Making the Most of DEF CON

Introduction

“Overtaken by Events”. This is a military term for a situation in which part of your plan has been made obsolete by the forces of chaos: unpredictable events, bad estimations of time, unforeseen circumstances. There is no better term from that space to describe what happens in Vegas during DEF CON. You meant to meet up for dinner, attend that specific talk, or engage with a particular village, but then those plans were overtaken by events. You had trouble checking into the hotel. You drank too much the night before. You got stuck in a long line. You spaced on what time it is. Something shiny caught your eye. The schedule, however, marches on. That thing you wanted to do was overtaken by events.

OBE.

You’ll find a lot of advice online about attending DEF CON, and most of it involves just giving up, submitting to the chaos of it all. Deity take the wheel. While you do need to be able to “go with the flow” and make the best of it, you can also pick a few things that you really want to do, be mindful in doing so, and actually accomplish some goals.

The purpose of this “guide” is to put you in a frame of mind that allows you to make some dynamic plans. Decide what events are important to you and let everything in between happen as it will. I’m assuming here that you’re not just coming for the parties (which is also completely valid and a really good time), and that you’d like to walk away feeling like you have improved yourself and your ability or desire to engage with the hacking/security community.

Set Some Self-Improvement Goals

You want to be a hacker, right? Want to learn how to reverse engineer (or write) malware? Understand microcontrollers? Sniff and analyze network traffic?

What skill do you want to obtain or level-up? Maybe you already know. If not, browse through the list of talks, villages, contests, and everything else while you think about it. When you figure out “what you want to be when you grow up”, write it down. Pick a couple of things.

This will help you focus. You’re going to intentionally pick talks, workshops, contests, and villages that interest you, and spend more time with them. Wandering aimlessly is fun, and you should absolutely do a quick and casual lap of the conference at least once. That said, for just about anything you’d like to learn or get better at, there’s content at DEF CON that will help you get there, or at least show you what you need to study when you get home. Take advantage of it, and you’ll feel a lot better about what you’ve accomplished.

Bring a Small Notebook

You’ll see several times in this guide where I talk about writing down topics you’re interested in, don’t fully understand, but want to learn about. Get a small notebook that will fit in the smallest bag that you intend to have with you (maybe A5 size), and a pen that feels good. If you have a thought about something you’d like to know, learn about, or be able to do, write it down. Do this while you’re planning, and while you’re at the conference.

Stuff to keep in your notebook:

• Travel itinerary, with confirmation numbers for flight/hotel/etc.
• A general TO-DO list
• A page-per-day “calendar” of your trip for listing scheduled things you intend to be at
• Vendors to check out, things to buy
• Learning Goals
• Research Ideas
• Books/resources you have been recommended
• Lists of talks/workshops/villages/etc you’re interested in
• Notes for things that you do attend
• Equipment to bring, things to pack
• People you’ve met (get a notebook with a pocked in the back cover for business cards/stickers, etc)

There are specific techniques for keeping notebooks. “Bullet journaling” is popular, but don’t be afraid to keep things more free-form. The key is getting things on paper, and reviewing those notes to do something about them later on. You’re keeping your own thoughts from being ephemeral and OBE themselves.

Attending Talks

The most common advice I see on this is: “don’t”. The rationale is that you’re better off networking and exploring other aspects of the conferences, and that talks are recorded. You could just watch them later. I disagree. As a speaker, I would say that I’d be pretty lonely presenting my research to an empty space, if everyone were to follow this guidance. Beyond my own ego, there are some reasons you should attend some talks.

It usually takes some time for recordings of talks to be posted. For 2024:

• DEF CON took about two months
• Black Hat USA took about five months
• BSides LV took about a month (live streams seem to have been archived to YouTube immediately)

If a presentation topic is of interest to you, ask yourself if it’s something you’d benefit from knowing, and having some notes on, before it’s posted publicly. Slides and other materials are usually made available immediately, but many presenters aren’t just reading from their slide decks. You may want to look at the slides ahead of the talk time if they’re posted at the beginning of the conference to see if it’s something you want to spend time attending.

Attending a talk doesn’t have to be a passive experience. If it’s a subject you’re interested in, chances are you’d benefit from getting to know the speaker. There’s usually some moments at the podium immediately after the talk where you have just enough time to express some thanks for presenting, ask a question, and give them your card. In my experience as a speaker, I enjoy meeting folks during this time, and I usually step out into the hallway with the group to continue the conversation.

Once the schedule and abstracts have been posted, read through them all and make a list of talks that would:

• …help you immediately in your current role
• …be related to one of your learning goals
• …simply be a “good show”. It either sounds like it would have an impressive demonstration or is by a presenter that has a history of presenting well-received talks.

