BSides, Black Hat, and DEFCON

I spent 4 days in Las Vegas this past week attending the back-to-back BSides LV, Black Hat, and DEFCON 24 hacker conferences.  This was my first trip to Vegas and my first time at these events (although I have attended local hacker events, such as ArchC0n in St. Louis last September). Here are some thoughts on my experience and some photos from my trip.

You know you are in Vegas when you get off the plane, because who wants to wait until you leave the airport to start gambling?

Slot machines at Las Vegas airport

Usually I try to stay at a conference hotel, but I had been prohibited from using any of my  government devices in the conference hotels (too much of a security risk), so I opted for the Westin, where I could also get a government rate. BSides was a short walk down the street at the Tuscany. It was nearly 100 degrees in the mid-day sun, but without all the humidity we’ve been having on the East Coast. (And the hotels were heavily air conditioned so I was glad to have a cardigan for inside the hotels!)

Westin hotel in Las VegasTuscany Suites

I gave the Gave opening keynote at BSides LV Tuesday morning in a noisy room with about 1000 people…. a few hundred people were sitting at tables, standing, or sitting on the floor paying attention to my talk. The rest were collecting swag from vendors, talking to each other, learning how to pick locks in the back of the room, or getting a drink at the bar (at 10 am!). Nonetheless, I had good audience participation when I quizzed them on password strength, and an artist captured the key points of my talk pretty well. And my talk got some nice press coverage. I wore my password dress (as requested) and many people asked me to pose for selfies with them throughout the day. After my keynote I spoke on a career panel and attended some of the Passwords talks (kudos to Per Thorsheim for organizing a great event). I also enjoyed Andrea Matwyshyn‘s talk on hacker kids.

Besides LV chill out roomvisual summary of BSides LV keynotes

BSides is the scrappy conference of the week. It doesn’t have many bells and whistles, but it is also the least overwhelming. Volunteer staff (known as “goons”) are mostly polite, but I did have a run-in with one who refused to let me back into a session for the end of the Q&A because I had stepped out into the hall.  The hotel is not so classy and the whole thing smells like cigarettes, but the event is free to attend and not nearly as crowded as the other two events. And bonus points for the visual notes, speaker lunch, and providing a nice women’s cut v-neck speaker t-shirt.

I spent most of Wednesday and Thursday at Black Hat at Mandalay Bay, a 15-minute taxi-ride down the Strip from BSides. This is the classiest, most corporate, and most expensive of the three events. It was also the most traditional conference, the only one that did not require walking through a casino, and the conference badges actually had peoples’ names on them. Some people even wore button down shirts and suit jackets, although black t-shirts, jeans, and hoodies were still totally ok. Everything about Black Hat is big and polished. The breakfast/lunch room (this is the only event that includes meals) was an enormous matrix of banquet tables and professional staff who greeted everyone with a smile and directed people to the open buffet lines politely and efficiently. The plenary room was full of flashing lights and a glass cracking theme for the opening session (I assume the idea is glass cracking as in breaking things, not cracking the glass ceiling, since there wasn’t a whole lot of evidence of glass ceiling cracking here). I got to see Jeff Moss and Dan Kaminsky. Among other things, Dan urged hackers to “break things faster,” encouraged companies to publish their code so that it would be indexed by Google and easier for their own employees to find, and suggested outsourcing more security functions to the cloud.

Black Hat breakfast and lunch roomBlack Hat opening keynoteBlack Hat opening keynote Black Hat opening keynote - Jeff MossBlack Hat opening keynote - Dan Kaminsky

The Black Hat business hall was also enormous, and many vendors were handing out swag. I collected enough t-shirts to clothe my kids for quite a while, plus bags, pens, and light-up balls. I would not come home empty handed. I was excited to visit the Wombat booth. Down the hall from Blackhat, in the same hotel, was the Superzoo show for pet retailers. The carts stacked with dog beds and cat food were an amusing contrast to Black Hat.

Black Hat business hall Black Hat business hall - Wombat boothSuperZoo at Mondalay Bay

I attended several really interesting talks at Black Hat, mostly on the human factors track (including a talk by my former PhD student, Patrick Kelley). There was a fun talk about dropping USB sticks in the parking lot. I was mostly interested in the data about how often they got picked up, although I think many in the audience enjoyed learning about how to make a fake USB stick that would automatically deploy malware when someone sticks it in their computer. One of my favorite talks was on using forensic linguistics to identify signs that a phone call is from a scammer. And of course no hacker conference is complete if you don’t see someone who has brought their own ATM machine.

