DEF CON 30 - Hacker Summer Camp in 2022

- 111 min read - Text Only

DEF CON is a hacker convention. It welcomes the complete spectrum of actors in the security space. Every official function that requires money will only take cash. By design DEF CON executes in a way where no know-your-customer rules apply. No logs are recorded of who attends. And so no legal process can collect what does not exist.

There's a lot of lore and cautionary talk people give online. Bring a cell phone you don't mind being destroyed. Bring laptops you don't mind wiping. Only bring cash and no cards.

This was my first experience and I saw differences from the lore and hype in person.

What brought me to DEF CON

I knew several who were going, but not enough that it would be socially worth the time, travel stress, and expense to go. At the last minute I committed to going.

Phase Noise

i plan to defcon, will i be booping naga snoot?
Phase Noise
Ultimately this silly invite is what got me to finally commit to going. But DEF CON 30 was held August 11th... I practically had two weeks to figure this out.
Thankfully, despite the time constraints, I was able to get a room with someone, purchase flight tickets, submit for PTO and get it approved.
Unlike others I met at the convention, my time there was personal and not for business. I could not expense it. This was going to be a pricy trip.

It was not just furries, the community I feel a part of, that tipped the scales in me going. Several in the cryptography circle were going.

My goals were professional and personal:

  • to see what I'm missing in application and cloud security that others know or should know;
  • meet with other cryptographers and establish an in person relationship;
  • be exposed to different ideas;
  • witness what others in the hacker-space feel is important;
  • and meet with those I only know online and possible those who I normally would not meet online.

Traveling to DEF CON

Like any other trip, every single plane was full with no seats to spare. Still, the first one (of four) at had a shared destination.

Was next to several going to DEF CON on the plane, now at Denver. Will be at Vegas in a few hours
One was reading a book on incident response. When she mentioned Vegas to someone else I prompted and confirmed we were going to the same place. She mentioned interest in the Sky talks. The spicy ones where you don’t record.

We did not talk much though except when waiting to disembark.

When I arrived to Las Vegas, I followed other people to find the baggage claim. Unfortunately... there were two baggage claims physically distant from one another.

I went to Terminal 1's baggage claim when I needed to go to terminal 3's baggage claim. These terminals were about a mile apart and I had to pay for a taxi to get to the other since the tram was on the other side of security. The taxi driver said "That's *&cked up". That mistake cost me like $25.

Before DEF CON starts

Turns out, Black Hat (the more professional of the two) and DEF CON overlap on Thursday. Unlike DEF CON, Black Hat did not require masks in the conference space.

Well great. Some portion of the overlapping attendees are probably going to spread stuff.

RSAC branded a 'super spreader event' as attendees share COVID-19 test results
We don't have solid numbers for RSAC, but it sure doesn't sound great. Meanwhile, BH is apparently not planning to require masks or vaccination. Doesn't bode well for hacker summer camp this year.
I'm getting less and less excited about the prospect of spending a week in enclosed spaces with thousands of people in a city whose economy is based in large part on attracting people who don't calculate risk very well.
@SecuritySense @mattblaze The lack of a Black Hat mask mandate is super-disappointing. Lots of folks (vendors, folks that need to conduct business) are not going there by their own choice; their employer is forcing them to accept health risks. DEF CON mask mandate is the reason I plan on attending.

Thankfully at the time of writing, I appear to be negative and have no symptoms.

I meet with the room host and get my key and check in. The room in Harrah's had an open shower in the bathroom. There was no sliding door. What a weird design... Because of that a lot of water was constantly getting on the floor whenever I or another used it.

Line Con

The first thing I see once I get into Caesars Forum is this huge animated wall. This was the first of many wall-wrapping screens I've seen in Vegas, but the first time was eye-opening.

With any convention, the first thing to do is registration. "Where's Line Con?" someone asked a Goon while I was trying to figure that out for myself.

At DEF CON a Goon is an at-convention staff member. After enough service they get a free pass for life.

I oriented myself with a sign nearby and than managed to walk behind a map poster being transported to a newly set up info desk.