Rule of thumb: Choose talks based on the above, but generally try to decide on one or two a day that are not-to-be-missed. Use the rest of your time for your other non-talk plans, or to wander the conference area.

During a talk, take notes. You should especially be writing down concepts and terms that you’re not familiar with. There’s a delta in skill and experience between you and the presenter, and you’re making a list of things to study and research to close that gap. If you don’t understand everything during a talk, that’s fine, but you will benefit from documenting “what you didn’t know you didn’t know”.

If you don’t take notes, you may be entertained, and might be able to recall some of what you need from the slides later on, but chances are that your in-the-moment thoughts and questions will evaporate before that overstimulating week is over. OBE.

Attending Workshops

A lot of the same advice applies here, but the difference is in preparation. Most workshops are structured like a class. They’re not presenting new research, they’re teaching a set of skills. They’re longer form (four hours seems to be the norm).

Critically, they require registration. Workshops that are free, like BSides LV and DEF CON’s, have limited seating capacity (for space and better teacher/student ratio) and fill up very quickly (on the order of seconds in recent years for the workshops I teach). You have to read the abstracts ahead of registration time and check on what you need to do (and when) to register. Have tabs open for a backup choice. While there are people that trade workshop registrations after they all fill up, it’s probably a lot more trouble than it’s worth to sign up for workshops that you’re not interested in.

Preparation is key. You’ll likely get an email telling you what you need to do to set up your laptop to follow along (OS, software to install, files to download). The abstract of the workshop will let you know what you need to know before coming into the workshop. For example, do you need to know a specific programming language, or need experience with the Linux command line? If you don’t get any information, track down the instructor’s social media, discord, etc. to see if they’ve posted about it. Get in touch and ask them. It really sucks to spend half the workshop just getting yourself to the point that you can follow along, when you could have done it ahead of time.

Show up on time and introduce yourself to folk sitting around you. You’re going to be with them for a while. Take notes (as above with the talks, especially note future study/research goals–for things you don’t understand). Don’t get too much in the weeds of making things work on your own laptop to the exclusion of paying attention to what the instructor is doing and saying. If at some point, you decide to go hands-off and just observe, that’s fine too and it may be for the best for you to get maximum value out of your time in the workshop.

Same as for talks, introducing yourself to the instructors is a great way to show appreciation, get some questions answered, and make some connections.

Villages

Specifically at DEF CON, Villages are a major part of the experience, and you should track down information on what’s going on at them. This can be challenging, as they all have their own websites and schedules of village talks, workshops, and events. The above advice holds for attending talks and workshops held by villages. There will be other activities or exhibitions going on at the villages, which you may want to keep track of and attend.

Contests

There are all sorts of capture-the-flag games going on, of any format you can imagine. This is just one genre of “contest” as well. Just go take a look at the list on the DEF CON site.

Things to keep in mind if you want to participate in a contest:

• What is the time commitment? If you take part in some of them, that’s what you’re doing this DEF CON, friend.
• Is there some well-defined part of it that you can take part in to learn and then jump ship, or are you committing to the whole thing?
• Do you have a team? Want to make some ad-hoc friends to make one? Do they have the same or compatible goals for the contest?
• What’s the skill level? Is it meant for people to demonstrate their world-class talent, or is it amateur-friendly?
• Are you playing to win?

Contests can be very rewarding towards your self-improvement goals, as well as in your personal notoriety, but make sure you understand what you’re getting yourself into and don’t miss out on other things you want to experience. Don’t do something that feels too much like you’re going to DEF CON to work.

Crowds and Lines

There will be lots of crowds and lines. Sometimes I find myself puzzled by them and walk up to them just to see what they’re waiting for. Plan for what you’ll do if you find yourself waiting, and if needed, make an adjustment in the moment (or have an idea for a backup activity). Since you have focused goals and some planning done for what’s important to you, you can make smart decisions about whether to stay in a line, or to go do something else that doesn’t have a line. Sometimes it’s worth it, sometimes you’re wasting a lot time.

The classic DEF CON rule is “3-2-1”. It’s meant to keep you tolerable to be around when you’re in close quarters, and vertical (not being carried out on a stretcher):

• Three hours sleep
• Two meals
• One shower

For me, it’s a minimum. I need more sleep than that, and I might wind up taking more showers than that if I can. It’s hot. Keep a really good stick of deodorant in your bag to freshen up on the go. You shouldn’t have to be told to keep yourself clean and conscious.

Keeping Up, Digitally

While I keep track of most of what I need and want to do in a notebook, the conference schedule can change out from under you. The Hacker Tracker app for iOS, Android, and web serves as an electronic schedule, and allows you bookmark events/talks and add them to your calendar. Its useful in the moment if you find yourself wondering what you’d like to do next, or to verify things that might have changed within the past day or two.

