Def Con 23: Where PR stunts and hackers come together

Having outgrown the odiferous corridors of the Rio, hacker conference Def Con entered this year by relocating to Bally's Hotel and Casino -- a venue described to me, in turns, by a Mandalay Bay hairdresser as "a shithole," a taxi driver as "a punishment" and a Mandarin Hotel bar waitress as "totally haunted." It turned out to be all that and much more.

Def Con's move to Bally's and its adjoining property Paris allowed it to accommodate an estimated 20,000 attendees this year. And, like a goldfish growing to fit a big new bowl, the talks, expo, workspaces and hacking villages filled the vast ballrooms in each hotel to the limits. Lines for talks were long, and huge ballrooms were packed. In a time when stunt hacks garner headlines readymade for cartoonish CSI: Cyber plotlines, overhyped hacking talks were more overcrowded than ever; companies engaged in successful PR subterfuge on a bigger stage; and the U.S. government basically begged us to like it.

Thursday, August 6th

It's always twilight in a casino, so you couldn't tell it was 6AM when a long line of hundreds wound itself down the Paris hallway with cash in hand, waiting for the first-come, first-served cash-only registration. This year's theme was The 23 Enigma: A Hacker Noir, and hard-boiled cyberpunk artwork covered elevator doors, floor medallions throughout conference hallways, banners, signs and all the goodies in the registration packs. After getting a month's worth of exercise going from "Inhuman Registration" in Bally's to "Human Registration" in Paris, and back again, and back once more, I managed to get my press badge. This year, the press badges were yellow. Yellow for journalists. Get it? Few did.

LosT/1o57 gave his talk on breaking YubiKey in mid-afternoon, and Scott Erven and Mark Collao terrified us by presenting six months of network-connected medical-device hacking. No one was nearly killed as part of their demonstration, so I assume it'll be a few years until their work on patient safety and device network security ends up on Fox News and vendors are shamed into fixes.

By the evening, a few channels on the Bally's hotel TV network have been commandeered by Def Con. One channel would eventually run a live video feed of talks, but until then, we're tortured with endless episodes of Hak5. This will soon give way to a maddening loop of Code Rush (the 2000 Netscape documentary) which I caught just as Jamie Zawinski warned the interviewer that someday the internet will be run by corporations and suck as much as TV.

Friday, August 7th

The time for using WiFi, or trusting cell towers, had passed long ago. Is the food terrible? Check. Does drinking the coffee make licking the carpet look like a palate cleanser? Check. Have you witnessed con drama between bros before noon? Check. No matter what hotel it's at, Def Con hits all the notes right on schedule, and if I didn't have so far to walk, I'd stop to get a much-needed drink.

Hacker Chris Rock blew everyone's minds in his I Will Kill You talk, about staging fake deaths and births and profiting off them. He clearly knows what he's doing. Book signings drew crowds into the expo, where much-loved researcher Bruce Schneier signed a happy fan's Kindle and posed for fan photos. The rifle talk was stuffed with humans, and the Tesla talk, originally positioned to suggest a massive zero-day drop, came off looking like a carefully planned PR stunt for Tesla.

When a talk appeared on the Def Con schedule offering active Tesla hacks, the company didn't go silent or attack researchers, as many companies often do. As the talk's starting time approached, Tesla issued a patch for the hacks, and also sent a car, a PR team and its CTO to Def Con -- who went onstage and thanked the researchers, toasting them with a group round of shots. Tesla turned the message into "Tesla loves hackers" as he also announced Tesla was hiking up its bug bounty, that it wants to hire hackers, and handed out shiny collectible Tesla challenge coins for bug bounty winners. The tune seemed to have changed from pre-talk mischief -- "gosh we can't be responsible with what you do to Teslas with our hacks" -- to "Tesla has really great security."

By 8PM, I was at the pool for the conference-within-a-conference Queercon party. No food is allowed so I smuggled an entire pizza in my laptop bag, and the bartenders poured us on the heavy side. Every hacker who cares about status and VIPs is waiting in line trying to get into the bro-tastic Facebook party... somewhere else. Loads of new friends are made on a spreading pile of towels by the pool, and we took the LEDs out of the light-up, branded Trustwave foam pool noodles. Hackers of all genders and orientations lost their clothes and swam, and drank, and played with hacked gadgets in the warm Las Vegas night. The pool lockers failed, and soon a delighted dream team of hackers assembled, starring every skill set Def Con has to offer. Several drinks later, the lockers were gleefully opened.

I was back in my room by 3AM and Code Rush was on again. I raised a glass, and texted Jamie a picture of himself on my hotel's hijacked Def Con TV. My feet were numb, so I tried to level up the rest of my body with bourbon.

