Fear and loathing at the Riviera: A noobs guide to Defcon

        I'm writing this post for two purposes. First, to recount my experience at Defcon 17, and second, to let anyone new to Defcon know what to expect. Think of it as sort of a supplement to the Unofficial Defcon FAQ.

        Things start off for me at about 4:30AM, getting up way earlier than my nature normally permits so my pal Mikey could drive me to the airport. The last time I was in a plane I was so young I can barely remember it, so I was somewhat concerned about procedure. Dr. John, my Defcon companion, talked be though parts of what I needed to do to keep the TSA happy. I ended up leaving my pocket tools behind, which gave me a slightly naked feeling. When I got to the TSA check point, I explained it was my first time, and hoped they would be gently. All my gear got through no questions asked, including my hardware keyloggers. I'd packed light since Dr. John recommend I not check any baggage.

        For Defcon, a netbook with long battery life and a cell phone so I could make an EVDO connection was enough for my computing needs. Defcon should be a social and learning event; using your laptop for taking quick notes or looking something up is about all you should need it for unless you plan to compete in the CTF event. Keep in mind, Vegas means a lot of walking, and the Casinos are designed in such a way that you have to walk past a lot of gambling opportunities to get where you are going. You may think your 17 inch laptop is light now, but wait till you have to carry it all over Vegas.

        While I'm on the topic of personal computing, let's talk about security for a moment. Sure, the Defcon network is pretty hostile, but if you follow the advice in my guide to hacker con networks I think you will be ok. The oddest thing that happened to me at Defcon was the bluetooth on my HTC Touch Pro phone kept turning itself on (but maybe it was just my paranoia making me think someone was up to some shenanigans). On the Defcon network, you can start to see every coincidence as some leet zero day attack. The network team there does a good job of making the wifi at the con pretty robust, and separating users into different VLANS helped lower the attack surface. We only had a 20Mbps connection out, but it seems fine for most things and if I was doing anything important I used the EVDO provided by my cell phone.

            Ok, back to my travels. I've found that I dig flying. I love the feeling when the jets kick in and you a pushed back in your seat, and looking down at the ground is beautiful. The hop from Louisville to Chicago took about 1 hr. The airports are cool structures, especial O'Hare. I'm into paleontology, so I loved the Brachiosaurus skeleton set up at the O'Hare airport. While at the O'Hare airport I kept looking around for folks that looked like they were heading to Defcon. Very few of the folks fit the stereotypical "Black shirt" crowd. Then someone asked me "Are you Adrian Crenshaw?", and that's how I met Corey, a visitor to my website. A few of the others around us were also going to Defcon it seemed, but they sort of kept to themselves while Corey and I chatted. Then I'm off again on the 2nd leg of my journey to Las Vegas, and while I'd not want to live in the desert, it sure is pretty from the sky. We touched down in Vegas, and while getting off the plane the heat hits me. It's not so bad since I live in the Ohio River Valley and am use to more humidity, but Vegas sure can dry you out. Drink plenty (of water), and bring lotion if you tend towards dry skin.

        There are slot machines even in the airport; lets hear it for Sin City and people who are bad at math! I figured out how to get to the outside of the McCarran International Airport, and find a shuttle that will take me to pretty much any hotel on the strip for $6.00. At one stop I try to ask the driver to make sure they are stopping by the Circus Circus hotel, but she had slipped out the side of the shuttle. I step out to find her and almost get left behind. I ask my question, and a rude fat guy behind me tells me to sit down. The pisses me off for a good portion of the day, I guess he could not wait to gamble away his kid's inheritance. There's something about gamblers that makes me feel like I need to scrape something off of my shoes. One of the problems I had communicating with the driver is that she had a pretty thick accent (and so do I perhaps). There seem to be a lot of folks working in Vegas whose first language is not English, so be prepared to ask folks to repeat themselves. I get dropped off at Circus Circus and wait in line a long time, luckily I had some cute French girls ahead of me to keep my mind occupied. Folks kept telling me before I went that Circus Circus was a very ghetto hotel, and maybe it is by Vegas standards, but by comparison to the ones I stayed at for Phreaknic and Outerz0ne I thought it was ok. I mean no disrespect to those cons. Skydog and crew do a great job and dollar for dollar they are better than Defcon in my opinion, but when you step out of the hotel to a nearby  convenience store and notice six inch thick bullet proof glass around the cashier you know you are in a bad part of town.  By comparison, Circus Circus seemed fine. While doing some research I found this Hunter S. Thompson quote I just had to put in: "The Circus-Circus is what the whole hep world would be doing Saturday night if the Nazis had won the war. This is the sixth Reich. The ground floor is full of gambling tables, like all the other casinos . . . but the place is about four stories high, in the style of a circus tent, and all manner of strange County-Fair/Polish Carnival madness is going on up in this space." Yeah, it's a weird place, and be prepared to do a lot of walking to get to the spot in the Riviera across the street where they hold Defcon. As I stated before, the Casinos are designed in such a way that you have to walk past a lot of gambling opportunities to get where you are going.

