Black Hat 2023 and DEF CON 31: Two Conventions, One Long Week


Written by: Allyn Crowe, Senior Security Engineer

Ron Temske, VP of Strategy, gave us a little insight into what he saw at Black Hat 2022 and DEF CON 30 last year when he attended by himself. This year, a small group of Nexum folks attended these conferences together. Ron and I participated in both Black Hat 2023 and DEF CON 31. Cory Kramer, Principal Engineer, and Jody Hodge, Director of Engineer Solutions, joined us later for DEF CON.

It was my first time attending these conferences, though I network with several frequent attendees on social media. Some of them I have never met in person, others I have. Looking at DEF CON especially, the common thought is that “it is what you make of it.” For some, a significant motivator is meeting up with friends they only see once or twice a year at events like this: hanging out, food, and drinks (and maybe some shenanigans). For others, it is a learning conference with training, talks, and workshops in the various “villages.” With these varied viewpoints, different elements of DEF CON can be great or not so great. There were ups and downs, but overall, I had a blast and met some folks in person for the first time! I am looking forward to going back next year.


Black Hat 2023

Ron and I started the week off at Black Hat. For those who don’t know, Black Hat is the “more professional” conference that grew out of requests by folks attending DEF CON. This was its 26th year and felt like a familiar industry convention in so many ways. We opted for just the Business Hall passes and spent time on the show floor talking with vendors, looking at solutions, and all the “normal” things you do at an industry convention. Here are my general observations:

  1. Cloud security posture management (CSPM) and variations of it are BIG. As we’ve seen in the industry, this segment is gaining speed. Many of the more prominent, longer-established vendors and the newer entrants (many in the Startup Village) were giving their take on both CSPM and the growing attack surface management (ASM) security segments. There will be some market consolidation, but seeing how each vendor put their spin on things was interesting.
  2. Governance, risk, and compliance (GRC) is beginning to weave into more products. This was somewhat expected given the framework mappings that CSPM and ASM products build in, but it also showed up in other places. GRC is not new, but I haven’t historically seen it translated into product features as much as it seems to be today.
  3. Creative swag wins the day. I appreciated the mini retro gaming platforms (think of a nostalgic portable console made by a certain Japanese gaming company). I can now relive my formative gaming years by playing some Contra.


While we spent a reasonable amount of time on the floor, there is so much more at Black Hat that you can do. There are trainings, vendor briefings, keynotes, and much more. You could certainly make this one of your primary security conferences for the year.

Jody and Cory joined us on Wednesday. We enjoyed the evening with our partner, Appdome, at their VIP Night of Comedy featuring Howie Mandel and Gina Yashere. We appreciate our partnership with Appdome and look forward to hosting many more incredible events.


DEF CON 31

We were all up bright and early on Thursday for the first event of DEF CON: LineCon (the colloquial name for standing in line to get your badge to enter the conference). As a “hacker conference,” a great deal of attention is given to anonymity. While in the past this was a somewhat essential requirement, I feel these days it is more a nod to tradition than an actual necessity. Part of this tradition is cash-only purchases: while some tickets are available for pre-purchase, on-site purchases of your badge and official merch are cash only. We waited roughly two or three hours in two different lines, passing the time by chatting and working on our situational awareness to avoid getting bopped in the head by the inflatable objects bouncing around the halls.

Properly badged and merch acquired, we were off to the conference itself. Here are some of Cory’s observations:

  • I learned a lot at the villages.
    • Turns out I’m better at lock-picking than I thought. Sessions discussed lock picking and how to use it during physical penetration testing (and how to look/act like an elevator tech during an engagement). One of our customers was a judge for the lock-picking tournament.
    • Social Engineering Village is one of the busiest and most entertaining. I attended the cold calls portion, in which an attendee was locked into a soundproof booth and made a call to a random business to get the target to divulge a few critical pieces of information. The crowd roared when one participant, acting as a compliance auditor, got a pet store manager to expose a ton of information.
    • Car Hacking Village showed us how to exploit vehicles with the car’s controller area network (CAN bus).
    • Packet Hacking Village had a few great workshops to learn hands-on.
    • Password Village had great hands-on workshops as well, covering modern authentication.
  • Organizations invite you to hack them so they can improve their security.
    • The Pentagon asked people to hack their satellites with a $50k prize to the winning team. Through this process, the Pentagon discovered weak points and tactics an attacker would use to compromise their satellites.
    • Biomedical manufacturers had a similar setup where they invited people to find and disclose vulnerabilities.
    • AI Village invited people to train the large language models (LLMs) with incorrect information. For example, someone convinced the AI that 9 + 10 = 21.
  • Everyone had a ton of blinky badges.
  • Lines were no joke.
  • It was the most diverse group of people and the most inclusive conference I’ve attended.
  • I’d return now that I know what to expect and probably spend more time skilling up on areas I’d like to use to enter competitions.


Like Cory, I spent much of my time focusing on the villages. One of the things reiterated by many seasoned DEF CON attendees in my research before going was to focus on just a few things and not try to do everything. DEF CON is massive, and trying to do everything is impossible and overwhelming. Here are some things I hope to do when I return next year:

  • Spend more time learning in the various villages. They all have amazing volunteers who are willing to help and guide you.
  • Take part in at least one Capture the Flag (CTF). I’m not a Red or Blue Team resource, but there are so many different options in CTFs that I think I could have at least a little fun with some practice ahead of time (especially with a team).
  • Bring a trading item of some sort. DEF CON is a fun community of folks. Trading stickers, poker chips, coins, and badges is part of the fun!


But That’s Not All

While we’ve only focused on Black Hat and DEF CON in this post, there were other events in the area around the same time (in addition to smaller special events at DEF CON itself). Some of them are new, others have been around for years:

  • SquadCon, presented by Girls Hack Village
  • The Diana Initiative
  • BSidesLV


These events, parties, meetups, and sessions fall into the “Hacker Summer Camp” arena. It was a fantastic experience, and I look forward to returning next year!
