DEFCON: The Biggest Hacking Event in the World

Speaker 1: You're not allowed to record audio or video of the social engineering competitions at Defcon. So, we're just gonna tell you how it works. Picture a big room in a conference hall. There's a couple 100 people watching the contest. There's a table of judges up front, and behind them are giant video displays. Off to the side, there is a noise isolated booth, big enough for two people. The booth is wired up with mics and cameras, which are being live broadcast onto the screens for everyone to watch and listen. Inside the sound isolated booth, there is a phone. You can hear what happens in the booth, but the booth is isolated from the rest of the hall, for reasons that will become clear. The idea of the contest is simple. A team or individual steps into the booth, shuts the door, and when they're ready, a 22 timer starts.

Speaker 2: The

Speaker 1: team has those twenty two minutes to get a target onto the phone. And once they do, the goal is to social engineer them into sharing information they shouldn't. You could call

Speaker 3: it competitive lying. They they call it vishing. So we we we sat and enjoyed a few hours of the vishing competition, which I guess is the same as fishing, but just voice fishing. It was great to watch. Tons of fun. Sad that you couldn't record it because it would make amazing YouTube content.

Speaker 1: The target was a large phone company. The competitors are trying to get information out of the company. And at the end, they're scored by the judges out of 10 like it's the Olympics. It's not random social engineering. The competitor has to write what they call, pretexts, stories or premises for why they're calling. And I think if they wanna change pretexts, they have to change literal costumes. I'm not sure if that's a rule or a custom.

Speaker 3: No. I don't think that was a I don't think that's a mandatory thing. I think that's, like, some flavor for the points for the judges, like a little flavor.

Speaker 1: Sure. A a little extra some some. So if you if you wanna change from, you know, saying you're with customer service to saying you're with an external vendor, you'd switch outfits. You toss on a new wig and a new shirt. They're also wearing a heart rate monitor. So everyone can see on the screen when their heart rate spikes when someone answers a call or a call starts to go south. Apparently, they do months of research and prep for this. We're gonna tell you about one of the last teams of the day that we saw. Two guys step in. One of their costumes is a Guy Fieri wig. They go in with this whole bit and these Boston accents. Most of the calls they make, either no one answered, or the numbers were busy, so it forwards to an automated system. But about halfway through their twenty two minutes, they finally get someone on the phone from the Target, which was a physical brick and mortar store for this big company, and they start in with this story. They were from a local radio station. The story had something to do with leaving equipment at the store for a radio remote they want wanted to do the next day. It's honestly going pretty well, but then they get into this back and forth about a verification number, and the target says she's just gonna call back. So the call ends, the audience lets out a big groan, ten minutes has already elapsed, so they change story. The clock is counting down. Now the pretext goes, they work for a big tech company, and they're trying to drop off these fancy new VR headsets for an in store cross promotion type thing, and they just have some questions. There's only a couple minutes left, and a woman answers. She has this bubbly Southern US accent, and just like that, the the main guy doing the vishing, drops his Boston accent and slips into a southern one. He just matches her enthusiasm and tone perfectly and starts to tell the story. He locks in and so does the audience. Anytime she asks, if, is this a question for someone else? He has a reason why she is the exact person he's supposed to be talking to. Pretty quickly, he starts to get information out of her. He gets her to explain the security setup of the store. She's so excited about the VR headsets, that sounds so fun. She totally gets the need for security, but no, they don't have security guards. Oh, they wanna keep them in the back overnight? No. There's no security badge or anything to get into the back. He just, like, keeps pulling on threads, getting little bits of information at a time. And he walks right up to the good stuff. He arrives at a question about connecting the headsets to WiFi, and if she could tell him a little bit about how the WiFi network works. And right as she's about to answer, the clock runs out. Audience goes nuts, and the judges give their scores. Eight, seven, nine out of 10. This is Defcon, or just a a small, a teeny tiny, but very famous part of it. DEF CON is the biggest hacker convention in the world. It happens in Las Vegas every year, and we went. It's not strictly cybersecurity. That's Black Hat, a different security conference that happens right before. This one's really about hacking, hacking things together, hacking into things, hacking things apart. There were 89 contests and puzzles and talks and very fascinating parties. So we descended into the frankly foul Las Vegas heat to find out what it's all about. It's three days of people hacking software and hardware and cars and infrastructure and voting machines and occasionally each other. DEF CON twenty twenty four, here on hacked. Okay. It's morning one. We're walking to the convention center.

Speaker 4: It's bloody hot.

Speaker 1: It's really, really hot. There's no other reason I'm recording other than to say it's really goddamn hot.

Speaker 4: This might be a terrible decision. We probably shouldn't have walked, but we're doing it nonetheless.

Speaker 3: So Defcon is something that I've always wanted to do, and I don't actually have a reason why I've never done it before, which is, like, I'm old now. Like, when I started when I found out about Defcon, it would have been in the nineties, and it would have been like Defcon was a very different thing back then. I think it was, you know, people that were hanging out in IRC chats and bulletin boards that would get together and kind of have, like, the nerdiest party ever in Las Vegas where they would do, you know, crazy things. And that spoke to me on a very primitive level at that age because that's what I was into. And so to come back now like twenty some years later, and it's it like I try and explain it to my friends and I was like there were like 40,000 people there. It was most of the Las Vegas Convention Center, like the one of the larger convention centers maybe in the world, and it was packed. It's a crazy, crazy thing. What what was your first take on it when we walked up?

Speaker 1: I was so I had heard that it was it was a big event. I'd heard that it was historically thrown in, I think, a couple different casinos, and this was the first year for a bunch of reasons, that it was all gonna be happening in one place, this Las Vegas Convention Center, which is massive. Defcon is almost like a collection of different conferences inside of a conference.

