Hack the House: Testing the Defense Readiness Condition of DEFCON
I’m walking up and down the Vegas strip with a motherboard attached to my chest, dangling from a lanyard. Wandering tourists and local casino employees give me the crazy eye. Most of them have no idea what a DEFCON is or where you would go to find one. That’s okay, I’m smiling back at them, mischievously.
I just pwn’d the House of Haxxor. And I’ve got the receipts to prove it.
My weekend journey to the world’s largest meeting of hackers began in Disneyland of all places. That’s where I pick up a rental car, which has a “buy one day, get three free” deal, as long as you’re back by 0800 Monday morning. I should be able to make it by then. At least, that’s the plan.
Pulling off the lot, I try to find some decent tunes without too much commentary on the analog radio, which is difficult even in a big city like L.A. It’s not a good idea to bring your phone, credit cards or laptops to DEFCON (so I’ve been warned). I’ve been experimenting with a no-phone protocol for a while now. The rental car company gives me a cellular-connected GPS, so I can follow the digital road to the Mecca of gambling.
I hit the desert between L.A. and Vegas, where there seems to be only Mariachi bands and Christian music for a good hundred mile stretch. Flipping off the radio, I’m alone with my thoughts and focused on the road ahead. What will Defcon be like? How many people will be there? Do I even belong here? It’s my first time, just a noob, and I’m planning on crashing the con, so I’m feeling uncertainty mixed with anticipation and excitement.
Parking only costs seven bucks on the Vegas strip, if you know where to go, another travel hack that’s handy to have at your disposal. “Remember to be back by eleven,” the parking attendant shouts to me, “Or you’re going to be locked in until ten in the morning.” I assure her that I’ll be back in time. A local buddy I met at the Burn invited me to a drum circle, so I have plans to leave the strip long before that time.
Across the street is The Forum at Caesar’s, which is the location of Defcon this year. As soon as I shim a door open near the Linq, I’m inside the perimeter of the conference. I blend into the crowds of twenty-to-forty-year-old men, mostly dressed in black with backpacks, all wearing computer chips strapped to their chests. This must be the place.
Walking toward the entrance to the conference, I still have no plan for how to get in. Before coming up with elaborate strategies uninformed by actual experience, it’s best to simply start by testing the gatekeepers. I strike up a conversation with some fellow DEFCON attendees who are talking about lock-picking and “physical security.” I don’t know the lingo of the realm, but I know a little bit about the first topic. Chatting with them means I’m now walking in with friends instead of going in solo.
“Uhh, I’m going to registration,” I mutter to the one security guard sitting at the gates of Defcon. “No, you gotta be wearing a mask. Here,” he says and doesn’t even bother me about credentials. In the post-pandemic days, large gatherings of people are more worried about becoming a super-spreader event than they are about guaranteeing everyone paid to get in.
Con crashed, check.
I walk into the main room at Defcon and it is massive. Imagine a rock concert for a mid-level band that’s on the verge of being famous. There are goons everywhere, the volunteer army of Defcon. I’m not sure how concerned these red-shirts are about checking credentials. So I grab a quick seat and roll a spliff while a kid explains how he Rick Roll’d his entire school district as a senior prank. Meet the heroes of the next generation.
Inside this room is an interesting mixture of the world’s most elite hackers, fanatical coding hobbyists, and government spooks. People who’ve hacked the banks and governments are sitting next to me somewhere. The legions of anonymous are here IRL. It’s an IRC message board of the internet’s most famous outlaws who decided to meet up in person. No wanted posters here — only hackers with war stories about being busted by feds. And how-to’s on hacking the legal code to get yourself out of trouble if caught.
Borrowing a Defcon program from a nearby attendee, I get the lay of the land. The talks are mostly in the big rooms. Practical demonstrations and hands-on hacking villages are in breakout rooms. It’s here that I realize hacking is a much bigger tent than I previously thought. There’s a biohacker village, a place for ham radio enthusiasts, and even a corner dedicated to hacking (and securing) voting machines. I fit in at least a few of these boxes. Maybe I do belong here, after all.
