
Matt: And when we get those gifts, often, like, I've forgotten what I ordered, so it's kind of like Christmas. Yeah, you know, I got a really crappy memory at my old age, and it's kind of nice. Oh, I got a delivery. What is it? Oh, cat food. Shit.
You're listening to the Cyber Secured Podcast. Helping you become safer in every way. Now your hosts, Matt and Attila.
Matt: So folks, welcome back to the Cyber Secured Podcast. I'm Attila. I'm Matt. And if you haven't picked up on the fact that we were recently at DEF CON, we were at DEF CON.
Attila: DEF CON, the big one, the one that we've been hearing about for years. And years. And we finally decided to make the leap, go to Vegas,
Matt: beat the heat. Well, we decided to make the leap, I think, two years ago. And then, you know, life happened and things kind of just got off track. People kept getting hacked. People kept getting hacked. And then it just, it didn't happen. And then what was it, like two weeks before or a week and a half before DEF CON, you messaged me from
Attila: Yeah, I was like, we have to go because there's never a good time to just drop everything and spend a few days going to the biggest hacker conference on the planet. Because I think there's a bit of dilution here too, which is kind of the problem. Like there's BSides, there's other security conferences all the time. So you're like, ah, I'll just catch the next one. I'll just catch the next one. BSides, whatever. But DEF CON is the big one. We said, look, we got to go. Besides, they had the best swag,
Matt: I hear. And being here in Hawaii too, we don't get as many of these big conferences. I did photography for years and we had one photo conference and the entire time I was shooting weddings and it was a
Matt: really big deal. We had people that came from all over the world and got to stay in Hawaii at a Hawaii resort. Me, I'm down the street from Waikiki so I didn't have that experience but it was still pretty cool, it was nice.
Attila: Well, and that's the thing is that when you're isolated, there's a benefit and a disadvantage to that benefit. Wonderful that we're a little bit separated from the mainland. Disadvantage is that we are like the gateway to Asia. So that means that anything from the east has to go through Hawaii. We're kind of like under this barrage of cyber attacks on a daily basis.
Attila: We get everything on
Matt: a delay to shipping and just don't have as many resources. It's a pros and cons kind of
Attila: thing. It's fun whenever we send a thank you package to a client on the mainland from Amazon, it's there like either the same afternoon or like the next
Matt: morning.
Attila: Unbelievable. And out here, we expect to this day, by the way, this is like 2025, at least a week. Yeah, minimum. Minimum. If you're on an outer island, probably two weeks. That's standard, yeah. So the next day, it's unbelievable. And I know everyone who's listening to this on the mainland is just laughing at us. But guess what? We got sunshine.
Matt: We got beaches. And when we get those gifts, often, I've forgotten what I ordered. So it's kind of like Christmas. I got a really crappy memory of my old age, and it's kind of nice. Oh, I got a delivery. What is it? Oh, cat food. Shit.
Attila: I think you've just walked through the entire life cycle of that product, that food, and then what comes out the end.
Matt: Yeah, that's true in one sentence. I think we got our tagline for the beginning of it. Yeah. Perfect. All right. So
Attila: DEF CON, what did you think? So DEF CON is in Vegas. I've done a lot of work in Vegas over the years in the form of trade shows and running infrastructure out there. I'm used to Vegas, but it's been a few years since I went. I forgot how hot it was, but it wasn't that bad. You know, I'm not going to complain about the weather.
Matt: I mean if you're OK with the body size hair blow dryer hitting you?
Attila: It is a hair dryer. That's the temperature. It's a feeling of the heat. Like my eyeballs were drying out. It was kind of weird. Like I haven't experienced that in some time. The convention center, wonderfully large. They've done some nice renovations to it, so it's much bigger. I remember the convention centers being like, there was two kind of halves to it. So one was like the overflow and the overflow. I think they've renovated to making this nice, big, brand new convention center. And then they're taking the old convention center. And they're renovating that now. So they kind of did it in two phases. Don't quote me on this. So this is just observational. However, the disadvantage is that the rail, that tram. Yeah, we took the first day. Yeah. The one we took the first day, because we stayed at the Sahara, which is where I was working at CES and these other trade shows. It's really convenient. Hop on the tram, go to the convention center you were in. But since they're renovating the original convention center, it drops you off there, and then you still have another 10-15 minute walk in that wonderful heat to the new convention center, which I think at the end of the day was a longer walk than it was from the hotel directly.
