April 26th was when I booked my flights to and from Las Vegas for hacker summer camp. I had no idea what was in store for me. The plan was to attend some conferences with Amanda Berlin, who had offered to let me stay with her. Originally I did not plan to go at all. Although after discussing with her, I really only had one option left.
I was walking into one of the best hacker experiences I’ve had to date. The week-long journey into Las Vegas that was hacker summer camp is a back-to-back combination of BsidesLV, Blackhat, and Defcon. It was nothing like I imagined but it definitely has me saving up for next year.
Amanda had shared a few links with me to prepare for Defcon. There were packing lists and notes like this one from JK-47. I signed up to volunteer at Bsides and to go to the “unofficial” Defcon shoot. There were plans to buy a burner phone and get all paranoid about getting hacked, but that didn’t last long. I entered every event I knew about into my calendar and Amanda shared hers with me as well. There were accounts on Twitter that I started following as well, like Defcon Parties.
When I was packing for the plane, I had originally imagined needing a checked bag and that I’d have a ton of gear to bring. As it turns out, a lot of technology is at risk of being hacked (who knew?), meaning that the extra computers, Raspberry Pi, and other tools I thought would be fun to bring had to be left behind. I made do with just my carry-on and a backpack. The only tech I brought was a computer with Kali, my phone, and a new MiFi I bought. The MiFi was because I was still too paranoid to trust any of the WiFi networks.
Hacker summer camp started with BsidesLV at the Tuscany. For those who aren’t familiar with Bsides conferences, they are “smaller” conferences that accept talks that didn’t make it into the “main” conference. Imagine the B side of a cassette tape.
My volunteer shifts were Tuesday and Wednesday from 8am to 5pm. The shifts I had were laid back; I worked the information desk and was a floater for speaker ops. Most of the time my job was to inform any attendees that might have questions and I think I did pretty well with that. The only negative to working all the shifts I did was that I left no time for actually attending talks. I’m still sifting through the videos that were uploaded to their YouTube channel.
My favorite shifts were working the information booth with Kate from misec. Those shifts flew by because we talked the entire time. Some other volunteers would stop by and talk to us as well.
The parties were good too. Tuesday night I went to Queercon, a gathering of the LGBT hacker community. They really know how to throw a party; everyone was talkative and it was pretty fun while I was there. Wednesday night was the BsidesLV pool party. We took over the entire pool area and had an awesome party. I played “volleyball” with a beach ball for a majority of the time; it was a lot of fun.
The best part of BsidesLV (for me) was getting to network with everyone. Volunteering allows me to get close to the organizers and other staff and I get to see a different side of the conference. There’s still the parties, events, and after-hours stuff that allows me to experience the rest of the conference with the regular attendees.
Between BsidesLV and Defcon, there was the shoot. The Defcon shoot is an opportunity to unleash some lead downrange in a variety of amounts and speeds. Basically, pay to shoot guns. Lanes are bought and can be shared with the public or “reserved” for private parties.
The idea behind the Defcon shoot is to gather together some gun loving hackers and have a fun time. It’s a great opportunity to shoot for the first time or for foreigners to shoot if they’re not allowed to back home. The range is closely monitored by experienced volunteers (and this year, someone from range staff) so the entire event is extremely safe.
The lane I shot at was provided by some friends of Amanda’s from across the pond. They brought bleeding zombie targets, something they’ve made a name for themselves by doing. Throughout the night I shot a range of firearms from .22 caliber rifles to .40 caliber pistols. I could have social engineered my way to shoot even more exotic weaponry, but time flew by. One missed opportunity was a Defcon shoot veteran who brings machine guns every year.
The “badges” for the shoot were 40mm grenade launcher shells. Practice shells of course, with the primer removed as well. At the end of the badge making process, the shell was reduced to an amount of chalk in a plastic case, perfect for those going through the TSA to get back home. There were even stickers to personalize your badge.
Unfortunately I couldn’t attend Blackhat myself. While signing up to volunteer for as many shifts as I did at BsidesLV, I was unable to volunteer at Blackhat as well. Not to mention it was probably way too late to offer. I was able to experience it vicariously through Amanda who was a speaker liaison and was able to get me into a few Blackhat afterparties. Thanks to her I was able to get some cool swag. I’m waiting for the recorded talks to go live on their website.
Not to say we saved the best for last, but we did save the biggest conference for last. I had no idea what I was in store for. There are so many rumors flying around about what happens that it was hard to sort through it all to find what really happens. I’m just glad it wasn’t canceled this year.
This year’s Defcon badge was a Terminator-themed skull. The core of the chip was an Intel Quark. The eyes of the skull had blue LEDs and there were eight buttons as well. After registration I met up with some more friends from misec and we gathered in Kate’s hotel room to take a shot at the badge’s crypto challenge.
