The Top Five Highlights of Defcon 27

Voting Village at Defcon 27

I love Defcon. For years, since I was a young script kiddie in high school, I had attending Defcon, the crazy huge hacker convention held every year in Las Vegas, on my bucket list. Now, Defcon 27 was my third Defcon and I seem to enjoy the conference more every year.

I could, and have, talked about Defcon and my love for the Defcon community at length…but I won’t here. What I do want to share is a short list of some of the best things I saw, learned, and experienced this year at Defcon.

5. Social Media Manipulation

One of the first main conference talks I attended this year (meaning it will be posted online at some point) was about social media manipulation. The primary point of the talk was discussing a particular botnet worm that a group is using to generate fake clicks, comments, and other engagement, but the talk was an interesting tour of the dark side of social media all together.

When I attend Defcon I do it as myself and work hard to keep my “day job” at arms length so that I can enjoy the conference and not feel like I have to tie it back to my professional work in any way, but obviously in my role as CTO of Studio71, this topic is of particular interest and I think there’s more the Studio71 team can do to research this topic in the future.

4. Everything Your Dev Team Does is OSINT Fodder

I’ll be very short here as this talk was off the record, but it’s amazing to think about how much information you and your teams leak by using standard development tools, such as Jira. Click a link from a ticket and your referrer information tells that site little bits of info. Is all of it bad? No, but added up and it could be. Something to think about.

3. Biohacking Disclosure Issues

Some people go to Defcon and hyperfocus on one or two topics they are particularly interested in, such as hanging out the whole time at the lock picking village. I love to talk to those people, but I’m more of a Defcon omnivore, roaming around the conference popping in to lots of lots of different things that sound interesting even if I have no plans to follow up with that topic later.

For example, on a whim, I walked in to a talk on biohacking and it was a panel discussion on the issues involved in biohacking (ex: finding security flaws in medical equipment such as a pacemaker). It’s not entirely shocking, but the medical industry has a long way to go in regards to responsible disclosure of exploits and ensuring all devices are as secure as possible. Really interesting stuff, and the key take away for me is: If I ever have to use a device like a pacemaker, dialysis machine, etc, ask a lot of questions and search the internet for the device maker before you move forward. The last thing you need is a pacemaker with exploitable software lodged in your chest for years.

2. The Fake TSA

There was a long line (no uncommon) to get in to the Defcon Arcade party on Saturday night. Just as the doors opened and the line started moving a group of guys wearing blue polo shirts ran up next to the line, set up a table, put bins on the table and started asking people to present their bags, take off their shoes, and walk through a metal detector. This was a joke. It was very much a joke…and yet…that wasn’t clear or that bit of monkey brain we all have that was programmed by almost two decades of travel didn’t want to question it for a lot of people. People started to grumble while taking off their shoes, and as I walked around the TSA stunt I heard one of the “agents” telling someone: “Dude, calm down. It’s a joke!”

Don’t let security theater seep in to your monkey brain.

1. Hack the Vote

The Voting Village is always equal parts awesome, enlightening and depressing…ok, maybe it’s 60% depressing, 20% awesome and 20% enlightening. This year, I took part in a group discussion, again off the record, with various election officials on what they can do to improve their security. I really feel for the gentlemen we worked with. I really believe they are doing everything they can to protect the vote in their counties (from a midwest state) but they are handcuffed on two key elements: The antiquated, potentially un-patched, voter registration system managed by the state, and the lack of decision making power to force a move to paper ballots.

I’d love to find ways to help on this, but the red tape and infighting make that so difficult, but even if I could step in an officially help these two midwest counties, what could I do that they haven’t? Maybe tighten a few things like forcing longer passwords, but if the State is unwilling or unable to upgrade their system and confirm that basic system maintenance is taking place, what can anyone do about it? The Federal government is the only entity that can, and we all know that one party is…disinterested…in making these critical changes.

See you next year, Defcon.

(And see you in October, ShellCon!)