The DEF CON Info Booth site is the official place for up-to-the-minute announcements and changes, so use it as well. It may be more accurate for rapidly changing events. The conference itself is not immune to things becoming OBE. For any of the conferences going on during Vegas week, it is probably a good idea to set alerts on the official social media accounts’ posts.

Qumqats’ The One! (DEF CON 33 link) scrapes and accumulates information from a lot of different sources, and provides downloadable schedules that can be handy.

The DEF CON subreddit is active, interesting, and useful, but be mindful of how official or accurate any specific comment might be.

Update yourself based the above sources (and any village sites, etc.) often, and establish the provenance of anything you read. You are probably not being intentionally deceived, but things do move fast.

Personal Technical Security

It might be smart to stick to cellular networks where you can (but the WiFi can be fun in a wild-west sort of way). Meaningfully intercepting data on 4G/5G is outside the scope of what you could expect out of anyone working from publicly available knowledge. If you are targeted by intelligence or other sophisticated groups with the knowledge and equipment to intercept your cellular data, then your problems do not begin or end in Vegas during DEF CON.

Use the same best practices that you use for any sort of travel. Use applications that provide end-to-end encryption for communication. Use a VPN connection back to somewhere you trust.

DEF CON operates two accessible WiFi networks, the first being open and unencrypted. You might have a hard time identifying it amongst a sea of rogue APs set up with WiFi hacking “gadgets” that people buy and play with. For a second, more secure network, there is a web-based signup at https://wifireg.defcon.org/ that you use to create an account. Once you’re on that more secure SSID, layer your end-to-end/VPN on top of that and you’re good to go.

Context and common sense are important: If you’re sitting at your desk at work and get a warning about self-signed certificates, accessing a machine down the hall that’s very different from getting the same warning while on unencrypted WiFi at a conference with tens of thousands of hackers.

For the physical security of your devices, don’t leave them unattended or unlocked. Consider whole-disk encryption, such as with Bitlocker. Bring your own USB batteries, cables, and wall chargers rather than relying on whatever might be set up there.

I usually do a clean and updated OS install on the laptop I bring, with everything set up for my workshops, talks, and whatever else I have planned. That’s more about having a known-good state than security, but it is nice to know that there’s nothing sensitive there to lose. As above, install what you need for workshops you attend, and if you think you might work on a contest, puzzle, village activity (Packet Hacking Village is really great), a Kali VM installed from the “Everything” version of the ISO can help you make sure you have whatever tools you need. Bring an external USB WiFi dongle that is well-supported by Kali to pass into the VM.

Out of an abundance of caution, keep ID cards, credit cards, etc. in a RFID-shielded wallet. Cash is great, but you’re probably about as safe using your credit card as anywhere. You’re pretty well-protected on liability for fraudulent charges on a credit card, so it’s not that big of an impact. Avoid using a debit card, as your personal liability/risk is usually higher.

Gear

Here’s some ideas about what you might want to have. You can pare this down considerably if you don’t intend to take part in anything technical with your laptop.

• A comfortable backpack, and a smaller cross-body bag for when you don’t need as much “stuff” on you.
• An A5 or smaller notebook and pens.
• A water bottle you can seal up securely, that can go inside your bag or in an outside pocket (see if you can clip it to something so it doesn’t fall off). The convention center for DEF CON has refilling stations.
• Your phone.
• Your laptop, when and if you need it.
• A USB battery that you’ve tested as being able to charge your phone and laptop.
• A wall charger with enough power on USB ports to charge your battery and a device. Helpful if you can run your laptop off of it too.
• A small three-outlet, three-prong extension cord/strip.
• All the cables you need (USB, HDMI, a couple of Ethernet). I’ve tried as much as possible to standardize on USB C.
• USB port extender/dock for HDMI/Ethernet/etc.
• An external solid-state drive with what you need to restore/reinstall your laptop.
• A small interchangeable-bit screwdriver set.
• A travel router if you’d like to set up your own little local network, especially in the room.
• A recent generation ALFA USB WiFi adapter with Kali support. For Kali things, or for passing into a VM so it can get on a network instead of your host OS.
• Business cards, or similar for personal contact.
• Maybe a Meshtastic node, or, if you have a license, a handheld ham radio (the Technician exam is extremely easy to pass, and you can take it at DEF CON. Check the Ham Radio Village)

Thanks to a combination of poor signal areas, people playing around with software-defined radios, the heat, and you making heavy use of GPS-active apps (maps, Uber, etc), your phone battery will probably run down much faster than you’re used to. Make sure your phone battery health (somewhere in your settings) is in pretty good shape, keep it topped off whenever you have an opportunity, and have a USB battery/cable with you when it’s practical to do so. Running out of phone battery and not having access to your reservation/ticket barcodes, or not being able to call an Uber, really sucks.

