Hackers Descend on Las Vegas (as planned)
(All of the following views and statements are solely those of the individuals interviewed and are not necessarily representative of the views of Level 11.)
Loren: So we're gonna have a chat here about... about DEFCON. What number DEFCON is this?
Evan: This'll be 27? Yeah.
Loren: DEFCON 27. So what on earth has this community been doing for the last 27... iterations? Has it been years?
TJ: Yeah, years.
Evan: This is the 27th year of DEFCON.
TJ: In the US.
Evan: In the US, yeah.
Loren: Where did it start?
Evan: Well, it started in the US. They've been doing it for the past few years in China as well, which is an interesting place to do something like this.
Loren: Wow, okay. So let's give a basic overview of what DEFCON is. Pretend you're explaining this to me for the very first time because it's very close to my first time.
Loren: Assuming we know nothing: DEFCON. That sounds like that missile crisis thing. What is it really?
TJ: It's a conference. A security related conference. It tends to bring out the playful "security-paranoia", and puts it all in Las Vegas in the middle of the summer.
Loren: [ laughter ] Okay. Who shows up to this thing?
Loren: Well, okay. Is that why you guys are going? [ laughter ]
TJ: ...So like... security tinkerers, cybersecurity experts, uh, the federal government?
Loren: All the way up to the Feds?
Evan: So hackers, [and] anybody that's interested in computer security or bypassing computer security, reverse engineering, electronics, (consumer electronics, non-consumer electronics).
Loren: Is it bound just to electronics?
TJ: No... There have been some years where there's physical security that gets talked about. Because it's a culture of security, there's a lot of "the real life things". So, [...] there's these "villages" [DEFCON] calls them and they tend to be single umbrella subjects where they talk about different kinds of "securities". So one of them that I've been to is the "Social Engineering Village". And that one's mostly about talking. Often it gets employed in the phone systems where you call into customer service and you pretend ...like you fake it until you make it. And so... [It is] just another aspect of security that you get to "play" with [and] it's not related to technology.
Loren: Let's just do an introduction here. I'm Loren O'Laughlin, I'm the Design Manager here at Level 11. I have with me here two other Levelers. I have Evan...
Evan: Evan. I'm a production engineer.
Loren: Excellent. And we've got TJ...
TJ: TJ, also a production engineer.
Loren: We're gonna keep their last names secret because they're going to DEFCON, and we don't want to out them. (Although if anybody wants to out them... I'm sure they already could.) So ... as a production engineer, what is your major interest in this? And ... what does this conference mean to you as a professional? Obviously, both of you have deep interest in lots of different things that are outside your particular role. But ... what are some of the things that you hope to see and to learn while you're there ... that makes sense as to why? Like why, in an environment where you work with enterprise software, does all this "hacker stuff" make sense?
TJ: In some cases, a lot of the "security related things" that we fall victim to are not the "highly complex". They're the "so simple, they got forgotten". And so going to a conference like that, you get exposed to a lot of people who've been there. Who are speaking up to say, "Hey guys, like I learned this thing. I got hurt and you shouldn't."
Loren: Oh yeah? So... Is there some war story swapping at that level?
TJ: There can be. Yeah.
Loren: Like what?... You've been before, correct?
TJ: I've been to one. I've been to DEFCON 20.
Evan: I went to DEFCON 26 last year.
Loren: 26. Okay. So you guys have both been before. What were some of the stories that made you go: "Okay. I think this is valuable for professional development."
Evan: There were a lot of things that I picked up that were useful for just changing the things I look out for day to day as a production engineer. As a production engineer, you touch so much across an organization that you kind of have to be a renaissance man... You have to have breadth and you don't necessarily need to go super deep, but you need to know a little bit about, just about everything so that you can spin up on whatever somebody is working on really fast. So there was a lot of variety in topics... they were running into the same problems.
Evan: So, I went to a "Sky Talk". Sky Talks at DEFCON are unrecorded talks that are specifically in a different room.
Evan: They specifically say you cannot record this. If they notice that you're recording, they will escort you out. You have to demonstrate that you have turned off your phone and you're not bringing any recording devices in. That allows people to be a little bit freer about what they talk about.
Evan: So one of the Sky Talks I went to last year was about security in power generation in the critical infrastructure sector. So that's stuff like power generation. You know, diesel electricity plants or steam plants ... things like that. They did it in a Sky Talk because they were two professionals that worked as penetration testers in critical infrastructure stuff. And they didn't want to be like in public saying like, "Yeah... This stuff is super vulnerable."
