You've decided to attend a hacker con - congratulations! Whether you're a 1337 master hacker, 10X engineer, or curious about the culture after watching the DEF CON documentary or HACKERS, stepping up to your first event can be both thrilling and daunting. This guide aims to help you navigate losing your hacker con virginity with grace and confidence.
What Is a Hacker Con?
Hacker
conferences/conventions, known as hacker cons, are events where
cybersecurity professionals, enthusiasts, and hobbyists gather to
exchange knowledge, explore the latest exploits and developments, and
network with like-minded individuals. Famous examples include DEF CON, Black Hat, BSides, GrrCON, CactusCon, SAINTCON, CypherCon, etc.
Before the Con: Preparation
1. Choose the Right Event
Not
all cons are created equally! Some cater to niche interests, offering
in-depth sessions on topics like reverse engineering, blue/red/purple
teams, and artificial intelligence, while others have a broader focus.
Before attending, research the event's agenda, speakers, villages, and
workshops to ensure it aligns with your interests! For example, CYBERWARCON focuses on Cyberthreat Intelligence (CTI) while Layer 8 is specific to Social Engineering and OSINT.
2. Register Early
Popular events sell out fast! Registering early not only guarantees your spot but often comes with a discount. The limited 'Early Bird' tickets for GrrCON were priced at $90, compared to the regular admission cost of $150 — and that’s not even including discounts for students and the military. Many cons, including SHMOOCON, are known to sell out in SECONDS! Consider volunteering; It can be incredibly rewarding, offering networking while often including free entry to the event! I volunteered with Circle City Con in Indiana for five years, and I genuinely loved every moment of it!
3. Plan Your Schedule...or Don't
Most cons release their schedules ahead of time; Make sure to highlight the talks, workshops, and activities you don't want to miss. Keep in mind that some talks/events run concurrently, so prioritization is important! Hacker Tracker is an excellent resource for building a schedule, especially for larger events like DEF CON.
Don’t
be afraid to deviate from your schedule, though! Some of the best
experiences come from unanticipated adventures. Go with the flow; You
never know what you might discover! Some of my favorite
memories are when I wasn't in a talk or in a CTF but the shenanigans that took
place in between.
What to Bring to the Con
1. Valid ID
Some events require ID for registration, badge pickup, or age verification, especially if there are 21+ activities. Nobody wants to get stuck at the registration booth or miss out on the after-party because they forgot their ID! However, this is where OPSEC comes into play as your risk profile might mean you want to stay anonymous.
2. Notebook and Pen
While
digital devices like tablets and laptops can be useful, going analog
can be more secure (more on that later) and saves you from lugging extra
weight around all day! Grab a notebook and pen from the vendor hall,
jot down key takeaways and the speaker’s handle, and revisit the
slides/talk when it’s posted online later.
3. Cash
Cash
is king and always will be. Not all vendors accept cards, and ATMs can
have long lines, run out of cash, be miles away, or even a potential
OPSEC risk. It’s always a good idea to keep an emergency $20 on you,
chances are, it’ll come in handy when you least expect it.
4. Business Cards
Great for networking, even if you’re already gainfully employed and haven’t been a student in decades. Want to really wow the crowd? Consider making a PCB-NFC business card or a laser-cut wooden one.
5. Comfortable Clothing
Never underestimate the amount of walking you’ll do! Cons can be long and intense, so wear comfortable attire and good (BROKEN IN) shoes. Consider packing a hoodie, or grabbing one from the merch table. Talk rooms vary wildly in temperature, from an oven to a freezer.
6. Backup Power
7. Swag, Stickers, & Hard Hat
Digital Security
1. Assume the Network Is Hostile
Public WiFi can be a malicious dumpster fire but that's not to say the con's NOC hasn't put in hundreds of hours securing their network. There's a big difference between 'ST4RBUCK$ W!F!' and the official DEF CON wireless network. If your OPSEC calls for it, don’t connect to the WiFi at all. You’ll likely have a usable cell signal, and cell boosters can help, though they’re not always reliable (looking at you, GrrCON vendor hall). Of course, a cell signal doesn’t guarantee security either, with emulated towers and StingRay. Disable Bluetooth and Near Field Communication (NFC), or at the very least, be mindful of which devices you’re connecting to. If you must connect, use a VPN to encrypt your traffic (shout-out to Mullvad) and turn off settings that automatically connect to available networks! Nobody wants to see themselves on the Wall of Sheep!
2. Burner Devices
Burners...the
most contentious topic! I've brought burner devices to exactly one
conference out of the hundreds I've attended. I was told that I had to bring a burner to my first DEF CON because of how hostile the
networks were. Personally, I've found this to be categorically false,
and I haven't used burner devices since. That said, I wouldn't bring my
company device and I certainly wouldn't bring an unpatched machine
loaded with personally identifiable information! Consider using a
live-boot Linux distro, swapping SSDs, limiting your data to only what’s
necessary, and, above all, ensuring your devices are up-to-date with
the latest security patches. Please don’t be one of those people who
sets their phone down or leaves their laptop unlocked and walks away.
It’s embarrassing for all of us.
