Your First Hacker Con: A Comprehensive Guide for First-Time Attendees

You've decided to attend a hacker con - congratulations! Whether you're a 1337 master hacker, 10X engineer, or curious about the culture after watching the DEF CON documentary or HACKERS, stepping up to your first event can be both thrilling and daunting. This guide aims to help you navigate losing your hacker con virginity with grace and confidence.

What Is a Hacker Con?

Hacker conferences/conventions, known as hacker cons, are events where cybersecurity professionals, enthusiasts, and hobbyists gather to exchange knowledge, explore the latest exploits and developments, and network with like-minded individuals. Famous examples include DEF CON, Black Hat, BSides, GrrCON, CactusCon, SAINTCON, CypherCon, etc. 

Before the Con: Preparation

1. Choose the Right Event

Not all cons are created equally! Some cater to niche interests, offering in-depth sessions on topics like reverse engineering, blue/red/purple teams, and artificial intelligence, while others have a broader focus. Before attending, research the event's agenda, speakers, villages, and workshops to ensure it aligns with your interests! For example, CYBERWARCON focuses on Cyberthreat Intelligence (CTI) while Layer 8 is specific to Social Engineering and OSINT.

2. Register Early

Popular events sell out fast! Registering early not only guarantees your spot but often comes with a discount. The limited 'Early Bird' tickets for GrrCON were priced at $90, compared to the regular admission cost of $150 — and that’s not even including discounts for students and the military. Many cons, including SHMOOCON, are known to sell out in SECONDS! Consider volunteering; it can be incredibly rewarding, offering networking while often including free entry to the event! I volunteered with Circle City Con in Indiana for five years, and I genuinely loved every moment of it!

3. Plan Your Schedule...or Don't

Most cons release their schedules ahead of time; make sure to highlight the talks, workshops, and activities you don't want to miss. Keep in mind that some talks/events run concurrently, so prioritization is important! Hacker Tracker is an excellent resource for building a schedule, especially for larger events like DEF CON.

Don’t be afraid to deviate from your schedule, though! Some of the best experiences come from unanticipated adventures. Go with the flow; you never know what you might discover! Some of my favorite memories aren't from a talk or a CTF but from the shenanigans that took place in between.

What to Bring to the Con

Let’s touch on Operations Security or OPSEC. Only you can assess your own threat matrix and determine the necessary mitigations. Think carefully about how public you want to be. Are you a recent graduate looking to network and find a job, or a nation-state actor needing to keep a low profile? Most likely, you’re somewhere in between. Personally, I haven’t found most cons to be nearly as hostile as I was led to believe, but there’s never any harm in having a stronger security posture than you might think necessary. Remember, the media isn’t your friend!
 

1. Valid ID

Some events require ID for registration, badge pickup, or age verification, especially if there are 21+ activities. Nobody wants to get stuck at the registration booth or miss out on the after-party because they forgot their ID! However, this is where OPSEC comes into play as your risk profile might mean you want to stay anonymous.

2. Notebook and Pen

While digital devices like tablets and laptops can be useful, going analog can be more secure (more on that later) and saves you from lugging extra weight around all day! Grab a notebook and pen from the vendor hall, jot down key takeaways and the speaker’s handle, and revisit the slides/talk when it’s posted online later.

3. Cash

Cash is king and always will be. Not all vendors accept cards, and ATMs can have long lines, run out of cash, be miles away, or even be a potential OPSEC risk. It’s always a good idea to keep an emergency $20 on you; chances are it’ll come in handy when you least expect it.

4. Business Cards

Great for networking, even if you’re already gainfully employed and haven’t been a student in decades. Want to really wow the crowd? Consider making a PCB-NFC business card or a laser-cut wooden one. 

5. Comfortable Clothing

Never underestimate the amount of walking you’ll do! Cons can be long and intense, so wear comfortable attire and good (BROKEN IN) shoes. Consider packing a hoodie, or grabbing one from the merch table. Talk rooms vary wildly in temperature, from an oven to a freezer. 