Matt: Yeah, where it dropped us off to the convention center was I want to say half or maybe three quarters of the same distance going from the Sahara to whatever that other hotel was that we walked through.
Attila: Fontainebleau. Fontainebleau
Matt: is a nice
Attila: hotel. Really nice hotel. And it's right next door. That wasn't there. I was talking with the person who worked there at Fontainebleau. And she was saying that it took them 16 years to build that hotel. It kept going through different owners.
Attila: It wasn't open. It's huge. And they have great conference
Matt: areas. Just to back up, so the first day when we attended DEF CON, we took the tram. And it was a very long walk from where it dropped us off to the convention center. And then from then on, we walked. And so there's a decent distance where, I don't know, maybe like A little less than half a mile? Going from
Attila: Sahara to Fontainebleau? Yeah, I would say less than a 10. I clocked a door-to-door at nine minutes. Okay, so yeah,
Matt: that's probably a... Almost half a mile. And the silver lining of that crazy heat in Vegas was you get in a lobby in one of these places and you're not sweating, which was crazy. I don't know if it's evaporating off you as you're walking or just because it's so dry. I don't know how the physics of that works. Yeah, you get into the places and you immediately cool off. And then, yeah, so from then on, we're walking through Fontainebleau, going to the convention center. It's right across the street from the hotel. The craziest thing about that place is that exit lobby, I guess that's what you'd call it, going towards the convention center.
Attila: Well, this is a little bit of a shortcut. So I kind of scoped it out the night before the convention. I walked around at night so I wouldn't die from heat. And I noticed that there was this really nice exit right across the way from the new convention center's entrance. So we're staying at the Sahara. So there's a Sahara, then there's like an empty lot, which I presume they're going to build something. And then right next to that is Fontainebleau. Then you got the convention center. And what you can do is walk from the Sahara through the Fontainebleau lobby, and then you go out through the back. And this back has this escalator, which goes like, what is that, five,
Matt: six stories? It's huge. Well, let's reverse it. If you're leaving the convention center and you're walking into that lobby, the thing that you see is just mind boggling. That sculpture? Yeah. It's like this I guess the best way to describe it is if you were digging back in the heyday of the gold rush, and you found a giant ingot of gold. And then you took that ingot, cleaned it all up, and you made it, what, three, four stories tall? Huge. And then you put it inside of this lobby. That's what you see when you walk in, is this giant, crazy sculpture that really has no recognizable shape or form, but it's just hard to wrap your mind around. So I think the first time anybody walks in that lobby, you're just staring at it and you get closer, your neck just kind of cranes going straight up in the air. But then as Attila pointed out, next to it is an escalator that goes all the way to a floor above the Inka I paid no attention to it until I had me write it I think on day three.
Attila: Yeah, I insisted. I'm like, oh, you should write this thing. It's tall. You might get some vertigo. What did you say? You were like…
Matt: I'm not afraid of heights, but when I turned around, yeah, it was a little freaky. Like looking down. Yeah, and then realizing like, oh, I'm above the ingot now. That was nuts. The lobby is beautiful. There's some really interesting artwork, mural work on both sides, both on the entrance and the exit walls. And I think it's representative of a woman and the yoke or something. It looked like an egg. I'm not really sure how to describe it.
Attila: it's some sort of modern art thing that I guess there's no wrong way to interpret.
Matt: Well, somewhere someone that knows this art is probably like rolling their eyes like hard in the back of their head like these guys, oh my
Attila: God. Yeah. So they have a, and also another, you didn't see it because it was broken down, but when I first went in there, you know, I did my recon, they have a modern art sculpture in the beginning, in the entrance, the very entrance of the Fontainebleau Hotel, where it looks, it's like these little tiles. There are probably about like one foot by one foot, and there's a few hundred of them, and they're in the shape of a wave. And it's meant to mimic the wave patterns of different places throughout the world.
