My First DefCon
What I Wish I Knew Beforehand
DefCon, THE hacker convention where 20,000+ hackers in their black t-shirts, cargo shorts and skirts, and backpacks filled to the brim with tools and electronics all descend on the Las Vegas strip. There's so much to do during the conference that you literally cannot see everything even if you wanted to. It's almost brain melting how much stuff there is to do and see. There's mischief and mayhem abound; from putting googly-eyes on everything with and without a face, to cracking your hotel room key card, so you can emulate it with your Flipper Zero (for reasons). Stickers end up everywhere and on everything, and a sizable dent is put on the Vegas liquor supply.
This year, DefCon 31, was my first DefCon ever! I've wanted to go for years, but I was concerned that I wouldn't know anyone, or be a "good enough hacker" to really enjoy anything, or I'd be called a script kiddy, etc...
I'm here to say, if you're having any similar thoughts in your head, just ignore them. DefCon is for everyone no matter their skill level; even people who may not call themselves a hacker.
However... There are some things I wish I knew, that, after going to my first DefCon, I feel I need to share. So hopefully this post will help you get the most out of your first DefCon (or really any DefCon).
Pre-DefCon Prep
If you've decided you're going to DefCon there are some things I would personally recommend doing prior to going so that you can have the best DefCon experience possible:
Travel and Lodging
One of the most obvious things to do is getting your travel and lodging all situated.
I'm not going to bore you with hacks on how to get the cheapest or best flight out to Vegas or anything like that. As an obvious "No duh.", book your flight well out in advance so that it's as cheap as possible. Last-minute flights are usually very expensive and booking early can save you from paying out the nose later. Just because you're going to Vegas, doesn't mean you need to blow a bunch of money to get out there.
I will however mention that you should book a hotel room in the DefCon block that can be found on the DefCon website.
There's a very good reason for this! You may want to get an Airbnb or get a hotel room further down the strip from the rest of the conference. Don't!
The reason being is that while yes, the conference goes on during the day; at night is when all the really cool fun stuff begins. The amount of "after hours" stuff that goes on is huge. There are parties, raves, badge contests, even just grabbing a drink with some of the people you've met earlier that day. If you're not "local" to the conference, you will miss a good chunk of the fun of DefCon.
Making Friends Before You Even Get There
One of the biggest things I wish I had known to do was to get involved in whatever hacker circles I was tangentially related to.
If you have a favorite platform or type of hacking you like to do (or you're even just remotely interested in the topic) find the community Discord, Matrix room, IRC, Twitter (no I'm not calling it 𝕏) hashtag, whatever. Get to know some people and see who might be going to DefCon. They may even have a dedicated channel or room to chat about whatever projects people are working on for the conference.
This lets you have a "home base" as it were so that you get to meet some of the people you've been chatting with IRL. As a bonus you get immersed in the topics you want to learn about and can grow your skills!
(Maybe) Pre-order Your Badge
One of the major things about DefCon is the amount of privacy-centric folks that come to the conference. As such DefCon caters to those people by allowing anyone to show up and pay for their badge in cash, no questions asked.
If you're super paranoid about your privacy, and you don't want any way for someone to find out you where there then you don't need to pre-order your badge. You'll likely get a different style of badge than the ones that people pre-ordered, but you didn't leave a paper trail.
I will say if you're super into collecting badges and don't mind the privacy hit, pre-register your badge in advance. There's a lot of cool things people do with the badges such as custom-made PCBs or add-ons that allow you to show your hacker flair.
Make It! (Do It!)
If you're the type of person that likes to design things, I would highly recommend you make something to bring to DefCon. It could be something as involved as custom badge or a puzzle for people to solve, or just some stickers that you want to stick places or hand out to people!
It's really fun to be able to show off something you've made, and you'll likely get to chat with some really awesome people who share your similar interests.
Note: If you want to make a badge, learn how to design your own circuits and electronics, or grow your skill set with a fun challenge. I would highly recommend this talk by the BadgePirates group out of SecKC.
Should I Be Concerned About Getting Hacked?
If you've heard anything about DefCon you may have heard that you need a burner phone and laptop, a hacker handle (and never use your real name), cash without sequential serial numbers, sand off your fingerprints, etc... And that after the conference you need to wipe all of your electronics, snap them in half, and tape them to the underside of a semi-truck going in the opposite direction as you.
DefCon used to be a wild west where anything goes. People would hack everything and anyone just to say that they did it.
