black hat and def con

A week ago I was in Las Vegas, surrounded by thousands of people attending Black Hat and DEF CON, the computer security industry’s two most important US gatherings. I had never been, and I loved it. I loved it.

What could be more hyperbolic than an army of hackers building a hive within Las Vegas, a place that is already a cartoonish, predatory and vacuum-sealed daydream? We have all watched decades of hacker movies and shitty quasi-martial CBS procedurals where geeks have piercings and weird hair and (when in front of a keyboard) superpowers. My expectations had been set by portrayals I knew to be bad. Surely the reality would be different, which is a euphemism adults use for “disappointing”.

But it wasn’t. It was a wonderland. Those production designers did a better job than I thought. And the superpowers are real, albeit demanding of much more time and tedious scrutiny of IDA Pro output than can comfortably fit in three acts and 46 minutes. But I’m getting ahead of myself.

I did not understand the difference between Black Hat and DEF CON before going. Black Hat is more professional, I had heard. DEF CON is cheaper. A lot of the same people go to both. All of this is true, but it’s a shallow explanation.

Black Hat is an expertly-produced conference for security professionals, a category that includes researchers, software vendors and surely more than a few cybercriminals. Its escalatingly expensive tiers of access allow participation in the frenzied vendor hall; attendance at the “briefings” where new and sometimes dangerous research is presented; and “classes” where specific attacks are taught–to use a not entirely hypothetical example, a fun class exercise might involve bringing Iran’s IP address block to its knees for an hour or two.

I was surrounded by khaki pants and polo shirts and a pervasive air of menace. My most vivid memory of the conference is among my first: walking into the keynote, an impossibly vast space even by Vegas’s improbable standards. Far above me the ventilation system exhaled a low, cavernous breath. The only light came from the projection screens that relayed the distant speaker’s image, bright like windows in a spaceship orbiting a blue-white star. By that light I could make out the silhouettes of the audience, thousands and thousands of them sitting in shadow, waiting to learn something new and frightening. You don’t take photos of other people at Black Hat, but in a room like that it would be hard, anyway: they’re not even lit by their own screens. Bringing a computer into such a hostile network environment is considered by most not to be worth the risk. I’ve never seen fewer computers in a conference audience than at this computer security conference. Everyone there learned long ago that if you are in the business of having prey you are also in the business of being still and unnoticed.

It freaked me out. Black Hat’s lightning talk track is called “Arsenal”; on Twitter, observers complained about talks that didn’t come with working code. This is not an academic conference.

DEF CON begins as Black Hat ends, and it is fundamentally a social gathering. The Black Hat attendees slip into a less stony kind of crypsis, cheerfully blending in with people whose skills and interests are similar to theirs but who possess vastly less discipline. Things become a lot more fun. $240 — cash only — at the considerably seedier Bally’s got me a skull-shaped electronic entry badge with ciphertext printed across it, connection pins that would whisper more secrets if hooked to the right hardware, and absolutely no instructions. If you solve the puzzles built into it and the lanyards and the conference signs and the schedule booklet and a hidden subdirectory on the welcome CD-ROM and who knows what else, you win free entry for life.

This was just one of many badges. I stood in line to get a kit that let me build a different badge, this one associated with an annual cyberpunk role-playing game. I soldered it together at the hardware hacking village’s free workstations; afterward I could use its infrared LEDs to trade handles with other players, then send them radio messages. There were badges that could connect to your car’s diagnostic network, badges for the LGBTQ and women-focused subcons, and badges made by groups of friends where you just had to know a guy to get one. They blinked LEDs, and paired with each other, and had secret accessories.

The badges are only a small part of the con, though. In a little over 48 hours I learned about beating airport wifi portals, lockpicking, dumping and decompiling router firmware, messing with tamper-evident seals and hacking Italian parking meters. The vendor hall was full of booths devoted to hawking t-shirts rather than to collecting CISO emails; I bought gadgets to let me spy on Bluetooth network traffic and a USB thumbdrive that injects exploit code at a thousand characters per second. Around midnight on Friday I found myself in safety glasses, a nylon net cage, a 26th floor suite, and a state of considerable intoxication, all at once, as I prepared to pilot a drone against three other people vying to be the first to pop a balloon at the cage’s center. Across the hall you could get an RFID chip implanted in your hand for $60.

I was jealous of the kids whose parents had brought them. They were finding this place so early. There is a certain type of person with certain types of interests and this is where they occasionally gather, like migratory animals, for those rare experiences unmediated by LCD screens.

My ebullience at finding so many people of the same type as myself powered me through most of the weekend. But at some point I had to start asking myself what type of person that was, exactly.

On Saturday my badge was malfunctioning. It wouldn’t blink the way it was supposed to. I had no relevant tools to tinker with, and was eventually referred up to one group’s suite for help. There an exhausted man behind a mountain of soldering equipment and several empty Surge tallboys was explaining, to a semicircle of my fellow newbies, how he had designed and thought about the group’s badge. No, the group wouldn’t accept sponsorship, he said. They paid for it out of their own pockets. To get a badge you had to be cool, that was it. They never had as many to give away as they would like. He didn’t want to see them in the hands of certain people, people whose names I had never heard of but which he practically spat. No, this wasn’t his day job, he–he trailed off. “I don’t make a lot of money,” he said, breaking eye contact.

He was generous with me, and after attending to a long line of questions and requests for aid that had arrived ahead of me, he performed a simple diagnostic test and declared, reasonably, that the repairs I needed were beyond the tools he had present.

It was about five minutes into our interaction before I realized he was open-carrying a glock on his hip. That’s the kind that doesn’t have a safety. This made me pretty uncomfortable, but of course I didn’t say anything. I was his guest, in his and his friends’ suite. I thanked him earnestly and honestly and left to find someone else to help me with my badge.

That gun was jarring to me, but maybe it shouldn’t have been. What are all of these exploits, these network packet captures, these lockpicking sessions about, anyway, if not having power over others? All of us there wanted secret knowledge to make ourselves stronger. For some it’s because we can’t forget being weak before. For others it’s probably something uglier. But it’s hard for me to imagine any of it being born of an impulse that’s particularly noble.

At best, it can be enough to know when you have gained that strength, to limit its expression to sly winks and low-grade mischief shared with the similarly afflicted. That’s DEF CON. If you begin using that new strength for a living, or find yourself forced to face the people who do–Black Hat. Worse things, if you ask me.

Well, I might find its emotional foundation suspect, but DEF CON was a hell of a lot of fun, and I will be back. Eventually, I’d like to better understand why I want to go so badly. But my short-term goal is just to get faster with my new lockpicks.

Comments are closed.