Speaker 3: I was gonna say just to give some context to the size of it. Like the very first day of the actual conference, we went the day before to pick up our badges and we can speak on that day a bit, but the very first day of the actual conference, we kind of just decided to walk around and see everything, get a full lay of the land, see all the different villages, see all the different capture the flag contests, kind of just get a read for the place. On that day, we walked 32,000 steps. That's how big it was. Twenty twenty some kilometers, like, 24 kilometers, I think, on average. And, like, what is that? Like, 16 miles, 17 miles. So, like, a massive day on the feet. Just don't walk around and see everything.

Speaker 1: It started in 1993 as a farewell party organized by, Jeff Moss for a friend who had to leave The US. It starts off as this one time thing, but it's such a hit that it becomes an annual tradition, and it's just grown from there. Grown to fill the one casino it was in, to fill another, to fill another, until now where it's this giant convergence of people in the middle of the desert. There's talks on hacking and cybersecurity, but everyone tells you while the talks are fun, what you really gotta get to is the villages and the hands on challenges.

Speaker 4: Just pop by everyone's favorite, game hacking challenge. There's, a number of capture the flag things. They have a custom Unity game, where it's all level based, and you have to apparently pass the levels by hacking the game. And then they have downloaded a common Steam game that has some anti cheat code in it, but not a full anti cheat. And that is, one of the extra challenges. So excited to come back. It doesn't start for another forty five minutes, but we're gonna check it out.

Speaker 1: There's capture the flags. There's lock picking. There's Wi Fi challenges. There's trying to cool a beer in the Nevada heat using, anything but a refrigerator. There's a, chill it yourself beverage section where there's two buckets with a bunch of tubes between them trying to cool them down. No idea what's going on there. Hackers. There's tech enthusiasts. There's also federal law enforcement and a whole sort of sub narrative about spotting the Fed. Somewhere between thirty and forty thousand attendees, it's a it's big.

Speaker 3: The thing with having so many people so the the pre day that we went to the, like, pick up your badge day was like they have a a term for it in the schedule and stuff, and it's called LineCon. And it's because the lines are literally monstrous.

Speaker 1: So our first LineCon is starting with finding the end of the line. We haven't found it yet.

Speaker 4: We've been walking we've been walking for, I don't know, about nine minutes, and, we are still what looks to be about 8,000 people away from the end of the line.

Speaker 1: The line is moving faster than we are.

Speaker 3: But the merch line, something like, you know, you go to a big conference like this. It's your first time you've wanted to go since you were, like, a teenager. You just wanna pick up a t shirt and bring it home.

Speaker 1: And

Speaker 3: then you find the tail end of the merch line, and it is literally 14,000 steps from the door to the merch room, and you're like, maybe I don't need to be

Speaker 1: escalators down escalators in a different building. Like Yeah. It's nuts. Nuts. Everyone got probably the coolest piece of merch in my opinion, which was the badge, which we'll get to.

Speaker 3: Oh, yeah.

Speaker 1: Defcon has a fascinating history. I won't tear into all of it, but there's just every couple years something really fascinating happens. In 2001, a Russian programmer, Dmitry Shkalarov, was arrested the day after for writing software to decrypt Adobe's ebook format. In 2005, the company Cisco used legal threats to suppress a talk, from a guy named Mike Lynn talking about issues he'd found in Cisco iOS routers. In 2007, this one was relevant to us. A reporter for Dateline NBC named Michelle Madigan tried to secretly record, a non recordable talk with a bunch of folks admitting to crimes, at which point she was outed by the founder, Jeff Moss, during a massive full hall assembly.

Speaker 2: It came to our attention that, you know, could be that there's people here under, false identities or pretend pretending to be something they're not. And our attention that a, a reporter might be here with a hidden pinhole camera, not his press, reporting people for a piece on hiring hackers.

Speaker 4: See?

Speaker 2: I'm not cool with that, especially when they turn down the opportunity to get a press badge. So I need a show of hands to do contests, spot the undercover reporter.

Speaker 1: Defcon staff had tried to get her to get a press badge. She had refused. It was a whole big thing, and that is why we got press badges. I'll say, Defcon is a fascinating place to roll into with press badges. Some people really don't like it. But the vast majority we spoke to were curious and happy to have us there and excited to talk, if not a little reluctant to be recorded because privacy is a really big deal at this thing.

Speaker 3: So I've had press clearance throughout my life for various different reasons to concerts, music festivals, functions, you know many things and normally having press clearance comes with value you can sidestep lines access talk like speeches and and talks without having to you know normally cue you You get some form of preferential treatment as you were part of the press corps. This felt completely the opposite. People would come up and be like, hey. What's the green badge? I haven't seen one of those. And you'd be like, press. And they'd be like, oh, press. And they'd run away from you. It was it was it was no, it

Speaker 1: would say oh press fuck you.

Speaker 3: It was it was a fascinating change from the everyday and I was like, well, we're not like the kind of press that I think you think we are like we're not here to out people or record conversations. We're just, like, here to kinda take it all in and and but the fact that we might talk about it after indicates that we needed this flashy day glow green badge so that everybody knew who we were, which was it was interesting. It was interesting.

Speaker 1: So we were just walking, and the guy said, what color badge are those? What's the green one mean? And then he read it, and he saw that it said press. And he threw his hands up in the air, and he said, oh, no. Press. Can't talk to you. Just kidding. Except he wasn't kidding at all. And he ran away. And then he ran away. He is here. He's right. Like every convention, there are talks. But as I said, the thing everyone told us was to check out the villages, these topic specific areas of the convention, almost like mini conferences. There's the aerospace village, the car hacking village, the IoT village, recon, biohacking, lockpicking, ham radio, and the social engineering village that we talked about. We started our first real proper day of the conference at the Car Hacking Village, where a group of people had gathered around a Rivian truck that the company had brought to let folks try and hack. The prize was a challenge coin sitting on the dash of the locked vehicle. Okay. So what were we just looking at?

