Tonite, my unconventional conventionists -- Defcon report (some adult language - lotsa pics) ...

Ok, I promised you Film At 11, so here it is!

Foreword:

This is probably one of the most unusual trip reports that's ever appeared here.

Yes, there's a little bit of "before wheels down" in here, but stay with me, as it's relevant, very much, to the trip!

Let me start out by saying that I'm no stranger at all to such things as conventions, conferences, trade shows, training seminars, workshops and such. Over my too-many-to-admit years I've participated in more than I can possibly count or even remember. I've attended as a participant, as a vendor, as a speaker, as an exhibit coordinator, a sponsor's representative {dot dot dot}. I thought I had seen them all, until last week, that is.

To make a long story long ...

This all started a few months ago when I was having a supposed business lunch with a colleague and a couple of guys from one of my clients, both who I would describe as hardcore techies.

The requisite business discussion turned into chit-chat and all of a sudden the words "Hey, you like Vegas, right?" were directed to me.

{**perk!**}

"Why don't you come out with us to Defcon?" "You're kidding!" "No, I'm dead serious and you would fit right in."

I said that with all honesty, if this was an information security conference, there were others in our group who would be far more appropriate to attend. They kinda looked at each other and laughed.

They did say there was a lot that I would find of interest.

When they kept using lines such as "You will definitely fit in" I began to wonder what I was getting myself talked into.

For those who don't know, Defcon is an annual "Hacker" convention, and the definition of the term "hacker" is probably more misunderstood than it is correctly understood.

As an aside, you will see "Defcon", "DEFCON", and "DEF CON" at various times and places. According to the chief organizer, "DEF CON" is preferred, with "DEF" having phone phreak significance.

They did warn me, however, pointing to what I was wearing, that if I showed up at Defcon in business casual, I would be significantly overdressed! (Hold that thought!) "Just wear what you might wear to the casino on the weekend." LOL, I said I could live with that.

My retired boss, who I still keep in touch with, used to tease me about going on a "boondoggle" whenever I would go to Las Vegas on business. He was mostly joking, but he knew quite well that I loved going there and that I would sneak in some R&R and even sneak in some EtOH on the expense report. He was always joking that when I dialed into a conference call when in LV he could hear slot machines in the background.

I realized that, finally, I was about to go on a genuine Las Vegas Boondoggle, or so I thought, for real!

The stars all aligned. I honestly could not try to justify doing this on company time, but I'm in the situation this year that I have tons of use-it-or-lose-it PTO, so that's one more reason to do it. It actually ended up using only three days.

I did ask my "sponsors" regarding the admonition posted here to the effect of "use a burner phone" and don't carry credit cards and the response was "Oh Bullsh*t, you're smart enough, use common sense!"

They did suggest not staying at one of the conference hotels. They were up at Cromwell and I got a semi-decent rate at SLS, which has actually become one of my faves in LV. (Yes, soon to become Grand Sahara, I know.)

I won't post any hotel photos this time. The room was almost identical to the one I had when I posted these photos here:

https://www.vegasmessageboard.com/forums/index.php?posts/1460716/

This one had more of a real door to the bathroom, but otherwise was laid out the same.

For extra credit, you can also check out the Junior Executive Suite I also had at the SLS once. Surf here:

https://www.vegasmessageboard.com/forums/index.php?posts/1493122/


The Con:

Defcon, this year, was hosted primarily at Caesars Palace and has grown so much that they spilled over into the Flamingo and the Linq.

One of the main differences between Defcon and other conferences is that it's cash only, no pre-paid registration, and totally anonymous. That's right, you CANNOT register in advance. You register, check in, and pay on site!

I was admonished to get there early to avoid an hour or so wait.

Registration opened at 0600 (the entire conference operates on 24 hour "military" time, including such hours as 2500 and 2600, with the 2600 timeslot having special historical significance to the event) and I got there 8:00-ish, or make that 0800-ish and I had about a 10 minute wait to register. Not bad, and as I was wandering over to do breakfast at Bally's a guy riding up the escalator as I was riding down saw my badge and asked how long the wait was. I said about 10 minutes, and then I heard another voice behind me say "Yeah, about the same for me."

