I’ve been going to Las Vegas for “Hacker Summer Camp” for eleven years now, and figured it was about time I put together a guide for the newbies who haven’t been yet. The full “Hacker Summer Camp” experience consists of three conferences – BSidesLV (Tue-Wed), Black Hat (Wed-Thu), and DEFCON (part of Thu-Sun). My first few trips to Vegas were for DEFCON, the largest hacking convention in the world. Once I had an employer willing to pay my way, I added on Black Hat (the commercial / corporate conference), and eventually BSidesLV (the less commercial alternative to Black Hat).
I’m going to focus on BSidesLV and DEFCON here.
BSidesLV started as an alternative to the over commercialized Black Hat. It’s got a small community vibe, and great talks and workshops. While there are some vendors present, most of them are focused on hiring vs. trying to sell participants things. I’d say the crowd at BSidesLV is more comprised of the “doers” in security organizations.
DEFCON is not a commercial / corporate conference. Vendors can’t sponsor it, and you won’t get spammed by vendors for attending. They keep no attendee records, and they don’t want to. While a bunch of attendees are in the security industry, a ton of attendees aren’t, and consider themselves makers or inventors, artists, etc.
People who attend DEFCON can look pretty normal, but there are also a ton who like to “let their hair down”. There will be lots of crazy colored hair, crazy dress, and plenty of shenanigans. Freak flags are on display.
Note: As I think of other things over the next few days I may add to this article. As of initial publication I’ve already added a few more tips. Latest Update: [2019/07/15 11:17]
Arrival to Vegas
- Luggage service to the carousels in Vegas can take 30-45 minutes! If you’ve arrived with a few people, why not grab a six pack of beer or your favorite beverage from the liquor store to the right at the bottom of the escalator and have a drink while you’re waiting? Relax, it’s going to take a while.
- There may be people in a vendor T-shirt at the airport saying they’re the official Black Hat ride service to take you to the hotel. No, they’re not. HP did this last year and you had to give them a business card and watch a commercial on a tablet on the way to the hotel… and get spam from them for a while. Not worth it. Just take a cab or rideshare.
- Taxi, Uber, and Lyft are all options. The Uber and Lyft rideshare area is across the street in the parking garage. Note that it’s good to make friends in the Taxi line or at baggage claim. You’ll recognize the hacker types… Chat them up and find out where they’re staying. You can share costs if you’re headed to the same place or real close.
- If you’re going to BSidesLV and staying at the Tuscany you should follow the @BSidesBus on Twitter – https://www.bsideslv.org/shuttle-schedule/
- Each conference has room blocks, but I typically like to stay in the DEFCON room block and keep the same room for the week vs switching from one hotel to the other like some do. See the DEFCON site for the room blocks. You could also check in with BSidesLV for room blocks to save money.
- It’s good to stay at the DEFCON hotel if you can because DEF CON TV streams talks to the conference hotels. That can save you if you miss the alarm, can’t get into a talk, or just want to hang out with a couple friends somewhere that isn’t packed and loud.
- Especially if you’re staying at an off-strip hotel, it’s a good idea to call a day or two in advance and confirm your room and smoking preference. I’ve seen people get stuck in a smoking room.
- Don’t leave much of value in your room – at least nothing that you can’t afford to lose. Hotel safes are “OK” but remember that hotel staff does have access to unlock your safe.
- See my hotel related blog links below about hotel safety and inspections!
- There are only like three companies who own most of the strip, with Caesar’s being one. Caesar’s owns all of the properties that DEFCON will be at. Caesar’s management works with DEFCON to identify people doing nefarious stuff on their premises, and their Security Operations Center (SOC) is pretty sophisticated. Don’t try to Man In The Middle (MITM) the hotel or conference network. Seriously, don’t screw with it.
- The cleaning staff will have a manual showing them what Yagi antennas, lockpicks, and other hacking tools look like, and if your stuff looks too shady they may call hotel security. Security has wrongly confiscated equipment in the past. Keep your hacking gadgets packed away in a box or bag if you’re not in the room!
- Caesar’s has been known to plant honeypot ATMs, gambling machines, and internet kiosks around their floor to see who is targeting them … and to waste your time. You may get arrested or kicked out of the hotel if you try to screw with their machines.
