How Secure Are We, Really?

This past weekend I attended DEF CON 26. I’ve been following DEF CON for years, but this was my first time attending DEF CON, and it was a generally great experience. As I’ll get into, this year was definitely not without its problems, but I’m glad I went, and I plan to return. A lot of people came together to get me there this year, and I couldn’t be more grateful that they did.

When most people think of a hacker convention, they are probably envisioning a bunch of socially awkward guys in black hoodies, permanently attached to their laptops. Sure, there were laptops, and even a few black hoodies, but the range of people at DEF CON was much more diverse than even I expected. That said, there is still plenty of room for diversity. While there were clearly a number of different countries represented, it seemed like the attendees were 80-90% white males. I would love to walk in next year and see more women, and an even more diverse range of racial backgrounds. It was, however, nice to at least see people from obviously different social and economic backgrounds coming together at this event.

Hack All The Things!

By now, if you have heard anything about this year’s DEF CON, you have probably heard about the Voting Machine Village, and the 11-year-old who hacked election results. This was really cool, and that 11-year-old probably has their pick of jobs once they are old enough, but when I say hack all the things, I mean all the things.

One of the coolest, and scariest, topics discussed this year is the idea of hacking the human body – or at least medical devices that are attached to, or implanted in, the human body. Pacemakers, insulin pumps, heart monitors, and even other medical devices like MRI machines are all potentially hackable. More and more, these devices are connected to Wi-Fi networks, and often without much, or any, access control in place. For devices like pacemakers, it makes sense that there would be a default username and password for access, but maybe this is information that should be restricted to those who need it, and not publicly available on the Internet. It may seem like a great idea to allow medical devices to be Wi-Fi connected, for monitoring and alerting, but I don’t think we are ready to handle these devices with the current state of IoT security.

It’s All About the Tools

There were a lot of presenters talking about tools or devices they built to solve problems they encountered, or just because they were cool things to mess around with. The talk that really stuck out in my mind this year was Amanda Rousseau (@malwareunicorn) and Rich Seymour (@rseymour) discussing Xori, a fantastic, open-source disassembly and static analysis library for shellcode and PE binaries. They developed Xori to solve the problem of reviewing a large number of binaries in a short time, and it looks like that’s exactly what Xori allows you to do.

Another talk that I enjoyed was Andrea Marcelli’s demonstration of YaYaGen, which automates much of the process of generating YARA rules. Sure, there are other YARA rule generators out there, but this one looks like it nearly eliminates all the pain points of generating YARA rules.

Possibly the “coolest” demonstration I attended was @d4rkm4tter taking wardriving to the next level with his WiFi Cactus. This device is a backpack with a stack of WiFi radios, monitoring 50 channels simultaneously, potentially collecting gigabytes of data transmitted over wireless networks within range. It’s amazing, and a little disturbing, what information can be gathered from the networks at a security conference. For anyone else who was there, #pineapplerick – the rest of you will just have to search the hashtag on Twitter.

Security?

One of the biggest issues with this year’s event really had nothing to do with the event itself, but rather with the host hotel. In the name of security, Caesars made the event a regrettable experience for many of the attendees – especially the few women who were staying there for the convention. After last year’s shooting, hotels have stepped up their security, which makes sense, but Caesars properties seem to have taken this to an extreme, even going beyond what their own security procedures dictate, as explained in this Tweet from DEF CON.

This situation has removed the feeling of security that many of us felt going into DEF CON, and instead left people feeling violated. There was no need for the tactics used by hotel security, and the fact that they rifled through personal belongings, and even confiscated personal items that were clearly not weapons, is completely unacceptable. I do commend DEF CON staff for following up on this, and holding Caesars Entertainment responsible for the role their staff played in this situation.

(?=Next Year)

While I disagree with Caesars’ handling of “security,” I feel that DEF CON is handling the situation appropriately, and don’t want to punish them for the mistakes of the host hotel. Even though the event is taking place at another Caesars property next year, I’ll still show up to support the community, and DEF CON. I will just stay in a hotel that is not owned by Caesars Entertainment. I learned a lot this year, and have a lot of ideas about how I am going to implement my new knowledge. I also plan to spend this year working on ways to improve website security, and make security options more user-friendly for the average website owner. Next year, I plan to do more networking, and be much more hands-on by participating in CTFs and other events. This was a great first year at DEF CON, and I can’t wait to see what future years hold for me.