        After finally checking in, I drop my stuff off in the room and head across the street to the Rivera to get my Defcon badge. Figuring out where to go was interesting; casinos don't have a logical layout in my mind. I think the idea is to get vacationers lost in the maze so they just keep gambling. The first line I got into was not for the badges, but for Defcon swag, luckily I was told pretty quickly it was not the line I was looking for so I did not waste much time. I find the right line, and while it seemed long it moved pretty fast. Glad I got there early enough to get one of the cool hackable badges, even if I did not enter the badge hacking contest. Some folks got stuck with blank circuit boards as their badges. I start talking to those around me, and I meet so many people, but I feel bad that I have a hard time remembering people's names.

        A note on food. There is a food court near the entrance with the statue of the girls with their brass butts facing the road. It seems to be the cheapest place to buy food, and the Chinese fast food there was passable.  There was a food stand right outside of the Defcon hangout/DJ room, but it did not have much of a selection. If you want to buy an energy drink or soda walk down to the Seven-Eleven past the Peppermill because the prices there are more reasonable than at the hotels. More on food in a bit, but you may be best off packing some protein bars like I did (but be careful to keep them out of the heat).

        While sitting in the intro to Defcon track I heard the best quote of the con, which as I remembered went something like: "Using the ATM at Defcon is like leaving your kid at a NAMBLA convention for babysitting." The talk about what to do if arrested in Vegas was also very topical considering the guy that got busted for having a firearm at the Casino and the dumbass who decide he wanted to bungee jump off of the roof of the Riviera. While asking the AV guy some questions so I could do a better job recording the talks at the Louisville Infosec conference, I got a call. It was Fyodor of Nmap fame! While I'm not an Nmap developer (I just create videos about their tools) I was invited to go to dinner with them. We had some kick ass Thai food. Thanks for dinner Fyodor! After dinner, we take a taxi back to Circus Circus, and the cab driver tries to get us to go to some strip club/brothel/night club or something. The way it was explained to me, the cab drivers get kick backs for bringing in customers. We all take a pass on the offer, and I go back to the room Dr. John and I are staying at. Sleepy time for Adrian. It may be only 1am in Vegas, but that's 4am to me.

        Friday morning I get my butt up and go back to the Riviera. At some point in time, Scott Moulton and I cross paths and talk about upcoming project, then we take a photo with Jake. I debate if I want to stay in the talks, or go to the vendor/contest area. I go to the contest area and finally meet all of the Pauldotcom crew in person, and get my Pauldotcom skybox party pass. Also, I find that when you need caffeine warm Brawndo ain't all that bad. At some point in the day I end up in the hangout area and meet Joe Cicero and we talk about Infosec in higher education. The best talk of the day was Jason Scott's "That Awesome Time I Was Sued For Two Billion Dollars." The thing about Jason's presentation style is that even if I don't think I care about the subject, he makes it interesting to listen to.

        I was wanting to go to Johnny Long's talk, but when I see how long the line was I decide to wait till it's out on video. Lots of folks hate the goons kicking folks out of rooms to get back in line for a talk in the same room they just got out of, but this gives folks a chance to see a talk they may not have otherwise. I find out later part of the reason they do this is fire code compliance. Considering the onslaught of people (some counts placed it at 10,000), I think the goons did a good job. Some of the folks seem to get really pissed at the goons, but the folks that are complaining seem rather selfish at times. It would really help if they had the talks on closed circuit tv, but then some folks would be hotel room shut-ins. That brings up another topic - I don't care if the guy next to you has BO, in a crowded talk fill up all the seats in a row so folks can see the presentation. Lots of folks seemed to not get the idea, no matter how often the goons told them to move down a row and fill up seats.