Matt: Oh really? So it would
Attila: like alternate and it would say like the waves of Singapore and this is like the waves of Australia. Oh that's cool. And then as you went next to it it had cameras so you just jump around and you would influence the wave. Yeah. So I'm the idiot, nerd, jumping around. And the security guy is like, yep, we got another
Matt: one. We got another one over here. There's probably a compilation video somewhere on YouTube of all the nerds.
Attila: Yes. Or children. Or children. Mostly children, I think. Very large children. Large children. Look at me, mom. I'm splashing in the waves of Australia. So yeah, there's that. So it has some nice modern features. I know we're supposed to be talking about DEF CON, but we're just more intrigued by this hotel.
Matt: We're getting all the excess, all the stuff outside of DEF CON out of the way, because neither one of us have been to Vegas in a very, very long time.
Attila: Yes. And this time we went for the right reason, which was to learn things from others that are in the field. And, you know, I got to be honest, you know, DEF CON is interesting, but I think it's a different thing for different people. I think for us, we went to go see what we could learn. Well, we're mostly defenders too. I think that's part of it. There's a, you know, one thing that I've forgotten about, just because, you know, I kind of like when you're a fish in the water, you don't see the water around you. You're like, it's just water. We're in cyber all the time. We're doing defense. We're doing this and that. There are many others out there who see the label of hacker as an identity. Yeah, absolutely.
Matt: You definitely get that sense at DEF CON.
Attila: Yes. Like, I am a hacker. Like, OK. I mean, in my opinion, you are what other people call you. So if you're a jock, it's because you're good at sports and you play a lot of sports. But if you're kind of walking around saying, I'm a jock because I have some Nikes on, you would what other people might call I don't know. And you can't tell at a place like this who knows what they…
Matt: Yeah, there's definitely hackers that look like an everyday Joe on the street or even like a straight up businessman that you wouldn't expect to have serious tech cred but then they get behind a keyboard and knock your socks off.
Attila: Yeah, some of these guys, like the head of Wells Fargo, which I'm sure we'll talk about later, he looked just like some 20-some, mohawked kind of guy. But he was super sharp. And he found a vulnerability in 365 that was being actively exploited. So you never know what you're going to get with your looks. So conversely, when someone's walking around with a big shirt that says Hacker on it, it's kind of hard to tell. Are they the real thing or are they here to, you know, because they want to be the real thing? I don't know. But, you know, there's a lot of that. It's a very big turnout. I think this year was over 42,000 people or 40,000 people roughly.
Matt: So, I mean, it definitely was a lot of people there.
Attila: Well, compared to RSA, so RSA is the cybersecurity conference in San Fran every year. The RSA conference is also a combination trade show plus learning opportunities, much more corporate. And that one has about 42,000, I think, as of last year. So with around 42,000 attendees, know I was able to compare like an RSA conference to a DEF CON conference in terms of attendance and I will say that I think that Las Vegas one definitely seemed more expansive like there was more space but I didn't get the sense of organization
Attila: in the same way and Maybe that's just the spirit of the conference. I got to be honest, we got there and I couldn't find any resources on the DEF CON's websites.
Matt: The website doesn't seem to have any "start here" kind of stuff. They post a lot of stuff that's happening. But yeah, I got that sense too. I was going to their site to try and find what to do first. And then I also navigated YouTube and looked up videos.
Matt: And there's a lot of tips on kind of what to expect and, you know, shoes to wear and the lines you'll stand in and, you know, don't be too set on any specific goals, have an open mind. But there wasn't any like, these are the first things to do and this is what you should expect, like, on the first day. Yeah, that was a little... kind of threw me off, for sure.
Attila: Well, I understand what they're trying to do, which is build a community. And in a community, you're forced to talk to someone else about, hey, what's going on today? As nerds, we definitely need that. We definitely need it. And for us, we were traveling from far away to come visit this place. We were kind of hoping for just a little bit of guidance. And so the first night I was there, I saw a guy in a restaurant who was wearing a DEF CON shirt. And I said, Hello. By the way, I know this thing's happening tomorrow. How do I find out what is going on? And he pointed me to this app, which was HackerTracker. And the HackerTracker app had the entire agenda on there, which I was like, wow, this is finally great. Now it was weird that that agenda wouldn't be on the website somewhere.
Attila: And I wasn't able to, I think that what it is with this HackerTracker app is that you can't like copy and paste any contents out of it.