There is a lot of walking, so wear comfortable shoes, and try to stay close enough to the conference that you can go back to the room and drop some things off if you don’t need them. If you’re anything like me, as you walk around the conference center, you’ll wind up picking up, buying, and being given all manner of stickers, shirts, gadgets, and stuff that you don’t want to lug around all day. Also keep in mind that the typical hacker uniform, black t-shirt and jeans, absorbs every single bit of heat put out by the Vegas summer sun. Light colors reflect. Dress for physics.

Vendors

The DEF CON vendor area is a little different than at most conferences. It’s not a set of information booths for service-based companies. It’s more like a flea market, with lots of gadgets, tools, and books you can buy right there on the spot.

Check online prices before you buy anything, but also keep in mind that you’re supporting companies and individuals in the community. If you can afford it, don’t sweat it too much, but don’t bother with stuff you’re not likely to ever use.

Check out the github for any hacking gadgets you buy. Is there source code? Build instructions? Was there one firmware release two years ago with no further updates? It’s fine to buy a proof-of-concept to tinker with, but know that a lot of devices are supplanted by new hardware, rather than new firmware versions.

If you’re tinkering around with gadgets that implement attacks, as many are, just be mindful of the folks around you:

• Don’t broadcast as DEF CON, convention center, or hotel/casino SSIDs.
• Don’t do anything suspicious in the hotels/casinos, especially around the gaming areas. When you get kicked out, you’re likely banned from a lot of other places on the strip as well, really ruining Vegas for yourself.
• Don’t degrade service for others: Deauths, jamming, etc. It’s bad enough as it is.
• You might not be the top predator.

Parties

You know your own appetite and limits for this better than anyone else. Drink more water before and after alcoholic drinks than you would if you were back home. Hydration mix-ins (such as Pedialyte) help. Even if you’re not drinking alcohol, you will likely become dehydrated faster than you’re used to. It’s the climate and level of activity. Hang out with friends and take care of each other on that front.

DEFCONPARTIES gathers up information on parties, especially the ones hosted by vendors during Black Hat USA. Show your appreciation and sense of style by buying a DCP shirt. Skim Dale Carnegie on the plane ride to Vegas and try to talk to some people.

There are several parties going on each night at DEF CON in the convention hall ballrooms. The hacker community has some very impressive artists, DJs, and musicians among them. Keep an eye on DEF CON A&E for the official DEF CON music lineups, and many parties will have their own lineups of DJs.

Also, laugh with us at “Whose Slide is it Anyway” (where you might find me on stage) and “Hacker Jeopardy”!

Vegas

Immediately upon arrival, identify where the closest CVS/Walgreens/etc is to your hotel and stock up on snacks and drink for the room. Get some granola bars and such for your bag as well (nothing that will melt!). This will save you money and will keep you from running out of energy.

Walking on the strip, there are lots of scammers. Avoid dressed-up “photo opportunity” folks on the strip: showgirls, cartoon characters, superheros, etc. They’ll pose for a photo and then ask for much more money than you expected, causing a big scene. Anyone selling or “giving away” anything is probably someone you should avoid engaging with. There are lots of entertaining YouTube videos about these scams that go into more depth than I will here, but a little common sense will keep you from being a victim.

Don’t let open drinks out of your sight, especially if you’re around people you don’t know, and try not to get too drunk to make good decisions without someone around to look after you.

For inexpensive food, check @JacobsVegasLife on X for the “Cheap Food & Drinks” list he publishes every month. Just scroll back through his “Pictures” tab to find the latest one. If you can, though, treat yourself to a couple of nice meals with old or new friends while you’re there.

After-Con Review

After you’re back home and “recovered”, take some time to review:

• Read back over your notes
• Make master lists for to-dos, to-learns, books to buy, etc.
• Make some plans for near-future learning
• Go through cards and contacts you’ve acquired and write them a quick note, if it makes sense to keep that connection/friendship going
• Think of ideas for making your own content: research for a talk, a village you’d like to work with, etc.

If your company paid for you to go, or you’d like for them to in the future, it would be good to be able to easily bring up skills, knowledge, and ideas that you acquired on the trip.

Conclusion

You’ll have fun either way, but with a little mindfulness, you can get the most out of your time and money at the conferences going on in Vegas the week of DEF CON. If you actually set some learning goals and reach them before the next year’s conference rolls around, you’ll get the satisfaction of making some real progress.

I hope to see you in Vegas, so get in touch!