Speaker 4: Well, we were looking at a beautiful new Rivian truck, but next to it was, a few of the control units for the infotainment and telematics, things that they pulled out and they had three capture the flag challenges.

Speaker 1: To race ahead, we came back the next day, and we were able to hunt down the guy who had won the contest, and he was nice enough to talk to us. One of the few people who would. Okay. Can you tell us about what you did with that Rivian over there?

Speaker 5: Right. So on the head unit over there, there was a web interface that allowed you to disclose files on a file system. You could leak a key and then log in. Once logged in, you could talk to a diagnostic server that the TCU was able to, you know, reach over the interface. And you could then read out some memory or you find some, like, leaked token or whatever. And with that leaked token, you can then get on a VPN the car's on and do a little bit of some routing shenanigans and then pivot internally into the car and perform an unlock of the doors.

Speaker 1: And then just to back up a little bit, can you tell me the story of like coming here and doing this? You show up yesterday, you sit down, how has the process been?

Speaker 5: It was pretty quick honestly. I had like a slight issue with trying to talk to one of the wrong IP addresses. But other than that, it was all very straightforward. The review people were super nice. I had a lot of fun with them. Seemed pretty cool. Cool.

Speaker 4: How long, how long in general did it take for you to do it?

Speaker 5: I'd say maybe four to six hours for all of them.

Speaker 4: Oh, and what's your background? Is this kind of what you do for a living?

Speaker 5: Yeah. I work in automotive. I'm a red teamer. So This is right in your wheelhouse? Yeah. Yeah.

Speaker 4: You showed up yesterday morning. You came right here. Sure did. Nice. Nice. Congratulations.

Speaker 1: Thank you so much. I appreciate your time, man.

Speaker 6: Work is very I

Speaker 3: don't think I really like, being somebody who's been, like, outside looking in on Defcon forever, I always knew about the main capture the flag event, like, the big kind of, you know, reverse engineering app hacking one that everybody kind of talked about externally. Like, I always knew of that one, but I don't think I really understood just how many of these village based CTFs there were capture the flag CTF. And and the car hacking one was fascinating because you had people from rivian who would not speak to us and then just teams of people trying to Capture three flags. So there was like the three flags to get in there were so many technical challenges in one place that had been specifically designed for a specific group of people It was kind of beautiful as somebody who's like from that world like the amount of work and like this is this is I think a big you know this is me appreciating and thanking all the people that put time into putting this conference together is because every single one of those flags would have taken tons of planning drafting debugging pro like there would have been so much work put into creating these challenges and the amount of companies that did it volunteers that were a part of it it's it's it's honestly, like, the coolest thing I've ever seen in the cybersecurity culture. So it's like I understand why so many people love this conference, and I can understand why we're probably gonna be back next year with our bright green badges getting told to fuck off.

Speaker 1: I didn't really know what it was gonna be. And I had a similar thing where it slowly dawned on me that people had spent months, if not the entire proceeding year, building these little real world puzzle boxes, these themed contests that people some extremely smart competent people would show up on this day, sit down, hunker down, and dig into. As we walked into the conference hall on that first day, walked up to the the car hacking section, We were passed by these, like, teams of people running towards it. And there were, like, you know, four or five folks. They would run up, they grabbed a table, and they just hunker down. And they were clearly there to do this. I don't know if they did it every year or they'd come the previous year and decided we're doing it next year. But it was people that were they were there to do that. And the the Rivian, the guy who hacked the Rivian, I think was no exception. He'd showed up and he just grinded on that thing and he he got in. It's really cool to see the amount of love and attention that went into building all of these different, very niche, very challenging little puzzles for people to solve.

Speaker 3: Mhmm. Mhmm. There was there was one puzzle that was quite literally a vending machine that gave out Hackboys, which were like Game Boy style. I I'm we never actually got to play with one because they were all gone by the time we got to that challenge. Yeah. But the but yeah. So, like, there were so many cool things. Like, I can't say it any other way. Like, it it coming from a cybersecurity background, it's like and have never having experienced it. It was beautiful to see the commitment from and to the community to put on something so cool.

Speaker 1: The first puzzle that most people encounter was the badge itself. Most conferences you go to, you have to line up and go through jump through a bunch of different hoops to to get the badge. And the badge is typically, a lanyard. It's like a piece of cardboard on a lanyard. It's very boring, and it's a lot of work to just get a thing that lets you in. That's not the case at Defcon. I talked to a buddy who was there two years ago, and the badge that year was a literal it was a little synthesizer, and you could plug them into other people's badges and jam together. This year, it was a little video game. It was a raspberry pi, a custom raspberry pi in the shape of a little kitty cat face. And when you're wearing it as a lanyard, the hooks go through the little ears and it looks like a cat. But if you flip it upside down to face you while you're wearing it, it turns into a little Game Boy. It was the the first day everyone gets the badges and immediately people are sitting down at these tables And they're prying the thing apart, cracking it open, and they're just figuring out how it works They're plugging it in, they're seeing what's on the SD card, they're tearing apart the firmware, they're just really getting into it immediately You turn the thing on, and you're greeted by this game. And it says, DEFCON thirty two engage press start. And it says, Greetings hacker. Welcome to DEFCON. Text starts to scroll, and shitification has fallen over the net and all we hold dear. We need your help to make a better place for us all. Would you like to play a game? And you choose yes. When you do, it enters into a date and time screen. If you plug in the real date and time for the rest of the conference, the game itself is a live schedule of the event. If you walk your little sprite into the real room of the real conference hall, it will show you what event is playing. And you start playing, and it's like a little Pokemon Red style RPG where they have recreated the entire Las Vegas Convention Hall. It's a game about trying to find these little cats in the hall. It's full of Easter eggs. It's so cool. The team that built it had members of, like, GB Studio, which is some software for creating custom Game Boy games. And the device is a a full blown, you know, Game Boy emulator. You'd see people walking around with A Link to the Past on it, and Mario playing on it. They just basically gave out a little Anbernic retro gaming handheld to every single person that was in attendance.