Matt: Yeah, I noticed there was a few. I don't know if HackerTracker is an official app. I don't think it is, but they might not be. It seems to be like something that's used by BSides and others. I mean, it's definitely useful. Like I don't think we would have been able to attend and navigate as well without, I mean, everyone was saying use HackerTracker. The booklet that you get has all that information, but of course you got to flip through it and read through all the fine print. You can't filter for things. So that's what the app allows you to do.
Attila: The sense I got is that there are some things that are really advanced at the convention. Very highly technical people, very smart, smartest people on earth are there. And some things which I think an event planner would have been able to point out and say, you know, you could probably do this a little bit better. And I mean, Probably the biggest thing I noticed is there was just a lack of security. And they
Matt: pride themselves on their goon collective.
Attila: Right. Goons.
Matt: Goons.
Attila: Yeah. So the goons. So the goons are red shirts.
Matt: Yeah. The goons are red shirts that they're decked out in hacker culture wear, and apparently, this is something I heard from one of the guys, if they have one of those tatted sleeves, like literally like a sleeve that you can take on and off, or if they're wearing like a kilt, more OG, they're higher up on the totem pole. There's definitely some odd traits or memes or just things within this world that we're not aware of. Like stuff like that culturally. Yeah. Yeah, just the
Attila: cultural norms. Yeah, we saw a lot of kilts A lot of kilts, definitely not a cultural norm. But I guess this is your opportunity to come out and be a brony. Go for it. This
Matt: is your chance. So I know a lot of the stuff is definitely steeped in stories and the culture. And obviously, we're not really acutely part of this world. So we weren't aware of it. So yeah, it was different than what we were expecting. And I think that the main thing that Attila is getting at is with a conference of this size, you would and kind of should expect there to be full-on security. That does go against, I feel like, some of the paradigm or the culture of hackers and DEF CON because they're a little bit anti-establishment. There's definitely a bit of that feeling. So, yeah, we talked about this a little bit. I think there's a little bit of polarity going up against.
Attila: What's that famous quote by Mike Tyson? Everyone's got a plan. Exactly. So, you know, they can be all anti-establishments and, you know, no cameras and all that stuff. But then there's going to be an incident and it's not going to be any security. It's not going to be a lot. There's going to be a problem with that many people. It's just a matter of time.
Matt: Yeah. Yeah. Luckily, hacker culture, DEF CON, the collective itself, I think, is very welcoming to people, all takes in life. So the likelihood of something odd like that happening is lower than maybe a more conventional convention. But, I mean, it just takes one time. Speaking of the term, though, convention, I was talking to Attila about this earlier, but when I got back and was telling my wife about going to DEF CON, and I was talking to her about sort of our expectations and what we came across, she pointed out, she's like, oh, well, you know, that sounds more like a convention versus a conference. And I think our expectation was that it would be a full-on conference.
Attila: Well, it does have conference elements. I mean,
Matt: they have. Yeah, yeah. So I guess what we're trying to say, you know, if you are a regular of DEF CON, you would know where you're going. But the first timer is definitely a little hard to navigate.
Attila: Well, and, you know, I... I got the sense that, so I mean, I've been other conferences, obviously, and there's been plenty of other talks. And there are interesting speakers. And you want to give everyone the opportunity to go see them. And long lines and having to wait hours for anything is symptomatic of just, you know, there isn't some professional organization, organizational people there that are either anticipating the number of visitors or anticipating the interest in a workshop or whatever else. And I don't feel that in this day and age there should be a need for long lines. I think it actually stops people from being able to intermingle. You
Matt: go to a restaurant. As an example, day one, we stood in line for four and a half, five hours? Yeah,
Attila: four and a half hours. So the first day, we're like, OK, we're ready to be here. What's on day one? We
Matt: knew it was going to be a long line, but not like that. Oh my goodness.
Attila: Now, merch is stuff that they're selling there. Now, it's cash only, which is like, okay, whatever. But why all the cash stuff? Is it the whole anti-establishment? I don't know, but you're opening yourself up for an Ocean's 11 robbery
Matt: at that point
Attila: with that kind of cash handling.
Matt: I can see that being a fun documentary. Robbing DEF CON.
Attila: And what were, I think, two to three hours in place when finally someone told us, like, hey, by the way, what did you put in your cart? Oh, yeah, we didn't even know about that.