“You too may be a hacker,” I think to myself.
Avoiding the goons, I make my way over to the lockpicking room. I’ve got a gift for Deviant Ollam, who helped inspire a piece of jewelry I wear every day. I hear he hangs out there. There’s a guy giving a basic lock-picking 101 talk and a handful of people at a cocktail table trying to pick locks. I talk shit about Master Locks then struggle for far too long to break the lock, which I finally figure out after some helpful advice. We make fast friends and I show them some tips and tricks. I also gain some insight from the presenter on how to improve my practice (“use more gentle pressure”).
John is from DC and he asks me about pen testing. “What’s that?” I ask him. He gives me a startled look like I don’t belong here, the first one I’ve received so far. Rut roh. “Penetration testing. Looking for gaps in physical security,” he replies. “Oh, I’ve done plenty of that,” I assure him, “I just don’t know what you all call it.” We talk shop for a bit about his consulting practice and my personal history with the Secret Service, where I’m somewhat infamous.
Together, we walk over to a large dark room that reminds me of a rave from my college days. There are people in costume wandering around, neon lights, banks of computer screens, and a vending machine with a throng of college co-eds learning how to hack free food. A hacker comedian is on-stage performing magic tricks and the results of a hacking contest are being announced in another corner of the room.
There’s something for everyone here, fun for the whole family.
After this, we wander over to the physical security village, which is where the handcuffs hacking demonstration lives. I show off a piece of jewelry with a hidden handcuff key and unlock a set of cuffs from my wrist. A skeptic asks, “Yeah, but how are you going to get to it when your hands are behind your back?” I let him cuff me and then proceed to jump on the table and pull my knees through my cuffed hands, then extricate myself from the cuffs in less than a minute. Then I show John the basics of picking handcuffs with a hairpin, and we both practice shimming doors at the numerous example doorframes Defcon has set up on the tables.
I invite John out to smoke that joint, but he’s got some place to be. I get the feeling that he’s on the clock, so we part ways without exchanging contact info. The premium on anonymity is so high that Defcon organizers only accept cash and won’t let you pay with a credit card at registration (not that I would know that from personal experience). So every connection made here feels destined to be lost, unless you randomly find each other on the web during an op.
See you at the next con, John.
On my way outside, I hear some intense drum and bass banging inside a room with a sign labeled “Capture the Flag.” I peek inside and wander around the room, marvelling at screens filled with code. Teams of competitive hackers grasp their foreheads in collective frustration. Unlike the sexy visuals depicted in movies about hacking, this is the real deal. It’s just an endless array of white letters on black screens. One team in this room will win the prize of the black badges, which gain you free entrance to Defcon for life. I compliment the DJ, then continue on my merry way.
Outside, I bum a light off a guy wearing a Monero t-shirt. We strike up a philosophical conversation about crypto with another random Defcon attendee. “Every time a transformational technology comes along, like the printing press or the internet, it changes society, government, and money. You think we’re still going to be handing out dirty tissues to pay for things in thirty years? Money is already 1's and 0's, right now.” A compelling argument. But you still can’t buy a badge into Defcon with handfuls of Bitcoin. For now, cash still reigns supreme, even in Hackerville.
As we’re talking, another person walks up with a QR code on a magnet. He’s saying something about badges to the other people in the convo, definitely fishing for noobs. He’s not dressed like a goon and technically I’m outside the conference, so I figure I’m in the clear. I don’t even have a phone to download whatever malware lives at that QR code. But I whip out the rental car company’s GPS, which is technically a phone. I recklessly point their phone in the direction of the QR code. “Is that enough?” I ask. “Yes, that’s enough,” a nearby hacker replies. “Wow, just that much, huh? Funny part is I don’t even own a phone.” They dubiously stare at the phone in my hand.
Now that I’m a little bit high, it’s time to party. John told me about a party at the Flamingo and there’s also a charity thing for the Electronic Frontier Foundation, who are the people who helped save the internet with Aaron Swartz. I once dressed up as Rick Astley at an EFF protest outside a Verizon store in Boston, so I count myself among supporters of the cause. I bump into a few Defcon organizers at the Flamingo, but no one can point me in the direction of the EFF party, so I decide to go back outside to smoke some more and meditate for a bit.