One thing I sure noticed when I was waiting on line to register was that it appeared that (almost) everyone (except me!) was wearing black! I have TONS of black tees and tank tops and such, but I figured "naawww, too hot" and didn't pack any! As the weekend progressed, a more diverse collection of colors evolved. (You may now release that thought.)

There's no registration form to fill out! You don't have to give your name. You CAN'T give your name! They don't want to know it! They don't have a need to know it. Really! You just step up to the registration desk, hand over $280 (which is cheap for a four-day conference), and they hand you a packet consisting of ...

1. A conference booklet.
2. A sheet of stickers to be used for various mischief.
3. A CD (or is it a DVD?).
4. Your conference badge.
5. A 4-pack of batteries for your badge!



The badge is something else! Nowhere on it does it say your name or even have a space for it! None of this "Hello, I'm so-and-so", or "so-and-so from {city, country}", or "so-and-so representing {faceless corporation}", or "{sponsoring entity} welcomes so-and-so" or anything like that. No bar code or QR code to be scanned by vendors.

Here, a picture is worth thousands of words.



The batteries are on the rear.



You might wanna do a closer view of the front of the badge to follow along with some of this. Surf here:

https://farm2.staticflickr.com/1833/42228036570_10b12219d5_b.jpg

Mine is marked "Human", which is Defcon-speak for rank and file attendee.

Red badges are for "goons", which are the volunteer {slash} organizer {slash} security {slash} traffic cop {slash} babysitter types. Other types of badges are for things like speaker, vendor, artist, etc.

There's quite a story to the badge. It's actually kind of an "Adventure Game" (remember those?) which you can play two ways. You can actually do it from the badge itself, using the smiley-crossbones and the 26 pads on the bottom of the badge, or you can get fancy and plug your laptop into it and play it in text mode as you move through the scene.

That green figure toward the upper left is the human (YOU, or in this case ME) and it follows as you move through the various rooms. I'm now in the garage and there's a couple of lifts (elevators) below me as well as an auto shop and a control room. The room to the bottom right is a subway, with a train in the station. The character at the bottom left is B0B0 the robot, who loves eating DEAD BEEF.

The two red figures are goons, kind of like a Grue I guess. There are two of them on my badge since I have previously "paired" with a goon. You start out with one goon on the screen.

To solve the game, it's necessary to "pair" your badge with others at the conference, particularly those who have different badges than you, such as vendors, artists, goons, etc.

Notice the cream color connector on the bottom right of the badge:



Here's a closer view, but it's grainy since I really did not have a camera with me that could do close-ups very well.



LOL, I guess since I'm back I could re-shoot it but ... ...

Anyway, by taking any two badges and flipping one over, the two connectors will mate causing the badges to "pair" and exchange information, some of which may be necessary to solve the game.

The object of the game is to get all six letters "D E F C O N" green, and I never got it that far. I ended up never pairing with Artist, Black, and one other type of badge.

This encourages the people to interact and get to know each other, even if only to connect for a few seconds by pairing badges.

I did, however, get all letters red once, which is kind of a dystopian consolation prize, I guess.



(I **HATE** selfies! Yeah, I'm out of shape! Don't rub it in! I took this to show some of the others that I actually got the letters all red, in case one of them changed. They did this occasionally.)

One of the sessions, attended by many, was an introduction to the badges but they seemed to be careful to avoid blatant spoilers.



One clue in the game is "turn 180 degrees", which some interpreted as to physically turn one of the hardware chips on the badge board 180 degrees to reveal a clue or enable something. A few actually went to the hardware hacking lab, unsoldered the chip in question, and re-soldered it in place 180 degrees rotated from the original position. I never heard if this was effective.

One piece of trivia they noted is that they ordered 28,000 badges, to cover the anticipated crowd and then some, but they were only shipped enough batteries for roughly half of them! (Do the math, that's over 50,000 batteries short!) They ended up practically buying Fry's out of AA batteries and schlepping them in person to Caesars.

Another trivia item, the badges were designed to operate the whole extended weekend on one set of batteries. Chit-chat said that they would work fine on only three and work somewhat on two fresh ones.

