DEF CON Was Actually Canceled (sort of)
Dan Mellinger: Today on Security Science, Defcon is definitely canceled. Hello and thank you for joining us. Today we're discussing the infamous cybersecurity gathering that gets canceled year after year, Defcon. Guiding us along the journey to nowhere is everyone's favorite security guru and multiple Defcon non- presenter, Jerry Gamblin, who is also definitely not going to Las Vegas. How's it going, Jerry?
Jerry Gamblin: It is going well. I'm 100% not going to Las Vegas. It's canceled. I don't know if you've heard.
Dan Mellinger: I did. Seems like Defcon has never actually happened for the last 10 years or so.
Jerry Gamblin: "It's too popular," as Yogi Berra says," no one goes there anymore."
Dan Mellinger: Very true. And all the hipsters can't cannabide.
Jerry Gamblin: Exactly.
Dan Mellinger: Awesome. Well, here I'll do a quick history, just so people have a little bit of context on what we're talking about. If this is the first time you've heard about Defcon, you're probably not into hacking anything or breaking things apart, especially on the electronic spectrum, but Defcon is in my mind at least, the world's largest and most notable hacker conventions held annually in Las Vegas, Nevada. It typically is paired up on the backside of Black Hat. And when I say hacker convention, I mean actual hacker convention. Not cybersecurity. People figuring out novel ways to break things, figure out how to make things happen differently from the badges to aerospace. Super interesting. Started in 1993 by a gentlemen who's handle Dark Tangent, AKA Jeff Moss, and was essentially a party, a going away party for one of his buddies that he ended up inviting the entire hacker community back in the dial up days. Since 1993, Defcon has expanded dramatically and has now 31 different specific villages and covers a broad range of topics. With that, I just wanted to have Jerry, could you give us a little walkthrough? Could you give us your background? What's your history with Defcon?
Jerry Gamblin: I've been to Defcon for 15 years now.
Dan Mellinger: Wow.
Jerry Gamblin: It's part of growing up. It's part of the week I used to spend in Vegas every year. That's not happening. It's weird too, because when I started going to Defcon it was more what Black Hat is today. And Black Hat was more what RSA was. Everything has seemed to take a step. I don't know what you call it. A step up. You would never see an offensive security talk at Black Hat and this year they have offensive security talks, last year they had it the year before. Defcon has recently, probably in the last three to five years from what I've seen, become a real hobbyist community. You won't see a ton of hacking like Jack did back in the day. Nobody's going to jackpot in ATM on stage anymore. They're going to do that down the street during the week at Black Hat. But you said there's 31 villages now so there's people who are interested in aerospace. There's all the cryptography nerds like me who always get together and just work on puzzles. There's an application security village. There's a blue team village.
Dan Mellinger: Career hacking.
Jerry Gamblin: Career hacking. Defcon has become more focused in a way than it than it was five years ago. Five years ago, it was quote unquote black hats. And since the industry's kind of smudged together, corporate stuff's moved to RSA, kind of really technical tacking stuff has moved to black hat and the hobbyists have kind of taken over Defcon.
Dan Mellinger: Yeah, no, that, that makes a lot of sense. I've noticed a similar trend. The very first conference I actually ever went to was an RSA. I've seen that transition of the course of the last 10 years or so to very much like you said, industry event, whereas Black Hat's more of the training slash sessions and Defcon has a lot of the actual hobbyist hacking. The big theme is people hacking the badges.
Jerry Gamblin: Badges or IoT hacking or car hacking village. I love that. I spend a bunch of time there every year.
Dan Mellinger: Didn't you speak at car hacking village last year?
Jerry Gamblin: For a couple years in a row. Yeah. I love to speak at those villages because it's how you give back. It's how you spend. It's how I spend my free time during the week or during the month that I get. I'll do something like I built an automatic license plate recognition system on a Raspberry Pi. And I was going to do a hands on class at Defcon this year so people can build their own for their driveways or whatever. It didn't happen this year, but hopefully it'll happen next year. But it's stuff like that that allows people who are hobbyists in these areas to get together and talk to people who are also interested. While Defcon will have, I don't know what they say the numbers are, 15,000, 20,000 people. If you get into one of these villages, it's going to feel like a village. It's going to be the same two or 300 people who are really involved, sitting around talking about this stuff. And then you will see a 1, 000 people walk through to try to grab stickers or whatever. But you can really get the village feel and start building a community around these Defcon groups, which is amazing to see.
Dan Mellinger: That's awesome. It sounds like stickers are almost a form of currency.
Jerry Gamblin: I think people like stickers more than t- shirts.
Dan Mellinger: That's interesting. Over the course of time, you've been there for 15 years so how would you say that it's changed over that period of time? We saw this evolution, but it sounds almost like a Defcon has still managed to kind of keep things very community focused, community centric, instead of necessarily, Black Hat people would say has become a little more corporate maybe than other places.