Etiquette
1. Respect Privacy
2. Code of Conduct
3. Open-Minded
4. Network, Don't Sell
Participation
1. Capture The Flag (CTF) Competitions
Capture the Flag (CTF) competitions are cybersecurity challenges where participants exploit vulnerabilities in systems, applications, networks, or perform tasks like open-source intelligence (OSINT) to uncover hidden "flags" that serve as proof of success. CTFs provide a valuable learning experience by featuring a variety of puzzles, from web apps to cryptography, allowing individuals of all skill levels to test their problem-solving ability! While the puzzles might not mirror everyday work in cybersecurity, they're excellent for practicing skills that might not be used regularly.
Want to learn more about CTFs? Check out the CTF 101 course!
2. Villages
Villages are specialized areas that focus on specific topics like lock picking, car hacking, industrial control systems (ICS), biohacking, blue/red/purple team, radio-frequency (RF) wardriving, and physical security. Most offer hands-on learning opportunities and workshops with each con offering a different selection of villages! These villages are operated by dedicated volunteer experts in their fields, who are eager to share their expertise!
3. Talks
While
many might advise arriving early to talks because sessions tend to fill
up quickly, at most conventions, save for DEF CON, arriving at the
scheduled time will usually guarantee you a seat. Some talks will be
recorded and posted to YouTube after the con; others will be strictly
unrecorded, and in some cases, you'll be kicked out if you're seen using
a cell phone during the presentation - make sure to follow the rules and
be respectful! Don't hesitate to ask the presenter questions if given
the opportunity, but make sure they are genuine questions rather than statements of opinion. You might be saying, but INIT6, I don't know the difference? Easy enough...
Example of a Good Question
- You
mentioned using RP1210 shimming attacks to hack Vehicle Diagnostic
Adapters (VDAs) in semi-trucks. Where can I learn more about this? Are
you able to post the slides online?
Example of a Statement of Opinion
- You
mentioned using RP1210 shimming attacks to hack vehicle diagnostic
adapters (VDAs) in semi-trucks, but I've worked as a diesel mechanic in
the trucking industry, and I don't believe this is feasible...
Example of a Bad Question
- You mentioned using RP1210 shimming attacks to hack Vehicle Diagnostic Adapters (VDAs) in semi-trucks...what are your thoughts on nootropics?
Know the difference!
Don't
forget the "keynote" presentations at the top and bottom of the con.
These keynotes are likely to be meta discussions of the industry, rant fests,
or returning frequent speakers. Talks are likely to be organized into
"tracks," meaning that there will be separate spaces for long vs short
presentations, first-time speakers, or sessions grouped by topic.
Health & Well-being
1. Three, Two, One
3 Hours of Sleep, at least
2 Meals, at minimum
1 Shower, no exceptions
2. Hydrate and Eat
It's really easy to forget to eat and hydrate when you're amidst the excitement and it's the reason I've come to so highly appreciate the cons that provide food, even if it's just a cafeteria burger. Granola bars and a good water bottle are your friend! When in doubt, there's likely a vendor giving out snacks and water bottles. I'm not insisting you eat healthy, although you might feel better if you did, but at least have something to eat and drink some water! Nobody enjoys propping up your body after you pass out.3. Hygiene
4. Mental Health
5. Alcohol & Drugs
Harm Reduction: The content of drugs can vary widely and using reagent testing kits can help identify potentially harmful contaminants (fentanyl). You might trust your hookup, but there’s no way to guarantee how reliable their source is or theirs, and so on. If you’re unsure about the potency, start with a low dose and take it slow. Stick with trusted friends who can look out for you, and avoid mixing substances. Combining drugs and alcohol can significantly increase the risk of harmful interactions. Recognize the signs of an overdose - watch for symptoms like difficulty breathing, unconsciousness, severe agitation, or unresponsiveness. Narcan, a medication that can reverse opioid overdoses, is available at grocery stores. Good Samaritan laws also provide immunity from prosecution for drug possession when someone experiencing/witnessing an overdose calls for emergency assistance. Don’t hesitate to act; It could save someone's life.
Legal
1. Know the Law
Hacking is to celebrated; being a criminal, not so much. When I say this, I don’t mean to say “Don’t do crime.” I’m not here to tell you how to live your life. However, there’s a reason so much of the community gets upset when vendors confuse the term hacker with criminal. It’s about protecting the culture and meaning of what we do. With that being said...
Laws related to cybersecurity, privacy, hacking, and even tools like lockpicks can vary widely by country, state, and even city. One state might classify lockpicks as a burglary tool, another may only consider them illegal if you’re already involved in a crime, while yet another might not care at all. If you're traveling internationally, take note of laws regarding the import and export of encryption technology and electronic equipment. Customs regulations can be strict and lead to your stuff getting confiscated.
After the Con
1. Reflect & Follow Up
Go through your notes and swag. Digest the new information you've gathered. Look online to see if any missed talks have been uploaded. Consider how you might apply new knowledge and skills in your projects or professional work. Identify the areas of interest that you'd like to explore further! Reach out to the people you connected with (email, LinkedIn, Mastodon, or Bluesky) and shoot them a simple message thanking them for chatting. Joining any online communities you discovered and engaging with them to maintain the momentum.
2. Secure Your Devices
How you secure your devices after a con will largely depend on the precautions you took beforehand. You might swap your SSD back to your daily driver, remove VMs, and update passwords. Most important, revert any WiFi or Bluetooth settings and remove any network configurations you added during the conference.
Comments
Post a Comment