Badges / Getting In:
- BSidesLV used to have free badges at the door, but you had to arrive early and supplies were really limited. They started focusing more and more around staying at the hotel, as well as individual and corporate sponsorships in exchange for badges, and this year there are no free badges at the door. The key to getting into BSidesLV is to book at the conference hotel (Tuscany this year) or to buy a sponsorship months in advance. Update: Thx to digish0 for the info – If you’re a local and can prove it you can get a badge but you have to pre-register. See: https://docs.google.com/forms/d/e/1FAIpQLSdcDwUdeuhG3jqUmn1s_aVw72ni52foxt4odhiFCXtd6jSctg/viewform
- The line for DEFCON badges can be EPIC if you go on Thursday AM or Friday AM. If you are going to Black Hat you can pre-order a DEFCON pass to pick up there on Thursday vs standing in line at DEFCON. That said, standing in line is tradition. It may take a few hours, but take this as an opportunity to talk to the people in line with you and make new friends!
- DEFCON badges are CASH ONLY, and $300 this year. If you need a receipt for work, there’s typically one online and/or on the DEFCON CD.
- There is an electronic badge this year at DC27. Bring various USB data cables / connectors for your laptop if you want to program it and participate in the badge hacking. FTDI, mini and micro USB are good ideas to have.
- Once you get in to DEFCON, go right to the merchandise area if you want something. Stuff sells out quick. Merch is cash only, just like badges.
- Don’t use ATMs right in the casinos. Use them off strip if possible. It might also help to just bring lots of cash for food and drink, tips, and vendors around the conference area.
- If I’m not using cash, I use a credit card that is NOT a family credit card so if it’s popped it won’t mess up any auto-payments on accounts I have. If someone DOES pop your card then your card company will cover it so don’t stress. Just don’t use a debit card.
Mobile Phone / Laptop / Gadgets:
- Only charge devices via 110v outlet, no USB ports, OR use a USB condom
- Turn off WiFi and Bluetooth. People MITM WiFi as well as set up fake mobile base stations called rogue femotocells to MITM 2/3G, and MAYBE even 4G LTE this year from what I can surmise. Because of that you will want to:
- Turn off app auto-updates on your devices to prevent MITM updates to a rogue application
- Update all the things before you leave home! Check for patches, do the upgrades, etc. If you can’t do this, don’t bring it, or keep it powered off.
- Uninstall or do not use applications that have access to financial or personal data. I know you’re going to use Twitter, Facebook, Slack, etc. Just make sure to change those passwords when you get home.
- Get a mobile VPN service or configure one at home so you can foil MITM while using mobile data. I use OpenVpn to my house.
- Make sure to take a portable phone charger (maybe more than one). Your phone WILL die halfway through the day due to poor coverage in the casinos and it switching back and forth between legitimate towers and femtocells. I also have a USB octopus cable and plug to charge my phone and battery at once from the random 110v outlet I see.
- I’ll use my laptop to take notes sometimes, but I’m typically in airplane mode. I never connect to the DEF CON network, and never use hotel wireless. If I really need to get online, I use WiFi tethering to my phone plus the VPN to my house. Assume all WiFi you don’t own is pretty much evil for miles around.
- Closer to the con, install “Hacker Tracker” from the play store. You can build a schedule there and/or see what’s going on at any point, etc. Also, here’s another alternative depending on how you like to consume your schedule data. http://defcon.outel.org/
- Don’t scan any random QR codes or NFC tags (duh?!)
- Don’t be that person who buys a WiFi Pineapple and tries it out at the Con. It WILL get owned and locked on you. Plus, that’s just not nice.
- If you connect anything to a DEFCON network, make sure it doesn’t have any personal information on it, and make sure that you can wipe / re-image it when you get home.
Food & Drink:
- Usually lines for coffee and breakfast are insane at the conference hotels. You can also hit the strip for other options. I bring ground coffee, a reusable K-cup, and coffee filters since many Vegas rooms have Keurigs or some kind of coffee maker. Check with your hotel to see what they have.
- I bring snacks to eat throughout the day if I don’t want to miss a talk. Trail mix, peanut butter crackers, protein bars, etc. stashed in your bag will keep you going.
- DEFCON will have the hotel provide refreshment stations in the chillout areas so you can get food without leaving the Con. It’s typically not awesome, and a bit overpriced, but it’s OK, and you don’t have to go anywhere. While they don’t like outside food, you can get away with it if you buy something else on the strip and stash it in your bag.
- Drink a LOT of water. The dry desert heat will cause you to sweat but it’ll evaporate quickly. You won’t think you lost much water but you have. If you start drinking alcohol in the evening it will hit you much harder and the hangover will be epic.
- Treat yo self! Vegas has some amazing restaurants in and around the casinos or just a short ride away. You will be tempted to eat fast meals so you can get back to hacking or to a party. Don’t eat crap the whole time! Take the time to get together with a few friends for a really nice meal. Plan, and make reservations in advance.