Jerry Gamblin: Yeah. Black Hat has actually become less welcoming in a way, because of the price. And it's really, oh, you don't have CSO in your title, you don't belong at Black Hat. People go to BSides Las Vegas and to Defcon. Defcon has become really more welcoming in kind of a way. It always gave off the vibe, oh, don't come to Defcon. Oh Black Hat hacker. Ooh, they'll get you. Bring your burner phone too. Defcon I've not ever had a bad experience at Defcon. I know people will say they have or whatever, but most people at Defcon are good people and they're there on their own money and they just want to have an entertaining time and learn about their hobbies. But of course it's Vegas so you always get the, hey, I saw a guy do something that he shouldn't have done. But I don't excuse that stuff, but what happens in Vegas, stays in Vegas sometimes.
Dan Mellinger: Yeah, absolutely. Defcon, they're famous for having what electron hacking machines. Competitions out in the villages, all that fun stuff.
Jerry Gamblin: It's where the three, two, one rule came from. It's three hours of sleep a night, two meals a day and one shower a day, please.
Dan Mellinger: Bare minimums.
Jerry Gamblin: They had to make stickers because you can go 24/ 7 in Vegas. I had an 11: 00 o'clock dinner with a group of friends last year and a 5: 00 AM breakfast with another group of friends. It's just stuff all the time at Vegas. And I think I might have got two hours, three hours of sleep in the middle there if I was lucky.
Dan Mellinger: That's always the most fun of Vegas. Till you go home and then it all hits you.
Jerry Gamblin: Yeah, or 28 days later when the credit card bill comes.
Dan Mellinger: Oh yeah. Yeah. That's another good point. Actually, that brings me to another question as well. Because I've been a bunch of Black Hats. I've never stayed for Defcon because I'm not technical and I don't feel like I would fit in super well there. Every time you go, we always have these tips on kind of hardening yourself before you go to Black Hat and especially Defcon. do you think that's really necessary? What's the merits to that? I know there's that whole board on who's been poned during Black Hat type thing.
Jerry Gamblin: That was super old. And that led directly to everything being encrypted on the internet. If you look, the Wall of Sheep is the reason why TLS kind of caught on and encryption by default is a thing now. That is good. What I like to tell people is if you think you're going to get hacked at Defcon and you're just as likely to get hacked at your local Starbucks. You shouldn't treat going to Defcon different than going to an untrusted network. There's always people who are going to do goofy stuff at Defcon, like try to spoof an SSID, play with a new toy they got, show their buddy a trick.
Dan Mellinger: Walk around with a pineapple trying to.
Jerry Gamblin: Yeah. I don't think anybody is maliciously, there are very few people who are maliciously trying to do that because it's a well, well recorded network and garden network and actually every year they put the complete P caps of all the network traffic online for people to download and to use. If you had an iOS vulnerability that hasn't been patched and wasn't known about, dropping it on the Defcon network is like giving away a million dollar.
Dan Mellinger: The best way to get it found real fast.
Jerry Gamblin: Exactly. It does happen, you just need to be smart and to be well behaved and well understood. Most of the time I hear people getting stuff stolen or taken at Black Hat and Defcon, it's not another hacker. It's your run of the mill people who are doing bad things in Vegas, probably.
Dan Mellinger: The Vegas shadiness.
Jerry Gamblin: Yeah. Skimming credit cards, copying RFID off your, it's not somebody coming out there to do that. Vegas is literally one of the most surveilled cities in the United States. Right outside of Washington DC, Las Vegas is a place where if you're not in your hotel room, chances are you're being recorded.
Dan Mellinger: Got it. Basically you're saying if you do anything different from a security standpoint for Black Hat and Defcon, you're probably doing security wrong in general.
Jerry Gamblin: Correct. Yep.
Dan Mellinger: Makes sense. I would expect that from our head of security as well.
Jerry Gamblin: And it makes people think, because you spend more time at your Starbucks or you used to, or wherever, your local coffee hang out shop, then you're going to do at Defcon. That's where you're more likely to be popped at.
Dan Mellinger: Yeah. Totally makes sense. Do you have any particularly interesting stories from the show over your history of going before we get into kind of what's coming up this year?
Jerry Gamblin: None that I'm able to share in a public way. Let's grab some bourbon and some glasses and when we all get our shots, we can sit down and have a discussion about all the interesting stuff that's happened because you do see a lot of stuff. And you do talk to a lot of people, but part of the myth and the thing is that it's not all public and that you just.
Dan Mellinger: What happens at Defcon stays at Defcon. And I think Jerry just put out an open call. If you see him, buy him a drink and try to ask him some stories about Black Hats and Defcons.
Jerry Gamblin: That's when the stories come out for sure.
Dan Mellinger: Very, very true. Okay. If anyone's listening in the future, assuming we all make it past 2020, there's a COVID- 19 pandemic right now. A lot of the in person events this year have been kind of shut down. Defcon is kind of actually canceled this year in all intents and purposes. I know it's a 10 year running joke, but Defcon this year for what? 28 they're calling it, They've Rebooted It in Safe Mode, which is, I think probably the best title for a rebooted conference of 2020. I think they've won that.