We found a lot of initial hints on the Defcon Reddit page. Lost shared a picture about the lanyards, and the codes on the back of the badges had been collected in one Reddit post. We were able to decode one of the encoded messages on the back of our badges; it was chameleon. Lost used ROT2 because it was the inverse of 24.
Within a couple hours we found that a modified Konami code would activate a sequence on the LED eyes. The code is Up Up Down Down Left Right Left Right on the left four buttons and then Left Right (A, B) on the right four buttons. There was encoded text being displayed while running the Konami code. We had to connect a computer to decrypt the messages. For a complete write-up on the badge challenge, there’s an awesome post from the team that won.
There were a lot of vendors this year at Defcon. Hak5 and the Hacker Warehouse were two of my favorite vendors. There were a lot of great companies, Rapid7 and Pwnie Express to name a few, as well as some important organizations like TOOOL and EFF. That’s a lot of big-name companies and organizations that are key to hacker conventions like Defcon; I’ll let you take your pick and explore the links if interested.
I picked up a few new toys while at Defcon. The first thing I got was a WiFi Pineapple Tetra. I also picked up new clear padlocks, a deadbolt, and a different style of tension wrenches.
Car Hacking Village
On Friday, I had breakfast with Amanda and Chris. After that, the first place Chris and I stopped at was the car hacking village. Rapid7 sponsored the badges. Each badge had a CAN adapter, which I thought was pretty cool.
The car hacking village was really cool. There was a driving simulator with a Dodge Challenger. Throughout the length of the conference, there were talks in the village about different kinds of car hacks.
After an afternoon of lock-picking and struggling to watch the recorded talks on the hotel TV network, an evening of parties awaited me. Amanda had an entire evening planned. For those who don’t have the same luck, this is where the Hacker Tracker app and the Defcon Parties Twitter account come in handy.
Before getting to any parties, Amanda and I stopped at Drone Wars. They were racing small drones around obstacles and then attempting to knock down a Solo cup pyramid without crashing the plane.
There are countless groups that attend Defcon, and a lot host parties in the hotel suites. I joined Milton Security for a bourbon tasting party before going to meet with some friends I met at the BsidesLV pool party.
Saturday morning started with a combination of a CTF and Team Fortress 2 called Hack Fortress. Hack Fortress originated from Shmoocon in DC. Hackers get points they can redeem at a store that will affect the gamers. Special awards in game will also give more points towards the final team score.
Misec was able to represent with an entire team made up of Michigan hackers. The time limit was only 30 minutes. Unfortunately Misec didn’t win. If we were to play again, I would prepare by playing more Team Fortress 2 and understanding the game dynamics. Hacking was an important aspect, but a majority of the game points came from the gamers.
More talks on TV
The recorded talks on the hotel TVs were working a lot better on Saturday. The Misec group met back up at one of the hotel rooms to watch what was being broadcast instead of dealing with linecon (waiting for hours to get into a talk).
The first talk we watched was on phishing campaigns. Tactics of a good campaign and what separates success from failure were the main topics. The speaker mentioned not reinventing the wheel for every campaign, and using a certain framework. (I’ll add more details when I get to rewatch that talk.) Another talk we watched was about attribution. Attribution as in which hacker did what. For instance, did Russia really hack the DNC? It was really interesting to see where researchers, media, and more get their information from that allows them to attribute an attacker. I know I’ll be sticking to using Attribute Dice.
The last night of partying at Defcon (for me) started with Hacker Karaoke. Misec grouped together to sing Journey. It was a fun gathering. We then moved to the Social Engineering party which consisted of more bourbon tasting. (I hope you see the theme here).
Sunday morning was bittersweet. After five days of conference, I was ready for it to close… but at the same time, I didn’t want it to end. The closing ceremony started with my longest linecon of the conference. Winners of the larger challenges from the conference were recognized. The black badge was shown to the audience; the eyes pop out and look really cool. The animator that made the dinosaurs for Jurassic Park is hand crafting each one. A supercomputer was the first to win DARPA’s cyber grand challenge. Defcon 25 has a lot of potential.
What else happened at hacker summer camp?
There is so much that goes on at summer camp that it was impossible for me to attend it all. It’s been a week and I’ve only seen some of the Bsides talks that were recorded. What I talked about above was what I was able to participate in. There are official and unofficial events, conferences, and parties throughout the entire week that I didn’t even know about outside of Twitter. For instance there’s Tiaracon and Queercon (at Defcon). There are the open and official CTFs at Defcon. There’s honestly so much that I’m not even sure what else I missed. All I know is that I’ll find something fun and new to do next year!