Enough for the badges. Let's talk about the con ... ...


The entire schedule is on line here for those who care. It's long, like trying to take a sip from a fire hose! You have been warned.

http://defcon.outel.org/dc26-consolidated_page.html

There are four main "tracks" at the conference, Track 1, Track 2, Track 3 and Track 101. You might think that Track 101 is a "basic" or some kind of introductory track, but no, quite a few of the presentations on the 101 track were very deep. "101" apparently has some kind of phone phreak significance.



The four main tracks are in larger halls which are set up to hold a few thousand people.



Many smaller sessions are far more intimate.



There are also many "Villages", smaller special-interest tracks which have both talks and hands on experiences.

The Packet Hacking Village is for those who really like to get down to the nuts and bolts, or in this case the bits and bytes of things.



I guess the Hardware Hacking Village would be for nuts and bolts.

The Wireless Village is for, well, uh, wireless, such as WIFI and Bluetooth and such.



One "village" that I did spend a few hours at one morning was the Lockpick Village. I don't have any photos of the actual village, as I was very engrossed and found that I had a skill I never knew I had! I'm very dexterous and I just kinda fell right into this. I was able to open several of the locks that were being passed around at the table. I ended up buying a {blush} kit of lock picks {jeez, why am I posting this in public?} and a clear plastic "training" lock.



Another "skill" I picked up was how to {blush} "r00t a f0ne", meaning get into the phone more than the carrier wants you to be. I learned that a smartphone (at least the model I have) is actually a very physically small Linux computer and is really quite powerful, computing-wise.



I need to be VERY careful, as I feel I know just enough to be dangerous with this {blush} and I need to be careful, else I'll "brick" the phone! (Jeez, I'm already talking like a hacker!)

Should that happen, I guess I could just take it in, play dumb, and say it quit working. LOL! I don't think they would ever think I would be the type to be playing with it at a hacker conference!

One of the sessions I enjoyed the most was a talk by a pair who, among other things, were able to "turn the tables" on one of those "Windows Customer Support" spammer-scammers. They were able to talk the scamming agent (who knew very little about Windows support) into letting THEM remote-in to the agent's computer. They were able to activate the local web cam, which revealed a boiler-room call center in some far-away land.

As of Saturday they were estimating they had 25000 plus in attendance with more still coming in. As you would probably figure, they were mostly male and mostly younger. There were quite a few women there but I would say that we were outnumbered maybe 15:1 to 20:1.

One effect this had, and it's poetic justice fer shure, is that when the sessions at the 101 hall let out, the mens room just outside the hall had a line out the door but it was "walk right in, sit right down" for the ladies!

There were also a good number of more mature folks.

One thing I caught on to early in the conference was that with rare exception, everyone there was of high intelligence. I would say bright-normal at minimum to true genius level, really! Yes, Sheldon and gang would feel right at home.

With the spread between Caesars and Flamingo it was often times a long trek between things you wanted to do and the 15 minute "passing period" was barely long enough. For example, to get from a Track 101 session to a Track 2 session, you had to walk down a looooonnnnng hallway (at the Flamingo), down two stories on bottle-neck escalators, walk through the registration and casino, up over the bridge, past the Absinthe show tent, through Caesars registration and casino past the buffet, up a long escalator waaaayyyy down a hallway, across a bend, up some stairs, down another hall, and finally into the Track 2 hall!

When I registered on Thursday, I would say that 80% of the escalators at the Four Corners vicinity (Strip and Flamingo) were working, but by Sunday morning I would say that 80% of them were out!

I **DID** get my exercise!

They have clearly outgrown Caesars, and the decision was made (long before the roo erupted about room checks - see below) to seek a larger facility for 2019. The new Caesars Conference Center will not be finished by this time next year, so Defcon will have a new home next year. No decision has been announced, but if you think about it, there are three very obvious choices in LV that have such a capacity under one roof.

There were also several parties and get-togethers hosted by various groups of all types. Friends Of Bill W was one group having regular meet-ups. (If you don't know what that is, consider finding out to be an exercise for the student.) "Queercon" for the LGBT folks. (If you don't know what that is, phone Travelocity and ask for a one-way ticket to the real world.) There was a daily run at 6:00am (excuse me, at 0600) and I guess it was a Hacking Club with a Running Problem!