Line Con, as it is called, is waiting in line at a convention. The queue for human registration, yes it is called "human registration", took about an hour and much like any furry convention there were balloons and inflatable beach balls flying around to pass the time at the front of the line.

Near the front was a cute choose your own adventure sign.

A warning given to those who may enter the wrong side

I pay, in cash, for my badge to attend the convention and this gives me a badge. No ID check, no age check, no personally identifying information transcribed or written. A simple exchange of money for hardware.

def con 30 badge looks like a piano

During DEF CON


Turns out on Thursday nothing happens. Black Hat is still going. Some went into the swag line for 5 hours, but I did not. I still would not. A hat, a shirt, these things are not worth 5 hours of pain to me.

That night I met with Soatok in person. We have several things in common. He started earlier in his security focused journey than I did and it shows. I learned the details of what his professional circumstances and expectations are and the projects he is involved with. There's no way I would find his current project fun or engaging. I do believe that said project is incredibly important and impactful, but it would likely burn me out.


The next day I check out the Crypto and Privacy Village. A third of the convention space was held elsewhere, not in the Caesars Forum but in the Flamingo Hotel. It was an aged space with absolutely terrible navigation options. I wandered into the wrong space a few times and had to ask for help.

Later I find the closest elevator that would bring me there instead of using an escalator half way down the whole hotel.

The fastest route I had took around 13 minutes from the Caesars Forum. Unfortunately not enough time to go to back to back events. I missed out on a few talks because of that.

I head to the cryptography and privacy village to attend my first village presentation.

It was by Sc00bz about OPAQUE. For the slides, check out Demystifying Key Stretching and PAKEs.

A picture of a presentation. The top says P A K E s, how? Balanced noise, Augmented, Doubly Augmented, and Identity. Overall it is mostly names and jargon labels.

Talked about balanced, augmented, doubly augmented, and identity PAKEs. The Wi-Fi Alliance picked a known at the time to be broken balanced PAKE vs doubly augmented (or augmented since doubly augmented is not well known. See end of
Before and during this convention I was reading about binding tokens to specific clients for proof of possession with OAuth and OpenID Connect.
When I heard about "Doubly Augmented PAKEs" and I saw connections with my own self-teaching and a real cryptography talk–I got really excited. It was like I finally found the right place to be with my interests. This was the best first talk I could have gone to.
What's a doubly augmented PAKE?
I'm still figuring that out myself, augmented and asymmetric seem to be used interchangeably in the rare material I find online. So I suppose there is no shared state on either side. You could start learning with OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks.

After the high of a great experience at the Crypto and Privacy Village, I went over to the App-Sec village. The presenter was preaching about SAST and adding it to development flows. My employer, with some influence from me, uses GitHub for SAST. We had to negotiate away the hand-holding setup fee since we already figured it out during the trial. I did not hear much about DAST.

A photo of a presentation with an infinity loop mentioning happier customers, happier developers, ship faster, ship more securely, better experiences, faster feedback.

I got to see the dreaded dev-ops loop at the end and it did not warm my heart in any way.

The App-Sec village was very sponsor-heavy. Amazon and other brands were prominently visible in the backdrop. There were a few capture the flag challenges in the room, but I did not feel motivated to camp in a crowded loud space to figure them out.

The content of App-Sec is important, but about every topic and the tools presented had an obvious advertising motive behind it. I never felt compelled to go in again, even taking into account the titles of the presentations being shared.

Oh well, back to the Crypto Village.

Santiago Kantorowicz introduced himself as a security officer for Authy, which is a part of Twilio. Soatok, fursuit and all, joined me for this talk. But he was zoned out. Santiago introduced himself in this way: "I'm not a cryptographer, I am an enthusiast."

So... I was searching up how to do 2FA and the results were littered with links to Twilio(Authy) so I made a dev account just to have a look. THEY CHARGE 9 CENTS PER AUTH. That's literally charging 9 CENTS to generate a fricking smol ass number.
My opinion of Authy is not positive. I think charging for TOTP generation, which is a freely specified in RFC6238, is shameful. Push notification, OTP over SMS, I don't care about how you price that.