Jerry Gamblin: And it's free this year, which is great on them. Or a lot of conferences are still trying to get people to give them a$1000,$2, 000 too.
Dan Mellinger: Way more than that.
Jerry Gamblin: To attend their conference that's virtual. Defcon just said," Hey, we're a community event and we're going to make everything free." They've opened up a Discord server that last time I looked, had 2, 000 people on it and they have all the villages in there and they're streaming all the talks for free. They normally put all the talks on the internet afterwards for free anyway. But it's really kind of speaking to that community vibe and it's giving people who've never had a chance to go to Vegas, an opportunity to feel like they're part of the Defcon community while it happens.
Dan Mellinger: That is really, really cool. And yeah, they're completely virtual this year so there's a ton of different Discord servers. All their stuff is hosted and available for on demand viewing. And we're going to have Jerry. If you're just tuning in, Defcon happened probably a week before this is actually airing, but we're going to, Jerry, what are some of the villages you're most interested in and some of the talks that you want to stream this year?
Jerry Gamblin: I love the AppSec village, it's a new village, two years. Kind of helped those guys last year get it started. I spoke there last year and it looks, they've got a bunch of good talks this year too. And they're doing an AppSec capture the flag with a bunch of good puzzles. I'll be spending some time this weekend on that. And I'll also be spending some time in the car hacking village. They have a bunch of good talks over there that are super technical. That'll be really interesting to kind of dig in. I'm really kind of interested to see how it goes, just because I think it's going to be crazy, but I wouldn't expect Defcon to be any other way.
Dan Mellinger: Any other way.
Jerry Gamblin: I don't think I'll be getting much sleep this weekend, but I don't think I would've gotten much sleep this weekend either way. It'll be fun.
Dan Mellinger: Yeah. It's solo versus a sing OBDs. Awesome. And then there's a couple other villages that you seem pretty interested in. Aerospace, blue team, crypto. Could you give us just kind of a sense of what these villages are like? They're functionally what? Most just topical areas of interest that people dive into?
Jerry Gamblin: Yeah, topical areas of interest, normally backed by either a large company, or government agency. I think last year they had the aerospace village for the first time and what was it? National Guard, I don't even know if it was Nevada brought out their flight simulators for people to look at and to try to hack that they of course had the prosumer kind of flight SIM guys who had their own setup that was probably better than the military one right next to them showing it. They had people out there showing how cyber security works at airports, from how the lights are controlled by radios. Really if you wanted to learn, if you had some interest in aerospace, you could go there and talk to them about it. They had a shipping village. I don't know if they're having it this year. Also a marine village where it was talking about all the stuff that's on the big tankers I go across. I spent an hour talking to the guy about how all of those big Musk containers that you see on those big container ships, they all have satellite connections back to a general purpose. And they actually, he was telling me a story that one of the things they do is they actually age the bananas as they come up from South America. Whatever gas is in there that keeps them fresh, they start letting that gas out as the tanker gets closer to the US so that when they unload the containers and get them to the store, they're ripe. That's all, if it's on the internet, somebody can probably do bad stuff. Musk has a big team that spends a lot of time trying to defend and look for attacks like that. And they were hiring some engineers to trying to red TA and break into this.
Dan Mellinger: That's interesting.
Jerry Gamblin: They're shifts which I thought was really cool.
Dan Mellinger: They have a hack the sea village this year for sure. And that's interesting. They're worried about people over ripening on the trip over.
Jerry Gamblin: Turning it off or whatever.
Dan Mellinger: Or keeping it going until they park and then everything's super green still.
Jerry Gamblin: Yeah, there's no bananas. It's don't hack my bananas, please. Yeah.
Dan Mellinger: That's awesome. Cool. Well, I think that's a really good overview. Ostensibly, it looks like it will be in person next year so I think we'd encourage people to go and we'll link a bunch of the Jerry's can't miss this year talks, but any tips for people who might be attending in person next year?
Jerry Gamblin: Yeah. Don't be afraid to just show up, get in line and just start talking to people. Or find something that you're interested in and just hang out in the village and you can't see everything at Defcon so don't try. Figure out what interests you and do that. I know people who live in the crypto village, I know people live in the AppSec village and in the car hacking village. They might go to two or three other things the whole weekend, but just think of Defcon as a large conference and the villages is where you find your home.
Dan Mellinger: Awesome. Well, appreciate all your time. I will definitely take your advice and maybe I'll go hang out in the lock picking village next year.
Jerry Gamblin: For sure. 100%.
Dan Mellinger: Awesome. Well, appreciate the time, Jerry. Again, we will link Jerry's recommendations for this year's different sessions on the podcast page and look forward to chatting with you again. And hopefully you'll be speaking at next one.
Jerry Gamblin: I hope so too. Hope to get back out there.
Dan Mellinger: Awesome. Thanks Jerry.
Jerry Gamblin: Awesome. Thank you so much.