Saturday, August 8th

By noon, Paris and Bally's were jammed with a constant shoulder-to-shoulder flow of bodies between the two as Def Con attendees go from capture-the-flag hacking competitions to the expo, from talks to lock-picking villages; and in an upstairs ballroom, Def Con Kids flew hacked drones, and workshops on hacking basics of all kinds filled up. During lunch, Dan "AltF4" Petro and Oscar Salazar's talk on cracking smart safes was broadcast on Def Con TV to Bally's -- and now, also Paris -- hotel guests. Somewhere, John McAfee was filming his new TV show for Spike. Hackers complained to me that reporters were asking them if they did illegal things.

On the Def Con vendor floor, lockpicks, T-shirts, books, WiFi-hacking gear and more were sold at a brisk pace. One booth displayed a banner for Tyrell Corporation and featured a wanted poster for Roy Batty -- and a woman dressed perfectly as Rachael from Blade Runner handed out Tyrell Corporation propaganda.

Over in an Internet of Things hacking village room, the one for SCADA and Industrial Control Switches, a giant display of a water-processing plant showed all the points where control switches operate, and invited attendees to hack the switches. It's a massive display that I found out cost a pretty penny, and was put together by a number of security companies -- most of which are competitors. When I pointed that out to the man monitoring it, he explained that they've all come together in the name of raising awareness for public safety.

In the corner was where Jason Larsen and a co-presenter gave a demonstration on switch hacking, changing temperature flow in and out of a steel drum. Unexpectedly, during the demonstration a burst of cold air caused the drum to implode violently, scaring the hell out of attendees and causing a palpable pressure change in the room. It was a sobering demonstration, which left the IO Active researchers rattled, and left the drum frighteningly collapsed -- it was later auctioned off for charity.

By evening, everyone's tired, but that night was the big IO Active/Def Con pool party. The line for the party was long enough to make us question our choices in life, although I managed to get in. But after stewing in a pool with too many hacker bros for my taste, leaving was more appealing. By the time I get back in my room, Code Rush was on again, and I cursed Jamie for being right about the internet, and change to channel to a lucky hit: Point Break.

Sunday, August 9th

The Def Con goons were amazingly smiley, considering how many hotel guests they've had to keep out of the conference. You could tell the guests apart, not just by the look of OMGWTF on their faces, but also by the fact that they didn't have 10 blinky circuit boards on lanyards weighing down their necks, like everyone else doing a sore-footed death march around them.

Many said this was "the year" of the car hack. But, from what I saw, I'm inclined to agree with Hack A Day, which called it "the year of the unofficial hardware badge at DEF CON 23."

It seemed like no one has just one badge. Attendees layered them on with various flashing LEDs, microcontrollers, microphones, AM transmitters, crypto puzzles and much more. The infamous black badge (the "Uber" badge awarded for winning contests and providing free lifetime attendance) this year was actually radioactive. I discovered to my dismay that I didn't qualify for a Queercon badge and the rest were sold out, and once I started to see what the badge could do, I just wanted to go home and drink alone in my closet, where I clearly belong.

The Queercon badge was somewhat like a Tamagotchi, and you named your character -- which could sense other characters on other people's Queercon badges. The wearer collected "points" by getting in proximity of other Queercon badge holders, to unlock a variety of cool levels and functions, with the promise of finding your "twin" -- a badge matched to yours. The features were inherently social in nature, prompting wearers to make lots of new friends, and one level allowed the wearer to make the badge run a special LED color sequence either every 10 minutes or when in proximity to another badge holder. The sequences I saw available were the colors of gay pride, trans pride, bisexual pride, leather pride and bear pride (though there may have been more).

It wouldn't be Def Con if the feds didn't show up with relationship issues, hoping we could all process with them. In a Friday talk, Deputy Secretary of Homeland Security Alejandro Mayorkas drank shots onstage and did his best to cozy up to hackers. He got laughs for his ancient flip phone, but the unease was constant as he sidestepped a question about taking a stand against government backdoors for encryption.

Two years ago, and fresh off the heels of Edward Snowden's disclosures, Def Con told the feds to take some time off. So it's important to note that the DHS was allowed in because it's not the National Security Agency, FBI or other branches, and aren't directly spy or law enforcement agencies -- who still aren't welcome until they "explain themselves" according to Def Con head honcho Jeff Moss.

"If the FBI or the NSA or the CIA wanted to try to give a speech, I think there would be some problems," Moss told Agence France-Presse. "If other agencies want to come and try to repair relations, I counsel them to really think through how they are going to repair trust."

Later, on Sunday during the closing ceremonies, Moss announced that the theme for next year would be "Rise of the Machines" and there would be a Cyber Grand Challenge pitting DARPA's machines versus Def Con hackers in a capture-the-flag style contest -- with nearly $4 million in prize money.

It was almost time for it to be safe(ish) to go back online again. I'm convinced Bally's is haunted, and I'm told that Def Con will be here next year. I miss food, sleep and coffee that doesn't make me weep openly with each sip.

Def Con 23, with its gorgeous noir theme, is over.

Next year: Skynet, here we come.

[Image credits: tomhung (imgur), collapsing steel drum; all other images courtesy of Violet Blue and Roberto Baldwin]