This past weekend I had the pleasure of attending DEFCON, the world’s longest running and largest underground hacking conference. I was grateful for the opportunity, courtesy of WISP – Women in Security & Privacy – a non-profit organization whose mission is “advancing women to lead the future of security & privacy”.
This past year I have connected with some phenomenal allies in the Information Security world via Twitter. Typically I only used Twitter personally, to either talk to my friends or find the latest news thanks to #BlackTwitter. Since finding the #InfoSec community on twitter I have been fortunate to have been able to take advantage of great opportunities. One of which is being awarded a scholarship to attend this year’s DEFCON conference. To those not familiar with the conference, it is a 4 day conference featuring the world’s latest and greatest in the hacking community. It usually takes place sometime in August and is hosted in the very dry, very hot, Las Vegas. Going on it’s 27th year I had no idea what I was walking into. I have heard about the conference prior to going, as well as its notorious rumors – things like being super careful of shady characters, having to buy burner phones, and not getting on the “Wall of Sheep”. Luckily, WISP gave away a phenomenal 92 scholarships to women wanting to experience DEFCON so I knew I wouldn’t be completely alone in this new experience.
On the first day I had to pick up my badge from the WISP leaders in order to get into the conference events. This year’s badge is small electronic disc – about 3 inches in diameter with a quartz crystal front covering. According to resources, it was made by prior conference badge maker, Kingpin, and the crystal material comes from Brazil. The backstory on these badges is pretty cool so if you are interested I suggest you check out the story here. The fun part about it is that there are 6 different (I think, maybe higher) badges – one for speakers, Goons, regular attendees, etc – and they each sync to each other when in close proximity. You can tell if it is syncing by the blinking on the front and the badges exchange information and apparently there is a message to decode. I haven’t broken into mine yet (it’s so pretty) but I definitely plan to see what information I can get out of it.
Okay, badge secured – what’s next? Luckily, I was not alone in my journey to find what was next as I had the pleasure of meeting and connecting with the lovely Myeshia, aka my instafriend (lol), another scholarship recipient and fellow WOC in Security I first met on Twitter. She was my first highlight of the conference, as we just clicked instantly. So off we went to explore what the conference had to offer.
DEFCON was spread out over 4 hotels and it was overwhelming figuring things out, even with the maps, apps, and resources they provided. This conference hosted thousands of people, on top of Vegas already being a popular tourist destination, so fighting through the crowds was our first battle. We were able to jump online to get into one of the talks, “Intro to Embedded Hacking—How you too can find a decade-old bug in widely deployed devices” and rest after what seemed like an eternity of walking. The theatre was packed and after an hour or so we were ready to see what’s next. Many of the talks and workshops on Day 1 required pre-registration, a frustrating process to secure tickets that sold out in seconds might I add, and if you were unfortunate like I was to not secure a ticket had to wait online in the hopes for some empty no-shower seats. I wanted to participate in a Purple Team Capture The Flag event but unfortunately, after an hour and a change of waiting, did not happen. So Day 1 then becomes just a lot of exploring for me to get the lay of the land before I wore myself out and left to get some food.
Quick random FTW of the day – though my mission to get into the purple team workshop was a fail i DID however find the pop up Rick and Morty truck and scored some limited edition merch =] including this Pickle Rick pin!!!!
Day 2 was much more successful, and jam packed, since I already knew what I wanted to do. I met up Myeshia again and we journeyed over to The Westin Hotel to take part in the Diana Initiative. This is a two-day conference, held at the same time as DEFCON, and came about when 9 women decided to create something for “all those who identify as women/non binaries, and to help them meet the challenges that come with being a woman in Information Security with resilience, strength and determination“. Their mission is great and I was happy that I went. My favorite talk of this conference by far was the “All Aboard: Let’s GoPhish-ing and learn new tricks!” talk by Emilie St-Pierre, a penetration tester.
The talk consisted of walking the audience through what it means to “phish” (which is the act of pretending to be someone fraudulent to trick a user to give away sensitive information via email) and the various tools she used to accomplish this to help organizations better understand what they need to focus on in order to increase their security posture. It is a task I do at my own current role, so I was all ears. Other talks during this conference involved OSINT, better known as Open Source Intelligence – a topic not too foreign to me and I plan on exploring, as well as as talk about Github and their security practices and initiatives for students.
After the Diana Initiative I ran over back to DEFCON to catch my second favorite talk of the day (honestly, they might be tied the more I think about it). This one was about Exploiting IAM (or Identity and Access Management) in the Google Cloud Platform.
I’ve been taken an affinity to GCP and has been my focus platform for the past few months (hence the involvement with their certification *wink*). This talk definitely taught me more about circumvention possibilities to escalate privileges (meaning an attacker being able to make themselves go from a basic user to an administrator on a compromised account) via Service Accounts. The concept can definitely be confusing to those not familiar with the Platform or Cloud Security but I can bring back this knowledge to my everyday work! So happy.
Okay…four talks down. Lunch time. I highly recommend Bobby’s Burger Palace ya’ll. Their onion rings (diet, who?) and Cactus Pear Margaritas are HITTING. LOL, okay back to the conference.
After a well-needed break I came back to the conference for an evening of mixers / panels. First up was WISP’s Leadership Panel, highlighting various women in the industry and their thoughts on a variety of topics. They asked everything from their thoughts on industry changes in the field, what it takes to be a Security Professional, and personal experiences of their journey in a male dominated field. It was a great discussion and I was able to speak to some phenomenal women, one of which schooled me on cats because I want one despite my allergy.
The Last event of the night was a meetup/mixer hosted by the #BlacksinCyber Twitter group. It was great to see so many Black Professionals together in one sitting and am happy I was able to take part.
Will I be coming back? Absolutely. Despite being overwhelmed, I thoroughly enjoyed the experience. I was able to listen in and learn, and if you know me I am all about learning something new, as well as meet some fantastic people. I wasn’t able to do all four days, due to personal reasons, but next year it. is. on!
DEFCON still has a long way to go in terms of diversity – the conference is overwhelmingly male and lacking in diverse ethnicities – but this year there was an enormous push to get as many women as possible to attend. I remember being in line for a talk and seeing only one other woman and person of color on line with me, out of about 100 or so people waiting to get in. I am fully aware that this is still a male dominated field despite the efforts to change this narrative. I may be comfortable pushing the needle but it can be very intimidating for others who are not as comfortable as I. I hope this year’s precedent sets the tone for the future of DEFCON and even more women and POC can attend.