Sync Dev: DEF CON 22 Wrap-Up

Developing on the BitTorrent Sync API? Our developer evangelist is here to work with you.

As promised, here’s my write-up for DEF CON 22.

My journey to DEF CON this year started in San Francisco at BitTorrent HQ.  I stocked up on Sync t-shirts and stickers for contests before flying home to Orange County.  Last year, my college programming partner and I decided that it would be fun to road trip to Las Vegas for DEF CON and this year we decided to make the OC to LV road trip a tradition.  Driving into Las Vegas offers a few benefits – specifically that I can pack all sorts of gear without worrying that TSA will question why I have lock picks or what the Beaglebone in the clear acrylic case with add-on boards rubber-banded to it is.  We also get the added benefit of having a car in Las Vegas; this is really nice because taxi lines are long and it’s often too hot to walk in the Nevada summer.  The Rio’s dining options also become limited after a day or so; I can only have so much Pho, Burger King and Wetzel’s Pretzels in one weekend.

We left Orange County for Las Vegas around 10:15am on Thursday August 7.  The pilgrimage to DEF CON wouldn’t be complete without a little bit of geekery and tech during the drive, so I’ll mention that my road trip setup always includes a Valentine 1 radar detector at the minimum.  As a veteran road rally driver, I would love to geek out and tell you about digital trunking & CB radios, hidden laser jammers, etc., but we can save that for another time.  We arrive at the Rio in the early afternoon and get in line to check in to our room while my brother – who flew in earlier – waits in a 4-hour line for our conference badges.  The Rio has done a nice thing for Con attendees this year; they’ve waived the early check-in fee and they have an employee handing out water bottles at the check-in line.  Later in the day, I discover that my FoundersCard grants me complimentary Total Rewards Diamond status, which would’ve let us bypass the regular check-in line, but alas, I didn’t know about that beforehand and didn’t have a chance to sign up for it.  Oh well – next year!  Just as we finish checking in and handing over the customary $20 Las Vegas gratuity for a room upgrade, my brother shows up with our badges and we head up to the room to unpack.


There are a lot of great guides out there on how to survive Las Vegas and they cover everything down to what to tell your cab driver to not get ripped off, so I won’t go into too much detail – I’ll just point out a few of the tricks that are particularly important to me.  First, I always request a humidifier for my room or I buy one at a local store and set it up in my room.  Newer hotels have humidifiers for customer use – the Rio doesn’t.  In the dry Nevada desert heat where we need to blast the A/C all day and night, the humidifier really helps.  I always ask for a room upgrade and offer up some cash at check-in to try to secure either a larger or more desirable room.  This is a tried and true Las Vegas “trick” and the worst that can happen is there are no available upgrades.  Last, for DEF CON, we have learned to drive to a nearby Target to stock up on bottled water and snacks that will last the duration of the conference.

In addition to the plethora of guides for Las Vegas, there are a lot of guides out there on how not to get hacked at DEF CON.  The infamous “Wall of Sheep” lists out the poor souls who make obvious mistakes like sending plain text credentials over unsecured WiFi and I don’t want to end up on that list.  I won’t go over all of my “best practices” to avoid being hacked, but I’ll just say that I bring all the cash I need and avoid all ATMs in the conference area, I turn off WiFi, Bluetooth, NFC, etc. on my devices and I try to travel to attend DEF CON with a laptop that is as clean and free of my personal data as possible – a burner laptop, so to speak.  After the conference, I wipe the laptop (or in the case of this year – revert the virtual machine back to a previous state).


The popular talks at DEF CON were really tough to get into this year.  I found myself lining up more than an hour in advance to get into some of the talks only to find that all seats were taken once I got into the actual talk.  The good news is that if you stay at the Rio, many of the talks are available via CCTV in your room.  The bad news is that this isn’t really the best or most fun way to attend the talks.  This year, the talk that stole the show for me was “Extreme Privilege Escalation on Windows 8/UEFI Systems” – take a look at the PDF to see what I mean.  An added bit of good news is that there is no shortage of things to do if you can’t get into the talks.  I spent a lot of time in the various break-out “Villages” (lock picking, social engineering, hardware hacking, tamper evident) as well as watching both the CTF and OpenCTF teams compete.  I had the pleasure of meeting the folks from team [SEWorks] Penthackon this year and enjoyed hearing about the various curveballs LegitBS threw at the teams during the competition.


I ran some very simple contests at the Con this year for BitTorrent Sync t-shirts.  Before heading downstairs from my room, I’d tweet out my plans for the next few hours and challenge attendees to find me.  I didn’t make it challenging enough, clearly: I included a photo of the BitTorrent “Internet Better” shirt I’d be wearing and was pretty specific about where I’d be.  As a result, the quickest spotting was 9 minutes from the time I tweeted to someone claiming their prize.  If I do this again next year, I’ll have to think of ways to make it tougher; maybe I’ll incorporate some crypto for a Ham call sign or frequency or just let people try to find me based on my Twitter photo.  Any reader suggestions for cool contest ideas?  I’d love to hear them!

The vendor area is always a favorite.  You can buy anything from high-power WiFi antennas to tubular lock picks (sold out this year because of the $5 soda vending machines in the hotel) to Blackphones and Pwnphones.  This year, Tesla was around recruiting infosec talent (they have these cool challenge coins for people who discover vulnerabilities in the cars) and Ghostery was onsite as well, engaging with the community and giving away little toy ghosts and stickers.  The coolest things I picked up included a Kevin Mitnick business card (Kevin was onsite signing books), an RFIDler, and a limited edition EFF T-Shirt.  There was even a used Cray for sale on the floor this year for ~$2k.  Everyone who saw it was pretty enamored with it.


My biggest takeaway from DC22 – like I briefly mentioned in my Top 10 list –  was the scale of everything.  There were more than 14,000 attendees.  DEF CON has outgrown the Rio and will be at Paris and Bally’s next year.  The lines were completely unreasonable for everything from talks to T-Shirts.  Although this kind of sucks when you’re in the thick of it, this is actually great news for everyone who values security and privacy and especially for folks like me who work on products like Sync.  This means that more and more people are aware of the importance of digital privacy and data security, as they should be.  This means that decentralized technologies won’t just be for the tinkerers and techies of the world.  Hopefully, this means that more people will speak up against some of the things like net neutrality, online spying and other things that we at BitTorrent think are important and relevant to everyone.