I wake up to a police officer asking me for identification.
Must’ve dozed off to the sound of that waterfall. “Am I being detained or am I free to go?” I ask the officer. “You are not being detained,” he replies, “Let’s just see some identification or you’ll need to leave.” I start gathering my sparse possessions and reply that I’m ready to leave. “You know the way out?” the officer asks me as he walks away. “No one knows the way out of these places,” I say in reference to the endless indoor mazes that are casinos. But he’s not listening.
When I arrive back to the valet where I left my car, the place is empty except for my car. How long was I passed out? I discover that it’s past one in the morning. I’m way too late to get my rental car. I missed the drum circle to boot. Most of the advertised parties of Defcon have long since ended. Since all my gear is in the car and the valet has my keys, I don’t even have a credit card to book a hotel room or a car to drive to my friend’s house. Looks like I’m walking the strip until sunrise.
Now that it’s the middle of the night, it’s the perfect time to acquire credentials, so I head back to the Forum. The perimeter is locked up and the cleaning crew is on site. But there’s always a way inside. Earlier in the day, while stepping outside with that joint, I cracked a door, which comes in handy now. On the forums, Defcon attendees talk about Linecon, which is the hours-long line it takes to get badges on day one.
The line at 0100 on day two is nonexistent.
Since the room is empty and no one is present to help me register, I help myself to some credentials. I pick one that is bluish green instead of the standard white. Different colored badges are a status symbol in this land, which identify you as human, goon, or speaker (as well as a bunch of other colors).
The Defcon badge is highly functional. It’s a drum machine and loop board with a multi-colored LED light flashing at the top. Picking up a lanyard, I notice packs of unattended red goon t-shirts. Tempting. But I decide it’s probably more trouble than it’s worth since Defcon has posted signs about fake goon badges all over the walls.
After a few hours of visiting the randomly themed casinos on the Vegas strip, which are all open all night, I head back to my rental car and call my local friend using a VOIP connection at the nearby Starbucks. We grab brunch at The Cracked Egg, which is the kind of place you eat at if you live here. I regale him with the story of crashing Defcon and invite him to join me for part two. He accepts the invitation and we head back toward the Forum in my rental car.
This time, security stops us at the front entrance. “You’re not supposed to be here, gentlemen. Turn around and go the other way.” It is a surprisingly true statement of fact. How does he know that though? I nudge my buddy to flash the blue-green credentials I borrowed while I wave the DEFCON program in the air like we belong here. “Oh, you are in the correct place. Go on in fellas, just wear a mask,” the guard says.
The only close call with security I had in forty-eight hours at Defcon (besides the cops at the Flamingo).
Everyone is in the large room watching the Defcon awards ceremony, which hands out those highly sought after black badges. We head toward registration, which now has a handful of people inside, all looking down at their phones. I drop a copy of my presentation, “Pwn’ing the House of Haxxor: Pen Testing DEFCON 30” on top of the keyboard sitting below the display screen of the security cameras. No one notices us.
I grab a guy heading up to the stage. “I just came up from registration. Can you put this on the podium for us?” In sloppy handwriting, the slides are marked, “For Honorable Mention.” Signed, Lucy.
He proceeds toward the stage and hands the deck to a goon off stage right. If the guy at the podium actually gave us an honorable mention, we didn’t stick around to see. We only stayed long enough to make sure the slides made it onto the stage. That was enough to consider the message delivered.
When I first left Disneyland two days prior, I was on a self-assigned mission to hack the hackers. There is much talk about “OpSec” or operational security in these crews. DEF-CON stands for “defense readiness condition.” We put their name to the test.
But that’s only half the story.
By the end of the weekend, I had made some new friends, learned a few tips and tricks, and realized I belonged among the throngs of hackers at Defcon more than I had originally thought. The theme of DEFCON30 was “Homecoming.” For me, it felt like coming home indeed.