Evan: This entire industry doesn't pay attention to how their test environments closely resemble their production environment. So if you can get into a less well-secured test environment or staging environment, you can learn about vulnerabilities that are probably present in their production environment. So things like that.
Evan: Also internet of things (IoT) stuff is really big at DEFCON now... And you know... We do IoT work. We do magic devices and things like that. And in one of the Sky Talks, a guy did a talk about his auditing of internet connected "marital aids ;)"... and how he was able to do an enumeration attack against the endpoint that one of these devices talks to. And [he] was able to enumerate the profiles, profile pictures and like down to granularity of like what city they're from.
Evan: ...Last known IP address, lots of personally identifying information on an internet of things device. And so maybe we don't make those devices, but we make other IoT devices. And so now I know to look out for enumeration attacks that get to profile services that might be used by an IoT device we produce.
Loren: (I'm doing everything not to ask if this guy was also doing penetration testing.)
Evan: Yes... He also made that joke... He brought out one of those waterproof Pelican case suitcases and opened it up and everything was in their own little sized cut out. And he was like, "it's really fun to bring through the airport". Uh... [ laughter ] cause he just gets to open up this thing with all these sex toys in them.
Loren: TSA gets to go. "Um, sir, could you please, uh, you know, uh, handle the item," not "your item." [ laughter ]
TJ: Oh man. Speaking about TSA... That's always a really interesting experience... Because they make, they make small talk and once you make it known that you're going to a security conference... Sometimes they treat you with a little bit more thoroughness.
Loren: Oh yeah? Is this something you've experienced firsthand?
Loren: Are there things that you can't take through TSA that you're taking with you? You don't have to divulge your plans, but...
TJ: I think that that's the thing. Most of the stuff that we bring, you're allowed to bring with you.
TJ: They might be a little socially off-putting to see them just because "normal people" won't see lockpicks and be like, "Oh yes! Good will be happening with [lock picks]".
Loren: [Are you] bringing a set of lock picks?
TJ: I'm bringing a set of lock picks.
Evan: Oh yeah. The Lock-Picking Village is huge!
Loren: Okay. So that's when you're talking about things like physical security. It's down to like, you know, old school lock picking.
TJ: Yeah. But you, ... become aware of how you stand out in public too. So, you know, uh, like I said, lock picks might not be great by themselves, but you can play to that scenario by, you know, bringing practice blocks, (which you probably want to bring practices). So you have a, like a legit story says, "I have practical non-threatening use of this. I'm going to a security conference." All of these pieces check out.
TJ: And so you get to be a little bit more discerning of details like that, which you get to scratch a lot of that like mystery itch when you're at DEFCON as well, like pretending that you're a spy and all that.
Loren: So there's definitely a little bit of a role-playing aspect to attending the conference?
TJ: Yes. So one of the big things about DEFCON is, uh, the amount of effort that's made into putting the conference together. These badges, (especially the electronic ones), they're actually part of a social game that if you choose to participate in them, there's, there's a pretty rich set of game mechanics that's mostly around, [...] just talking to each other. I think that that's one of the big things. Security is not in a bubble and they've designed the game rules so that you must communicate with your fellow other, in order to succeed, you just have to be skilled to break all the rules, (which is also encouraged).
Evan: The badge puzzles were originally envisioned as THE way to get shy nerds to talk to each other. Because it was a situation where, you know, like you get a lot of really technically minded people (that aren't necessarily the most social), together into a situation. And then there's a lot of shoe-staring. And if you make a puzzle that you can't solve alone, then that's a great way to get a lot of antisocial nerds together talking to other antisocial nerds.
Loren: That's fascinating. This makes me think about things like, you know, the experience economy in general, the fact that we're heading into a time and a place in the world where ... essentially we are manufacturing shy nerds. It's like never before. And so basic principles of game mechanics like this that apply to an industry that's hyper-focused on this particular set of constraints like this is like broad applications for all people everywhere.
Evan: Well, especially anybody that's trying to build magical objects. Build things that at first glance are kind of, [insourceling?]... and really catch your attention and make you think "well how does that work"? That's the literal point of these things is figuring out how they work. "This one more than this one. This one is just a bunch of tools".
Loren: So you [Evan] were showing me this badge that you've got. It looks like Jerry from Rick and Morty. It's got his eyes lit up [on the circuit board].
Loren: So there's that one. And so did the Jerry's head come with the badge?
Evan: No, actually… [Pulls on badge]
Loren: oh, it's detachable.