As I figured, much of what was presented was over my head, but quite a bit was at my level. Quite a bit had to do with things like election security, privacy, etc. with subject matter experts and even one elected politician giving presentations. I found that mini track very enlightening.





A number of the presentations were quite geeky!




There were quite a few after-hours parties and get-togethers. They had a "Toxic BBQ" in a city park, and I and my "sponsors" were planning to get together and go to that, but when we met up it was unanimous that it was just too {f-bomb}ing hot to be enjoyable. We ended up going to Virgil's BBQ instead. Later we talked about going to a party at the Rockhouse at PH, but none of us ever made it. I was on my way that direction, but I saw a machine I like at Paris and the drink service was so frequent that I just camped out there.

One general note is that drink service at most/all of the CET casinos in the center Strip area is significantly more frequent than when I was there in April. Linq, Flamingo, Cromwell, Bally's and Paris were all that way.

One of the most fun of the after-hours things was Hacker Jeopardy. It's similar to regular Jeopardy but it's played in teams of three and there rewards and penalties involving beer, as you get a beer for so many points but if you go negative it gets taken away from you and replaced with a warm no-alcohol placebo beer.

The topics were a combination of techie subjects, general knowledge, and hacker and Defcon trivia and in-jokes and such.

In many cases I was laughing so hard I hurt!

(Warning: Adult language below.)

I didn't take any photos during the game as I was so engrossed in it, but here are a few of the intro slides ... ...







Notice the guy in the referee uniform. This game needs a final arbiter. He was a stickler for stating the answer in the form of a question. Nope, no reminder. No question, no points, no beer!











Hacker Jeopardy is NOT for those with virgin ears, those who lack a sense of humor, those who can't take a joke, and those who are offended by about anything! I heard that it has been tamed a bit over the past few years, but it's still quite bawdy.

When a Daily Double comes up, a chant of "Don't f*ck it up! Don't f*ck it up! Don't f*ck it up ..." erupts from the audience. It appeared to start from audience left. If the team does miss it, then "You f*cked it up! ..." follows!

If none of the teams give the correct answer, or rather the question, they throw it open to the audience and the first correct attendee gets some kind of swag thrown his/her way.

Of course the bar in the back of the hall keeps very busy.


One novel and amusing pastime for some, and a use for those stickers they give you, among others, is to try to slap them on the wall above the down escalators from the Caesars convention area.

(I did not slap any, I reached to see if I could, and I could not.)





Finding the significance of "Free Kevin" (and "Kevin Free") will be left as an exercise for the student.


Afterword:

I was there the full four days but only scratched the surface. There were many things I wanted to check out. Biohacking Village was one, which I passed several times but always on a rush to get from one end of the extended campus to the other.

I thought upon arrival that this was gonna be my genuine boondoggle, but I really got into it and really got a lot out of it.

I'll be honest that I was a bit shy about letting people know too much about what I was doing. "Yeah, Vegas yet again." The term "hacker" has quite a negative connotation, and my interaction with many such hackers has given me a great deal of respect and awe for what they can do.

I admit I was a bit hesitant to post that I was going on this board, even though at least one other had admitted to it.

The "Hacker Ethic" was commonly spoken of, and that involves the value of the sharing of information, to put it in one sentence. "Information wants to be free." "The Internet sees censorship as damage and routes around it."

As I was in the Lockpicking Village, learning how to, literally, break into my neighbor's house, many that I talked to emphasized that the skill was to be valued and to be used properly and ethically.

One of those I was talking to made the comparison to someone who possesses an nth-degree Black Belt in one of the martial arts. The skills the holder of such a belt has, along with the discipline required to obtain said skills, allow the holder of the belt to protect and defend, but along with that goes the responsibility to use those skills ethically.

Overall, I became aware that there's a lot of misinformation currently circulating regarding information security and of those who deal with it.

The biggest issue, from my perspective, was the weather. It was well over 100F and quite muggy. Add to that the smoke and haze from the California fires and it was not pleasant.

