10 things we learned — and relearned — at DEF CON 29 (some that have nothing to do with security)

A lot of it has to do with cryptocurrency fallacies, hacking buildings, bizarre contests, furs, bad IoT security and other wonderful and intriguing elements of infosec culture.

DEF CON has always been weird, and that’s the way organizers and attendees like it. But this year was more unusual than most — owing mainly to the fact that it took place under the cloud of Covid-19 and its surging Delta variant, which cut normal attendance numbers by about a third. As a result, everyone was masked — and there were some amazing ones like this and this — and many of the presentations were delivered via video. But that didn’t stop the hacking, badge tinkering and collecting and high-jinks that took place alongside brilliant security talks from some of the brightest people in the industry. As the slogan this year put it: “You can’t stop the signal.”

Here are 10 of our highlights from DEF CON 29:

  1. Yes, blockchains can be hacked. Cryptocurrency boosters and other advocates of Satoshi Nakamoto’s famous protocol are fond of asserting that the blockchain “can’t be hacked.” It is true that — “51 percent” attacks aside — the underlying cryptographic protocols of the blockchain are robust (and likely to remain that way until the advent of quantum computing pretty much breaks all contemporary encryption). But to make it work in the real world, blockchain has to be implemented — and implementations, like every other piece of software, are hackable. One of DEF CON’s buzzier talks this year was about the first published attack to covertly steal user assets by employing remote code execution (RCE) obtained through a JSON deserialization 0day. Security researchers for the Chinese tech giant TenCent demonstrated a proof-of-concept exploit against Tron cryptocurrency, a $5 billion blockchain implemented using a version of Java. The researchers say classic web vulnerabilities like this will have serious consequences for the future security of cryptocurrencies.
  2. There are always feds at DEF CON. There was much controversy last month about the DEF CON decision to invite DHS Secretary Alejandro Mayorkas to take part in a keynote interview with founder Jeff Moss. In the end, Mayorkas didn’t come to Vegas and organizers opted to cancel rather than try and stage the conversation remotely. “It would have been weird and might have been glitchy,” Moss told README. CISA Director Jen Easterly also opted not to attend. But feds were there anyway, including a dozen or so from CISA. Defense Digital Services Acting Director Katie Olson staffed an exhibit that featured a mini Mars Rover that Twitch users controlled remotely and Lego mining robots that DEF CON attendees could tinker with. The feds are there because it’s the cutting edge of research into vulnerabilities and exploits, Olson told README. “It’s an incredible opportunity to get at what the vulnerabilities might be [in satellite systems, say, or automobiles] before an adversary” can. They’re recruiting, too, but more importantly, Olson said, with the longer-term mission of bridging a cultural divide. “For too long, it’s been hackers over here, security researchers over there, and the government right over here. I want those people to be on my team,” said Olson, unphased as hackers at the Aerospace Village dismantled one of her lego robots to build a paper airplane launcher.
  3. Hacking isn’t just about IT. Lots of people come to DEF CON to talk about defeating/getting around/ultimately improving physical security. One of the best anecdotes at the war stories session concerned physical pentesting at a bank (the session was strictly off the record, so that’s all we can say.) There are whole villages (mini cons-within-a-con) dedicated to lock-picking and social engineering.
  4. It’s all about the badges. As anyone who’s been to DEF CON knows, badges are big. This year, more so than ever, since the official conference hardware medallions were accompanied not just by a harrowing tale of triumph over supply chain misadventures, but a flashable firmware update released as DEF CON opened. After all, virtual participants who chose the paid option (the talks were also broadcast free on Twitch and Discord) received badges early. And “We didn’t want to give you a two week head start” on unlocking the various puzzles and other challenges built into the programmable chip mounted inside, said badge designer Michael Whiteley. One easy way in-person participants could unlock additional functionality was to “mate” their badge with someone else’s, either via one of the USB connectors at each end of the lanyard/cable or directly, via one of the connectors at the badge’s lower edge. This was a particularly ingenious social hack for an event where most participants had spent almost a year-and-a-half locked down and some had, by their own accounts, forgotten how to interact with new people. Attendees were advised to connect to as many different types of badge as they could — a boon for your README correspondent since only a handful of journalists were in attendance, giving his green-hued press badge the advantageous patina of rarity. In addition to the firmware update, the designers provided a troubleshooting guide for hardware and software issues.
  5. Hackers are (mostly) part of a caring and supportive community, who strive to uplift their colleagues and be as inclusive as possible. From the imposter syndrome cure stickers being given out in the women’s restrooms to the hygiene products in all the bathrooms, DEF CON was trying hard not to have any women crying in stalls this year. Many commented on how emotionally supported they felt. There was a Blacks In Cybersecurity Village with a lot of allies in attendance and the annual talk-that-everyone-loses-their-everloving-minds-over was given this year by Ian Coldwater, a non-binary security researcher. Just as importantly, the attendees, though still skewing very white and male, seemed a little less male than usual.
  6. Hackers are still enormously competitive. CTF events led to many sleepless nights for hundreds of attendees. A big chunk of the two-hour-plus long closing ceremonies were devoted to CTF winners (yes, they looked very tired), including a competition between competition designers.
  7. Some hackers like to dress up as furry animals. This is charming, but I have absolutely no idea what it’s about. (Editors note: Someone please explain this to Shaun.)
  8. Health care cybersecurity is suffering. Panelists at the 5th annual “D0 no h4rm” health care security panel painted a depressingly familiar picture of hospitals as “archaeological sites” for outdated IT. (Yes, many connected medical devices really do still run Windows XP.) Stephanie Domas, director of cybersecurity strategy and communications at Intel, explained that many medical devices are made to function for 15-plus years — a lifespan that makes software security very challenging. On the other hand, the fact the explosion of tele-health services was driven by new policies (principally the decisions of insurers to reimburse for it) shows that “policy can drive change,” and provides at least a glimmer of hope, according to panel organizer Beau Woods, a fellow at the Atlantic Council and a senior advisor to CISA. Woods urged attendees with cybersecurity skills to volunteer with local healthcare institutions.
  9. But it doesn’t matter, because the Internet of Things dooms us all to live with poor security forever. Apparently there’s no way to stop people attaching stuff to the internet. Why? “Convenience … has become the root of all evil,” according to Cheryl Biswas, strategic threat intelligence specialist with TD Bank. How bad is IoT security? Its practitioners are looking to policymakers to help fix things. This is like an oncologist calling in a priest or a witch-doctor — it ain’t good news for the patient.
  10. DEF CON lasts four days, but it takes the other 361 days of the year to make it happen. Supply chain issues aside, one of the reasons the badge-makers had such a hard time was, they only got started three months out. The decision to stage a hybrid DEF CON wasn’t made until April 15. Normally, planning for next year’s event starts as soon as everyone’s recovered from this year’s con. Almost a 1,000 volunteers, creators, organizers work with fewer than a dozen paid staff to put the event on. The organizers announced the dates and venue for DEF CON 30 next year (Aug 11–14, the new Caesar’s Forum convention center) at the closing ceremony, suggesting that contracts have already been signed. See you next year!

With additional reporting by Brandon Torio