Speaker 3: My wife loves it, I have to say. The badge, huge hit. But the other thing I will because the other thing the Jordan bypassed is and because there's just so much to talk about the badge itself is that it has controllable LEDs so you can make the cat's eyes different colors and

Speaker 4: you can

Speaker 3: do all this fun cute stuff with it. But there's also six control pins coming out of the top of its head, which I think you can probably I'm not sure if they release the specs for the hardware on it, but I saw a lot of custom badge adaptations, so people had plugged little pseudo smaller badges into the head of the cat, which would then light up and do, like, have their own little LEDs and signs and stuff. So it there must be power coming out of it at the very minimum, but I'm not sure what other control port. But the the fascinating thing is is on the the very first day we went, Jordan and I sat down in one of the hallways and just were, like, chilling at a table chatting about things, making a plan for the conference, looking through the schedules, and this team of security people, all corporate professional security people, I won't say who they were with. They asked for anonymity. They didn't love that we were pressed, but we're still nice enough to talk to us. Just started, like, taking out, like like tool kits physical tool kits and breaking the badges down and like tearing into them like pulling the pieces out checking on the chips looking at everything and they were just like oh, this is the first puzzle you know, there's definitely a bunch of hidden easter eggs inside of not only the software of this, but the hardware. And this is the first puzzle to solve. So they were all just jumping into it, which is, again, just speaks to the amount attention to detail that the organizers and people that participate in this conference put into

Speaker 1: it. Mhmm. There was unfortunately, like, a little bit of drama surrounding the badges, which we won't dig into too much. There was sort of a a back and forth about the contractor who made the badge, Defcon, the business arrangement between them. I think it's much less interesting, unfortunately, than the badge itself, which is such a perfect little encapsulation of how kind of this community. It's this wonderful little thing that a bunch of people had to come together. They designed it, hacked it together, built it, and it was built to be hacked apart to, you know, take out the SD card, run your own stuff on it. It's such a perfect little metaphor for the whole exercise. And a great probably the best piece of merch. The merch was really cool. Great shirts, great hats, a neat fanny pack. I wish I'd gotten one. But, honestly, one of the best pieces of merch I've ever gotten, is the badge itself.

Speaker 3: Yeah. You know what I'm most heartbroken about? Is that I didn't get like, I came home with probably 100 stickers and not a single Defcon sticker, and my water bottle needed a Defcon sticker. But the sticker packs were one of the first things to have sold out. Like, in the Hacker Tracker, which is like an app built to track security conferences and, like, show schedules and stuff. They don't actually have a Defcon one. They use this one called hacker tracker and it tracked also the merch and what was available and the sticker packs were sold out like the day before the conference had started So I probably would have had no chance of getting a sticker, but, man, I would have liked one.

Speaker 1: The thing I was really excited about for this was this thing called the Wall of Sheep. Do you remember which village the Wall Of Sheep was in? Because I don't.

Speaker 3: Yeah. Data packets. Data packet village, I think.

Speaker 1: Because that makes sense. So we're trying to find it, walk down a hallway, walk down another hallway, and as you do, I think trans music just starts to get louder and louder in the background.

Speaker 4: The packet security and packet hacking workshop areas and villages are definitely the most fun. They have live DJs. They brought looks like all the equipment was provided, so they're giving, like, very basic overviews on, like, packet sniffing, port scanning, you know, network security forensics. And, I was telling Jordan that a lot of what's going on in here and people are learning is what we were seeing the people on the Rivian challenges doing, which is, like, just accessing the network that they're connected to, looking for what, you know, services those those units are running and connecting to them. So it's kind of like a a full loop. Your first year here, you can do workshops, learn a bunch of the skills, and then the next few years, do the challenges.

Speaker 1: And you walk in, and there's a giant display up on the wall at this this one particular village, and it's called the Wall Of Sheep. They described it as an interactive demonstration of what can happen when network users let their guard down. They passively observe the traffic on a network, looking for evidence of users logging into email, websites, and other network services without the protection of encryption. They find them and they put them up on the wall of sheep as a good natured reminder that a malicious person could do the same thing they did with much less friendly consequences. That's directly from the site for the village itself. Long and short of it is that if you, connect to an insecure network at Defcon and you log in anything that doesn't have encrypted username or password, it is going up on that screen for everybody to see.

Speaker 3: There was a lot of there was a lot of reasons to turn off Wi Fi and Bluetooth on all your devices before you go into this conference. But the I was actually, you know, I think, like, knowing and having known of the wall of sheep, I think that it probably was a way bigger deal, like, ten years ago. Like yes, like point to point encryption is such a key thing now like like web browsers don't even like you to go to websites that don't have HTTPS enabled like they'll warn you you know that most services these days use some form of point to point encryption but I bet ten fifteen years ago that thing would have just been a rolling list yeah but but I feel like just given some of the steps forward that that the community's made in pushing encryption as a standard and things like that, a lot of that it's not it's not as impactful as it probably was ten, fifteen years ago. But, again Mhmm.

