I spent the week with over 20,000 hackers in Las Vegas — here's what I saw

Defcon is one of the largest hacker conferences in the world. Held over four days every August in Las Vegas, Defcon is now in its 23rd year and is bigger — and scarier — than ever.

The conference now boasts an attendance of more than 20,000, so I decided to venture out and see what all the fuss was about.

Needless to say, I was not disappointed.

Darien Acosta
One last farewell to the New York City skyline from Newark Liberty Airport.

Here's a partial view of the Grand Canyon from my flight.

Defcon 23 is held at the Bally's and Paris Hotel Casino near Caesar's Palace.

Ballys in Las Vegas
Michael Dorausch/Flickr

During the conference, special keycards are provided at participating hotels.

In preparation for Defcon, the hotel provides special "If you see something, say something" training for its staff.

Buzz Session Planner: Defcon (Hacker Conference) Awareness Training. I stumbled across this at one of the hotels during Defcon.

This is the main conference area for panel talks. This gigantic space will be divided into three separate tracks.

But first, attendees line up at 5 a.m. to purchase admission badges. Defcon operates on a cash-only basis — to prevent credit-card fraud — and there is no preregistration.

Badges are $230, so with 20,000 attendees, the con organizers will carefully process around $4.6 million over three days. This makes for long lines. I waited 90 minutes ... this experience is affectionately known as Linecon.

The line's integrity is maintained by lovely folks called Goons, Defcon's volunteer security force.

This is the admissions package. Contents include a vinyl record badge, a newspaper schedule, stickers, and various CDs.

The badges, aka vinyl records, are worn around the neck using lanyards. This makes all conference-goers look like Flavor Flav from the hip-hop group Public Enemy.

Luckily, Flavor Flav approves.

Defcon banner art by official convention artist Mar Williams.

Defcon hotel floor sticker art, also by Mar Williams.

One of the cafes near the Paris Casino was designated for exclusive use by Defcon attendees.

This is a typical line experience when attending scheduled talks. Defcon is so massive that a single individual can only attend a minute fraction of the available track talks, skytalks, village talks, contests, and workshops — not to mention any of the secret, invite-only gatherings.

This is the "Medical Devices: Pwnage and Honeypots" talk given by Scott Erven and Mark Collao. When I arrived, only standing-room space remained.

At the talk, I learned that many of General Electric's medical devices feature remote access capabilities that use default factory passwords, such as "bigguy."

According to the speakers, GE claims this is not a real security problem because default passwords can be changed, but the speakers argue that, according to existing license agreements, if a medical provider changes the password, then the device is no longer eligible for troubleshooting — something akin to voiding a warranty. Default passwords are problematic because they can allow any knowledgeable patient to alter their morphine drip or an outside hacker to change the radiation setting on CT machines, exposing patients to harmful levels of radiation without a medical tech or doctor's knowledge. There is little precedent for dealing with these new problems.

This is the Defcon Contest Area, in the Bally's Event Center.

The Contest Area is home to the Packet, Car Hacking, and Data villages; Capture the Flag; OpenCTF; Mohawk-Con; and a music stage.

Here's a guy inspecting a semi-disassembled SUV in the Car Hacking Village.

Hackers could learn a lot about vulnerabilities in vehicles in the village.

Some SUV parts.

Someone removed and mounted the dashboard from a sedan.

A look inside the stripped car.

A Tesla Model S was also present at the Car Hacking Village, but mostly for show.

Karaoke at the Car Hacking Village. This guy's singing Gary Numan's "Cars."

♪ Here in my car / I feel safest of all / I can lock all my doors / It's the only way to live ♪

Capture the Flag is a hacking tournament made up of 20 teams of eight who qualify in order to participate. The competition arguably attracts some of the best hackers in the world.

There is also an OpenCTF event, where anyone can participate.

Folks participating in the OpenCTF contest.

This is the FTC RoboKiller contest table, a $50,000 contest challenging programmers to create software to help consumers identify and kill illegal robocalls.

Salvador Grec presents his talk "Creating REAL Threat Intelligence with Evernote" in the Packet Hacking Village.

The epicenter of the Packet Hacking Village.

The infamous Wall of Sheep is intended to shame conference-goers who exhibit poor computer security practices. For example, connecting to the WiFi network and logging into an unencrypted website will get you added to this list.

Now over to the Emerging Technology Threats table.

This is a SCADA system. Variations of these systems are used to monitor and control factory equipment, power plants, water treatment facilities, etc.

All about Open Access 4.0.

Not 100% sure, but this looks like a security keypad terminal connected to an Open Access 4.0 board.

Mike Ryan and Richo Healey drink with the Defcon Goons during their "Hacking Electric Skateboards" talk.

Mike Ryan and Richo Healey are able to hack — i.e., take command of — various skateboard models by jamming radio signals and broadcasting their own signals.

At Defcon's Vendor Area, a wide variety of items can be legally purchased.

Here's the Hak5 table. The giant pineapple advertises the infamous WiFi pineapple device, which broadcasts a WiFi honeypot (trap) that can be used for penetration testing (hacking).

Hak5 also sells the LAN Turtle — a USB device which opens backdoors for hackers wishing to connect to a network remotely — and the Rubber Ducky USB key, which can be used to capture all text entered on a keyboard and more. Prices are reasonable.

Lockpick sets are also for sale. Caveat emptor: Lockpicks may be considered burglary tools in several US states.

Free internet = giant antennas that can allow you to connect to your neighbor's open WiFi access point down the street.

Vinyl stickers for decorating laptops.

Books for sale.

Hackers for Charity is a nonprofit that solves technology challenges for various other nonprofits and provides food, equipment, job training, and computer education to the world's poorest citizens.

Meanwhile, back at the casino, someone set up a rogue WiFi access point, which was promptly removed by Goons and casino security.

This DARPA server contains more than 1,000 Xeon processors and runs software which algorithmically scans software for weak points and patches them on the fly. This is probably the early stages of an artificial intelligence that is capable of attacking and defending computer networks autonomously.

William Gibson fans should immediately think of I.C.E.

The DARPA Cyber Grand Challenge is a $3.7 million prize competition that "seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches, and deploying them on a network in real time."

You can read more about the DARPA Cyber Grand Challenge here

Here's a view of the "Chillout Room," a place to relax, eat, drink, and chat with fellow attendees while listening to Chillout music.

At the ICS Village, there are industrial control system devices available for tinkering.

BTW: This is not actually a centrifuge for nuclear enrichment.

Some examples of controls that can be breached.

During one of the ICS talks, someone caused a drum barrel to violently collapse under the pressure of a vacuum, providing a perfect demonstration of the potential real-world consequences of ICS tinkering.

The shock wave shook the room.

In the IoT Village, I learned about the various ways many Internet of Things devices can be hacked.

At the BioHacking Village, I learned about the MinION, a $1,000 USB device by Nanopore Technologies, which is used to sequence DNA.

At night, attendees can retreat to the 26th floor for musical entertainment at Defcon's Black-and-White Ball.

The view from the party.

Or attend any of the many private parties. As in life, attendees at Defcon choose their own adventure.

FYI: You may have to social engineer or bribe your way in.