As much fun (and as nerve-racking) as that sounds, DefCon isn't like that anymore and hasn't been for a long time.
Depending on your OpSec model, you may want to do certain things to give yourself some privacy. You shouldn't be concerned that you're going to immediately get hacked and have your bank account drained. There's a joke among the old guard that "No one hacks at DefCon anymore."
There's no need to get a Faraday bag to prevent any signals from reaching your phone or laptop. Nor do you need to get disposable devices and destroy them post-con.
A few rules to severely reduce your attack surface:
- Don't connect to the DefCon Wi-Fi, a lot goes on in that network that may be unsavory.
- If you do connect to the hotel Wi-Fi, use a VPN to encrypt your traffic and avoid the hotel snooping on your traffic causing possible privacy leaks and any other shenanigans that might be going on that network.
- Preferably use your mobile data (with a VPN for privacy) to do any general web-browsing, prevents the first two points from even being in play.
- Don't plug in, tap, or scan anything with any device you wouldn't mind wiping afterwards. While "No one hacks at DefCon anymore" doesn't mean that everyone has your best interests at heart.
Follow simple rules and there shouldn't be any need for you to have to nuke your devices post-con (unless you want to).
You've Made It to DefCon!
After way too many hours in a plane, bus, or car, you're finally in Vegas, and you're going to DefCon! You've checked into your room (and maybe taken a much-needed nap). Now what?
Hacker Tracker
Finding out what's happening when you may not have a group of people you know is tough as there's so many things going on even before the conference officially starts. Luckily there's an app for that!
It's called HackerTracker!
It is the guide for finding official events when you're at DefCon. All the villages and other hacker group's events are displayed, and you can see what time and where you need to be.
There are some other goodies in the app as well that help out with planning your DefCon experience.
Getting Your Badge (a.k.a. LineCon)
If you get to DefCon on the first official day of the conference, you'll have to wait in line to get your badge. For DefCon 31, you could get in line at 4am to make sure you are one of the first people in. They didn't start handing out badges until 7am. So, unless you want the greatest shot at getting a pre-ordered badge with cash-at-door, getting in line at around then will ensure you won't have to wait super long.
On Merch and F.O.M.O. (LineCon - Part 2)
You've got your badge. Great! You'll notice on HackerTracker that almost no villages are open (at least on the first official day) and not a lot of events going on at the venue itself.
Well, if you're a fan of merch, then as soon as you get your badge you should get in the merch line.
DefCon's official merch booth has a lot of cool swag for sale. The only problem is that as soon as they run out for the year, they close down. They only make so many of each size, so, if you want merch and wear a more common size, get it ASAP.
Note: The DefCon Merch Booth is USD cash only. They don't accept credit cards at all. Not all vendors in the vendor's area will accept cards either. Cash is king at DefCon, so bring plenty of it.
At DefCon 31 they added a cool feature to HackerTracker where you can see the stock and add merch items to your "cart". This way while you're in LineCon you can select all the items you'd like (or could get), the Goons just scan the generated QR code on your device, and it should be all allocated for you! Easy, quick and efficient!
DefCon Talks and Villages
One of the best things about DefCon is the really informative and fun talks people give at the conference. Because there are multiple talks going on at the same time and in possibly wildly different parts of the conference, DefCon records the talks and uploads them to their YouTube channel a few weeks after the conference.
Because that all the talks (and even some events) are recorded for you to watch later, to get the most out of your DefCon experience, I would skip most of the talks. I would instead recommend do things at DefCon that aren't recorded like the villages, contests, or even just meeting new people.
If there are talks you absolutely want to go to and would be sad if you missed during the conference. By all means go to those talks! But just going to talks because it's something to do or because that's what you think most people are doing would mean missing out on meeting some awesome people or doing some really cool things.
But I'm a Lonely Hacker!
You've decided on the talks and villages you really want to go to, but let's say you didn't have time (or didn't really know how) to join your "local" hacker group. Good news! There are plenty of amazing groups that will take on a lonely hacker (or two) and give them a tribe to call home. The two I'll discuss here are the ones I'm familiar with, but there are definitely more that I don't know about. So ask around!
Lonely Hacker Club
The Lonely Hacker Club is an amazing group of people. I met a few of them at my first conference ever (ShmooCon). They will take hackers of any level and make them feel at home.
At DefCon 31, they even had their own room where you could go in and meet some new people. Seeing all the people on Twitter who got new hacker handles or just shouting out the group because they found "their people" by going to their room was awesome!