Evan: The Jerry's head was given to me in an elevator by a guy who asked me if it was my first DEFCON and I said yes. And he's like, well then here you go. Welcome. So this is an Indie badge.
Evan: So lately people have been producing independent badge add-ons. In fact, they're designing an entire protocol and standard for the interconnect. So this is a "Shitty add-on v1.0" interconnect.
Loren: So is "Shitty add-on" the official name of these things?
Evan: Yes. And they've revved it. And they're gonna do a "Shitty add-on v1.69-biz" this year. (Which adds two pins to the connector.) This is power and ground. And then it's got two pins for serial. So this one is just dumb and all it's got is LEDs on it.
Evan: But there are other ones that have their own microcontrollers and can talk over a local area network between badge add-ons, and sync up their lights and things. So some of them flash and do different things and you can talk to the underlying badge through the I2C protocol through those pins. And so you can add firmware to the mother ship badge to control these if it's got a microcontroller on it. (This one does not, but others do.) But there was a really cool one last year (which was the first year that they started doing Shitty add-ons) that was a tide pod, um, that would do different things if it was plugged into different badges.
Loren: Was it an actual tide pod?
Evan: It was a circuit board like this.
Loren: Oh. It's just printed to look like a tide pod.
Evan: Yeah, it was printed to look like a tide pod.
Loren: We don't have tide pod IoT?...
Evan: No, not yet! But there's a lot of work into making circuit boards that are both functional and art.
Loren: So... Rick and Morty ... it's a pretty prominent cultural touchstone at this point for a certain generation. But like... Tide pods?... We're starting to dip really deep into meme culture here. Is that like a big part of the whole ethos? What are you talking about?
TJ: There's so many different people coming together and their only common ground is security. And so you have some playfulness. I think that historically a lot of the culture you'll see is the rave or cyber punk sort of "gritty" culture.
Evan: There are a lot of dudes wearing full length leather dusters in 110 degree Las Vegas weather. I'll tell you that.
Loren: ...So are there hygiene rules?
Evan: There actually is! There's the 3-2-1 rule.
TJ: They're very formal about the hygiene rules.
Loren: Oh dear. What? Okay. So break that down for me.
Evan: 3 hours of sleep minimum a night.
Evan: 2 meals a day.
Evan: 1 shower!
Loren: These things have to be enforced?
TJ: It's a social rule. They kick off every DEFCON with like several iterations, re-iterations... Just saying, "Hey, we're all in this closed space together guys. We all know the reputation [of poor hygiene] that this group [SW/HW engineers] has and therefore please present yourselves like decent human beings."
Loren: ... I imagined that something like this: You start with this sort of core of very unique individuals, but then there are probably concentric circles of different culture around them. Do you see people at these conferences that don't sort of strike you as being the typical neckbeards? What are some of the surprising participants that you've seen?
TJ: So the one participant that strikes me is the commander of our, (I can't remember his title...) of Cyber Command? He came in wearing shorts and a Hawaiian shirt walking around. But we could tell that it was him because he had full armed security walking around with him.
Loren: Do you think that he was putting on or do you think that's just how he rolls?
TJ: He definitely was playing for the attention because his, his talk ended up being some sort of a pitch for "join the Cyber Command". Yeah.
Loren: And that was, that was recruiting?
TJ: He was recruiting. He wasn't, he wasn't shy about that.
Evan: The NSA did a talk last year in one of the main halls.
Loren: Does that get much traction in a group like that? It seems like some people would be interested and, other people would be offended.
TJ: The whole thing is that they are invited. They're actually invited. This [DEFCON] should be something like a "demilitarized zone (DMZ)" where we can share ideas and not fear retaliation as long as we're not breaking the law... But for the Feds that don't want to be "outed", there is another game called "Spot the Fed", where you publicly identify ("out") a Federal Agent and there's a wall where you just show the list of feds who've been outed.
Evan: Speaking of games, there's also the "Wall of Sheep", ... A wall of television screens that show who got "busted". So ... they'll put your name and any identifying information they can find out about you if you didn't properly secure your stuff and somebody breaks into your laptop or your phone or whatever. Which is why like every year I bring a burner laptop and a burner phone. And the burner laptop gets wiped of all identifying information before I leave. And then the moment I come back, I don't connect it to the network, I wipe it out again. And the burner phone is a prepaid, cheap phone that I can bring. And that, somebody [could] bust into it. I import my contacts, but then I change all the names of my family members and stuff.
Loren: Um, so, protect the innocent?
