For U.S. officials, the world’s largest hacking conference isn’t all fun and games
The DEF CON hacking conference presents some very real risks, say current and former U.S. cybersecurity officials and conference regulars.
LAS VEGAS — The easiest way to embarrass yourself at DEF CON, the annual Las Vegas confab of the world’s largest collection of hackers: ending up on the Wall of Sheep.
The live, interactive display board lists the username and password of every attendee who’s just committed the worst sin imaginable at a hacking conference — getting hacked.
Silly as the Wall of Sheep may sound, keeping your phone, tablet or laptop secure at DEF CON is no laughing matter. And that’s especially true for the growing group of U.S. officials who travel West each August for the conference, named after the alert status the U.S. military uses to classify the threat of nuclear war.
When you spend three days with 30,000 people who love cracking code, you’re always just one errant click away from sheep-dom. In fact, fending off the maze of Wi-Fi sniffers, hardware hackers and social engineers at DEF CON is a little like going toe-to-toe with elite, state-backed cyber spies, according to one senior State Department official.
“Almost treat it like going to China,” said the official, granted anonymity to offer frank and colorful advice to a DEF CON first-timer. “Really treat it like going to a technologically sophisticated peer competitor.”
At this year’s conference, which wraps up Sunday, the Wall of Sheep was located in a dimly lit auditorium off the main conference floor. It included, for the first time ever, a live feed with the location of individuals who were leaking data. As of Friday afternoon, there were at least 2,000 sheep at DEF CON, per the floor-to-ceiling projection. Their personal information was, mercifully, partly blacked out for privacy reasons.
Since the first-ever convention in 1993, DEF CON has brought some of the world’s most talented computer security wizards into the Las Vegas desert to scour software, hardware and networking equipment in search of vulnerabilities.
Operating under the principle that the best way to secure computer code is to expose it, attendees have demonstrated some truly jaw-dropping research over the last three decades. They’ve taken over the controls of cars, tricked ATMs to spew out cash and sent insulin pumps into overdrive, to name a few memorable hacks.
Feats like that have turned the convention into an increasingly common pit stop for top U.S. government officials, dozens of whom are in attendance this year. DHS Secretary Alejandro Mayorkas, CISA Director Jen Easterly and Acting National Cyber Director Kemba Walden are all in Las Vegas for DEF CON and Black Hat, its more corporate-friendly counterpart.
But the convention didn’t earn its reputation as “the world’s most hostile network” just because of what happens on the main stage.
“There is a criminal ecosystem out there,” said Marc Rogers, the conference’s head of security. “You probably don’t want to access your corporate email over the DEF CON Wi-Fi.”
One White House staffer who works on cyber issues said he received a security briefing before making the trek down to Vegas. The staffer, granted anonymity to speak openly about the briefing, said he was advised to turn off Bluetooth and Wi-Fi, to avoid bringing unnecessary devices, and, when possible, to use a Faraday bag — a pouch made of conductive metal that can block wireless signals from hitting your phone.
Rogers also recommends bringing cash to the event. In part, that’s because attendees in past years have snuck fake ATMs into DEF CON. It’s also because on-site vendors refuse to use point-of-sale devices — which let consumers tap or insert a credit card, for example — for a simple reason: they don’t trust them.
“PoS doesn’t stand for Piece of Shit, … but it probably should,” said Monika Hathaway, the DEF CON staffer to whom a POLITICO reporter recently handed $440 in cold hard cash, the price of admission into the conference.
The several hundred red-shirted security staff like Hathaway who patrol the 550,000 square feet of Caesars Forum are all volunteers — a sign of how many people find the event irresistible, despite the security risks. They even get their own official moniker: “goons.”
In addition to its own vocabulary, DEF CON has given birth to its own games (“Spot the Fed”), its own swag (nothing here is as valuable as those $440 badges) and its own fashion style, the type that encourages the non-Irish to wear kilts and at least one attendee to strap a Nintendo 64, TV and four controllers onto his back.
“DEF CON is as much about security as Comic-Con is about comic books,” said Mick Baccio, the former chief information security officer for Democrat Pete Buttigieg’s presidential campaign and, more recently, a goon.
A host of non-cybersecurity events have sprung up at DEF CON. There is the tin foil hat contest, a martial arts competition and countless puzzles and trivia contests.
On paper, the government brass that appear at DEF CON are there to recruit new talent or forge ties to the hacker community. But if you pry, it’s clear that showing up to a place like this also is a welcome break from buttoned-up Washington.
“Most NSA folks would be more comfortable in a room full of DEF CON attendees than they would be at a traditional government event,” said Rob Joyce, the director of the NSA’s Cybersecurity Directorate.
Joyce, who has attended multiple DEF CONs, said that the technical nature of the conferences meshes well with the work of the National Security Agency. And judging by six bullet points and several hundred words that Joyce — one of the country’s most important cyber officials — emailed POLITICO, it’s clear he means it.
DEF CON is “the happiest place in the world,” added Chris Inglis, the nation’s first national cyber director, who stepped down in February.
For some, the security risks facing U.S. officials aren’t even all they are cracked up to be.
“They’ll tell you to turn off your phone, but I don’t really think that’s an issue,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency.
Basic measures, like turning off Wi-Fi and Bluetooth, can significantly reduce the risk of getting hacked, while many modern mobile applications now come with stronger built-in security than they once did. Moreover, with so many U.S. government officials now in regular attendance, it’s not uncommon to hear that the conference has lost some of its original edge.
Perhaps. But that doesn’t seem to have dampened the mood for many of this year’s attendees.
“The event is much more content-focused and much less party focused” than it once was, said Rogers, the DEF CON security lead. “But the parties are still pretty epic.”