
Feedback – Squad at #DEFCON27 (1/3): What's that?


August 26, 2019

If there is one event that is a must-attend for the global cybersecurity community, it is #DEFCON27.
Franck CECILE was our special correspondent on site and shares his personal impressions of #DEFCON27.

By Franck Cecile – TheExpert Cybersecurity Squad
See also:
- Squad at #DEFCON27 (2/3): My experience
- Squad at #DEFCON27 (Part 3/3): My impressions


Disclaimer

I would like to point out that this article is written from my personal point of view and reflects only my own opinion, bearing in mind that:

  • Language-related issues may have created a gap in understanding certain technical aspects.
  • Due to a flight cancellation, I was only able to spend two days there, so I didn't get to explore everything (considering it was my first convention of this kind).
  • My purely technical skills in the field of hacking are quite limited compared to visitors who are very knowledgeable in this area.

Other than that, I hope you enjoy the article as much as I enjoyed DEF CON!


Summary:

  • What is DEF CON?
    • What is it?
    • What's it about?
    • How?
    • Where and when?
    • Who is it for?
  • My experience at DEF CON
    • What did I do there, what did I see there?
    • In detail?
  • My personal feelings.

1. What is DEF CON?

What is it?

For those who don't know, let's quote Wikipedia: "DEF CON is the world's most famous hacker convention. It is held every year in Las Vegas. The first DEF CON convention took place in 1993." So I attended #DEFCON27, which took place just after/during BLACK HAT, another major hacker convention, also in Las Vegas. With more than 20,000 participants in recent years, DEF CON is one of the largest IT security conventions in the world. No small feat.


What's it about?

Hacking. Okay, that sounds a bit generic, but that's exactly the point. The strength of DEF CON is that it talks about hacking in general! As a reminder, hacking involves looking for ways to circumvent the security, protection, or defense measures in place on a computerized, digital, or even electronic or physical system (or set of systems).

DEF CON therefore focuses on discovering vulnerabilities and possibilities for exploiting network infrastructure equipment, computers, smartphones, industrial control systems (ICS/SCADA), cameras, electronic components, connected objects/IoT (vacuum cleaners, refrigerators, lamps, locks, thermostats, watches, sex toys... yes, you read that right, there was a presentation on penetration testing—no pun intended—on an anal plug... these guys know how to have fun), drones, and even physical locks (yes, a simple, traditional lock). And this is true regardless of the environments in which these systems are used:

  • Enterprise Information System (IT – office computing & server)
  • Industrial Information System (OT – Hydraulic dam, factory control system, city infrastructure management system, etc.)
  • Home automation
  • Ship / Airplane / Car
  • Seaports
  • Etc.

In short, it's broad. Very broad, in fact. One notable feature in France is that the cybersecurity market is mainly aimed at companies seeking to protect their information systems. Conferences such as Le Hack place much greater emphasis on methodologies for exploiting IT-related vulnerabilities. So much so that we tend to overlook the full range of possibilities.

DEF CON reminds us that IT ultimately represents only a small part of digital security, and that it is essential to redouble efforts to secure all equipment subject to cyber risk—whose nominal operation can be altered by a logical layer. It is likely that our colleagues across the Atlantic are one step ahead, and that they have understood that vulnerabilities are not only present in corporate IT infrastructures. It remains to be seen how the cybersecurity landscape will evolve in the coming years. Wait and see, as they say.


How?

How is all this discussed at DEF CON? As someone who is not familiar with this type of event, I must admit that this is what worried me most when preparing for my visit. What will I see? In summary, the main topics are:

  • Conferences: At DEF CON, there are at least 200 people per conference, in very large capacity rooms. And there are four of them, continuously occupied by speakers. Lots of people, lots of topics, very varied, all the time. That's no small feat.
  • Workshops: Technical exercises, places are limited (around thirty per workshop) and you have to register in advance (no more places available a few hours after registration opens, it's like an AC/DC concert). Participants bring their own PCs and practice discovering, exploiting, or understanding vulnerabilities. A minimum level of skill is required, but most workshops are accessible to beginners.
  • Villages: This is the part that intrigued me the most. A Village is simply a dedicated space with one or more stands, each with a specific theme, where you can chat, attend talks (mini-conferences), try out products and systems, see how they work (flight simulators, maritime simulators, etc.), or take part in CTFs (Capture The Flag). Manufacturers and publishers also take advantage of this to set up bug bounties, allowing them to test their products at a lower cost.
  • Competitions: Mainly CTFs, but also other competitions, including one for the DEF CON Badge, which is renewed every year.
  • Technical Demonstrations
  • And lots of other cool stuff: big parties, movies, workspaces and discussion areas, vendors (we're talking about vendors dedicated to the world of hacking, including clothing, book, and sticker vendors, hairdressers, but above all vendors of specific electronic equipment... no more big infrastructure equipment vendors such as Cisco, CheckPoint, Palo Alto, Microsoft, etc.), a Wall of Sheep displaying the least diligent users who were hacked during DEF CON, and so on.

Where and when is it?

Las Vegas. In this case, the 2019 edition took place from August 8 to 11 in four hotels, and not just any hotels. We're talking about the Paris, Bally's, Planet Hollywood, and the Flamingo, four of the most prestigious hotels on the North Strip. It's not always easy to navigate between the different areas of the convention, especially when moving from one hotel to another in the sweltering heat of Las Vegas (over 40°C). It's worth noting that there is now a DEF CON China in Beijing, held in late May/early June.


Who is it for?

Clearly, for anyone who identifies as a hacker or is involved in the hacking community, whether professionally or as a hobby.

Hold on, you might say, isn't this also true for anyone working in IT security/cybersecurity? Well, in my opinion, yes and no. It's fair to say that a cybersecurity consultant/network integrator/risk manager/SOC manager/etc. definitely has a place at this kind of event. But (because there is a but)! This is clearly not the target audience.

DEF CON is BY and FOR HACKERS.

At DEF CON, we operate in an exciting and vibrant microcosm, made up of people with a wide variety of profiles (ranging from hobbyists to expert professionals, from shy and unassuming personalities to completely eccentric hackers—there's no shortage of them). But they are all united by a shared passion for new technologies, computer hacking, and OFFENSIVE (or even defensive) security, and have (very) advanced technical skills.

For those who do not fit this description, the event remains, in any case, a must-attend cybersecurity event. So don't worry, even if you're not best suited to participate in the workshops, or if you find yourself technically limited when studying a vulnerability, DEF CON undoubtedly provides opportunities to meet people, learn, and discover this exciting world.


See also: Feedback – Squad at #DEFCON27 (Part 2/3): My experience

https://theexpert.squad.fr/theexpert/security/retour-dexperience-squad-a-la-defcon27-2-3-mon-experience/