Twilio charges $0.09 per TOTP authentication

SMS service charges are in addition to 9 cents per authentication token generated. This is some high margin for a nano-cent of electricity and compute time.
What if you calculated a SHA-256 hash in pure Ruby?
Then I guess it would cost more than a nano-cent.
Anyway, while I do not care for the product Santiago works for, I hoped to find merit in his presentation. At least he has experience deploying this.

The presentation was titled "[T]OTPs are not as secure as you might believe". Indeed Santiago's delivery was successful and compelling. It was based on math. Even if that math was off by an order of a magnitude, it is truly scary to consider.

A photo of a presentation saying: T O T P s are not as secure as you might believe.

He showed how Uber does its OTP over SMS

Note to the reader, One Time Passwords (OTPs) are usually a sequence of characters which are delivered out of band from the current communication. It may be delivered prior like GitHub's emergency backup 2FA codes or in real time like SMS or push notifications. SMS realtime notifications are not bound to specific device or even process. Applications can request access to texts to grab an SMS delivered OTP for convenience. Malware applications can do that too... do not give access to your text messages to apps. You may have heard of sim swap attacks, see The rising risk of OTP hijacking & SIM swap attacks.
Also, in case you did not know, OTPs and Time-Based One Time Passwords (TOTPs) can be phished. You can be tricked into entering it into a field and someone or a program on the other side can use it just in time to compromise your account. Later at this conference I was convinced that processes involving humans copying secrets from one place to another is inherently dangerous and must be avoided.
That's why WebAuthn, FIDO keys, U2F, Yubikeys, whatever are becoming more important. Google and Apple are both introducing their own "passkeys" implementations too, though they are not the same or necessarily compatible. See Apple Passkeys and Google Passkeys. Understanding WebAuthn, how pairing curves are involved, the protocol and so on is in my future list to learn.

With Uber's 4-numerical OTPs, he found the security profile to be shockingly bad. OTPs can be noisy, but TOTPs can be silent. A system can check TOTPs over and over and never tell the user. Google might, they care about your account being compromised, but not other sites.

A photo of a presentation that reads So let's keep the attack going. In one hour, 20 windows of 3 minutes is 20. In a day, 480 windows. 91% chance of success in ONE day for a 4 digit O T P.

Well, what about the standard six we have? Turns out those aren't much better! The entropy is just not on our side.

Next he gestured and mentioned something like how we scale up key sizes. He may have mentioned RSA in kind. What about 8 numbers?

Parallelizing the attack for 8 digit O T P s. 100 users in parallel, in 100 days, 91% chance of success. 1000 users in parallel, in 15 days: 97% chance of success.


If you don't want to have any account compromised, user credentials have been successfully gathered and accepted by your system, you need to do a lot more than just have more characters. Per account rate limits are not enough either.

What options and mitigations should we consider?

A photo of a presentation with obama sweating on the side. Alphanumeric sucks but works. 58 character universe (upper and lower case) 6 character O T P length, 60 attempts per month per user (rate limit), For 6 months, ten thousand attacks in parallel meas a 0.47% chance of success.

Santiago suggests a wider character set, maybe base58. More characters. Per account and request-source rate limits. Even captchas.

Sheesh. Involving a human for security is just not worth the complexity here. People use phones for OTP and TOTP codes... let us get Apple and Google passkeys to people faster.

At the end, I asked if an interactive proof of possession could be considered by providing multiple subsequent 6-digit TOTPs when an account is under duress. Santiago agreed that it provided more entropy and could be used as a defense mechanism.

When the talk wrapped up, I concluded that Santiago knew what he was talking about, what he was working with, and had a mind attuned to the right perspectives as a security officer.

After the presentation, I got Soatok some water and took a picture with him in front of a bright neon sign.

Naturally, I agreed.

"Crypto" means Cryptography.

There were other signs throughout the con, though I do not remember them as vividly.