Speaker 4: A

Speaker 3: lot of reasons to turn off Wi Fi and Bluetooth on your phone and your other devices.

Speaker 1: And I think that the Wallachube has become, like, a cultural thing. I think there's people that go there and, judging by the amount of pretty inappropriate usernames and passwords up on that screen or intentionally finding unencrypted sites to log in to to get the credentials up on that screen. So I think it's a it's a mix of legitimate security compromises and just, like, a cultural thing that's become part of the conference.

Speaker 3: Totally. And and you know what this reminds me of is is one of the days Jordan and I stayed right next to the convention center because we thought we'd walk to it every day. But as you know, you've heard it is too bloody hot to do anything in Las Vegas in the middle of summer. So we ended up Ubering a lot and we were chatting with one of our Uber drivers.

Speaker 1: Oh, yeah.

Speaker 3: And his partner worked in the accounting department at the convention center and apparently the entire staff was given the term of the conference off and they shut down all of the technical infrastructure in the building they turned off the accounting systems they turned off everything there was even an issue with the like soda machines Not being able to use the internal Wi Fi because they had turned it off To so you couldn't buy water out of some of the vending machines that were on Wi Fi and not hard lined And they ought to also plug most of the hardline ethernet ports in the building that probably weren't explicitly given to the conference for access. So it was this this you could tell that the precautions were high.

Speaker 1: Yeah. I wonder what the blue team at that Dunkin' Donuts that was just getting railroaded the whole time was up to that whole time because I feel like or maybe no one's maybe it's like, don't mess with that Dunkin'. Nobody's messing with that. On. Mhmm.

Speaker 3: They they probably pour I would love to know how many donuts they sold and how many gallons of coffee they sold because the other thing coming from Canada, we'd get, like, a regular coffee at this Dunkin' Donuts, and it was, like, like, 800 milliliters. Like, they were massive. Yeah. Get a massive cold brew.

Speaker 1: Down there? Yeah. It was nuts. It's like a pint. I I I was just like, I will have a cold brew coffee. And they're like, do you want do you have a Camel pack you wanna fill up? You got one of those Nalgene bottles? I was like, no. Just like a normal normal human amount. Like, oh, you wanna be anxious for the next four days? Got you. And and I was. It was great. Jordan. What a country. What a company.

Speaker 3: Jordan, we'd gotten a coffee on the the first day. Like, the day that the conference hadn't started when we went to get our badges. Jordan was tired from coming in. You know, we'd had some flight delays and other issues. And Jordan's like, hey. Let's go back to the hotel for a nap. But first, I'm just gonna crush one liter of cold brew.

Speaker 1: They just stared at the inside of my eyelids for ninety minutes just having a panic attack and trying to sleep. It was great. Let's kick it over to some ads. And then when we come back, we'll talk about a kind of AI village contest thing put on by DARPA. Uh-huh. It's fascinating. Starting something new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started, you can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button that's used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of getting abandoned in the parking lot, and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.

Speaker 7: When you finally find your thing, you want the whole world to know about that thing. So you use a thing called Canva to make it an even bigger and better thing. Whether you want to create flyers for that thing, make presentations for that thing, or design merch for that thing, You can do anything so people can see your thing, feel your thing, love your thing. The next thing you know, it's a thing. Canva, the thing that makes anything a thing.

Speaker 6: Study and play. Come together on a Windows 11 PC. And for a limited time, college students get the best

Speaker 1: of both worlds.

Speaker 6: Get the Unreal College Seal, everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft three sixty five premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller.

Speaker 4: Learn more

Speaker 6: at windows.com/studentoffer. Law supplies last. Ends June 30. Terms at aka.ms/collegepc.

Speaker 8: When you need to build up your team to handle the growing chaos at work, use Indeed sponsored jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications, and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at indeed.com/podcast. That's indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed sponsored jobs.

Speaker 1: Alright. We just stepped out of a normal conference into a really, really extra larp, I would call it. I don't know if you agree, Scott.

Speaker 4: I strongly agree. We are in a virtual city built in the middle of a conference that has the splashiest groups in it. There's a Microsoft, a Anthropic, and OpenAI, and a Google village where you can talk to their AI consultants, as well as the DARPA and ARPA villages.

Speaker 1: You know how when you do laser tag, it smells like fog machine juice everywhere?

Speaker 3: Mhmm. Mhmm.

Speaker 1: Smells like fog machine juice everywhere is what I'm trying to say.

Speaker 3: AI DARPA village thing is was fascinating, a, for the fact that Spot the Fed and all of these things and government distrust and Co intel Pro and all these things from old school hacker culture. It was interesting to walk in and find that the single largest installation there was paid for by the government. Mhmm.

Speaker 1: And it was different from everything else.

Speaker 3: It was very different.

Speaker 1: Was big, gray, collapsible tables. Like, good good old fashioned conference tables, with stuff on them and little chairs, and you could sit at them in a conference hall. But in the middle of it, there's this giant, like, cube. A giant voided off thing covered in display panels on the outside and a lineup to get in. Set the scene, Scott. What how did this thing go down?

Speaker 3: This thing went down. They had the all of the lights off in this section of the hall, which was like one of a whole hall in itself, essentially. It was an artificial cosplay city built inside of the hall that you accessed by riding a Cosplay rail system into it so you got into a fancy little room that was sitting on airbags and rode essentially a train car into the city. It was very very going from very low production value, very high content value and the rest of the conference into this place that was incredibly high production value was shocking to say the least had led walls that had like it was it was beautiful. Like kudos to everybody that was got paid to make it. You guys did a really good job, but it stood out like a sore thumb. But but it kind of housed this contest, which in itself was fascinating.