6. Backup Power

If you bring a phone or laptop, assume it’ll run out of juice at some point. Don't get caught plugging into some random outlet or USB hub lying around. A portable power bank will be your best friend (shout-out to Anker), and depending on the model, it might support USB-C power delivery, letting you charge your phone, laptop, and Steam Deck in one fell swoop. If you’re competing in a CTF as a team, consider bringing an extension cord and power strip. More than once, I’ve been in a room with only two outlets and a hundred hackers scrambling to plug in!

7. Swag, Stickers, & Hard Hat

It’s almost guaranteed there will be challenge coins, sticker swaps, badge trades, and more. So whether you made a batch specifically for the event or have some leftover from last time… bring them! On top of that, if you’re planning to participate in specific events like the Hard Hat Brigade, be sure to bring any extra gear you need!

Digital Security

1. Assume the Network Is Hostile

Public WiFi can be a malicious dumpster fire but that's not to say the con's NOC hasn't put in hundreds of hours securing their network. There's a big difference between 'ST4RBUCK$ W!F!' and the official DEF CON wireless network. If your OPSEC calls for it, don’t connect to the WiFi at all. You’ll likely have a usable cell signal, and cell boosters can help, though they’re not always reliable (looking at you, GrrCON vendor hall). Of course, a cell signal doesn’t guarantee security either, with emulated towers and StingRay. Disable Bluetooth and Near Field Communication (NFC), or at the very least, be mindful of which devices you’re connecting to. If you must connect, use a VPN to encrypt your traffic (shout-out to Mullvad) and turn off settings that automatically connect to available networks! Nobody wants to see themselves on the Wall of Sheep!

2. Burner Devices

Burners...the most contentious topic! I've brought burner devices to exactly one conference out of the hundreds I've attended. I was told that I had to bring a burner to my first DEF CON because of how hostile the networks were. Personally, I've found this to be categorically false, and I haven't used burner devices since. That said, I wouldn't bring my company device and I certainly wouldn't bring an unpatched machine loaded with personally identifiable information! Consider using a live-boot Linux distro, swapping SSDs, limiting your data to only what’s necessary, and, above all, ensuring your devices are up-to-date with the latest security patches. Please don’t be one of those people who sets their phone down or leaves their laptop unlocked and walks away. It’s embarrassing for all of us.

Etiquette

1. Respect Privacy

No photos without permission; most attendees value their privacy and don't want their presence at the event documented. Beyond this, there’s likely a conference-wide policy outlined in the Code of Conduct regarding photography. Check out this blog post from the Nautilus Institute that outlines some excellent tips and techniques for hacker event photography! Be sure to respect any guidelines regarding recording talks or conversations as well. The community is large yet close-knit and will likely remember those who fail to respect others.

2. Code of Conduct

Each con will have its own set of rules designed to ensure a safe and respectful environment for attendees. This doesn’t necessarily mean the event is child-friendly or not intended for adults. The Code of Conduct (CoC) exists to cover topics like embarrassment, discrimination, and intimidation. You might encounter content that you find offensive or objectionable, but this doesn't mean the CoC was intended to address your personal taste. Feel free to remove yourself from the situation.  
 

3. Open-Minded

The hacker community is diverse, with people from various backgrounds and skill levels. Be respectful and open to different perspectives, opinions, and approaches, but don’t hesitate to ask questions and engage! Welcome newcomers and be patient with those who may still be learning about the topic you’ve already mastered. Everyone has to start somewhere, brings something valuable, and deserves to be treated as important. The people I respect the most are those who treated me like everyone else when I was just starting out. Encourage inclusivity!

4. Network, Don't Sell

Networking is encouraged, but overtly hawking your product or service isn't. That’s what the vendor hall is for, and no one will bat an eye if you’ve got a table, a vendor badge, and an AI-blockchain-SIEM you’re trying to sell there.

Participation

1. Capture The Flag (CTF) Competitions

Capture the Flag (CTF) competitions are cybersecurity challenges where participants exploit vulnerabilities in systems, applications, networks, or perform tasks like open-source intelligence (OSINT) to uncover hidden "flags" that serve as proof of success. CTFs provide a valuable learning experience by featuring a variety of puzzles, from web apps to cryptography, allowing individuals of all skill levels to test their problem-solving ability! While the puzzles might not mirror everyday work in cybersecurity, they're excellent for practicing skills that might not be used regularly.