Matt: Like, what? We're just sitting here waiting. Oh, no. That was in the Hacker Tracker. So I guess maybe it is an officially sponsored app because we used Hacker Tracker to do
Attila: it. And so we would choose what items we wanted. Because we wanted to bring back stuff for the team, invite.
Matt: Yeah, so same thing again. Someone had to tell us that we didn't. And I actually did see a lot of people in line right at the end. But the thing is, if they're actually using an app to track what we're purchasing, they could have also done some kind of ticketing system so we wouldn't have to stand in line. I don't know.
Attila: Yeah, exactly. Because when you're standing in line, you're surrounded by what? The same four people, roughly, in front of you and behind you.
Matt: We did
Attila: talk to that gal for a while. We talked, which was nice, but how many people would we have been able to talk to if they just said, look, put in your cell phone number and we'll text you when your order's ready,
Matt: and just mingle. And then the other thing that we heard was in previous years, there were talks and events happening on the first day, but because I think LineCon, getting merch, was taking so long, they decided to just cancel that in lieu of people being able to mingle. But then, as Attila pointed out, when you're staying in line, you're surrounded by the same people the entire time, which you may or may not like.
Attila: Yeah. I think people are
Matt: getting kind of, what's the right word, salty by the end of it. Angry, salty, tired. My ankle actually kind of went out on me as we were trying to leave the convention center.
Attila: Yeah. You're like, I'm done. I've got to sit down. Yeah. I don't know. I think if you really want to have the spirit of community and communication and making new connections and friends and that kind of thing, that has to be consistent throughout the entire thing. Don't just make people stay in the line for unnecessarily. Because the following days, they also had merch. So we could have just done it on the second or third day.
Matt: Yeah, there's definitely a lot of staying in line for no reason. Like when we showed up the second day, there were lines. We didn't know what the lines were for. People were asking us what the lines were for. We're asking people what the lines are for. And then at one point, I think you said, well, let's just sit down and just watch. And we sat down and watched, and then they opened the doors. And we didn't know when the doors were opening or what the doors were opening for. We didn't really know what was on the other side of the doors.
Attila: And by this point, we had the HackerTracker app.
Matt: And we had the HackerTracker app. And so we just decided to do a phone hacking thing that some guy handed us, which We couldn't really figure out where we're going with it, and it was fine. I figured it out. You figured it out?
Attila: Yes. I was just a half hour into
Matt: it. It was a lot of typing in the answers with the touch keypad.
Attila: Yeah. I'm the
Matt: freaking guy. Freaking is phone hacking. Eventually, the doors open. and the line disappeared, and it was just the inside of the convention center. It wasn't like they were standing in line for one particular thing. They were just standing in line for the doors to open. So we stood up and just walked through the doors. And that was it. And that was it. I don't know what the line was for. It's like line craziness. I mean, I don't know, we recently had an event here in Hawaii made and people were standing in line for like four hours for that in the sun. Maybe it's a thing people like to stand in line, I don't know. There's definitely a herd mentality issue. But I think for us, for first timers at DEF CON, it was a little bit of a sour taste to the beginning of our experience for DEF CON. There were some amazing talks and there were some amazing things. And it was a lot. It was definitely kind of overwhelming. And then I did hear that on some of the YouTube videos that I watched that, you know, it's easy to get overwhelmed. You know, don't try and do everything kind of thing.
Attila: Right. It's really about expectation too. Just don't get stuck in your ways. One thing I like to do all the time is I see something interesting, I bust out my phone, take a picture. Oh, yeah. You can't do that at DevCon.
Matt: For the talks, if you zoom it, you're
Attila: OK. And this is what I couldn't understand about the whole anti-camera thing. Like, I get it. It's anti-establishment, whatever. But this is Vegas. I mean, there is
Matt: a camera pointed at
Attila: you at all times.
Matt: Right. All times. All over the convention center. As soon as you walk outside, cameras in your face. I mean, you don't see them unless you look up. They're in the
Attila: convention center,
Matt: too. Yeah.
Attila: I mean, there's not like this mysterious, I mean, I know they're worried about like... I
Matt: think it's mostly social media though. It's not like those security cameras are streaming to Facebook.
