What the hell is Razoyo doing at DEF CON?

July 30, 2017 by Paul Byrne

Before coming to DEF CON, I had only heard secondhand accounts of attendees, many of whom were tight-lipped about the experience. I assumed that the first rule of DEF CON was, well, you’ve seen Fight Club. If not, go see it and you’ll know what I’m talking about. After 3 days here, I noticed that my friends who attended weren’t secretive at all, but struggled to explain DEF CON. In fact, without attending yourself, it’s very difficult to understand exactly what is going on here.

First of all, there is definitely a heightened sense of secrecy among attendees. This is not because they are afraid of the NSA, though a few attendees may fit that description. Rather, we are at a gathering full of people who like to push the boundaries. Mantras like ‘hack the world’ and ‘disobey’ were printed on official materials. However, the vibe is more one of pushing boundaries, exercising freedoms, and assuming one has the right to do something rather than asking permission. So, keeping your private stuff close to your vest here just seems like a really good idea.

At the same time, none of the speakers wore ski masks or scrambled their voices when they spoke. Some talks even become part of college courses on cybersecurity. No, the real reason attendees appear tight-lipped is because it is simply hard to describe. I’ve been to software and industry conferences before and DEF CON is less like those and more like a gathering.

We came in order to better understand evolving threats to ecommerce security, especially in the context of IoT (internet of things), and many were here for similar reasons. However, many were here for opposite reasons (i.e., they are looking to exploit vulnerabilities), unrelated reasons (to learn lock picking, for example), for research, and so on. There is no typical attendee, though there are some things you see at DEF CON that you don’t run into very often.
For example, you can get a mohawk for free (reminiscent of late 80’s techno-punk culture), meet the FBI agents attending at the ‘Meet the FEDs’ event, and learn how to hack a car. DEF CON feels more like a social function than a conference. There are heavy drinkers and ‘developers who love Jesus.’ There are talks, workshops, ‘villages,’ parties, contests and events. ‘Goons’ keep the peace (except when one of them is responsible for breaking it), some of whom seem like corporate PR people and some who feel more like they are directing traffic in a war zone.

Yet, the attendees and organizers seem to agree on one thing: we need to better understand the invisible world. Whether we’re just looking to improve the world in our own space or for humanity, that agreement seems to define this. The voting machine hacking event is great evidence of that, as is the multitude of software and hardware companies that gladly submit their devices and code to the collective hacking force and offer prizes (some quite substantial) for those who uncover new weaknesses.

From our point of view, Razoyo aspires to anticipate threats that interrupt commerce technology and help clients. Attending DEF CON will certainly pay off for us. If you are wondering if you should attend, I can tell you that the discussion, content and activities run the gamut of super-technical to newbie-friendly (here they are ‘noobs’) and from mature audiences only to kid-friendly.

What will you do if you come? The obvious thing is to attend speaking sessions. Even the ones you don’t fully understand technically will help you understand the mentality and methodology of attackers. There are workshops where you can learn everything from lock-picking to building a UART interface client. There are some crazy hacking contests for the true pros in the crowd. Some people just hang out in the ‘chill zones’ and talk to others.

In short, whether you know anything about hacking or not, you will likely find the event fulfilling and worthwhile.