Want to learn more about CTFs? Check out the CTF 101 course!

2. Villages

Villages are specialized areas that focus on specific topics like lock picking, car hacking, industrial control systems (ICS), biohacking, blue/red/purple team, radio-frequency (RF) wardriving, and physical security. Most offer hands-on learning opportunities and workshops with each con offering a different selection of villages! These villages are operated by dedicated volunteer experts in their fields, who are eager to share their expertise!

3. Talks

While many might advise arriving early to talks because sessions tend to fill up quickly, at most conventions, save for DEF CON, arriving at the scheduled time will usually guarantee you a seat. Some talks will be recorded and posted to YouTube after the con; others will be strictly unrecorded, and in some cases, you'll be kicked out if you're seen using a cell phone during the presentation - make sure to follow the rules and be respectful! Don't hesitate to ask the presenter questions if given the opportunity, but make sure they are genuine questions rather than statements of opinion. You might be saying, but INIT6, I don't know the difference? Easy enough...

Example of a Good Question

  1. You mentioned using RP1210 shimming attacks to hack Vehicle Diagnostic Adapters (VDAs) in semi-trucks. Where can I learn more about this? Are you able to post the slides online?

Example of a Statement of Opinion

  2. You mentioned using RP1210 shimming attacks to hack Vehicle Diagnostic Adapters (VDAs) in semi-trucks, but I've worked as a diesel mechanic in the trucking industry, and I don't believe this is feasible...

Example of a Bad Question

  3. You mentioned using RP1210 shimming attacks to hack Vehicle Diagnostic Adapters (VDAs) in semi-trucks...what are your thoughts on nootropics?

Know the difference!

Don't forget the "keynote" presentations at the top and bottom of the con. These keynotes are likely to be meta discussions of the industry, rant fests, or returning frequent speakers. Talks are likely to be organized into "tracks," meaning that there will be separate spaces for long vs short presentations, first-time speakers, or sessions grouped by topic.

Health & Well-being

1. Three, Two, One

For many years, DEF CON has had a daily "3 2 1" rule. Tangent: I'd love to know what year this was created and if there was some particularly "smelly" incident that led to it, haha. Anyway, the rule is as follows:

3 Hours of Sleep, at least

2 Meals, at minimum

1 Shower, no exceptions

2. Hydrate and Eat

It's really easy to forget to eat and hydrate when you're amidst the excitement and it's the reason I've come to so highly appreciate the cons that provide food, even if it's just a cafeteria burger. Granola bars and a good water bottle are your friend! When in doubt, there's likely a vendor giving out snacks and water bottles. I'm not insisting you eat healthy, although you might feel better if you did, but at least have something to eat and drink some water! Nobody enjoys propping up your body after you pass out.

3. Hygiene 

Please, for the love of all that's holy, take a shower and wear deodorant! We'd all appreciate you brushing your teeth too, but if all you can manage is a shower and deodorant...we'll understand. Body spray isn't a substitute for a shower either. When a large group of us is packed into a small venue, excessive body odor can make for a noxious event. Two caveats...there's this sentiment that if you could afford a badge for the event then surely you could afford a hotel room to shower in and deodorant. I don't particularly subscribe to this sentiment as there's a plethora of reasons someone might be at the con but unable to maintain hygiene, e.g. mental health, accessibility, etc. If you're without a shower or deodorant, please reach out to me, and if nothing else we'll get you hooked up with what you need.

4. Mental Health

It's incredibly easy to become overwhelmed; it's hot, crowded, and there are lots of bright lights and loud sounds. Don't be ashamed to find a quiet space or step outside for some air! Cons are overstimulating environments, and they can become too much even for the most seasoned of us. DEF CON provides a hotline that one can call or Signal/Discord message, and most other cons have safety volunteers on staff if you need assistance!

5. Alcohol & Drugs

Many of us, including myself, enjoy a libation or two. I'm not here to judge how you spend your time or decry what substances you decide to use. All I ask is that if you choose to partake, do so responsibly.
 
Know Your Limits: Pace yourself...overindulgence can leave you down for the count, and that’s no fun for anyone!

