Reflections on a Las Vegas Con-a-thon
Or: BSidesLV, Black Hat and DEF CON
I have survived a week in the hot desert and returned safely and smoothly to the Mile High. While the memories are still fresh, I wanted to reflect on my time at the three large conferences and what I liked, what I didn't and lessons learned.
BSidesLV
Formed initially as an answer to the other conferences getting too large and too commercial, BSides is a meta-conference hosted in cities around the world, with BSidesLV being one of the largest and in its 5th year running. It is smaller, free (even with an open bar and free/cheap food!) and is trying to recapture the feel of the more cozy venues of yesteryear.
- Less crowded
- Interesting variety of "tracks" that were organized in a nifty way: some were "underground" and no recording was permitted, others were a place for new speakers to be paired with a more experienced mentor and get their first talk out of the way, and a number of others
- High quality attendance: while it was smaller than the others last week, the folks who did make it out were technical, motivated and generally friendly, which made ad hoc discussions very enjoyable
- Talks that may be outside of the scope of a normal "hacker con": there were a number of more pure math talks that didn't revolve around the typical Grugq's conference format and failings
- Shuttle to and from the venue was a great addition, made staying off-strip easy
- Some talks were hit-or-miss, especially in the "Proving Ground" track
- With so many concurrent tracks, there was always a conflict and I felt as if I was missing out on something
- Limited badges: I know the goal was to keep it small, but towards the end, many folks had left with their badges, preventing later arrivals from joining in on the fun
Black Hat USA
One of the more "prestigious" conferences, it targets a much different crowd than the others, with tickets costing upwards of $2000 and a highly technical and well-respected review board. The vendor booths were a very high production value affair and reminded me of the DISA Mission Partner conference, or an RSA-like event.
- More consistently technical and vetted speakers and talks
- Larger venue
- Excellent keynote by Dan Geer
- Wide technical ability of attendees, hallway meet-ups were always interesting
- Room to hallway size ratio left long lines to get to talks
- Countless emails from vendors post-con (badge scan to get contact information)
DEF CON
A huge affair, with folks flying in from all over, and generally getting up to no good, this year proved no exception. Pictures of the line to get a DEF CON human badge were hard to believe, and there was a large percentage of first-timers. A generally more mixed crowd, some very non-technical folks and a smattering of experts. Far less corporate feeling and with a good spread of "villages".
- Villages: communities of interest grouped together to have their own mini-con about their topic, such as wireless, SCADA/ICS, hardware and anti-tamper
- @ihuntpineapples: a prankster found a vulnerability in the WiFi Pineapple and was (reversibly) bricking the devices interfering with the wifi at the conference/hotel
- Meeting friends: it is a cheap enough ($220) conference that it can be a central event for all the folks on Twitter and IRC you never see to all get together
- Crowded: the running joke this year was "Linecon 2014", though hopefully this will be fixed as it is moving to Ballys/Paris next year
- Tin-foil hats: a majority of the crowd were non-technical and just wanted to be part of the "in crowd" by hating on the government
- Iffy talks: I attended the worst talk I had ever seen and a number of the others were marginal; it was also sad to see people walking out of some of the good talks the moment they became technical
- Party pressure: the less technical and more "counter-culture" in attendance put a high value on being outrageous and intoxicated, rather than accepting of people's wishes and/or self-imposed restrictions. Being drunk is very cool here, even if you end up looking like a fool (hint: you do)
In hindsight, I think this year's DEF CON will be my last. After four days in Las Vegas, I just want to get home, and fighting through the crowds to see iffy talks is not worth it. If I had my way, BSidesLV will continue to be a day before Black Hat so I can attend at least one day before heading to Black Hat, then home. I am hoping to branch out to check out some other conferences in the next year, such as REcon, Derbycon, TROOPERS and CanSecWest.