        After the Dan Kaminsky talk I head back to the vendor area and say hello to Stankdawg (who I accidentally called Skydog earlier in the day), Jason Scott and Seal. Jason Scott takes Seal and me to the Peppermill diner and buys us dinner - thanks Jason! The Peppermill is a nice place to stop by while you are at Defcon, and it's within walking distance. Afterwords, Jason takes us to see his room at the Encore, and yes, it's  a lot nicer than the Riv or Circus. Earlier in the day Skydog had given me a pass to the HackerPimps skybox party, which I knew I had to go to based on pictures I'd seen from previous years. They had a strict "no photos" policy this year, which is understandable. Girlfriends back home would not like the idea of their man going to the event, and bosses might ask "Why am I paying you to go to this conference again?". There's a lot of good tech info to be had at Defcon, which justifies work paying for it, but there's also much partying.  Before the strippers show, intx80 does his performance, which is enjoyable as always. The HackPimps party was fun, but Dec0de and Skydog wearing latex gloves gave me pause (glad they're not TSA). While at the HackPimps party, Matt and I exchange Irongeek and SecurityJustice stickers. I also run into my fellow Hoosier DOSMan, who I did not even know was coming. Now it's back to Circus Circus for some more sleep.

        I wake up on Saturday and go to Nathan and Shawn's talk "Weaponizing the Web: New Attacks on User-generated Content", and realize I need to look into MonkeyFist for automating some CSRF attacks. I miss most of Renderman's talk, and wish I had come earlier since he mentioned zombies a lot (I love me some zombies).  I stayed in the room for the next talk, since I did not want to fight the crowd to see Adam Savage. Then my bladder got the best of me. When I tried to leave, I was stopped at the door by a goon. It seems that the Adam Savage talk had the hall a mess and I'd have to wait. Eventual the goon went away, and I saw other folks heading out the door so I followed them. By that time the hall was pretty much clear and I walked right in to Adam's talk and even found a seat with little problem (other than having to hold off mother nature for a little longer). I got in the question line to ask Adam "Are you aware of what rule 34 and slashfic are, and how do you feel about the fact that a Mythbusters variety exists" but the question time ended before I got my chance.

        I head for the restroom, then to get some Chinese at the food court. When I get back I checkout some of the Metasploit track, and they seemed to be in live demo hell. Been there before, so my heart went out to them. I sat in on the Cyberwar panel, and gave Ed Skoudis some stickers after I asked my question of the panel. After the talk, Kevin Johnson, Justin Searle and Frank DiMaggio of the SamuraiWTF dev team gave me a signed copy of the CD, kick ass! They told me they added my Mutullidae project to the CD, which I found very gratifying.

        After the Q & A for the Cyberwar panel, I chatted with Stank some more then got ready for the Podcasters meet up and the Pauldotcom party. I had a good time at both. Mick, Paul, Larry, Carlos and John, thanks for the party! I sat out on the balcony most of the time. Helped Jero get past some people blocking her in by picking her up and placing her one level up, which elicited much giggling. Then it was time for more sleep.

        Sunday morning I got up and listened to Ne0nRa1n's (love the hair) and then Tottenkoph's talk. I met both of them at Notacon earlier in the year. I also went to Trip's 4th ammendment talk, and Tom and Kevin's Social Zombies talk. I did not sit in for all of the closing ceremonies, though I'm glad to see Shane did well in the lock picking event, and I think the guys who made the noise avoiding blimp out of the con badges should have won the badge hacking contest. I went back to my hotel, grabbed my gear and took a $6.50 shuttle back to the airport for my red eye back home.

        It was a grand time, and I may see you again next year.

Thanks to Dr. John for the room and plane ride, Haxorthematrix, Sereyna, Minoad, Mr. Bradshaw, George and anyone else who donated to my Paypal so I could go, and Mikey for the ride to and from the airport.