DOCC Lab Reading Group

My first DEF CON: summary & discussion

Research Question(s): What is DEFCON like? What is this conference about? What can one learn from going to such a hacker conference? Can a member of DOCC Lab go to her first DEFCON and make friends while not getting hacked or stolen from?

Key Contributions: This is a three-part answer, and we’re going to start by summarizing my experience in Cloud Village. Not only did I learn about tools that modeled insecure microservice environments like CNAPPGoat and Unguard, but I even spent a lot of time hanging out with Unguard’s creators. Most of the talks I attended made it clear that there were distinct differences between logging as we know it in this lab, and security logging. The latter does not randomly sample as generally practiced in tracing, as attacks usually execute once, with fewer traces generated. In one talk, I learned how security logging outages and log delivery delays can both buy the attacker more time without detection. Another talk demonstrated a need for security monitoring in serverless environments, as it was recently discovered that an endpoint that turned on once a day was leaking Slack’s source code. A third one had some important things to say about how logs reporting system outages not directly related to security events made it harder for security teams to filter their logs for specific attacks. One may understand how this can get worse the larger your cloud is - as you add more things to your cloud, the chance of something failing in your cloud becomes more likely, and when folks are constantly building and updating new things, such failure from CI/CD workflows can make the security team’s search for legitimate security events harder. Now, I would have more snappy by-lines here for these good talks in Cloud Village, but in trying to stay for all the talks, I pretended to work on the Cloud Village CTF - until I wasn’t. By requesting some open-facing Google Cloud Platform queries with the right .json, I was able to secure an access token and go bucket fishing in a gnome-themed CTF. It was quite fun, and I can’t wait to return to DEFCON and actually throw more of myself into the CTF scene.
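Two of the points above are easy to see in code: a single-shot attack event rarely survives the head-based sampling that tracing pipelines use, while a security log keeps every sensitive event; and a log source that goes quiet (an outage or a delivery delay) is only visible if someone is watching for the gap. The following is an added example written for this writeup, not code from any of the talks or tools mentioned; the event stream, log lines, source names, timestamps and the five-minute delivery threshold are all constructed for illustration.

```python
"""Sampled tracing vs. complete security logging, plus a log-delivery gap
detector. Added example; all events, log lines and thresholds are constructed."""
import random
import re
from datetime import datetime, timedelta

# Constructed event stream: 999 routine requests followed by one single-shot
# sensitive event (an IAM policy change), in the order they occurred.
EVENTS = [{"id": i, "kind": "request"} for i in range(999)]
EVENTS.append({"id": 999, "kind": "iam.policy.change"})


def sample_traces(events, rate, seed=0):
    """Head-based sampling as commonly practiced in tracing: keep each event
    independently with probability `rate`. A one-off event only survives with
    probability `rate`, whatever its importance."""
    rng = random.Random(seed)
    return [e for e in events if rng.random() < rate]


def fraction_of_trials_keeping(events, event_id, rate, trials=500):
    """Empirically measure how often a specific one-off event survives sampling
    across `trials` independent runs (expected value is simply `rate`)."""
    kept = 0
    for seed in range(trials):
        if any(e["id"] == event_id for e in sample_traces(events, rate, seed)):
            kept += 1
    return kept / trials


def keep_security_events(events, sensitive_kinds):
    """Security logging: every event of a sensitive kind is retained, so the
    single IAM change is never lost regardless of request volume."""
    return [e for e in events if e["kind"] in sensitive_kinds]


# Constructed audit log lines from two sources; audit-db-1 stops reporting
# for ~13 minutes and then goes silent, audit-web-1 has one 13-minute hole.
LOG_LINES = """\
2024-08-10T10:00:00Z source=audit-web-1 msg=heartbeat
2024-08-10T10:01:00Z source=audit-web-1 msg=heartbeat
2024-08-10T10:02:00Z source=audit-web-1 msg=heartbeat
2024-08-10T10:00:30Z source=audit-db-1 msg=heartbeat
2024-08-10T10:14:00Z source=audit-db-1 msg=heartbeat
2024-08-10T10:15:00Z source=audit-web-1 msg=heartbeat
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)Z source=(?P<src>\S+) msg=(?P<msg>.*)$")


def find_delivery_gaps(lines, max_gap, now):
    """Return {source: [(gap_start, gap_end), ...]} for every interval between
    consecutive lines of a source longer than `max_gap`, plus the interval from
    a source's last line to `now` when the source has gone silent. Each such
    gap is time an attacker had without anyone seeing that source's logs."""
    parsed = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that do not fit the expected format
            parsed.append((datetime.fromisoformat(m["ts"]), m["src"]))
    parsed.sort()  # lines may be interleaved across sources; order by time

    last_seen, gaps = {}, {}
    for ts, src in parsed:
        prev = last_seen.get(src)
        if prev is not None and ts - prev > max_gap:
            gaps.setdefault(src, []).append((prev, ts))
        last_seen[src] = ts
    for src, prev in last_seen.items():
        if now - prev > max_gap:  # source has been silent too long
            gaps.setdefault(src, []).append((prev, now))
    return gaps


if __name__ == "__main__":
    print("survival under 10% sampling:",
          fraction_of_trials_keeping(EVENTS, 999, 0.10))
    print("security log retains:", keep_security_events(EVENTS, {"iam.policy.change"}))
    for src, g in find_delivery_gaps(LOG_LINES, timedelta(minutes=5),
                                     datetime(2024, 8, 10, 10, 20)).items():
        print(src, [(a.time(), b.time()) for a, b in g])
```

Run as a script, it shows the one-off IAM change surviving roughly one trial in ten under 10% sampling, surviving every time under security logging, and both sources flagged for delivery gaps; the "silent since last line" check is what turns a delivery delay or outage from something an attacker benefits from into an alert.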

Next up is a recap of some of the policy talks I went to. Though policy does not always crop up in this lab’s work, I care about monitoring the evolution of technology, and policy has an important hand in shaping that. First, I learned about the Budapest Convention, and how Russia, China, and others are threatening to replace it with a far more draconian statute that hurts security researchers and goes against free speech on the internet. Consider the following: An unassuming security researcher in Country A breaches a database of trade records between authoritarian Countries B and C, and even though A subsequently does all the right things, the country hosting this database notices the breach. Rather than let Country A decide what happens to this researcher in their legal system, under this proposed statute it would be up to Countries B and C to determine whether or not the researcher deserves life in jail. The next talk was super relevant to work I did in undergrad. Even though safe harbor for grey hat disclosures is widespread, these two Canadian hackers talked about issues they came up against when disclosing to the government. I had a nice chat with Mr. Renderman himself after the talk about the paper I worked on about these issues, and I also vented about how unauthorized access is too nebulous of a law term for the kinds of things a hacker can be arrested for.
Finally, I heard about the unique challenges women face when stealthily seeking abortions in our current legal landscape in the talk “Abortion Access in the Age of Surveillance.” Through this talk, I learned that most people reporting abortions to law enforcement are not doctors AND are close/formerly close contacts, that people are pressured into accepting device searches, that changing laws means your phone could tell on you if you did an abortion that was legal at least previously, that a lot of internet child protection laws don’t do what they claim to and actually make all this surveillance worse, and that privacy is super super hard to correctly standardize. It is important to have one foot in policy / the greater field of responsible computing / the space where you can keep companies like the ones that host abortion-related data (and other data, who knows), whether you are a software developer, project manager, or somewhere on the path to academia. There are two reasons I say this as a privacy professional: one, sometimes work can be so divided amongst teams and distributed systems that what you work on and how you work on it may sometimes intentionally obscure the larger, possibly more oppressive thing that you may not be comfortable with contributing to, and two, knowing about different insider threats and privacy yikes can help one effectively build non-oppressive tools, or build a threat model for a tool in design that may have the capacity to be oppressive, but can have countermeasures made for it to prevent such manipulation. That is not to say that is always the case, but sometimes you do not know the scope of your work and who it affects without doing some digging.

Of course, though DEFCON is a skill and information share particularly centered around exploits of all kinds, it’s a hacker party, so fun was definitely to be had. In one fun talk, four high schoolers told the audience how they figured out they could clone CharlieCards by flipping them with slightly altered checksums, enabling the new clone to also contain the original money value of the first card, which was used for many joyrides on the MBTA. Although the MBTA had no vulnerability disclosure program at the time of this discovery, the high schoolers were taken seriously and together they worked well with the MBTA to address this vulnerability, which I think is neat. Another talk I saw that day had an abstract that led me to believe it would have something to say about observability, but instead I was in for a summary of how a few guys exploited outdated Lexmark firmware to make one (1) printer sing the Super Mario Bros. theme song. I have three more things to add in the “fun” category, but each of them deserves its own paragraph.

DEFCON has had a reputation of attracting a lot of cis straight white guys, and because of how some guys who hack are, a slightly larger proportion of those guys are worse to queer hackerwomen like me, but also others unlike them (or me). However, even though minimal opsec is needed to traverse DEFCON without getting hacked/stolen from/messed with, DEFCON has taken a lot of steps toward making the conference safe for people like us, but also fostering community spaces for minorities in cybersecurity, like QueerCon. I would find myself going to the QueerCon mixer when I was bored, but I’d always walk away with more friends like myself. Both I and the people I met were snowballed into a very big and gay and trans groupchat on Signal that we still ping regularly when one of us sees a dog, encounters a hacking conundrum, or needs support. Through that groupchat, we were able to organize shenanigans like a ten-person dinner at Guy Fieri Las Vegas before we all went our separate ways. There’s this thing the group Lesbians Who Tech always say about their organization: Wherever you go, the lesbians will find you. Regardless of how many lesbians I met at DEFCON, it made me feel safer to venture into this somewhat risky conference, find friends like me, and get assimilated into the Borg, no, I mean a really good network where we all took care of and showed up for each other when it mattered, and some of us had crushes on the Borg Queen and that was fine. Still, though, to any LGBTQ+ folks considering whether or not to go to DEFCON, we’re here if you know where to find us (at the QueerCon Mixer, it’s probably going to be in Chillout again next year), and you can make friends who also know what it’s like being something like you, and feel stronger because you have buddies now.

Something else rather interesting happened to me when I was on the floor headed towards Cloud Village. I saw someone in a shiny-looking helmet that reminded me a ton of Guy-Manuel’s helmet from Daft Punk, so a compliment was in order. They were very nice and let me have some stickers, as well as a small porcelain duck. Right as I was walking away, though, I noticed that the sleeve of their shirt bore the words Cult of the Dead Cow. The cDc (no, not the health organization) is a hacktivist circle that has been around for quite a while, and since DEFCON originally was a hacker party, members of the cDc can usually be found walking amongst the other attendees. It is rumored that every year, each cDc member attending DEFCON is given one unique duck to hand off to someone at random. If this is true, I do not know how members decide who to hand it off to or if the duck has some secret significance, but like many a duck recipient, every time I see that little friend, I remember that means I met a particularly nice member of the cDc.

Last but never least, there is the tale of the challenge coin. At some point during the CTF, I left Cloud Village in search of food, and while working on the CTF and eating a little something, a HackerOne person came up and gave me this heavy challenge coin. He said that if I decoded the message on the coin and posted it to a website, I could be entered in a giveaway and win a hoodie. (I cracked the coin on time, but sadly they didn’t choose me for the hoodie list.) Messing around, I could tell that the front of the coin had a message that wasn’t ROT13. It wasn’t until later that night that I realized there was ciphertext on the other side too - and not only was it ROT13, it said attending DEFCON is a BEAUtiful efFORT. So I gathered that the front might be encoded in some scheme with BEAUFORT in the name, but I needed sleep, so this became a breakfast problem…and I don’t know why it didn’t hit me sooner. The Beaufort cipher is a variant of the Vigenère cipher, which I should have known, especially since I was very much online when everyone was using the Vigenère cipher to decode secret messages in the second season of Gravity Falls. DEFCON was capitalized on the back, I thought, because it must be the key to the cipher rotation used in both Beaufort and Vigenère, so with some help from dcode.fr, we find that the message, which I then posted on the website, is “We have a new community website, looks dope, right?” Sigh. Even if that’s what I ended up finding, the search was still pretty fun. All in all, my first DEFCON was pretty fun, I didn’t get hacked, stolen from, or otherwise messed with, and I learned what DEFCON was about while making friends.
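For anyone who wants to see how the two sides of that coin relate, here is an added example (my own illustration, not code from HackerOne or from the post) of ROT13, Vigenère and Beaufort in a few lines. The coin’s actual front ciphertext is not reproduced above, so the example constructs it by running the decoded message from the post through Beaufort with the key DEFCON; Beaufort is its own inverse (C = K − P mod 26, so applying it again returns P), which is why one function serves for both directions. Non-letters are passed through without consuming a key letter, the convention dcode.fr and most hobbyist tools follow; that convention is an assumption, since the post does not say how punctuation was handled.

```python
"""ROT13, Vigenere and Beaufort as used on the challenge coin. Added example;
the Beaufort ciphertext is constructed from the post's decoded message."""
import codecs  # the stdlib "rot_13" codec handles ROT13 in both directions

A = ord("A")
KEY = "DEFCON"  # capitalized on the back of the coin, per the post
MESSAGE = "We have a new community website, looks dope, right?"


def rot13(text):
    """ROT13 is a Caesar shift of 13, so decoding is the same as encoding."""
    return codecs.decode(text, "rot_13")


def _shift_letters(text, key, combine):
    """Apply combine(letter_value, key_value) mod 26 to each ASCII letter,
    advancing through the repeated key only on letters. Case is preserved and
    punctuation/spaces are copied through unchanged (assumed convention)."""
    key = key.upper()
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            k = ord(key[i % len(key)]) - A
            v = combine(ord(ch.upper()) - A, k) % 26
            out.append(chr(v + A) if ch.isupper() else chr(v + A).lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plain, key):
    return _shift_letters(plain, key, lambda p, k: p + k)   # C = P + K


def vigenere_decrypt(cipher, key):
    return _shift_letters(cipher, key, lambda c, k: c - k)  # P = C - K


def beaufort(text, key):
    """Beaufort: C = K - P. Since K - (K - P) = P, the same call decrypts."""
    return _shift_letters(text, key, lambda p, k: k - p)


def decode_coin(front_ciphertext, back_ciphertext):
    """Reproduce the two-step read of the coin: ROT13 the back to get the hint,
    then Beaufort-decode the front with the capitalized key."""
    hint = rot13(back_ciphertext)
    return hint, beaufort(front_ciphertext, KEY)


if __name__ == "__main__":
    front = beaufort(MESSAGE, KEY)  # constructed stand-in for the coin's front
    back = rot13("attending DEFCON is a BEAUtiful efFORT")
    print("front:", front)
    print("back :", back)
    print("decoded:", decode_coin(front, back))
```

Running the script prints the constructed front and back ciphertexts followed by the hint and the decoded message; swapping `beaufort` for `vigenere_decrypt` on the same front text yields garbage, which is the difference the capitalized BEAUFORT hint was pointing at.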

Opportunities for future work: Personally, I know I will be going back next year. People have been known to amass knowledge from multiple DEFCONs like moss grows on a rock, and I aim to do that. I will also be serving as the lab’s unofficial DEFCON correspondent while I am still working on my doctorate. Whether you are more immersed in cybersecurity than I am, someone who has more of a background in a related area like policy or aerospace, a thrill seeker, or someone not working in computer science at all who wishes they knew a little more, if you are at least a little interested or you see yourself benefitting from learning at DEFCON, it is definitely more than worth it to go at least once. Plus, play your cards right, and you will end up in group chats and make friends you will meet in Vegas year after year to learn and live together for a bit. Speaking of friends in Las Vegas, Tufts’ own Ming Chow has had a history of running the Packet Hacking Village, and every DEFCON, he will take any Jumbos attending out for dinner. (Greetings from the CS 116 pcap!) That said, some words of caution to anyone who has not gone before: While some sources on the internet will fear-monger with lines like “trust nobody, not even yourself” and “put your phone in a Faraday cage,” you don’t have to obsess over security to the point that it obstructs your enjoyment of the conference. Goons (the staff/moderators of DEFCON) have worked to foster a culture of friendliness around DEFCON, so it is less likely that something bad will happen to you on the conference floor, and if it does, Goons are always there to help. Also, if you spend your time not trusting anyone, you may miss out on quality opportunities like having breakfast with someone new every day because you both signed up for the same thing and got your egg sandwich there. I brought a door jammer, installed VPNs on my phone, and I was fine.
When you go, plan to always have a buddy, and use your common sense whether you are up to something or not. Also, keep yourself boosted and safe: even though there were 10k of us, wear a mask (especially in crowded areas) and be sure to isolate and test as needed as soon as you come home, as some of our groupchat still caught COVID after all of this. I am available over at sarah dot abowitz at tufts dot edu if you have more questions or comments about opsec or other DEFCON topics. Still, though, many somewhat unconventional opportunities abound at DEFCON for learning, and I hope one day to see you there.

Presenter: Sarah Abowitz

ps: to that one attendee who jokingly called me a demon for using Vim…guess what I wrote this blog in. :)