Evan: Exactly! And so that they can't use the Facebook graph algorithm to figure out who I am based on these friends that I have in my address book. So there's all of that kind of like paranoia. There's lots of paranoia at DEFCON.
Loren: Is the paranoia healthy?
Evan: Well last year my phone got hacked. Somebody was running a rogue cell tower and they force-downgraded my phone's firmware to a vulnerable version. And then they were gonna try to hack into it. And I noticed that it was rebooting and pulled the battery and then just didn't use that phone again. But yeah, there's a lot of paranoia and I don't know if it's healthy, but it's definitely warranted.
Loren: Thinking about this as an opportunity ...here in the office we sort of can get comfortable about the fact that we have certain environments and we are here in a nice clean space. But I imagine that there's some value in going... It's kind of like camping. You go rough it a little bit, just remind yourself you can survive. So when you go to DEFCON what are some of the things that you're looking to prove to yourself while you're there?
TJ: With the Villages ... (I've only been once, but this upcoming...) I'm hoping that there are some challenges presented in the common space where it's like, "Oh yes! I actually have the skills to compromise this test scenario." So there's some of that. And maybe in the short time that I'm there I can grow my skills in order to [participate]. I show up and I'm like, "oh no, I can't do this", but then I leave and I actually have a better understanding of the exploit and therefore how to protect against it or how to, you know, isolate it. Just how to take care a little bit more.
Evan: There's a lot of shared resources. Last year I spent some time in the IoT village and this year I plan to spend even more. Last year I rolled in and I had a laptop. But I didn't really have a lot of the tools that I realized I needed to be able to really take advantage of the hands-on time in the IoT village. And so that's going to be one of my challenges is getting all of these weird bare PC boards and rest wires that I can hook into devices and stuff through TSA so that I can actually be prepared and properly outfitted to take advantage of the IoT village.
Evan: I think DEFCON is a great safe place to learn. And it's a great opportunity to be 50% into hacking some wifi connected tea kettle and be like, "Oh, I'm stuck". And the guy next to you is like, "Oh, hey, have you tried this?" And it's a great place to learn from other people that have a lot of experience or maybe the same amount of experience as you. Or less experience but they think differently. It's a lot of fun to go there and just immerse yourself in it. And be open to learning stuff that you didn't know you didn't know.
Loren: Are there any "kinds" of friends you're hoping to make?
Evan: I like making friends with people from other continents. At a security conference that I went to in Chicago recently, I met a guy from Santo Domingo and we worked on some car hacking stuff that was in one of the villages. So that was a lot of fun.
Evan: And it was fun talking to him at the party the night before the conference when we worked on stuff together.
TJ: Yeah, I like to meet people who either use obscure tools that I'm using or maybe work on tools that I use. There's a big open source community and so that's really cool too. That we have this big conference and everyone is using open source software, and where the Shitty add-ons and all that is open source hardware or just like powered off of a lot of that.
Loren: So do you guys have any ambitions to make Shitty add-ons of your own?
Evan: I'm planning on making one for next year because this year is not an electronic badge year. So I won't necessarily have anything new to hook it up to this year. But next year I want to make "Oscar the Grouch wearing aviators", which is my avatar on everything, like on GitHub and Slack and everything.
Loren: So what are you taking with you this year? That's cultural touchstones?
Evan: Hmm. Well, I am making some graffiti slaps -- some graffiti stickers, that I want to trade for stuff. And currently what I'm working with is the old punk rock adage: "All cops are bastards". So I'm making some stickers that have the old Bell telephone logo on them and it says "ATAB. All telcos are bastards." I'm going to see if I can't trade that for some cool stuff.
Loren: Is that a personal vendetta you have or is it just opportunistic?
Evan: I mean it's, it's... All telcos are generally bastards...
Loren: Well... It's just a fact?...
Evan: Yeah, I think it's fairly uncontroversial.
Loren: The fact that they had a monopoly, were broken up and they are re-creating their monopoly all over again. It's pretty self-evident.
TJ: So culturally there's this whole edginess that's kind of "on brand" with DEFCON as well.
Evan: And there's a lot of stickers that you get there. Everybody has their own stickers and all the laptops are covered in stickers. So I want to sort of get into that collaborative environment of "barter", right? Like "that thing is cool. Do you have any to give away? Cool. How about if I give you like five of these stickers, can I have one of those?"
