(Making Sense of the Wonder and the Chaos )
Updated for DC27 (2019)
(as of July 6, 2019 – now with Villages and Demo Labs, and additional Workshop info)
DEF CON can be overwhelming, with a tremendous variety of talks, activities,
parties, and types of human beings from which to choose. In order to help you make sense of the con, and get the most out of it, I’ve put together this brief guide. It’ll be helpful for those of you attending DEF CON for the first time, but perhaps even experienced attendees will get something from this guide.
TL;DR: Three key tips
- Do a little homework
- Visit the official DEF CON site https://defcon.org/html/defcon-27/dc-27-index.html to plan how you want to spend your time
- Stay hydrated
- Bring a water bottle and keep refilling it
- Talk to people (and be respectful!)
- Make new friends while standing in the (many) lines. There are some incredibly intelligent and interesting people at DEF CON (in addition to yourself, naturally).
- Don’t be a jerk, please. We have enough of them in real life outside the con.
DEF CON has so many dimensions to it, that any summary will necessarily fall short of encompassing its full scope. Nevertheless, we’ll attempt it here.
There are several main “tracks” (I use this term loosely) within DEF CON, more or less broken down as follows:
- Contests and Events
- Capture the Flag
- Demo Labs
These are intense, hands-on technical sessions – each running 4-6 hours – held throughout the con.
New for 2019, DC has instituted a $25 charge for workshops. This seems to be driven by a desire to reduce the large number of no-shows in past years, when registration was free. Hopefully this will make it easier for folks to get into workshops they will actually attend. In any case, do anticipate that they will still fill up VERY quickly – typically within 1-2 minutes after registration opens.
If you’re interested in signing up, keep careful track of the exact minute when registration opens, and sign up then.
DC Twitter indicates that workshop signup will be Monday, July 8 at 3pm PST (https://twitter.com/defcon/status/1144463705452662785).
Update: As expected, the workshops all sold out extremely quickly. Anecdotally, there were some problems with the registration servers being overloaded. Workshops may offer waiting lists, and will likely have some no-shows, so try getting there in person well ahead of time – ask the organizers and maybe you can get a seat!
In many ways, these are the heart of DEF CON – an enormous number of presentations on topics that span technology, security, research, society, politics, and economics. These include large keynote presentations as well as smaller sessions.
Read through the list, make note of which ones you want to attend – and arrive early. There will be (long) lines to get in, and some sessions will be full!
Note that these official DEF CON talks are recorded, and freely available afterwards from (at least) two places:
DC Media Server: https://media.defcon.org/
DC YouTube Channel: https://www.youtube.com/user/DEFCONConference
One of the most amazing aspects of DEF CON is the huge spectrum of educational and hands-on activities. These are organized by topic area, or as DEF CON calls them, “villages”. Each village is located in a certain area of the convention center, easily found on the maps. This year’s DEF CON features more than 20 villages, including:
- Social Engineering: (includes schedule, and will hold the SE CTF scoreboard during the con)
- Car Hacking
- Voting Hacking
- Biohacking Village
- Packet Hacking
- IoT Village
These villages have different setups – some of them – especially the more technical ones, tend to be very hands-on (bring your computer). Some are a series of lectures & discussions – for example Biohacking, and Ethics – with a detailed scheduled listed on the DEF CON village site.
I recommend visiting as many of these as you can, at least to get a sense for what’s going on in each. There’s a remarkable variety of topics, and some incredibly intelligent and passionate people working at each. Go, talk to them, and learn something!
Contests and Events
DEF CON provides a huge array of Contests (and a few non-competitive Events) to choose from.
Events include an early morning bike ride, hacker karaoke, laser shooting, and a Mohawk hairstyling station (fundraising for the EFF).
But hackers are naturally competitive, and as such DEF CON offers an incredible variety of contests. Many of these are highly technical, while others stress different skills – such as Hacker Jeopardy, Hacker Spelling Bee, Scavenger Hunt, Drunk Hacker History, and the legendary Beard and Mustache Competition.
Most of the technical contests provide serious (but fun) challenges which require considerable skill, but also typically demand a considerable time commitment during DEF CON. I won’t attempt to enumerate the technical contests here – take a look for yourself at the link above.
Capture the Flag
DC27 Link: https://www.oooverflow.io/
Capture the Flag (CTF) is a highly overloaded term at DEF CON. Used generically, it refers to any of a number of the contests listed above, which are structured around obtaining (capturing) information. For example, The Social Engineer CTF (one of my personal favorites to observe) tasks contestants with obtaining information about a target organization.
But “the” CTF contest at DEF CON – referred to as simply “CTF” – is arguably the most prestigious hacking contest on the planet, one which requires teams to earn a spot through a series of qualifying rounds throughout the year.
DC27 Link here: https://www.defcon.org/html/defcon-27/dc-27-demolabs.html
These are technical demo stations dedicated to researchers and hackers who have something new and interesting to demonstrate. These are highly technical, but even if they’re beyond your depth, I encourage you to stop by to talk to the motivated and intelligent people behind these tools. Really interesting tools, and their developers are always more than happy to talk about them!
