Milling with the hackers at Black Hat and Def Con

Attending both for the first time was a chance to compare and contrast

Las Vegas was invaded by hackers this month. The Black Hat and Def Con conventions were in town. I attended both this year, which gave me an opportunity to compare and contrast them.

Black Hat was first. Held the first week of August in the Mandalay Bay Convention Center, this conference hosted thousands of attendees, offering varying levels of activities. At the cheap end of the spectrum, the vendor floor teemed with dozens of security products — the same ones you see at RSA. In fact, it was virtually indistinguishable from the venerated RSA conference I attend every year at the Moscone Center in San Francisco.

This was my first visit to a Black Hat conference. Being only somewhat cheap, I paid for the $500 business pass, which allowed me to get into vendor-sponsored sessions (all of which felt a lot like sales pitches to me), as well as an open room containing several tables manned by representatives of open-source and noncorporate technologies — which I found very interesting. But the good stuff — hacking demonstrations like the ones that show how to take control of a Jeep or Tesla — was out of my price range. These cost thousands of dollars to get into, and some required additional special fees of thousands of dollars more. I’m not sure who has that kind of money to spend to see real-life demonstrations and get hands-on mentoring in hacking techniques — it’s hard to imagine individual hackers spending that kind of money (unless it’s someone else’s, ha-ha).

In any case, the parts of the Black Hat conference I went to felt very corporate and not underworldy at all. From the online registration process to the hotel booking, everything was streamlined and smoothly managed. There were even big vendor-sponsored parties each night, just like at RSA, with plenty of booming music, smoke and laser effects, wall-to-wall people, free drinks, and not enough food. What more could we ask for?

In contrast, the Def Con “hacking conference,” as they call it, feels much more down-to-earth and closer to its hacking roots. Following immediately on the heels of Black Hat, also in Vegas, Def Con took place the second week of August. I’ve been going to Def Con (on and off) for nearly 20 years, since its early days as an underground gathering of technophiles. More affordable and less glitzy than Black Hat, Def Con was nearly as fun and interesting to me this year as it was in the late ’90s. I saw some great demonstrations, chatted with some interesting people, and generally learned more than I did at Black Hat. One of the most interesting topics was the Internet of Things. There are so many exploits — from refrigerators to thermostats to baby monitors to cars — that look so easy to perform, I just can’t feel safe anymore. And that’s surprisingly exciting. I got so paranoid, though, that I turned my phone off, just to be safe.

A classic diversion at Def Con is known as “spot the fed” — a fun game of differentiating representatives of our government’s three-letter-agencies from the corporate suits and hackers at the conference. I didn’t see anyone this year who looked like an obvious employee of an agency, but I saw plenty of people who looked just like me, in their business casual. And I thought I could spot the hackers pretty easily — brightly colored or unusually styled hair and edgy looks like leather and Goth struck me as clear indicators of underground denizens — but who knows? In any case, I’m sure I rubbed elbows with people from many different walks of life. It was, as always, a memorable and energizing experience.

Of the two conferences, Def Con is hands down the winner for me. I enjoy delving into that world from time to time, and it was nice to get out of the office and my mundane corporate existence for a while. I’m already looking forward to next time.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