Speaker 1: Yeah. So you get into it and they kind of unpack how this contest works. And I'm sure more technical people than me can explain the mechanics of what people were doing. But what I gathered was that in this fake city with this narrative of being a connected city of the future and oh, no, hackers are taking it over. There's this, two year competition of which this was the first year. And they're trying to figure out how to create automated systems to safeguard open source software. So people are competing on this. They're creating stuff to try and fix this challenge. And everything that they're creating, as I understood, it is gonna be open sourced at the end, which is why you had sponsorships from Microsoft and Google and OpenAI, all putting a little bit of money into this competition.

Speaker 3: And Entropic. Don't forget Entropic.

Speaker 1: I forgot about it. Can never forget about Claude. And at the end of which, I think is a $4,000,000 reward, I wanna say. A big fat cash money reward.

Speaker 3: Yeah. First prize is, I think, 4,000,000. We never actually saw so this is another thing. While on-site, in all of the cosplaying and the the theatrical design, There was very little detail about the actual contest. There was posters up that explained certain parts of it, but we didn't understand that it was a two year project. We had to speak to people who mostly told us what the contest was, all of which refused to be on microphone. So you're gonna get it back from us.

Speaker 4: Shout out with Google. They've got, like, a red team, blue team AI thing. So they had a couple of red team pen testers and a couple of the blue team, secures, and they're talking about the AI that they're building and reusing. They also let us in on the fact that Google just released a real time voice changer that will footprint any voice or thumbprint any voice in about fifteen minutes of audio. So don't do this to us, give it that there's hours of us fucking talking on the Internet. Yeah. And turns it into a real time converter. So they use it for their phishing attacks and phone attacks and social engineering and sounds cool.

Speaker 1: What I can't figure out is why would Google make that public. I mean, like, listen, we've created a tool for real time pretending to be someone else. Google.

Speaker 4: I think it's because it exists like 800 other places maybe. So they just like, we may as well release our own that's better. I don't know.

Speaker 3: Let me see if I can wrap this up. So what they did is they took five massive open source projects. The NGINX web browser, the Linux kernel and three other ones which I can't remember sorry people and they took the code bases for them so millions and millions of lines of code like these are all massive projects and they introduced subsets of known vulnerabilities into the code so they introduced you know it was at least 10 vulnerabilities into each code set and they would have been different styles of vulnerabilities and have different complexities And then each competitive group or team had to create what they were calling a cyber reasoning system. So they weren't creating an AI to solve it, which is kind of where I thought it was going. But it seemed like they were building a cyber reasoning system which included different types of like static analysis looking for you know structures dynamic analysis like looking through the code at execution time they were they created a whole model like an algorithmic model to test code bases identify vulnerabilities and then patch them. And that was the contest is that each team submitted their cyber reasoning system, which then was launched against these code bases one after another, and there was this beautiful Settlers of Catan map. And if you understood what it was, and it was all of the little hex tiles were the different vulnerabilities that they had introduced, DARPA's obviously got public interest governmental side. They want code to be more secure so that you know so The United States is less vulnerable to cyber attacks you've got Google and Microsoft who probably have large corporate desires of creating web or not web just development environments that auto flag potential security vulnerabilities and tell you how to patch them in real time. You know that that that's a huge value to anybody that's building in Visual Studio or any of the other Microsoft products or or whatever Google's up to. And then you've got the AI bodies who are looking at this, taking what they can from the for the contest and these cyber raising systems and seeing what they can train AIs to do. So I assume that's that's that's my assumptions, but I'm assuming that's how the playground works in that village.

Speaker 1: The AI village that DARPA put on was the only one I think that had a big fat cash prize. The majority of these contests that people are doing, they're competing for, and we'll talk about this, these black badges. They're sort of this lifetime pass to Defcon and a symbol that you you showed up and you crushed it. They don't give out many of them. They're a pretty big deal. The entire closing ceremony is giving them out. And we don't have time to dig into every single one of these contests that we saw, but we should definitely talk about the capture the flag contest because though there are many of them, it is sort of the big one.

Speaker 9: Welcome back to the second day of live CTF here at Defcon thirty two in Las Vegas. We will be starting our match really soon. I think we have all the players in place right now. So, all the players, are you ready? We are, now starting in five, four, three, two, one. Go. Good luck. Alright.

Speaker 3: Capture the flag is cool. If you are if you are into that world, it is very neat. Like, I was watching like, we didn't sit and watch it in real time, a, because it's nothing to watch, really. Yeah. You don't have the insight, but they were live streaming everything on YouTube, and you can watch the replays of it. It's live CTF. If you YouTube that, you'll see kind of a purple logo, and then if you go to their live functions, you'll see previous streams, and you can watch the entire like, the primary Defcon Capture the Flag contest replays. And it was it was hosted by either a the flag producers or the puzzle creators and other technical people who who were giving insights and talking through the problems as people were solving them, and I've watched I think six hours of it at this point. If the replays and it is awesome if you're from, it is I would say strongly technical. The reverse engineering, the reverse engineering, disassembling Decompiling software, you know, they're they're writing Pone scripts and things and they're you know digging through memory heaps like it is it is not for the everyday average person But if you were into that it is very cool to watch and it is amazing the speed that these people are doing this stuff at because I remember doing this stuff and I would spend like, weekends in the coffee shop to get where these people would get in, like, five minutes. And I was like I was like, wow. They are the they they have made a sport of this, and it is a sport of optimization.

Speaker 1: Alright. We're looking at the teams for the capture the flag. It's like a big in the round space, huge tables. We've got friendly Maltese citizens, maple mallard magistrates, great names, Hype Hype Boy. I like Hype Boy. ColdFusion and Blue Water. Blue Water.