DEF CON 26 link: https://www.defcon.org/html/defcon-26/dc-26-vendors.html
DC27 Link: Not available yet
The vendor room – notoriously crowded – features selected purveyors of books, tools, and hacking paraphernalia. It’s definitely worth a visit to see what’s new and interesting, and to chat with the EFF folks.
DC26 Link: https://www.defcon.org/html/defcon-26/dc-26-parties.html
DC27 Link: Not available yet
There are many parties at DEF CON. Have fun but please don’t overdo it!
Follow @defconparties on Twitter for the latest.
No DEF CON overview would be complete without discussing the badges.
First – the official DEF CON badges are the ones that get you entry to the conference, and for which you pay $300 cash (cash only**). You’ll be required to wear these throughout the conference,. These are not your normal conference badges — these have no identifying information or barcodes on them, and you’re not “scanned” by vendors.
The badges usually go on sale early Thursday mornings. Some folks get there early (as in, the evening before) for the “linecon” experience. Typically you can show up late morning or early afternoon on Thursday and still get a regular badge. At some point, they run out and begin issuing the alternative badges (typically laminated paper). This time point is different every year.
There are several different varieties of official badges – including Human, Press, Speaker, Vendor, Goon, and the rare Black Badge . Goons are the volunteers who help run DEF CON (treat them nicely, and talk to them – most of them are experienced infosec practitioners). Most of us will be attending DEF CON as Humans (sorry!). Most years the badges are electronic (and hackable), and there’s a rich history of tinkering with them.
In addition to the official badges, there is also a fun subculture called badgelife, comprised of people who make electronic badges for fun, or to support specific organizations ( e.g. QueerCon ). Some of these are available via Kickstarter, for direct purchase, or only onsite. Here is the semi-official list in GoogleDocs.
** DEF CON has a partnership with the commercial BlackHat conference which immediately precedes it. If you’re purchasing a BlackHat pass, you can also pre-pay online for a DEF CON badge, and receive it ahead of time at BlackHat. This lets you avoid the DEF CON badge line (linecon).
I might have mentioned once or twice that DEF CON is crowded! During DC 25 and 26, the food service in Caesar’s was unreliable in quality and availability (I’m being diplomatic here), and the hotel restaurants had very long waits (Caesar’s Smashburger 50-person line, I’m talking to you!). To be fair, 25,000+ people is a lot of people to feed! DC27 is at a new venue this year, but you should anticipate equally long food lines.
Bring some snacks (and water) with you, and you’ll have a lot more flexibility in terms of eating schedules. And share to make new friends!
Some people bring alcohol to share and accelerate the making of friends. This is not a bad idea!
DEF CON: The (Scheduling) App:
I’ve reluctantly included this section, but it’s a necessity – especially for the female attendees. Sadly, there are jerks at the conference (like elsewhere in life).
Try to avoid getting overly intoxicated, especially if you’re not with someone you trust. Please be aware of the possibility of getting “roofied” with a spiked drink. (I know, just a few paragraphs previously I encouraged people to be friendly and share drinks – but there’s a big difference between (say) accepting an unopened beer from someone (which is cool), and drinking something unknown from a plastic cup.
Likewise, while most DEF CON attendees won’t steal from you, some will – so don’t leave your bags or gear sitting around unattended.
Have a great time, but be careful about your belongings and personal safety.
Some Final Thoughts
- Be patient (it’s crowded), be inquisitive (there’s a ton to learn), and be respectful of the presenters and attendees (please)
- Plan your con – write down your top activities (especially those that are time-constrained, such as the speakers) but don’t overplan it. Some of your best and most memorable DEF CON experiences will be serendipitous
- Security – Turn off Bluetooth and Wi-Fi on your devices, lest you end up on the Wall of Sheep. The conference does offer Wi-Fi (see here) which the organizers have put a lot of effort into making secure. Bring a phone power pack and avoid plugging your phone into any public charging cables
- Be respectful of people! Read the official Code of Conduct here. Relevant quote: “insulting or harassing other participants is unacceptable.” It’s also bad karma, people.
Most of all – have fun! DEF CON is an incredible experience – one that we’re lucky to be able to participate in – so make the most of it.
- Official DEF CON 27 Site: https://defcon.org/html/defcon-27/dc-27-index.html
- Unofficial DEF CON Schedule: http://defcon.outel.org/ – extremely useful, this self-proclaimed “one schedule to rule them all” combines all things DEF CON into a single consolidated page. Bookmark it!
- DEF CON 27 “Mega Thread” : https://www.reddit.com/r/Defcon/comments/bw9t25/def_con_27_mega_thread_info/
- Official DEF CON 27 FAQ: https://defcon.org/html/defcon-27/dc-27-faq.html
- DEF CON: The Documentary: Official documentary made at DEF CON 20: https://www.youtube.com/watch?v=3ctQOmjQyYg
DEF CON Fiction:
And if you’re interested in some short DEF CON fiction, check out my story:
Tone DEF: a DEF CON Love Story (in which a DEF CON N00b, Max, tries to be more extroverted while attending a Skytalks session. Hilarity and drama ensue!)
DEF CON is a complex beast, and I can’t hope to give you a complete picture here. But do let me know what’s missing (or incorrect), and I’ll work to improve this.