PepperCon
Do you like spice? Do you put hot sauce on everything? Would you respond to a random dude asking "Hey, you want to do a bump of pepper flakes?" with "Hell yes!"?
Well then look no further than the PepperCon Discord!
They're a group of hackers who love their spicy food. Every year they go around DefCon and induct new members by having them try their pepper blend made of some of the spiciest peppers in existence.
If you do survive the hit of pepper you'll get a PepperCon poker chip as a reward!
They are a really awesome group of folks who are spread all around the world. If your local hacker scene is lacking, and you can handle your spice, definitely hop into their Discord.
Where Are People Getting All of Those Cool Badges?
One of the things you'll notice as you're walking around DefCon is all the badges people are wearing. Some of these are from DefCons past, however some are available this year, and you'll have to find someone or do something to get it!
DefCon badges can be a way for different groups to identify each other, or they could just be something cool someone made, and they want to show it off.
Some badges, however, are rewards for completing some challenge or puzzle. You'll definitely want to listen around or look on Twitter or Mastodon for contests.
As an aside: I got my first contest badge this year from IronWood Cyber. They do a contest where, at midnight, they drop the first hint on their Twitter. You have to solve all of their challenges and paste the final code in their Discord. I would definitely recommend getting a group together and trying to do it!
Three Hours of Sleep is More Than Enough, Right?
As mentioned previously, once the talks for the day end and the villages close down that's when DefCon really kicks into high gear. There's a lot to do once the sun goes down!
In HackerTracker you'll see some "after hours" events, I would really recommend taking a look at those and finding some events that speak to you.
There's also nothing wrong with just grabbing dinner and sitting at one of the bars in the casino and just chatting with your fellow conference goers!
Note: If you're someone who abstains from alcohol or that just isn't your vibe. No worries! There are plenty of people who don't drink that go to DefCon. Ask around, and you'll find someone who knows a group of people with whom you can do after hours things that fit your vibe. If anyone gives you trouble or is pressuring you, report the person to the Goons! DefCon is for everyone, and everyone should feel welcome.
After hours is when things like badge contests and other shenanigans go on (much to the chagrin of the hotels and other guests). Even just walking around the convention venue you'll find things to do and people to meet. It's a lot of fun just exploring Vegas, chatting with different people, and straight up hacking things!
DefCon is Over, Time to Go Home
You've done your first DefCon, the convention is clearing out, you've done nothing but immerse yourself in hacker culture for most of the week. You might be a little sad on your journey back home. All the people you met in the past few days all had similar interests as you, they understood and got excited about all the same things you do.
The post-conference blues are a very real thing. Being surrounded by like-minded people non-stop for a few days can do that to you. I will say that on my way home I was a little sad, but the people I met and will keep in contact with will help.
Once you're home, however, there might be a way to stay involved with your new-found hacker friends and communities.
BSides and Hacker Clubs
One of the things that you should look into when you get home is to see if there are any local BSides conferences by you that are coming up. They're an InfoSec conference that caters to a local geographic area. Everyone is welcome to join, but it's more focused on the groups that are local to the area. As such there will be vendors and sponsors who are local (maybe you can even get a contact to get your first cybersecurity role!). They're like a local DefCon.
If there aren't any BSides or other InfoSec conferences that are local to you. There may be hacker groups such as your local DefCon chapter or groups for organizations like TOOOL in your area where you can meet hackers who share similar interests as you.
Just because DefCon is over doesn't mean you can't get involved in your local hacker scene!
If you're unfortunate enough to not have any groups local to you, I would recommend joining some Discord servers that may have been mentioned to you by some of the people you met at DefCon. This way, while you may not be able to meet these people IRL until next year, you can talk with people who share your interests, and maybe even collaborate with some of the people you talk with to make something to bring and hand out for next year.
Closing Thoughts
My first DefCon experience was awesome, I got to see people whom I had met at previous conferences, made some new friends, and got to meet some really awesome people. I'm hoping this guide will help anyone who's on the fence about going to DefCon; to just do it. It really is an experience that anyone even tangentially related to InfoSec or Cybersecurity should have.
If you end up going to DefCon and are having trouble finding people or want to just have a chat. Feel free to shoot me an email or message on Mastodon. From this point forward, I'm going to try to go to every DefCon I can. It's my goal with this post to help get as many people involved in the hacker community as possible, because hackers are an amazing group of people. I'm hoping that after your first DefCon you'll want to call yourself a hacker too.