Your Guide to Hacker Summer Camp 2021
This will be my 21st year attending Hacker Summer Camp. Back in 2000, it was just Black Hat USA followed by DEF CON, and only a handful of people knew about it. Now it’s a full nine days of technical conferences starting with Black Hat training sessions early on Saturday, followed by BSidesLV, then the Black Hat briefings themselves, followed by DEF CON ending the following Sunday. And several thousand of my closest friends all in one place. It’s draining to stay for the whole thing, and it’s draining even if you attend just a small part. So pace yourself.
That said, what should you expect to bring to Hacker Summer Camp? Well, don’t sweat it. ForAllSecure’s got you covered.
The Conferences Themselves
Black Hat Briefings USA (Jul 31, 2021 through Thu, Aug 5, 2021). Started in 1996, the Black Hat Briefings are a corporate version of their older sibling, DEF CON, with registration fees starting at $1600 USD. This year will be hybrid, in person and virtual. The Black Hat Briefings start with four days of hands-on training (Saturday through Tuesday) followed by two days of cutting-edge talks (Wednesday and Thursday). There are also events, such as the Pwnie Awards on Wednesday night. The audience tends to be more corporate and professional, not quite RSAC-level but approaching that.
BSidesLV (July 31 and August 1, 2021). BSidesLV will be entirely virtual in 2021. This conference started out eleven years ago as a way for speakers who were rejected from Black Hat to still give their talks. This conference is put on by volunteers and is largely free--however, tickets are impossible to get (often you have to volunteer during the con to get a ticket).
DEF CON (August 5-8): This is the original hackers-in-the-desert event. Started in 1993 as a going-away party for a friend, DEF CON is now in its 29th year. The cost of entry is only $300 USD, and this event, too, will be hybrid, in person and virtual. If you are going to attend both Black Hat and DEF CON, you can purchase the registrations together. DEF CON is not Black Hat. The talks at DEF CON are more technical and edgy. Given its huge size (really, the hallways are not passable at times), there are more villages and things to do outside the talks and outside the conference hotels themselves. And of course, there’s the famous DEF CON Capture the Flag contest held throughout the weekend.
There’s also a bunch of other mini-conferences and parties throughout the weeks. For example, FuzzCON 2021 will be hybrid, in person and virtual, the Thursday night between Black Hat and DEF CON.
This isn’t Burning Man, but it is the Nevada desert nonetheless. Over the last two decades, I have been caught in heavy monsoon rains, a dust storm, and even a plague of locusts one year. That said, it’s always very hot outside, up over 100 degrees Fahrenheit during the day and only down to the 80s at night.
The casinos, on the other hand, are over-air-conditioned, so if you’re sitting through an hour-long session, you might get cold. I usually wear long-sleeve shirts and jeans and I’m fine. Others may want to bring a light jacket. There are those who insist upon wearing beachwear -- shorts, sandals -- to the talks, but don’t say I didn’t warn you about the air conditioning.
- Dress: For Black Hat, it’s business casual. For DEF CON it’s anything goes -- I’ve even seen Federal Agents wear t-shirts and jeans.
- Shoes: Above all else, please wear comfortable shoes. You’ll be walking a lot -- a lot more than you might think. The Black Hat convention space is on the second and third floors and set back from where the restaurants and the hotel begin, so just meeting someone for coffee will rack up your step count. DEF CON is on several levels of Caesars and also across the street at Bally’s and Paris (and additional sites), so you’ll be walking.
- Hydration: It’s the desert, stupid. Really, with every cup of coffee (which dehydrates) you need to drink a cup or more of water. And even without coffee, you need to drink more water each day than you’d normally consume at home.
- Vitamin C: There’s something called “Con Flu” which usually hits a few days after your return from Hacker Summer Camp. Seriously; it’s real. And, because of COVID-19, we all haven’t been out and about much, so this year you need to be especially careful about letting your guard down around others.
- Snacks: For Black Hat, they do a really good job with sponsored snacks throughout the day. For DEF CON, you’re on your own.
You don’t need to bring a lot of devices unless you're taking a class or want to show off your l33t skillz in the hallways. That’s up to you. But if you do want to bring electronics, what should and what shouldn’t you do?
- Burner devices: I get asked this a lot -- “Should I buy a burner laptop/phone for Black Hat or DEF CON?” Back in the day, I would get hit with weird stuff -- I once returned from Hacker Summer Camp with an early version of the MS Blast worm; and when it hit the internet two weeks later, I knew exactly what was going on because I’d already experienced it. In general, those types of attacks are less frequent today.
- Passwords: Make sure you have strong passwords on your phone, on your laptop, on all your apps and services. Two-factor authentication is a must. I was once in the press room at Black Hat when my colleague’s unencrypted password was hacked.
- Wi-Fi: And don’t sign into Starbucks123 for free wi-fi--just don’t. It’s not the official Starbucks wi-fi and you should already know that. The official Black Hat conference Wi-Fi is reasonably good. The one at DEF CON is hit or miss.
- Tether: If your data plan will allow it, you might be better off tethered to your phone’s hotspot. The wi-fi at Mandalay Bay and Caesars/Bally/Paris is not the most robust. If you really have to be online, you might be better off with a tether.
- VPN: I do recommend a VPN, especially if you’re using a hotel Wi-Fi system. It’s an extra layer of security.
- Tor: If you’re really paranoid, then you can add The Onion Router to your internet connection, but it’s not necessary.
With Black Hat, there are a lot fewer fun and games (aka “experimentation”) these days. Elevators no longer get hijacked; the internet doesn’t get shut down either. In reality, though, you might not really need your phone always on during the conference given the generally crappy reception at Mandalay Bay. If you do need wi-fi, the network for Black Hat is pretty secure.
With DEF CON, I generally turn off my phone as a standard practice; it’s not going to work well inside Caesars/Bally/Paris, and, if it does, I don’t want it to get caught in someone’s homebrewed IMSI-Catcher or otherwise fake base station. Yeah, that’s me standing on the sidewalk in the blazing sun checking my messages.
And -- do I even need to say this? -- never leave your phone or laptop open/on unattended. Seriously, just getting up to get a glass of water is long enough for someone to do something really stupid to your device.
Remember, Have Fun
If anything above has set you back and made you wonder -- don’t be afraid. First, you can attend all of this from the comfort of your own home if you want. All the talks will be provided virtually (but you’ll still have to register for them). And, if you do go to Las Vegas, you won’t be alone. The night before the Black Hat Briefings and the night before DEF CON you can find talks that welcome first-timers, with answers to allay your residual concerns.
Whichever attendance you choose -- in person or virtual -- you’ll come away smarter and better prepared for the year ahead in information security. As always, it promises to be as action-packed as the year before. And, if you need CPE credits for your various ISC2 and other certifications, you’ll get those as well.