07 Aug 2017
In addition to taking stock of how things went at Hacker Summer Camp, I think
it’s important to examine the lessons learned from the event. Some of these
lessons will be introspective and reflect on myself and my career, but I think
it’s important to share these to encourage others to also reflect on what they
want and where they’re going.
It’s still incredibly important to me to be doing hands-on technical work.
I do a lot of other things, and they may have significant impact, but I can’t
imagine taking a purely leadership/organizational role. I wouldn’t be happy,
and unhappy people are not productive people. Finding vulnerabilities, doing
technical research, building tools, are all areas that make me excited to be in
this field and to continue to be in this field.
I saw so many highly-technical projects presented and demoed, and these were all
the ones that made me excited to still be in this field. The IoT village, in
particular, showed a rapidly-evolving highly technical area of security with
many challenges left to be solved:
- How do you configure devices that lack a user interface?
- How do you update devices that users expect to run 24/7?
- How do you build security into a device that users expect to be dirt cheap?
- What are the tradeoffs between Bluetooth, WiFi, 802.15.4, and other radio
Between these questions and my love of playing with hardware (my CS
concentration was in embedded systems), it’s obvious why I’ve at least slightly
gravitated towards IoT/embedded security.
This brings me to my next insight: I’m still very much a generalist. I’ve
always felt that being a generalist has hamstrung me from working on cool
things, but I’m beginning to think the only thing hamstringing me is me. Now I
just need to get over the notion that 0x20 is too old of an age for cool
security/vulnerability research. I’m focusing on IoT and I’ve managed to
exclude certain areas of security in the interests of time management: for as
fascinating as DFIR is, I’m not actively pursuing anything in that space because
it turns out time is a finite quantity and spreading it too thin means getting
nowhere with anything.
Outwardly, I’m happy that BSidesLV and DEF CON both appear to have had an
increasingly diverse attendance,
though I have no idea how accurate the numbers are given their methodology.
(To be fair, I’m super happy someone is trying to even to figure this out in the
chaos that is hacker summer camp.) The industry, and the conferences, may never
hit a 50/50 gender split, but I think that’s okay if we can get to a point where
we build an inclusive meritocracy of an environment. Ensuring that women,
LGBTQ, and minorities who want to get into this industry can do so and feel
included when they do is critical to our success. I’m a firm believer that the
best security professionals draw from their life background when designing
solutions, and having a diverse set of life backgrounds ensures a diverse set of
solutions. Different experiences and different viewpoints avoid groupthink, so
I’m very hopeful to see those numbers continue to rise each year.
I have zero data to back this up, but observationally, it seemed that more
attendees brought their kids with them to hacker summer camp. I love this:
inspiring the next generation of hackers, showing them that technology can be
used to do cool things, and that it’s never too early to start learning about it
will benefit both them (excel in the workforce, even if they take the hacker
mindset to another industry) and society (more creative/critical thinkers,
better understanding of future tech, and hopefully keeping them on the white hat
side). I don’t know how much of this is a sign of the maturing industry (more
hackers have kids now), more parents feel that it’s important to expose their
kids to this community, or maybe just a result of the different layout of
Caesar’s, leading to bad observations.
There were a few things from my packing list this year that turned out to be
really useful. I’m going to try to do an updated planning post pair (e.g., one
far out and one shortly before con) for next year, but there’s a few things I
really thought were useful and so I’ll highlight them here.
- An evaporative cooling towel really helps with the
Vegas heat. It’s super lightweight and takes virtually no space. Dry, it’s
useful as a normal towel, but if you wet it slightly, the evaporating water
actually cools off the towel (and you). Awesome for 108 degree weather.
- An aluminum water bottle would’ve been nice. Again,
fight the dehydration. In the con space, there’s lots of water dispensers
with at least filtered water (Vegas tap water is terrible) plus the SIGG
bottles are nice because you can use a carabiner to strap it to your bag. I
like the aluminum better than a polycarbonate (aka Nalgene) because it won’t
crack no matter how you abuse it. (Ok, maybe it’s possible to crack aluminum,
but this isn’t the Hydraulic Press Channel.)
- RFID sleeves. I mentioned these before. Yes, my
room key was based on some RFID/proximity technology. Yes, a proxmark can
clone it. Yes, I wanted to avoid that happening without my knowing.
For some reason, I didn’t get a chance to break out a lot of the hacking gear I
brought with me, but I’ll probably continue to bring it to cons “just in case”.
I’m usually checking a bag anyway, so a few pounds of gear is a better option
than regretting it if I want to do something.
That concludes my Hacker Summer Camp blog series for this year. I hope it’s
been useful, entertaining, or both. Agree with something I said? Disagree?
Hit me up on Twitter or find me via other means of
05 Aug 2017
DEF CON, of course, is the main event of Hacker Summer Camp for me. It’s the
largest gathering of hackers in the world, and it’s the only opportunity I get
to see some of the people I know in the industry. It’s also the most hands-on
of all of the conferences I’ve ever attended, and the people running the
villages clearly know their stuff and are super passionate about their area.
Nowhere do I see so much raw talent and excitement for the hacker spirit as at
This year was the first year at Caesar’s Palace and quite frankly, it showed. Traffic
control reminded me of the first year at Bally’s/Paris: as best as they could do
without any data, but still far from optimal. Additionally, Dark Tangent
pointed out that they were expecting 6% growth, but ended up closer to 20%.
That’s thousands extra. The rule that they do not sell out and everyone gets
through the door is not without its downsides.
Overall, this year was incredible for me personally. Though I attended no main
track talks, I made it to a couple of Sky Talks and some village talks, as well
as a bunch of village activities. I met a bunch of interesting people who are
working on interesting technical things, which is great because it reminds me
why I got into this industry in the first place and what I want to be doing in
The IoT village was excellent, but I wish I had gotten to it earlier to
participate in the IoT CTF – it looked like a lot of fun, and their physical
target range wasn’t something you see everyday. They had everything from
cheap bluetooth devices to the Google Home and Amazon Alexa, and I believe this
is a reflection of where we’ll see the future growth in security – the IoT
isn’t a passing fad, and we’ll have millions of low-cost devices deployed and
not properly managed. There’s no time like the present to get security to the
front and center of the IoT device design process.
In previous years, I’d always played in the Capture the Packet contest. This
year I opted out, despite having a bye in the first round, because there was so
much going on and because it had consumed too much of my time at DEF CON 24. I
don’t regret this decision, but it is something I missed slightly. In fact, it
ended up that I never even set foot in the packet capture village! (I guess
that’s what happens to villages at the end of halls?)
The “linecon” joke was never more accurate than this year – there was a line
for everything! Not only did every talk have lines, but there were lines to get
into the Biohacking Village, the Swag line was long (where was Hacker Stickers
with our official unofficial swag?), even the line for Mohawkcon was ridiculous!
(Maybe next year I just need to get a mohawk before I go there – it’s not like
I don’t donate to the EFF anyway.) I’m sure this is a combination of many
factors, including the growth of the community, the new venue, and the fact that
it wouldn’t be DEF CON without linecon.
The DEF CON artwork is not something I normally write about, largely because I’m
no artist and I barely have an eye for, well, anything, but I really thought the
art was excellent this year. I so desperately wanted to rip one of the posters
off the wall next to the escalators! (I have hopes one of them might appear in
a charity auction at some point, but I didn’t see it at con.)
Caesar’s as a venue was okay – there was noticeably more space, but figuring out
how to get between some of the areas was not crystal clear. A lot of that was
on me – I should’ve done more recon of the con area. (Look for a “lessons
learned” post coming soon.) My hotel room was awesome though, and in the tower
right above the con space, so I had that going for me. Fingers crossed to get
in the same tower next year.
Dual Core had an outstanding show on the Friday Night lineup. I don’t care what
DEF CON calls the headliner, Dual Core is always the headliner for my music
tastes. I’ve seen him perform live at least once at every DEF CON and at dozens
of other events (Southeast Linux Fest, DerbyCon, etc.), and I just don’t think
it would be a full con without seeing him.
Mad props to DT and all the DEF CON Goons and organizers who work so hard to put
the event together. No matter how much chaos there may be, I’ve had a great
time every year, and I wouldn’t miss it for the world. That’s just a part of
the World’s Biggest Hacker Convention.
31 Jul 2017
In my post the Many Badges of DEF CON 25
I may have not-so-subtly hinted that there was something I was working on.
While none of the ones I listed were created in response to the announcement
that DEF CON had been forced to switch to “Plan B” with their badges, mine more
or less was. Ever since I saw the Queercon badge in 2015, I’d had the idea to
create my own electronic badge, but the announcement spurred me on to action.
However, what could I do in only 2 months? Before I created this badge, I had
never created a PCB. All my electronics design work before had been on protoboards at
best, and while I had assembled SMD electronics on PCBs before, I had no idea
how to design with it. So, it seemed like a perfect learning opportunity.
Boy, did I ever learn. In the process of creating this badge, I created 3
separate sets of PCBs, soldered 7 finished badges, (yes, only 7 – maybe this
was the most exclusive unofficial badge?), debugged numerous problems, and read
way more datasheets than I expected I would.
So what did I come up with? Well, how does 48 RGB LEDs drawing up to 15W of
power sound? Overkill? It totally was.
Ok, maybe there’s a little too much glare there. Sorry. It turns out that
pointing a cell phone at 48 LEDs rarely results in a quality photo. Let’s try
it again without the blinding light.
Way better, don’t you think? This is the “XXV Badge” – 48 APA102C LEDs
controlled by an Atmel SAMD21 ARM Cortex M0
MCU clocked at 48 MHz. The SAMD21 runs at 3.3v, the LEDs at 5V, so I have a
boost converter driving the LEDs based on a TPS61232. A 74AHCT125 quad buffer
provides level conversion (though not really designed to, it works quite well)
for the SPI signals. All told, there’s 98 components, though many of them are
simply things like decoupling capacitors.
I know the design is simple, but I’m no artist. On the other hand, I feel like
it worked out quite well for the parties and I got a number of compliments and
interest in the badge, so I’m pretty happy with the outcome for my first badge
design (and first PCB!) I can’t wait to start thinking about next year!
The boost converter design & layout are approximately based on the reference
design from TI, but I had to make a few adaptations due to part size and layout
constraints. Fortunately, it ended up working out pretty well, and with fresh
batteries, the output is well-regulated. However, running all of the LEDs at
full brightness draws more current than 3xAAAs can support, causing the input
voltage to the boost converter to drop and resulting either in an immense amount
of ripple, or so much dropout that the SAMD21 CPU resets.
KiCad design files and firmware source code are on
GitHub! My production boards were produced
31 Jul 2017
I’ve returned from this year’s edition of Hacker Summer Camp, and while I’m
completely and utterly exhausted, I wanted to get my thoughts about this year’s
events out before I completely forget what happened.
The Pros vs Joes CTF was, yet again, a high quality event despite the usual
bumps and twists. This was the largest PvJ ever, with more than 80 people
involved between Blue Pros, Blue Joes, Red Cell, Grey Cell, and Gold Cell. Each
blue team had 11 players between the two Pros and 9 Joes, making them slightly
larger than in years past. (Though I believe that’s a temporary “feature” of
this year’s game.)
I was also incredibly happy by the diversity displayed by the event this year:
at least 3 of the blue teams had women on them, as did both Gold and Grey cells.
Teams had experienced players, with some being veterans, as well as players with
no professional experience (students) and professionals working outside the
information security industry (my team alone had two electrical engineers).
This mix is part of what makes Pros vs Joes so good – everybody has something
to contribute, and you get such a wide range of views and experiences. Two
players on my team absolutely crushed the Windows aspects of the game, which
was incredible because everyone knows I’m a hardcore Linux guy. (The last
version of Windows I used as a “daily driver” was Windows XP SP 2. In 2003.)
Game mechanics were incredibly different this year than in years past. No
longer did a team turn in “integrity flags” for local points. More hosts had
multiple scored services. Tickets incurred a penalty if they were reopened.
Most significantly, there was a store where teams could buy a variety of things,
including the services of a Red Team member, a Security Onion box (I gotta give
Security Onion a try!), or “outsourcing” a grey team ticket. My team chose to
make little use of this store, but other teams made extensive use of Dichotomy’s
Emporium. (I’m not convinced that either is an “optimal” strategy, because a
lot depends on the strengths and weaknesses of their own team.) I can’t wait to
see the analysis from our data scientist on the different aspects of the game.
The game environment, on the other hand, was essentially unchanged from last
year. The same vulnerabilities and hosts were present. This led to quite a
bit of surprise when, during scorched earth, I was able to use the same BIND 9
bug to take out DNS (and consequently, the ability of Scorebot to reach any
services) for all 3 other teams (which was a repeat of my same scorched earth
tactic from last year). A note to future captains: DNS is important, perhaps
you’d like to patch that machine.
I’ll leave any major announcements about the game to Dichotomy, but I do want to
mention that I envision more collaboration between the Pros & Staff over the
next year. Pros vs Joes is a learning CTF first, and this will allow us to
build a more immersive environment and a better set of resources for the blue
staff to use in mentoring Joes.
I was exhausted by the end of this PvJ, but it was a kind of good exhaustion.
No matter how tired I was, I was satisfied to know that all of my players seemed
to have learned something throughout the course of the game, and the cherry on
top was a victory for ShellAntics. Thanks to Dichotomy, Gold Cell, Red Cell (no
hard feelings t1v0?), and of course, the awesome Joes on my team.
18 Jul 2017
My hacker summer camp planning posts are among the most-viewed on my blog, and I
was recently reminded I hadn’t done one for 2017 yet, despite it being just
around the corner!
Though many tips will be similar, feel free to check out the two posts from last
year as well:
If you don’t know, Hacker Summer Camp is a nickname for 3 information security
conferences in one week in Las Vegas every July/August. This includes Black
Hat, BSides Las Vegas, and DEF CON.
Black Hat is the most “corporate” of the 3 events, with a large area of vendor
booths, great talks (though not all are super-technical) and a very
corporate/organized feel. If you want a serious, straight-edge security
conference, Black Hat is for you. Admission is several thousand dollars, so
most attendees are either self-employed and writing it off, or paid by their
BSides Las Vegas is a much smaller (~1000 people) conference that’s heavily
community-focused. With tracks intended for those new to the industry, getting
hired, and a variety of technical talks, it has something for everyone. It also
has my favorite CTF: Pros vs Joes. You can donate
for admission, or get in line for one of ~450 free admissions. (Yes, the line
starts early. Yes, it quickly sells out.)
DEF CON is the biggest of the conferences. (And, in my opinion, the “main
event”.) I think of DEF CON as the Burning Man of hacker conferences: yes,
there’s tons of talks, but it’s also a huge opportunity for members of the
community to show off what they’re doing. It’s also a huge party at night: tons
of music, drinking, pool parties. At DEF CON, there is more to do than can be
done, so you’ll need to pick and choose.
Hopefully you already have your travel plans (hotel/airfare/etc.) sorted. It’s
a bit late for me to provide advice there this year. :)
What To Do
Make sure you do things. You only get out of Hacker Summer Camp what you put
into it. You can totally just go and sit in conference rooms and listen to
talks, but you’re not going to get as much out of it as you otherwise could.
Black Hat has excellent classes, so you can get into significantly more depth
than a 45 minute talk would allow. If you have the opportunity (they’re
expensive), you should take one.
If you’re not attending Black Hat, come over to BSides Las Vegas. They go on in
parallel, so it’s a good opportunity for a cheaper option and for a more
community feel. At BSides, you can meet some great members of the community,
hear some talks in a smaller intimate setting (you might actually have a chance
to talk to the speaker afterwards), and generally have a more laid-back time
than Black Hat.
DEF CON is entirely up to you: go to talks, or don’t. Go to villages and meet
people, see what they’re doing, get hands on with things. Go to the vendor area
and buy some lockpicks, WiFi pineapples, or more black t-shirts. Drink with
some of the smartest people in the industry. You never know who you’ll meet.
Whatever you choose, you can have a blast, but you need to make sure you manage
your energy. I’ve made myself physically sick by trying to do it all – just
accept that you can’t and take it easy.
I’m particularly excited to check out the IoT village again this year. (As
regular readers know, I have a soft spot for the Insecurity of Things.)
Likewise, I look forward to seeing small talks in the villages.
Whatever you do, be an active participant. I’ve personally spent too much time
not participating: not talking, not engaging, not doing. You won’t get the most
out of this week by being a wallflower.
DEF CON has a reputation for being the most dangerous network in the world, but
I believe that title depends on how you look at it. In my experience, it’s a
matter of quality vs quantity. While I have no doubt that the open WiFi at DEF
CON probably has far more than its fair share of various hijinks (sniffing,
ARP spoofing, HTTPS downgrades, fake APs, etc.), I genuinely don’t anticipate
seeing high-value 0-days being deployed on this network. Using an 0-day on the
DEF CON network is going to burn it: someone will see it and your 0-day is
over. Some of the best malware reversers and forensics experts in the world are
present, I don’t anticipate someone using a high-quality bug in modern software
on this network and wasting it like that.
Obviously, I can’t make any guarantees, but the following advice approximately
matches my own threat model. If you plan to connect to shady networks or
CTF-type networks, you probably want to take additional precautions. (Like
using a separate laptop, which is the approach I’m taking this year.)
That being said, you should take reasonable precautions against more run of the
- Use Full Disk Encryption (in case your device gets lost/stolen)
- Be fully updated on a modern OS (putting off patches? might be the time to
- Don’t use open WiFi
- Turn off any radios you’re not using (WiFi, BT)
- Disable 3G downgrade on your phone if you can (LTE only)
- Don’t accept updates offered while you’re in Vegas
- Don’t run random downloads :)
- Run a local firewall dropping all unexpected traffic
Using a current, fully patched iOS or Android device should be relatively safe.
ChromeOS is a good choice if you just need internet from a laptop-style device.
Fully patched Windows/Linux/OS X are probably okay, but you have somewhat larger
attack surface and less protection against drive-by malware.
Your single biggest concern on any network (DEF CON or not) should be sending
plaintext over the network. Use a VPN. Use HTTPS. Be especially wary of
phishing. Use 2-Factor. (Ideally U2F, which is cryptographically designed to
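A concrete way to combine “don’t use open WiFi”, “turn off radios you’re not using”, “run a local firewall dropping all unexpected traffic” and “use a VPN” on a Linux laptop is a “con mode” script that blocks unused radios and installs a VPN kill-switch firewall. The script below is an added example for this post, not the author’s own tooling. It assumes nftables (`nft`) and `rfkill` are installed, that the VPN is a WireGuard interface named `wg0`, and that `203.0.113.10:51820` stands in for your real VPN endpoint (both are placeholder values, not a real server). Everything except loopback, DHCP, IPv6 neighbour discovery and the VPN handshake itself is dropped unless it leaves through the tunnel, so a VPN drop or a captive portal cannot quietly push your traffic onto the open network in the clear.

```shell
#!/bin/sh
# con_mode.sh - VPN kill-switch firewall plus radio lockdown for a Linux laptop.
# Added example, not the post author's code. Assumes nftables and rfkill, a
# WireGuard interface (default wg0), and placeholder endpoint 203.0.113.10:51820.
set -eu

VPN_IF="${VPN_IF:-wg0}"
VPN_HOST="${VPN_HOST:-203.0.113.10}"   # placeholder, not a real VPN server
VPN_PORT="${VPN_PORT:-51820}"

# write_ruleset OUTFILE VPN_IF VPN_HOST VPN_PORT
# Emits an nftables ruleset with default-drop on both input and output.
write_ruleset() {
    cat > "$1" <<EOF
flush ruleset
table inet conmode {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # IPv6 neighbour discovery must survive or link-local v6 breaks
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # nothing else inbound: no SSH, no mDNS, no "helpful" discovery protocols
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        # DHCP so the laptop can get a lease at all
        udp sport 68 udp dport 67 accept
        # the tunnel handshake itself has to go out in the clear
        ip daddr $3 udp dport $4 accept
        # everything else may leave only through the tunnel
        oifname "$2" accept
    }
}
EOF
}

# apply_ruleset FILE: syntax-check first so a typo never leaves you half-open.
apply_ruleset() {
    nft -c -f "$1"
    nft -f "$1"
}

# radios_off [wifi-too]: Bluetooth is always blocked; WiFi only when asked
# (i.e. when you are on a wired link). Needs root.
radios_off() {
    rfkill block bluetooth
    [ "${1:-}" = "wifi-too" ] && rfkill block wlan
    return 0
}

case "${1:-}" in
    apply)
        tmp=$(mktemp)
        write_ruleset "$tmp" "$VPN_IF" "$VPN_HOST" "$VPN_PORT"
        apply_ruleset "$tmp"
        radios_off "${2:-}"
        rm -f "$tmp"
        ;;
    show)
        write_ruleset /dev/stdout "$VPN_IF" "$VPN_HOST" "$VPN_PORT"
        ;;
esac
```

Run `sh con_mode.sh show` to inspect the generated ruleset and `sudo sh con_mode.sh apply` (or `apply wifi-too` on a wired link) to load it. Two caveats a practitioner should expect: DNS has to resolve through the tunnel, so point the resolver at the VPN’s DNS, and a hotel or con captive portal cannot be completed while the kill switch is up, so authenticate to the portal first, then apply. The same idea applies on other platforms (pf on macOS, Windows Firewall with a default-deny outbound profile), but the rules above are Linux/nftables only.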
Personal Security & Safety
This is Vegas. DEF CON aside, watch what you’re doing. There are plenty of
pick pockets, con men, and general thieves in Las Vegas. They’re there to prey
on tourists, and whether you’re there for a good time or for a con, you’re their
prey. Keep your wits about you.
Check ATMs for skimmers. (This is a good life pro tip.)
Don’t use the ATMs near the con. If you’re not sure if you can tell if an ATM
has a skimmer: bring enough cash in advance. Lock it in your in-room safe.
Does your hotel use RFID-based door locks? May I suggest
Planning to drink? (I am.) Make sure you drink water too. Vegas is super-hot,
and dehydration will make you very sick (or worse). I try to drink 1/2 a liter
of water for every drink I have, but I rarely meet that goal. It’s still a good
goal to have.
Are you paranoid?
Maybe. I get paid to execute attacks and think like an attacker, so it comes
with the territory. I’m going to an event to see other people who do the same
thing. I’m not convinced the paranoia is unwarranted.
Will I get hacked?
Probably not, if you spend a little time preparing.
Should I go to talks?
Are they interesting to you? Go to talks if they’re interesting and timely.
Note that most talks are recorded and will be posted online a couple of months
after the conferences (or can be bought sooner from Source of Knowledge). A
notable exception is that SkyTalks are not recorded. And don’t try to
record them yourself – you’ll get bounced from the room.
What’s the 3-2-1 rule?
3 hours of sleep, 2 meals, and 1 shower. Every day. I prefer 2 showers
myself – Vegas is pretty hot.