Evan: That's how a lot of the Shitty Add-ons work is that you don't buy them. You trade yours for the other guy's. ... I'm looking to sort of get into that environment cause it's interesting as a production engineer... I don't really get a lot of opportunity to do anything that you would consider art. It's a lot of engineering. And so this is a good creative outlet for me. To make up some goofy graffiti slaps.
Evan: ...And trade some stickers with some people. Maybe slap it on somebody else's laptop while they're not looking.
Loren: And there you go. Well cool. What about you, TJ? You got any ambitions for...
TJ: So from my last time, I was still straight out of school. This year I want to at least have the competing equipment I need in order to participate in some of the things. [Last time] I didn't have a computer, it was just like whatever was at the Con is what I interacted with. Or whatever I was able to buy, I would do that. So it's a thing. I think I just want to do a little bit more of that. Get some hands-on experience with some of the security tools that I might come across. Anything that is in the villages that I might need to download or whatever, I will probably do that beforehand and prepare for that. Hopefully soon we'll get more of the talks and more information about what will be offered that we'll be able to prepare for it.
Loren: Cool. So if somebody wanted to go to DEFCON this year... Are they already sold out? How does that work?
TJ: Tickets. Tickets are... It's all cash. And you have to line up.
Evan: They call it "LineCon". It starts at like 1:00 AM and you usually bring an 18 rack of Tecate, you know, whatever. And then you stand in line and barter for different alcohols. Hang out in line and drink it at 1 in the morning. And then you get up to the front of the line at about 6:00 AM and you trade $200 for your badge. And then you take your badge and either it's an electronics badge and if you care, you start trying to reverse engineer it and take it apart and figure out what all the components are. And that's when the long, but fun death march of DEFCON can begin.
Loren: So you just show up and you hope you get a ticket.
TJ: They don't sell out.
Evan: They don't, they always have enough.
Loren: Okay. Okay. So I thought the answer to my question was that it was already sold out.
TJ: No, they don't sell out.
Evan: Hotels are probably sold out. That's the hard thing. The housing. You can show up and you can get a badge to DEFCON. It's the question of where are you gonna stay? And some people, the answer is they don't. They just hang out and couch surf on people's floors or whatever.
TJ: Or they drove here so that they can bring things they couldn't fly with, and just hang out.
Loren: And sleep in their car for the mandatory allotment of time. And then go wash in a fountain or something. The poor YMCA down the street is just completely abused that week.
Loren: If somebody wanted to go this year, what would a good primer... By chance they're reading this... And they're like, "that sounds like something I want to do." What, what would they need to prepare themselves?
TJ: There's some extreme things that we're doing, like burner [phones, laptops]. The reason why you do that is just that you don't identify yourself or you're not opening yourself to be increasingly identified by the, the aggressive... Like a skimmer of data for wireless stuff.
TJ: But you probably don't need anything! If you're just going there to immerse yourself. You can come in. You can have a good night's sleep and show up when the line is gone and just pick up your badge. You can just look at the schedule and just visit talks. And that's fine! That's a completely valid experience and that was my first experience.
TJ: But if you are more seasoned... Then you might come in and prepare in advance. And send your development materials through the mail to the hotel you're staying at. (So that way you don't have to go through TSA)
Loren: ...And how do the hotels feel about all this?
TJ: Security researchers are not even the seediest of their clientele.
Loren: ... I guess it is Las Vegas, right?
TJ: ...[Casino] Security in general. They don't really appreciate the presence of DEFCON and Black Hat, (which is the, the more hardcore security conference that precedes DEFCON by a few days.) They don't really like us being there. Because there are a few people who kind of push their luck and intimidate the other casino goers. And that's a thing that might happen in a group like this...
TJ: You can experience it in many other ways that it's not just the conference itself too. When you're there during business hours and all that. There's the activities that happen around it too.
Evan: There's a lot of hotel room parties.
TJ: But there's also some official DEFCON stuff that goes on too. It's all trying to make sure that everyone is appropriately engaged just being there.
Loren: Cool. Well, thanks for taking some time and sharing why it is that you're going and what you find to be really interesting about DEFCON. Hopefully this is a good intro to someone who didn't know what DEFCON was or certainly didn't have any idea about why on earth enterprise software people would be going and doing something so seedy and nefarious. [laughter]
Evan: All right, cool. That was fun.
TJ: Yeah. All right.
About the Interviewer
Loren O’Laughlin is Experience Design Manager at Level 11 where he leads the teams that build immersive brand experiences with clients. His favorite guiding questions are “Who’s it for?” and “What’s it for?” As any great partner, he expects good answers and will help you uncover them. Probably while standing at a whiteboard.