At this point I may have brought up a talk I was interested in but unlikely to have time for to Soatok.

A schedule listing Why organizations must consider crypto agility by Vikram Sharma in the Quantum Village.

Friday afternoon

Later, I checked in with the DEF CON Furries (a.k.a. "DC Furries") group, paid for registration in that group, and socialized for a short bit. DC Furries is more than just a social hangout though. A schedule for talks presented at that convention-within-a-convention was available in the hacker tracker app and everything. It even had a hotel specific deal made for room reservations within the DEF CON room block. This is not some fringe group of friends getting together, a real community exists here.

I learned how dire the supply chain shortage had become for those that make hardware. There is a reason the DEF CON badge this year used a Raspberry Pi micro-controller, others are "unobtanium".

A mere voltage controller for the furry-specific badge board was slated to be available December 2023.

Dancing ギンジ

I was invited by the speaker for one of the Sky Talks on his presentation on breaking DRM, so I was excited to do that.

Then for a moment Filippo dropped in for the scav hunt. He needed to find a "Flurry of Furries". I got one of his glow in the dark Age stickers too!

@DefConScavHunt @_bughardy_ @Eagle1753 @str4d @HarryBleyan ScavHunt is the weirdest, most shameless thing I do all year, and I love it. Thank you Matteo², Jack, and Harry for joining me. 63 submissions out of 100 ludicrous @DefConScavHunt items got us a #DEFCON Black Badge. Thanks so much to the judges for keeping it weird for us 💖
Photo included with tweetPhoto included with tweet
I made the mistake of requesting a custom drink from the bar. It seems I cannot safely handle mixed hard drinks anymore and I experienced head aches and pain for the next 10 hours.

As I was in bed napping the poison away, I saw flashes of light outside the window. It was raining!

The above video may seem amusing but the fact is: people died. Las Vegas does not have any storm drains on the road.


Thankfully the head aches went away and I was well rested after ten hours in bed.

DEF CON has a reputation of a lot of attendees drinking. "It is Vegas!" some say. Indeed, you can find a bar to drink at 24/7 in the area. Taxis and Uber is available at all hours at each hotel. It is insane how un-sleeping the area is. I brought eye masks with me to this event, if you ever visit I recommend the same. The shades never fully close to offer a truly dark night.

Soatok hinted that the OAuth talk this morning would be interesting so I headed that way. I arrived early, but not early enough to just walk in.

I had to wait in a line for twenty minutes to get in to the talk. Honestly that wasn't long compared to other aspects of this convention. Unlike Privacy and Crypto Village, Cloud Village had less seating, a shared room with an absolutely noisy neighbor (adversary village) and not enough loud speakers for the audience to hear.

Thankfully Cloud Village was physically next to Privacy and Crypto Village, so I could flit between areas quickly. The rest of the convention area was twelve to fifteen minutes away without traffic.

I go into this OAuth talk knowing a fair bit from my own self-learning. I am planning to implement an OAuth service, after all. OpenID too, maybe.

OAuthsome magic tricks yet more oauth abuse by Jenko Hwong

This presentation primarily focused on two high value implementations: Microsoft and Google. Here's where Google and Microsoft are similar: both treat their own applications as special and tokens issued to one application can be used in other applications. You know YouTube? If you login to Google and visit Youtube, you never had to log in.

It turns out Microsoft especially has a serious problem. A token issued to an "Outlook" public client can be exchanged for Active Directory access. A successful phishing attack against an IT admin can be more than a business impacting event.

Defending microsoft device code flow phish. A diagram shows an attacker pivoting their token across microsoft products with an originally microsoft email access token.

Microsoft doesn’t revoke access tokens!?



Exchange tokens are valid for +24h after an account is disabled



So the only way to quickly insta-boot a user from their Exchange account (hostile termination) is to either entirely delete it, or iisreset the Exchange server and expire all tokens.
I could not believe my eyes.


I had a script that did it locally for a specific user by entirely deprovisioning their Exchange mailbox, changing their password, disabling the account for 30+ seconds and then re-enabling it.