Speaker 4: Also, it doesn't look like it's any individual. Everybody looks like they're here in large teams. They're very set up, some with, like, external displays and laptop stands. And there's a group called Live CTF setting up a broadcast studio where it looks like they will be doing the capture the flag live, probably on Twitch or YouTube. So we're gonna have to check that out after.

Speaker 1: It's a very fascinating contest. I way over my head, but the amount of excitement in the closing ceremony for who got who won that black badge for it was, it was palpable. And it went to the Carnegie Mellon University's Plaid Parliament of Pwning or PPPP. I guess there's three piece. It was their, third consecutive title and a record eight victory in the past twelve years. These folks just rock this thing pretty much every year.

Speaker 3: The, they were playing under the name, the Maple Mallard Magistrates, and hit a lot of the replays that I've been watching. It they are very

Speaker 1: good. One of the best pieces of advice I heard from someone going into this, and it proved out to be very true, is that, you you gotta be able to resist FOMO at this thing. If you have a really bad fear of missing out, you're you're gonna drive yourself nuts at Defcon. There's just too much stuff going on. You could probably hunker down at any one of these things and spend the whole time there and have a pretty fascinating time. So in the spirit of that, there's no way we can get to everything that we saw. Mhmm. We spent, you know, two, three days just bouncing from thing to thing, but more on the culture side was just the parties. Mhmm. So Las Vegas Convention Center ends at five or six, the sort of, like, primary stuff every single day. And then a few hours later, 09:10 type thing, the conference center is still open. And these conference halls have turned into parties. Much like the villages, they're put on by different people, outside of the convention itself. You've got gothcon. You've got queercon. You've got furrycon. You've got a whole bunch of different cons as parties inside of this big event. The one that we mentioned it earlier that Scott unfortunately wasn't able to make it to was Jack Rhysider's Darknet Diaries party, which I was very excited to go to. I was just excited to to go in and talk to Jack and hang out with him at a party because I

Speaker 3: thought that was gonna be

Speaker 1: a thing I was gonna be able to do. And I gotta say one of the coolest moments of this, we've had, if anyone doesn't know, Dark Knight Divers is a fantastic cybersecurity show. They tell hacker stories. It's it's it's a great show. It's a cultural phenomenon. And Jack was putting on this big party. And I roll up on the last, you know, proper night of the con, to go to it and I walk up and I was so happy to see this. The lineup went outside, went around the corner, went all the way up the hall, turned another corner, went all the way down another hall. Full of people who were excited to go there and meet Jack and celebrate this communal thing that they all loved. And it was such a perfect metaphor for the whole thing. You know? In that case, it was that one show. But this whole event was this massive celebration of a thing that I think people typically associate as being isolating. It is the flawed, incorrect archetype of the lone hacker in a basement somewhere. And it's not. It's tens of thousands of people all coming together to in the desert, to to meet each other and form community and build things. And that party was just such a perfect little metaphor for the whole enterprise.

Speaker 3: Well said. Still sad I couldn't make it, but well said.

Speaker 1: I didn't mean to hype it as I was hyping it, man. I feel bam.

Speaker 3: No. No. No. Hype it up. Jack's a friend of the pod.

Speaker 1: He is, and it was a very cool party. It was great to see him. I went to the closing ceremony where they give out these, these black badges. So as we've talked about, there's different types of badges. We had a green one. It was press. The default one was a cool clear plastic. There's, I think, red ones for goons who we never even talked about, which are the sort of volunteers that run the whole thing. There's vendor badges, there's presenter badges, but the badge you want, the Uber badge is the black badge. And the end of this whole event is the closing ceremony where they give it out. And it's really fun to watch. One by one, the different teams go up, and they give them one black badge that entitles you lifetime access to the conference. They were handmade versions of the same badge with, like, gold detailing and, crystal that's been I don't know if it was a radio, but had some connection to Las Vegas' nuclear history. The designer of it went up and she explained it beautifully. Really cool little objects, and they're this this symbol of, you know, you know, I won. I did it. I showed up. Beat everybody else. I got the thing. And there's so much pride. It was it was a lot of fun to watch.

Speaker 3: So I think they get line privileges. Like, they get it comes with, I think, you know, not only free entrance to the contest, but also kind of priority entrance into the conference. So, yeah, it's it is I I'll say that in our days there, I did not see one.

Speaker 1: Mhmm. That's true.

Speaker 3: Which tells you something.

Speaker 1: Probably just means that they were whoever had one was hunkered down at some contest with their head into the computer just, like, tearing in trying to win another one. So we probably wouldn't see him running around too much because they probably weren't running.

Speaker 3: I didn't the one other thing I was looking for in the notes and stuff when we got there was what CTFs qualified you for a black badge, and I'm not sure. I know the main one does. The team can win. I believe it's one, but I think that there's a bunch of other contests throughout that end up giving away a black badge. I'm not sure which ones they were. Maybe I'm wrong on that, but that would be a fascinating point for if somebody wanted to return and maybe try to get one for themselves.

Speaker 1: There was a funny story about the badges. It had to do with I think it was the goons. And it was that so at the end of the event during this final ceremony, it was really well done. There was a whole transparency section talking about the number of times, you know, say emergency was contacted or people who had some kind of report to safety or security. They went through it all one by one, very itemized, very broken down. But, apparently, someone fakes this is not encouraging this, but someone faked a goon badge and social engineered their way all the way through the, like, back end security system, all the way until the point where they, like, were talking to one of the bosses, revealed they'd done this, and they promptly hired this person for next year. So that was pretty fun.

