Las Vegas was invaded by hackers this month. The Black Hat and Def Con conventions were in town. I attended both this year, which gave me an opportunity to compare and contrast them.
Black Hat was first. Held the first week of August in the Mandalay Bay Convention Center, this conference hosted thousands of attendees, offering varying levels of activities. At the cheap end of the spectrum, the vendor floor teemed with dozens of security products — the same ones you see at RSA. In fact, it was virtually indistinguishable from the venerated RSA conference I attend every year at the Moscone Center in San Francisco.
This was my first visit to a Black Hat conference. Being only somewhat cheap, I paid for the $500 business pass, which allowed me to get into vendor-sponsored sessions (all of which felt a lot like sales pitches to me), as well as an open room containing several tables manned by representatives of open-source and noncorporate technologies — which I found very interesting. But the good stuff — hacking demonstrations like the ones that show how to take control of a Jeep or Tesla — was out of my price range. These cost thousands of dollars to get into, and some required additional special fees of thousands of dollars more. I’m not sure who has that kind of money to spend to see real-life demonstrations and get hands-on mentoring in hacking techniques — it’s hard to imagine individual hackers spending that kind of money (unless it’s someone else’s, ha-ha).
In any case, the parts of the Black Hat conference I went to felt very corporate and not underworldy at all. From the online registration process to the hotel booking, everything was streamlined and smoothly managed. There were even big vendor-sponsored parties each night, just like at RSA, with plenty of booming music, smoke and laser effects, wall-to-wall people, free drinks, and not enough food. What more could we ask for?
In contrast, the Def Con “hacking conference,” as they call it, feels much more down-to-earth and closer to its hacking roots. Following immediately on the heels of Black Hat, also in Vegas, Def Con took place the second week of August. I’ve been going to Def Con (on and off) for nearly 20 years, since its early days as an underground gathering of technophiles. More affordable and less glitzy than Black Hat, Def Con was nearly as fun and interesting to me this year as it was in the late ’90s. I saw some great demonstrations, chatted with some interesting people, and generally learned more than I did at Black Hat. One of the most interesting topics was the Internet of Things. There are so many exploits — from refrigerators to thermostats to baby monitors to cars — that look so easy to perform, I just can’t feel safe anymore. And that’s surprisingly exciting. I got so paranoid, though, that I turned my phone off, just to be safe.
A classic diversion at Def Con is known as “spot the fed” — a fun game of differentiating representatives of our government’s three-letter-agencies from the corporate suits and hackers at the conference. I didn’t see anyone this year who looked like an obvious employee of an agency, but I saw plenty of people who looked just like me, in their business casual. And I thought I could spot the hackers pretty easily — brightly colored or unusually styled hair and edgy looks like leather and Goth struck me as clear indicators of underground denizens — but who knows? In any case, I’m sure I rubbed elbows with people from many different walks of life. It was, as always, a memorable and energizing experience.
Of the two conferences, Def Con is hands down the winner for me. I enjoy delving into that world from time to time, and it was nice to get out of the office and my mundane corporate existence for a while. I’m already looking forward to next time.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Click here for more security articles.
This story, "Milling with the hackers at Black Hat and Def Con" was originally published by Computerworld.