DEF CON is Not a Conference for the Faint of Heart

Early on the morning of July 16, 2001 Russian programmer Dmitry Sklyarov left his Las Vegas hotel room with nothing more pressing on his mind than getting a bite to eat before his flight back to Moscow.

Instead, he walked into the waiting handcuffs of a team of FBI agents sent to arrest him for violations of the Digital Millennium Copyright Act (DMCA), making him the first person ever to be arrested under that law. The Russian company that Sklyarov worked for, Elcomsoft, had written and published, in Russia, a program that could circumvent the protections placed on ebook files created by Adobe and other vendors. Sklyarov was one of a handful of programmers that had worked on the software. The Feds couldn’t reach Elcomsoft, but they could nab Sklyarov as long as he was in the United States.

How had they known where and who he was?

Skylarov had developed some expertise in the encryption methods used in the ebook formats Elcomsoft had cracked. As a service to the security community, he’d come to Las Vegas to give a presentation on how exactly those techniques had been circumvented, pointing out the weaknesses to other programmers and cybersecurity professionals so they could avoid similar pitfalls.

And he’d done it at DEF CON, a hacker convention swarming with all stripes of hackers, federal agents, and security professionals engaged in fun, games, and serious security research that happens every year under the stark desert sun. The FBI and any other national security agency interested in the event—which is all of them—knew right where to find him.

It was just another moment of drama at a conference that is filled with both tension and entertainment. The incident showcased some of the major players and controversies in the cybersecurity field, something that DEF CON does every year.

DEF CON Brings Cybersecurity and Hijinks to Sin City

DEF CON is not a conference for the faint of heart. Past attendees have had their ATM cards skimmed, cell phones hacked, been fired by their employers, or been kicked out and heckled along the way as suspected reporters. It’s pretty much assumed that if you fire up a wireless device of any sort within a 10-mile radius, your packets are going to get sniffed.

Ninety percent of the time, it’s all fun and games—hackers hack, and when you go to a hacker convention, hacking is the whole point. In fact, the official show badges are often hackable by design, part of the annual Badge Challenge contest. But the games aren’t restricted to the badges, as the Wall of Sheep each year demonstrates. A huge video screen at the conference, the Wall of Sheep is constantly refreshed with the address, login, and partial password of systems that have been exploited from the conference floor.

Despite the heavy presence of federal agents and law enforcement at the event—so heavy that a game called “Spot The Fed” has become a prominent part of the conference—this outright illegality is typically overlooked as part of an uneasy truce between hackers and officers. As the Sklyarov arrest demonstrated, sometimes that truce is broken by one side or the other.

More recently, the feds also used DEF CON to nab British researcher Marcus Hutchins in 2017 on hacking charges. And a flurry of injunctions are almost inevitable prior to major presentations that might expose security holes in major pieces of software. Cisco, the Massachusetts Bay Transit Authority, and HBGary Federal have all sued to prevent researchers from exposing gaps in their security systems at the conference.

From Humble Beginnings To A Fixture In The Hacking Community

DEF CON was started by an unassuming fellow named Jeff Moss, better known in hacking circles as The Dark Tangent. His handle was taken from a FIDONET board that he ran, and what turned into DEF CON originated simply as a party for a fellow BBS operator who was moving and had to shut down his node. When the other organizer didn’t show up, Moss simply invited all his other hacker friends to Las Vegas in 1993 and everyone had a blast.

In fact, they enjoyed it so much that everyone implored Moss to make it a regular thing. Moss had run a popular hacking board but also had plenty of contacts on the corporate side of cybersecurity from his job with Ernst and Young’s Information System Security division. Having made a name for himself in both the white and black hat communities, it only made sense to bring everyone together and make it an annual event.

The conference has been held there every year ever since, growing to an estimated 25,000 attendees in 2017.

Moss decided to call it DEF CON partly as an homage to the classic inspirational hacker movie, “War Games” and partly as a tip of the hat to phone phreakers (DEF is the number 3 on a telephone keypad) with “con,” of course, being a common shorthand for “convention.”

But if the nomenclature is typical of conferences, other aspects of DEF CON are not. You can’t pre-register for the conference because proof of identification is not required and many attendees prefer to use hacker handles or pseudonyms. You have to buy tickets at the event and only cash is accepted, both to avoid fraud and to avoid accumulating information that law enforcement could subpoena. And you’re likely to hear in various places throughout the year that DEF CON has been cancelled. It hasn’t. Hackers just like a joke.

It’s possible to get a press pass to DEF CON, but it’s work to keep it—the conference has strict rules on preserving the anonymity of attendees. Catching an uncovered face in the distance in the background of an interview piece can and has resulted in summary removal from the conference.

Even more coveted is the famous Black Badge—an award offered to some contest winners or other attendees with major accomplishments performed at the conference. A Black Badge allows free entry to DEF CON for life.

Serious Cybersecurity Work Happens In The Shadows at DEF CON

DEF CON has come to offer an open venue for big security breakthroughs. The Cult of the Dead Cow released their Back Orifice 2000 Windows hacking tool at DEF CON 7 and set the stage for annual presentations of big, ground shaking exploit or hacking tool announcements.

Keynotes have been delivered by such varied luminaries as chess master Garry Kasparov and head of the National Security Agency Director Keith Alexander. Presentations on every security topic imaginable are on offer, and contests such as DARPA’s Cyber Grand Challenge have resulted in major breakthroughs in automated security software. A WiFi shootout competition in the desert in 2005 resulted in a record-breaking 125-mile wireless network connection.

Like all big cons, a variety of ancillary activities have sprung up around it to cater to special interest attendees.

• DEF CON Shoot – Every year a group of hackers and guns head for the hills outside of town to geek out on firearms and shooting techniques.
• DEF CON Toxic BBQ – A gathering of grill masters and foodies in a park somewhere in the Las Vegas area to hack together some truly amazing food.
• Hacker Jeopardy – A trivia contest covering the kind of random facts that geeks often know, such as UNIX Bugs, Famous Hacker Busts, and the size of, uh, equipment owned by famous porn stars.
• Spot The Fed – An ongoing contest to pick out federal agents from among fellow attendees.
• Capture The Flag – One of the longest running and most heavily contested events, this isn’t the traditional hide and seek game played in the woods, but a series of hacking challenges played between teams.

Besides these, there are always informal and sometimes impromptu contests for picking locks, hacking mobile devices, or sometimes just drinking contests.

Recently, the con has incorporated focus villages to concentrate on various aspects of hacking, such as:

• Bio Hacking
• Cryptography
• Wireless Hacking
• Car Hacking
• Voting Machine Hacking

Security vendors have also become prominent at the conference, both to hawk their wares and to receive feedback from the folks who are busily trying to break them.

Although the conference has been questioned and sometimes condemned, it’s unlikely to go away anytime soon. The interaction, both among independent security researchers and between them and their corporate or law enforcement counterparts, is simply too valuable, and the value grows with the increasing onslaught of cybercrime. Hacking outside the conference has become a significant threat to the stability of commerce and communication systems. DEF CON remains the one venue in which such serious matters can be openly debated in an atmosphere of fun and exploration.