What a week! Hacker summer camp in Vegas was amazing! This was my first time through for all three of the conferences in Vegas – BSidesLV, Black Hat, and Defcon. I’ve been to BSidesLV and Defcon plenty of times, but experiencing all of these back-to-back (-to-back!, with a bit of overlap) gives a unique perspective on each of these and what makes them valuable. On a somewhat unrelated note, it also provided me my own “unique perspective” on exactly how many days I can do in Vegas before being “done”. As it turns out, that number is four. Not the six that I was there for – or the nine that the more hard-core members of our Labs team did! I don’t even want to imagine what nine days would do to me. *shiver*
First, some background on me that helps shape my comments. My role here at Coalfire for the last five years has been primarily to manage the business side of the Coalfire Labs team. This includes growing and scaling a consulting business, maturing our service lines, optimizing our delivery mechanisms and dealing with a lot of things that are pretty removed from the geekery that I grew up with. Prior to being at Coalfire I was managing information security teams, and prior to that I was a bona fide security and IT geek. These three career phases roughly line up with my 40’s, 30’s and 20’s. With that in mind, here are my impressions, in a nutshell.
Black Hat
This is right up my 40’s me alley. This is the proverbial grandfather of ‘hacker’ conferences. It’s absolutely huge. There were 187 speakers listed, and I *think* there were 16 different tracks plus the “Arsenal” (where our own Marcello Salvati demo’ed his “CME” tool). Whatever you want, it’s at Black Hat. The downside? Whatever you want is likely at the same time as something else you want. Read the guide, and plan accordingly. And the vendor room – you could spend a day there just checking out the latest offerings from … well, everybody. Including Coalfire: we were there in a booth for the first year, and it was a great sponsorship experience (but that’s a different conversation). The rooms are huge, the A/V is top notch, lines to enter briefings are manageable, there is video broadcast for those who can’t fit into a full room, and the speakers are polished and professional (mostly!). Black Hat briefings were the most ‘comfortable’ of the experiences.
My key take-away from Black Hat: What’s old is new again
One Black Hat briefing in particular stood out for calling attention to a very, very old problem. It was by Jeremy Galloway (Abstract and PDF Presentation), and it was an amusing presentation about the threats posed by presumably trusted AirBnB locations (YouTube of presentation) and their wireless networks. Physical access beats all. Don’t protect your network with kittens and wishful thinking.
BSides Las Vegas
30’s me likes this conference best. As part of the greater BSides “open” security conference community, the Las Vegas conference is reportedly the biggest of the bunch. Now in its 8th year, this conference shares some of the same speakers and content as Black Hat, since they conveniently ‘coincide’ with each other, but it balances a variety of speakers and topics that are both theoretical and practical in nature. The venue is ‘comfortable’ and centers around a huge “chill-out” room which is flanked by a modest number of sponsor booths and has ample seating to … well, to “chill out”. With a low vendor-to-person ratio and a traditional pool party, it’s easy to meet a variety of people and have a good time while still being able to take in a vast number of talks while there.
My key take-away from BSidesLV: What’s new is still new
There were literally dozens of briefings at Black Hat and BSides that focused on the cloud – and particularly the Amazon-flavored cloud. Much of it centered on the authentication systems used and their shortcomings. That, and there were quite a few informative briefings unraveling Windows 10.
Defcon
20’s me, all the way. This is where my inner anarchist punk rocker finds solace. This little conference has grown to be quite large over the years, but it’s still considered the most “grass-roots” of all of them. Speakers not afraid to offend? Check. People free to express themselves? Double check. The most extreme and anarchist flavor? Oh, yes. And the ‘best of’ briefings from the other two conferences to boot. And it’s (still) cheap!
My key take-away from Defcon: The place for ‘new’
Defcon had very few briefings that covered what your “traditional” attack vector looks like. The best of that bunch was Sean Metcalf’s talk on leveraging the data in Active Directory to efficiently ‘loot’ an organization. But outside that, there were more “things” and “thing protocol” briefings this year than I’d ever seen. There were new takes on ATM hacks (this time with EMV) and how those can / will be monetized, drone hacking, Bluetooth ‘lock picking’, and of course a few automotive-related presentations.
The present-day me found that from a business perspective they all have their benefits as well. For recruiting high caliber staff, BSides provides the most intimate environment where you can get to know attendees. For lead generation, nothing beats the gigantic security shopping mall that is the Black Hat vendor room. Finally, Defcon merits my vote as the best place to send your staff on a geek-boondoggle and have them return smarter and with renewed enthusiasm (albeit sleep-deprived).
These three conferences are all similar – and sometimes have the same speakers presenting. But each of them brings its own take on the subject, with Black Hat being the most ‘corporate’ of the three events, Defcon being the antithesis of that, and BSides being somewhere in between. But all of these conferences had two things in common. First, the content of the briefings was incredible and the speakers were truly impressive. I’m quite the cynic / critic (amazing how similar those words are), but I didn’t go to one lame briefing or sit through one pointless demo. Honestly, I was expecting at least one bad presentation out of the bunch. Next, it was a great experience meeting new, interesting people with whom I share a common interest / vocation. Throughout it all, I never met one person that I would have considered “shady” or “underground”. Everyone seemed pleasant and honest and was open to new ideas and perspectives.
Overall, it was a great experience. Just seeing the trends in the industry as demonstrated by the somewhat independent research community was well worth staying well past my newly-discovered “Vegas expiration date”.