Stay Hydrated and Fed: You're likely to be dehydrated, with substances or otherwise, so drink water! Don't forget to eat either. Anecdotally, the one time someone passed out and had a seizure was before them telling us that the only thing they'd had in their stomach all day was alcohol. This was poolside in Nevada; no bueno.

Look Out for Others: If you see someone who's had too much, offer some assistance (if you feel comfortable) or notify the con's safety/security staff. Don’t feel obligated to step in directly, as there’s always some level of risk, but if nothing else, make sure to let someone know who can help! Look out for your fellow hacker - we're a community, and we've got to take care of each other.
 
Harm Reduction: The content of drugs can vary widely and using reagent testing kits can help identify potentially harmful contaminants (fentanyl). You might trust your hookup, but there’s no way to guarantee how reliable their source is or theirs, and so on. If you’re unsure about the potency, start with a low dose and take it slow. Stick with trusted friends who can look out for you, and avoid mixing substances. Combining drugs and alcohol can significantly increase the risk of harmful interactions. Recognize the signs of an overdose - watch for symptoms like difficulty breathing, unconsciousness, severe agitation, or unresponsiveness. Narcan, a medication that can reverse opioid overdoses, is available at grocery stores. Good Samaritan laws also provide immunity from prosecution for drug possession when someone experiencing/witnessing an overdose calls for emergency assistance. Don’t hesitate to act; it could save someone's life.
 
Shout-out to Lys (@ly7ine) for dead-dropping kits and test strips by the hundreds last year! For liability purposes, DEF CON isn't aware of, and doesn't condone or endorse, this.

Respect Others' Choices: Not everyone chooses to partake, and that's perfectly okay. You don’t need to know why someone made their choice; just be supportive and respect everyone’s personal decisions. Too much of this industry suffers under substance abuse one way or another. Shout-out to the Friends of Bill W.

Legal

1. Know the Law

Hacking is to be celebrated; being a criminal, not so much. When I say this, I don’t mean to say “Don’t do crime.” I’m not here to tell you how to live your life. However, there’s a reason so much of the community gets upset when vendors confuse the term hacker with criminal. It’s about protecting the culture and meaning of what we do. With that being said...

Laws related to cybersecurity, privacy, hacking, and even tools like lockpicks can vary widely by country, state, and even city. One state might classify lockpicks as a burglary tool, another may only consider them illegal if you’re already involved in a crime, while yet another might not care at all. If you're traveling internationally, take note of laws regarding the import and export of encryption technology and electronic equipment. Customs regulations can be strict and lead to your stuff getting confiscated.

After the Con

1. Reflect & Follow Up

Go through your notes and swag. Digest the new information you've gathered. Look online to see if any missed talks have been uploaded. Consider how you might apply new knowledge and skills in your projects or professional work. Identify the areas of interest that you'd like to explore further! Reach out to the people you connected with (email, LinkedIn, Mastodon, or Bluesky) and shoot them a simple message thanking them for chatting. Join any online communities you discovered and engage with them to maintain the momentum.

2. Secure Your Devices

How you secure your devices after a con will largely depend on the precautions you took beforehand. You might swap your SSD back to your daily driver, remove VMs, and update passwords. Most important, revert any WiFi or Bluetooth settings and remove any network configurations you added during the conference.

3. Con Drop

After the event, it's common to feel a sense of fatigue or sadness - often referred to as "Con Drop." Don’t be surprised; it’s a bit like returning to the 9-to-5 grind after a vacation. Rest, recharge, and give your body and mind the time they need to recover. Process your experiences and talk with friends who might be feeling the same way. Stay connected with new acquaintances and share post-con experiences to help keep the excitement alive. Channel your energy into planning your next steps - whether it's attending another con, starting a new project, learning, or getting a new job. Having something to look forward to can ease the post-con blues. Consider writing a blog post to inspire others!

Final Thoughts

Attending your first hacker con is more than just attending an event - it's joining a community that thrives on curiosity, free knowledge, and mutual respect. No matter who you are, seasoned professional or greenhorn, there's a place for you in this world. Pack your bags, check your gear, and dive into the hacker community. We're waiting to welcome you!