Attila: But social media is a wonderful ally to promote an event. I mean, if you really want to build community, you can't ignore social media. You really can't. And if it's like a private community, like, OK, who are we keeping in and who are we really keeping out? And we went to the Red Team village, and there was a sign right there that said, hey, we're going to take your picture. So if you don't like that, leave the village. So there were villages within DEF CON themselves that were just kind of ignoring that rule. So, you know, I get it. Maybe that's part of like the culture of not taking pictures. But in my opinion, if you want to build more community, you have to give people the freedom to do those kind of things. So maybe like a picture safe spot, you know, or like if you want to take a picture in front of the sign, you know, you should be able to do that.
Matt: Now, I think there's a line being very clearly drawn that you may be hearing in our discussion and talking about DEF CON and expectations and sort of their values versus ours. And the line I'm seeing in my head is there is a difference between someone working in cybersecurity and someone that is a hacker.
Attila: I see.
Matt: You can be a hacker that works in cybersecurity or not. And you can work in cybersecurity and not be a hacker. Let's talk about what hacking is
Attila: in the next episode.
Matt: We don't want to make this episode too long. We wanted to go over the high points, the high level of this. What were some of the interesting talks? We won't talk about what were in the talks. What were some of the interesting talks to you?
Attila: Oh, I really liked the ones where they were showing vulnerabilities in cloud resources. Some of these neat tools. It was nice to have some people who had actually worked on the tools themselves like Metasploit. Yeah. And say, look, here is the tool. This is why we designed it this way.
Matt: PowerShell Empire for me. That was a cool one because I've actually used PowerShell Empire and they're on version 6 now.
Attila: Well, I like the honeypots without software. I thought that was cool. Yeah. Using canary tokens. That was definitely cool. And I wish there was more, but that was a cool one. It's nice to see some representation from Malcolm.
Matt: Yeah. From
Attila: Prowler. We'll talk about Prowler. There are some really neat. There's some very smart, smart people there, who I think were actually surprised that they were being listened to
Matt: for, for, well, I mean, that's part of why I think you go to event like that is, you know, to be amongst your peers. So right. And get some, some cred within the world you live in alone.
Attila: I did like the, uh, the red team exercise. There was like a space camp 33. Oh,
Matt: right. Yeah. Fake space camp. Yeah. We left the fact out that you brought your son Adam.
Attila: Yeah, Adam came to, he's a, what's it called, aerospace nut. So he had so many holes to poke in the space camp scenario, but it doesn't really matter. I mean, the point of any tabletop is just to get you thinking. So that way, when you do come across an actual scenario, it's not so catastrophic. You know what to do. So interesting talks in terms of tabletops, talking to some interesting people when we were there, just making connections with others I think was valuable. And I do know that we are probably too old to party, or maybe we're just in a phase of life where we're in between party phases. Maybe that's what it is. I think the DEF CON parties are supposed to be like a whole
Matt: thing. Yeah, they had parties, movie nights, they had lots of activities going on every single day. And you see it, it's like on the list in the HackerTracker app, like as soon as the stuff is over, there's stuff listed for events that are happening, there was a pool party people were lined up for. I definitely got the sense that the majority of people that were at DEF CON were probably a little bit more than half our age.
Attila: I did see some exercise things. So they had like a 5K run, and then
Attila: I really wanted to do the bike one, but I didn't find out about it until like six hours before, because that's when the Hacker Tracker started. Evaluated in terms of like what the temperature is going to be.
Attila: I mentioned riding the bikes, they're like, it's going to be 98 degrees or 100 degrees when we're riding, and I'm like, I can do it, but I got to do a little
Matt: prep. I mean, that's like a full marathon. Like, if I really wanted to, I could do it, but do I want
Attila: to? I do want to do it. I think if I go back, I think that's what I want to do. 15 miles, 100 degrees, can be done. If you scoop me off the pavement, at least I'll go down happy. So we'll pick that up. But yeah, I do want to talk more about the details of some of these wonderful workshops we attended. So let's save that for the next episode. Perfect. OK. I'm Matt. I'm Attila. Stay tuned for the next episode when we're going to go into more details about DEF CON.
Matt: Stay safe out there, guys. Stay safe.
This episode was brought to you by CYPAC. To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.