As with the other hacker conferences, the crowd was not particularly diverse, although I did not find the climate uncomfortable at Black Hat and I was glad to see that all the staff in the business hall booths seemed to be dressed appropriately for the event. The Black Hat organizers had posted their code of conduct all over the place, and there were a couple of sessions focussed on getting more women into the security field (thanks EWF and Equal Respect!). When asked what they could do to attract more women to apply to be speakers I suggested personal invitations (which is the main reason I was at BSides, thanks Per!) and childcare and/or kids track (my kids were not available this week, but had they been I could have brought them to BSides and DEFCON but Black Hat would have been prohibitively expensive).

Patrick presenting at Black Hat ATM machine for Black Hat demo Black Hat code of conduct

I didn’t have much time to sight-see, but did check out some of the other hotels and casinos. I visited Ancient Egypt, where I discovered you can eat sushi. Then on to New York, which was an adorable scaled-down replica of the real thing, but so much more peaceful without honking horns and huge crowds. The Excalibur castle looked like something out of Disneyland.

Inside the Pyramid in Las Vegas New York New York New York New York Excalibar at night

I had to taxi over to DEFCON and back on Thursday mid-day to pick up my speaker badge and was back there in the evening and then all day on Friday. DEFCON is the largest of the three events and uses space in both the Bally’s and Paris hotels. The Paris has a casino at the base of the Eiffel tower and cute Parisian streets lined with over-priced cafes where they require you to show ID when you buy a $3 yogurt with a credit card.

Las Vegas stripParis hotel Paris hotel

DEFCON has something like 15,000 attendees, but you can’t register in advance and you have to pay cash at the door. Badge distribution and crowd control in general is quite a challenge, and there is a lot of waiting in line at DEFCON. Nonetheless, the DEFCON goons were friendly and managed the crowd well. And they looked stylish with their red t-shirts and police-style goon badges. I walked by the DEFCON kids track which looked like it would be fun to check out if I had brought my kids.

Bally's to Paris connection at DEFCONDEFCON at Paris HotelDEFCON at Paris Hotel

I checked out the DARPA Cyber Grand Challenge and saw the Mayhem team with CMU colleagues being interviewed after their victory. I met up with some of my fellow “feds” to prepare for our Meet the Feds panel.

Cyber Grand Challenge Cyber Grand Challenge Cyber Grand Challenge Allan and Jonathan at Cyber Grand Challenge at DEFCON Allan, Jonathan, and Lorrie at Cyber Grand Challenge at DEFCON

We reported to the speakers room 45 minutes before our talk and our goon escorted us to the room we were speaking in, a long walk through the casino and into Bally’s. We had about 800 people for the Meet the Feds panel and it was standing room only. We had some good questions, including from a high school student who wanted to know about careers in government.

DEFCON speaker ready room, with Eric Mill and goonDEFCON, Meet the Feds Allan, Eric, Lorrie, and Jonathan - DEFCON, Meet the FedsAllan, Eric, Lorrie, and Jonathan - DEFCON, Meet the Feds

My second panel was back in the Paris hotel in another large room. Commissioner McSweeney and I talked about the FTC and our research wish list. I discovered that the super cool podium looks great, but is not so good for short people as I could hardly be seen behind it.

DEFCON FTC session DEFCON FTC session - Terrell and Lorrie DEFCON FTC session - Terrell and Lorrie DEFCON FTC session - Terrell and Lorrie

FTC folks all wore the FTC DEFCON t-shirts I designed, complete with secret code (successfully cracked by my son in about 90 minutes).

Joe, Lorrie, Aaron, Terrell at DEFCONFTC DEFCON t-shirt frontFTC DEFCON t-shirt back

The DEFCON vendor room did not have much for free, but lots of fun things to buy like lock picks and hacking tools. Contest rooms and “villages” featured tables full of hackers working on competitions and projects, lots of people soldering (not sure what exactly), cars for car hacking, and phones for social engineering. There were beauticians offering mohawks in any color. Hacker jeopardy was a low point, as interspersed between geeky technical questions were questions full of sexual innuendo, which produced the predictably inappropriate and vulgar responses from contestants. Not classy! While this sort of behavior seemed to be the exception and not the rule at DEFCON this year, it should not be tolerated.

Overall, I did not see too many women at DEFCON. One attendee who saw my speaker badge asked if I was Radia Perlman. Perhaps she was the only female computer scientist he could think of who might be a speaker? There are worse people to be mistaken for, but she is about 20 years older than me and we look nothing alike.

DEFCON Venders DEFCON contest room DEFCON contest room DEFCON contest room DEFCON car hacking Hacker jeopardy DEFCON soldering DEFCON

On the flight home the couple sitting next to me asked if I knew anything about all those people walking around the Strip with skull badges. Yes, indeed, I told them as I pulled my DEFCON badge out of my backpack and showed them how I could press the buttons in the right order and make it light up.