As usual for LV properties, they ran the AC to the max! And I did as I usually do and always wore or at least carried a big shirt. Some of those lecture halls were COLD as it was obvious that they cranked the AC just before a large audience to compensate for thousands of 98.6F radiators.

Now ... {sigh!}

One frequent topic of discussion was the room security checks at many of the hotels, as was previously noted here. (My hotel did not do them.)

At the risk of over-generalizing, the people in attendance tended to be very security conscious and tended to highly value privacy.

I overheard talk of retaliation, and realistically, with the combined skill set of all of those who were majorly p*ssed about the room checks, they could have done, at the very least, some push-back in the form of very annoying mischief, and they most definitely had the ability, if they chose to use it, to render various hotel systems inoperable. Apparently those who were seriously planning things like this were talked out of it.

The only thing I heard that actually happened is that they were able to figure out the "all clear" code that was to be punched into a room phone when a daily check was complete, and that was widely passed among the attendees on Saturday.

There's a lot of discussion, petitions, and threats to avoid Defcon if the primary hotel does not support their expectations of privacy and security.

Time will tell on this one.

And no, you don't get a certificate for successfully surviving Defcon.

That's about it. I'm eagerly awaiting next year.

 

1. You look great.
2. Glad you had a good time.
3. ZOMG I hate the air conditioning in Vegas. I bring all these cute outfits then end up under huge shawls or sweaters because I am ALWAYS shivering. I had to go buy a shawl at my last bingo event and one of the ladies at my table gave me her blanket to use. :/

 

VERY interesting read. Thank you for sharing.

 

Thanks for writing this up, I now have a clearer idea what this conference is about. And I wonder if Caesars hotel checks may cost them dearly for this group next year. Their ire I'm reading about surely sounds like "move their business elsewhere talk".

 

Oh it definitely will not be at Caesars next year. The Con has outgrown it.

Mandalay, LVCC and Sands are the ones I think of immediately which can handle it all under one roof. I can't think of anything else. (Am I missing somewhere?)

Obviously Mandalay has room checks and probably can't be talked into negotiating a waiver. I dunno about Sands (V/P)? Class? If it goes to LVCC the closest hotels will be Westgate and SLS. I know SLS does not have room checks. I'm not sure about Westgate? Class?

 

It's going to be split between Paris, Bally’s, and Planet Hollywood.

 

Great report, @dmr!
Sounded like a great time!

I fear that I now know too much about DEF CON.
I feel like I'm being watched.

Entering VMB witness protection program now...

STEVEN

 

Very informative, thanks for sharing.

 

nice report!
rarely seeing a coverage of convention here, let alone such a detailed one.

 

Nice Rocky Horror reference in title.

Intersting report. Never thought of attending a convention. Might have ro see if theres something for any of the weird shit i find intersting.

 

As a fellow nerd I really appreciate this report! If I had known what I do now I think my wife and I could have planned a trip around this and written it off as a business expense (we are both IT). I didn’t realize until reading your report that it might have appealed to us. Thanks!

 

I went for a couple years, about 8 years ago, back when it was at The Riveria.

 

Awesome report! Danny Z from The Big Sky!

 

Thanks. I was wondering if anyone would get that.

 

Many of the people there were down to earth and approachable. Some, however, appeared to be quite shy and awkward at first, but would eventually open up. The convenient availability of adult beverages seemed to help keep the conversation going. There were bars in all (most?) of the chill-out areas and in most of the larger halls.

 

Thanks for the report. Def Con is one of the events I both want to attend and fear.

The whole security check issue is one I can really understand, especially for presenters. Many of them have information on unreleased bugs that could be exploited for real money.

 

Do DEF CON attendees have players cards????

Points can be hard to resist even for anarchists

 

Very interest trip report....thanks.

 

Just don't plan on using the wifi and turn off all bluetooth you'll (mostly) be fine

Husband has gone every year for the past 7. I went once and might try for next year if we can swing childcare.

As someone who is fairly cyber security literate but not in the field, I really enjoyed it. Glad you found stuff to interest you!

They alternate between electronic badges and non-electronic badges, but the puzzle aspect of the convention is always there. The year I went (non-electronic) the badge was a literal record you could play on a turntable.