DEF CON Survival Guide

This guide is aimed at some of my co-workers who are going to DEF CON for the first time. If you aren’t my co-workers, the advice may be less useful.

I’ve been going to DEF CON since 2003. Since then, we’ve moved hotels 3 times, and grown about 5-8 times larger. It’s a blast, and something I look forward to each year. It’s called hacker summer camp for a reason.

Basic Survival

You are going to Las Vegas. It’s a desert and inherently hostile to human life. You are then going to an establishment that’s inherently hostile to your finances while capable of feeding all of your hedonistic needs. This is a very fun, inherently hostile environment. Do enjoy it, but do so with your eyes open.

Operational requirement 1: Come back alive

Follow the 3-2-1 rule, which is the reduced version of the 5-3-1 rule.

3 Hours of sleep.
2 Meals.
1 Shower.
Minimum Daily.

This is designed to keep you functional and reasonably clear headed. Drink water. Drink lots of water. This is for your own survival. It’s worth it.

Operational requirement 2: Bring your team back alive

I strongly recommend traveling with or making contact with a trusted friend at DEF CON and having regular check ins and touch points. This is basic traveler safety, at some level, but is uncommon during domestic travel in the US. I treat DEF CON like I’m traveling internationally, and act accordingly. You need to know somebody is going to go find you if you go missing. And sooner rather than later.

Aside: Technology security

Remember all the vulnerabilities you’ve heard about that require you to be on the same layer 2 as the hostile attacker you’ve read about in the last year. You are about to be on the same layer 2 with them. That applies even if you are planning on using cellular only, as cell site simulators are now common in the area of DEF CON. You’ll be connected to something, but it’s never quite clear what.

Here’s my suggestions: Don’t take your work laptop. Assume any local area network in the area of DEF CON (within a quarter mile of the Paris or Bally’s) is compromised. Don’t update any software while on the DEF CON network. Use a VPN. If you are going to use a network the DEF CON supplied wpa2 network is actually your best choice. I’ll update this post when I have more data on where to set this up. (update http://wifireg.defcon.org ) I carry a burner chromebook, and a phone that I wipe before and after DEF CON. I suggest you do the same.

Doing DEF CON

DEF CON started off as a party, and in many ways, still is. It is now a party with staff, talks, contests, prizes, rewards, and a significant history.

DEF CON is a full participation sport. The best way to experience DEF CON is by actually doing stuff. Over half of the event space is used for not talks. Visit the villages, booths and other gathering spaces. Ask people what they are up to and what they are doing. Not everybody is friendly, but most are willing to show you the cool toy they are working on.

If you want to see the talks, you have a few options. First, show up in the room with the talk. Depending on the popularity of the talk, that might require you show up in line a hour before the talk. Sorry about that. As a second option, if you have a room in the hotels, DEF CON TV is an option. The main tracks should be on 4 channels on your in room television. Lastly, I get a digital copy of the talks shortly after DEF CON each year. If there’s something you are interested in, we can watch it.

Skytalks are not recorded. That’s a feature of them. If you want to see something listed as a Skytalk, you’ve got one shot. Go see it in person.

There are a lot of parties. An awful lot of parties. The best way to find parties you like is by finding people you want to party with and getting them to invite you. That means socializing, so see the above options to walk up and chat with people. Also, be very wary of who you party with. The really bad stories I’ve heard start with going to random parties. It’s a multi-edged sword. Remember, Eyes open.

Speaking of people, there’s lots of people from many walks of life here. Breakers, builders, testers, policy people, feds, locals, military, academics, business, and everything in between. There’s no reason to take anybody at their word. If you are going to act on anything you’ve heard, find a way to verify it first. Messing with people is considered an art form here. See the twitter hash tag #baddefconadvice .

Finally, explore the event. The nature of my role at DEF CON is that there’s a lot of stuff I know happens, but I have never seen. Explore the whole event floor. Read the website. Then read the forums. There’s DEF CON, and then there’s the greater community of things happening around, near, and at the same time as DEF CON.

Hope some of that helps.