• United States



Senior Staff Writer

A practical survival guide to Black Hat and DEF CON

Jul 29, 20148 mins
CybercrimeIT LeadershipSocial Engineering

If you're heading to Vegas for the annual gathering, here's a realistic list of expectations and precautions

Every year, thousands gather in Las Vegas to attend Hacker Summer Camp, or collectively the Black Hat, B-Sides Las Vegas, and DEF CON conferences.

There’s always a discussion surrounding personal and technical security before the events start, but in recent years most of these guides have focused on FUD instead of useful tips.

Other than FUD, many of the survival guides contain a good deal of technical advice. Truthfully, some of the more technical offerings make sense for a few, so I’ll link to those where needed. However, the tips below are for the generalists, the passive attendees, and the not so technical, among us.

So with that said, here’s the Salted Hash guide to existing for a week among hackers, sales types, the media, and tourists.

You really don’t have anything to fear:

Each year, there is always plenty of talk about how dangerous the networks are at Black Hat and DEF CON. Sometimes, you’ll see mention that one or both of them are the “world’s most hostile network.”

So if the network scares you, don’t use it. Just disconnect and enjoy your time at the show. However, if you’re heading to Las Vegas on business, and Internet usage is required, then your best bet is to limit Internet access to essential functions only and to use a VPN.

Your IT department should already require VPN access for remote workers, but if not, ask them how to enable such features. If they can’t enable VPN – or won’t – then the options are to either avoid the Web entirely or use a commercial VPN service such as IPredator (one that I’m fond of).

If you’re going to use the Web, limit the attack surface. For example, only check your work email in your room. Check it once in the morning and once in the evening.

When it comes to phones and tablets, again the idea is to limit the attack surface; which can be done by disabling the data options (mobile and Wi-Fi), in addition to Bluetooth access.

Personally, I use airplane mode and check for text messages and missed calls on a regular basis. If you need to tether the device for Web access, lock it down with a solid password and use it sparingly.

In all of my years going to Las Vegas, I’ve only encountered one instance where a device I was using was passively attacked, and that’s because someone thought it would be funny to sniff the traffic in the press room.

While there is risk with regard to the public networks at Black Hat and DEF CON, it’s no greater than the passive risk that’s associated with any other public access point.

As SANS put it a few years ago:

“…try to recall all of the attacks you have seen in the last year and dismissed because the attacker needed to be local to your network. Then realize that you are about to connect to that network.”

You really do need to travel light:

When I travel to Hacker Summer Camp, I don’t bring a lot of gear with me. You’ll do a lot of walking in Las Vegas, and the hotels where the conferences are held are designed to make you feel as if you’ve traveled for miles. After the first day, lugging around a backpack with tons of equipment can be painful.

If you need a computer, try and use a tablet over a laptop, if you have a good battery, you won’t need to carry the charger. Otherwise, that isn’t going to weigh you down all that much. After that, grab a notepad, some pens, a voice recorder (assuming that you don’t have an app for that on your phone), and business cards. These are handy items to have around, and anything else is optional really.

Traveling light while on the show floor is great, but you’re still walking. So plan for this, and wear comfortable shoes. It will save you on the aches and pains even if you have even a light schedule.

Also, be flexible. Remember, these conferences are social events, as well as a chance to learn and to network. Stick to carrying only what’s essential to your overall goals while in attendance, and leave the rest behind – either at home or in your hotel room.

It’s wise to make plans:

Another commonly overlooked tip centers on knowing (or at least having a good idea of) what you want to do before you get to Las Vegas. This means identifying the talks of interest and scheduling dinners and meetings in advance. To put simply, form a plan of attack before you go.

But remember, it is entirely possible you’ll be making some new friends or even professional contacts during the week. So if a scheduled talk overlaps with the chance to grab some food or a drink, stick to the social aspects and watch the recorded talk later.

Remember 3-2-1:

This is a long running rule, and there are various reasons for it, but the essential message applies to anyone who is traveling to Las Vegas next week.

Each day, get at least three hours of sleep, eat two meals, and take one shower. It might not seem like it, but you will sweat buckets, especially if you travel outside. After a day of walking you’re going to be ripe.

Sleep and food are essentials, but you’d be surprised at how many people forget that aspect of the week. Protein bars will work in a pinch, but you need to store them properly, and they’re not a solid substitute for an actual meal.

The only other item for this list is water. Drinking at the bar is fine and dandy for some of you, but that doesn’t help. Water is your friend in Las Vegas, and you’ll need to be hydrated if you plan on walking the Strip. If you’re out in the heat, avoid soda and beer – no good will come of it.

From the unofficial DEF CON FAQ:

“You need to remember when you are in the desert your body needs fluids. Just because there is a lack of sweat or your body “feels cool”, it does not mean that you’re not becoming dehydrated. Drink plenty of fluids and even more if you decide to drink some alcohol.”

On lines and talks:

Some of the talks at Black Hat and DEF CON will have long lines. The best advice is to head to a talk you want to see early, so that you can get in and get a seat. However, remember that most talks are recorded, so maybe heading over to the hardware hacking village, or the swag area is a better use of time. (Then again, perhaps lines are your thing, and if so that’s cool too.)


Use a credit card if you must, and carry some cash, but not a large amount. The one rule about money that you need to remember, this goes for Black Hat and DEF CON, is to never – EVER – use the ATMs. Not only are the fees outrageous, it is likely that it might be tagged with a skimmer or they’re completely fake. It’s happened before.

Interact with your peers:

It’s been mentioned before, but it can’t be stressed enough. While there is plenty to learn at Black Hat and DEF CON, the chance to interact with peers you’ve only known online is priceless.

My personal rule is personal interaction over everything else, including training and talks. And thanks to BSides Las Vegas, you can actually do a bit of both. BSidesLV takes place on August 5 and 6, at the Tuscany Suites and Casino on Flamingo Ave. So if your in town around then, it’s worth checking out.

Protect your social interactions:

Now that the point has been hammered home that the social aspect of Hacker Summer Camp is top notch, it’s important to remember that some topics are not up for discussion. Be mindful of whom you are talking to, and what you’re talking about.

If you’re meeting someone for the first time, general discussions based on your line of work are fine, but discussing the project list for the coming year in great detail isn’t.

Use your best judgment, but remember that some secrets need to stay that way, especially if sharing details could lead to a forced career change.

“…just think critically about your environment and what you’re doing. There are plenty of malicious attackers out there who get their kicks from compromising the toughest technical and human systems. But like anyone else, most will simply take the lowest hanging fruit.” –