- Use the buddy system, especially in the evening. I recommend going places with a group of friends, and make sure you all stay together. You can coordinate via text, Signal, WhatsApp, Slack, whatever. Buddies are important if someone has too much to drink, gets roofied, or just has someone harassing them. Like any large gathering, when alcohol gets involved people may behave irresponsibly, and conferences aren’t any different. Just be aware of creepers.
- If you’re looking for social gatherings at night, BSidesLV has a pretty awesome pool party, and DEFCON has lots of parties in the conference areas at night. If you’re looking for events outside of the official program you might want to check http://defconparties.com. Of course there is also the time-honored tradition of just wandering the halls of your hotel listening for a bunch of noise! Lots of people at DEFCON are willing to welcome you into their event.
- If you are in Vegas on Tuesday or Wednesday during Black Hat that’s when most of the “free” vendor parties are around the Mandalay Bay. You can find the vendor parties at the DEFCON Parties link above. Many of these parties “require” a Black Hat badge, but sometimes a business card is sufficient. Some of the parties and/or clubs where the party is at have dress codes. Business casual is expected, and I’d recommend against jeans since some clubs have a no jeans policy.
- If you’ve never been to DEFCON, I say you have to go to the talks your first year and mix it up with the villages. When you’re coming back for your second time, the agenda might be different (more on this in a bit).
- If you’re interested in talks, plan in advance. You will NOT get into see one talk after another if you pick the big popular talks. People may wait in line for an hour or more for a talk. So, strategy and prioritization is key. If you see two talks in the same room, don’t count on staying in the room. Sometimes the Goons will clear the room between talks.
- The talks will be online in a few months, so my suggestion is to spend time in the villages!
- If you do stand in line for a couple of talks that you can’t miss, talk to people! Linecon is a tradition. Ask people what their favorite talk or event has been. Ask them if it’s their first DEFCON or not.
- If you do see a speaker outside of their talk and you want to ask them questions, please DO. Many of them are just excited to talk to people about their research. Respect their time however. Buy them a beverage or a meal, and give them an out if they want to go.
Around the Con:
- Listen to the Goons and follow the 3-2-1 rule; Three hours of sleep, Two (or more) meals per day, and at least one shower per day!
- Avoid wearing a red shirt unless you want the Goons to hassle you. I’ve had younger people come up to ask me questions as well assuming I was a Goon just because I had a red shirt on.
- Definitely bring a small backpack, satchel, etc. In it you’ll want:
- A refillable water bottle – there are water stations in most speaking rooms and some villages
- Portable battery pack
- Room for vendor purchases
- Laptop if you wish
- Pain reliever like Ibuprofen
- Cash for vendors, etc
- Chapstick (lips get cracked and dry in the desert)
- Medication – Take any controlled substances you may be on with you. I know someone who had their medication stolen and they had to go quite some time without.
- Make sure you have very comfortable shoes
- If you’re considering walking somewhere make sure to note the distance according to your favorite map software. Something that looks like it’s only a couple blocks away could be a long walk. Vegas blocks are HUGE. You may melt before reaching your destination. That said, the strip is very walkable. Take advantage of the pedestrian bridges, and the fact that many of the casino hotels and shopping areas connect to one another. You can walk a long distance all inside.
- Mind your photography etiquette. If you’re going to take a picture, get consent from everyone in the frame or don’t take the photo! People at DEFCON really value their privacy.
- Double check your hotel and restaurant bills. It’s really easy for someone to charge something to your room or table, especially if they know your name. Much worse if they know your room number.
- Get a mohawk at the MohawkCon booth! Overpay to support the EFF or other charities!
Here are some other resources that you might find useful.
- The official DEFCON FAQ: https://defcon.org/html/links/dc-faq/dc-faq.html
- DEFCON Documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
- DC27 Planning Thread: https://forum.defcon.org/node/227570
- DEFCON TV: https://dctv.defcon.org/
- DEFCON Reddit Mega-Thread: https://www.reddit.com/r/Defcon/comments/bw9t25/def_con_27_mega_thread_info/
- An older but decent FAQ: http://defcon.stotan.org/faq/rules.htm
- Lonely Hackers DEFCON guide: http://lonelyhackers.club/post/defconguide/
- Hotel Safety: https://theplaceboeffects.wordpress.com/2018/09/15/safety-in-around-your-hotel/
- Hotel Searches: https://theplaceboeffects.wordpress.com/2018/08/16/leaving-las-vegas/