Speaker 3: I was gonna say I feel like that's a bit of a metaphor for the Yeah. The conference has become. Like Yeah. The gentleman that hacked the Rivian. Like, sure, you get a challenge coin, but I'm sure you get a large technical job offer that follows that tech that challenge coin. I feel like there was a lot of that. There's probably a very cloudy layer of technical recruiting going on. Actually, one of the running jokes that Jordan and I had was I hadn't seen a technical recruiter here. Like, I just assumed there would be it would be full of, like, recruitment people and, you know, like people looking to place people into high paying tech jobs and this is a place where they come to farm contacts to do that because you can meet tons of people like just chatting in the donut line. You'd meet some senior person at Nvidia and then the next time you're in another line, you'd meet some other person who's got some sophisticated red team job at like Mandy and it's like it was just an ongoing thing that everybody you'd ran into and chat with was like had a senior technical job and I was like, I wonder where they're hiding all the tech recruiters because I'm sure those people would be salivating and maybe they maybe they have a process for keeping those people out of there which would be great but I feel like a lot of the CTFs and stuff aside from the fun ones probably have a back end of, like, if you're the person to do this, then Mhmm. Maybe maybe you should come work with us.

Speaker 1: So There's a little bit of drama throughout this thing, reference the badge thing, which is one of it. The other thing that was fascinating was there was a a hotel. So the conference books out these blocks of rooms at a couple different hotels nearby that you can walk from in less time than our hotel. And one of them, I think we named this because it's publicly disclosed at this point. It's called Resorts World. And it became clear partway through, that Resorts World was searching rooms for hacker tools. They were sending security up to the rooms, knocking on doors, going into the rooms, going through people's stuff looking for flipper zeros, Wi Fi pineapples, soldering kits, looking for hacker stuff. And boy did that, boy did that piss some people off. People weren't very happy. There's a lot of anger, directed towards that hotel, which I'll be honest with you. If I was in the hotel business, I'm not sure I'd wanna piss that crew off.

Speaker 3: And the they had given apparently, they had given, like, photo sheets to the house cleaning staff to be like, if you see any of these things, make sure you report

Speaker 1: it. Mhmm.

Speaker 3: So it was very targeted at the DEF CON crew. But with that being said, I'll say that we heard a lot of tales of DEF CON crew people mucking with the previous in the previous years mucking with the host environments which is probably why the las vegas convention sent center shut down all of their infrastructure also why Yeah, I don't know. I I got also if you remember I think we had an episode last year about certain casinos getting malwared and shutting down and losing billions of dollars of revenue So they're probably all very sensitive to this topic right now not that that, you know, allows them to violate people's privacy, but at the same time, I can I can see where their heads were at?

Speaker 1: It's a it's a push and pull of do you want 30,000 people's worth of economic injection into your city more or less than you don't want that many, slightly mischievous hackers converging in your city. I don't know the answer to that, but I hope that they keep letting it happen there because it was it was a very cool experience.

Speaker 3: Yeah. 100%.

Speaker 1: This is our, I think, our ninety ninth episode, which was a pretty fun one to get to do in this place with this community of people. Yeah. There was a there was a line during the closing ceremony that I really, really liked, and it it encapsulated something that I think we both kinda saw here, which was the sense of people each with their own thing. Their own thing that in the rest of the world is an obscure niche, but here, there's just enough people that you can build a community and you can create a physical space where you come and celebrate it. And the person on stage said, I've dreamed a lot of things and they've happened here. And I get that. You see that a lot walking around in this hall is that people that just they they get an idea in their head and they're able to hack it together and they were able to hack together a community and this is where those people come.

Speaker 3: You know, to everyone that puts it on, helps organize it, volunteers, the goons, everybody, the people who play the music in the halls, the DJs, the people that come up with the puzzles. Like, the list goes on and on and on. You guys all do a fantastic job, and I was so impressed the entire time and and the people that come and just sit at a table and put up a sign being like ask me about this thing. I'm an expert in it And you can just sit down and have a one hour conversation with somebody about some topic, and they'll tell you they'll give you an advanced class in what it is and how it works. And it's just like it's like a knowledge I don't know. It's beautiful. Like a knowledge melting pot. So it it was it was awesome and and and very cool, and thank you to everyone that, you know, puts it on.

Speaker 1: To play us out, I think this episode wrapped this bad boy up. I think I was gonna drop more of that wall of sheep trance music we were playing earlier. Hell, yeah. Just, you know, what you hear is you slowly walk up to that wall

Speaker 4: of sheep.

Speaker 1: Thanks for listening to another one. Catch you in the next one. Take care.

Speaker 10: If you're a lineman in charge of keeping the lights on, Grainger understands that you go to great lengths and sometimes heights to ensure the power is always flowing, which is why you can count on Grainger for professional grade products and next day delivery so you have everything you need to get the job done. Call 1800, click grainger dot com, or just stop by. Granger, for the ones who get it done.

Speaker 11: The right window treatments change everything. Your sleep, your privacy, the way every room looks and feels. At blinds.com, we've spent thirty years making it surprisingly simple to get exactly what your home needs. We've covered over 25,000,000 windows and have 50,005 star reviews to prove we deliver. Whether you DIY it or want a pro to handle everything from measure to install, we have you covered. Real design professionals, free samples, zero pressure. Right now, get up to 45 off-site wide, plus get a free professional measure at blinds.com. Rules and restrictions apply.

Speaker 12: There's a new way to sweetgreen. Meet wraps, handheld, hearty, and made for life on the move. With bold chef crafted flavors, fresh ingredients, and over 40 grams of protein, they're built to satisfy without slowing you down. Try wraps today in the app or at order.sweetgreen.com. Available at all participating locations.