It was hacky, but allowed you to kick a user without IISreset.


Also, Google Cloud CLI had an escalation problem. After this was reported, significant constraints were placed onto tokens issued to that client. Now lateral and escalating actions by a token acquired through that client are prevented.

Also, and I personally experienced this, Google CLI had this awkward flow step at the end where the user would copy a token from the web page and paste it into the CLI that launched the authorization.

The problem with this is... what if the CLI did not launch the authorization, what if someone was primed into this and then pasted it into some "Hey collect your Google raffle winnings!" scam? The correct action here is to have a local server set up and to have a redirect URI set to the local server to collect the authorization code grant.

At this point, I was thoroughly convinced that removing human elements in authentication flows is vital to the security of a person's online life. WebAuthn needs more rollout, less sso tax, and greater support for application authors to add in. Again, I look forward to mobile device passkeys become more widespread.

After my shocking experience with the OAuth presentation, I heard from Soatok that he was going to the quantum talk.


A schedule listing Why organizations must consider crypto agility by Vikram Sharma in the Quantum Village.

This is bait for me lol
I remember asking you about that




I saw it again and went "It's fursuit Q&A time"

I head back over to the Privacy and Crypto Village and attend a talk about PII being a zombie. I missed the start, but it was still a compelling presentation.

Why people don't want P I I to die. It is simpler to implement technically, easier to understand for non-privacy professionals, it is habit. The most important reason is... (the slide ends here)

So why call it a zombie? "PII" is not a useful term in practice. Any detail about you that can be correlated with high probability to you.

The presenter brought up a case study of Netflix releasing movie ratings. She said something like 60% of the customers could be identified with only three points of data.

The real definition of PII from NIST: Any representation of information that permits the identity of the individual whom the information applies to to be reasonably inferred by either direct or indirect means.

NIST's definition becomes more broad than just "name", "phone", "social security number", "age", "ethnicity", and the like.

In practice, 15 binary attributes can uniquely identify 99% of US citizens.


Meta is creepy

It recommended your Instagram to me

I do not have an instagram



<image here>


That must be automatically created from my FB account

but yes, that is creepy. I doubt I have done anything to signal our [real life] connection online?


No, me neither. I looked you up on LinkedIn like 5 years ago

But that's it


At this PII talk, I learned that Facebook is not only selling personal data, but is buying it back with enriched attributes from their partners. Google, Amazon, and Apple may not sell their data, but they're likely buying this data too.

Oh, and it is totally not against the law for federal agencies to also buy this data. What are they doing with it?

I came out of this talk with a better understanding of how literally any data collected about me can be used to identify or manipulate me.

The talks in Privacy and Crypto village really highlighted how much "by and for the hackers" the presentations were, unlike App-Sec which was commercialized shilling.

Around this time I saw that Thomas Pornin announced a new optimized variant of double-odd elliptic curves for use in signatures.

A slack message screenshot where pornin says: Some new elliptic curve stuff, the pre-quantum kind, if you feel bored this weekend. Then mentions there are implementations in rust, c, and python.

I took a look and saw several nice things. It prevents multiple canonical signatures due to the cofactor (Ed25519 has 8, Ed448 has 4), isn't quite a creative workaround like ristretto and decaf, has comparable performance and security strength, and has even shorter signatures!

Friendship ended meme with Cendyne and Jacobi (the characters) where it says j q 255 e is my best friend. The joke here is that jq255e uses jacobi quatrics and the fluffy character Jacobi represents the algorithm.
Fun fact: this involves Jacobi Quartics and my new character happens to be named Jacobi. You will see Jacobi featured in more posts in the future.

Between talks and when waiting in line I was eagerly reading about these double odd curves.

Before lunch, I went to one last talk in Cloud Village. This one also included OAuth! But QR Codes! How fascinating.

I still need to finish that series I started with QR Date.

Square phish, combining qr codes and oauth 2 device code flow for advanced phishing attacks by Secureworks

Unlike the TOTP talk, which describes brute forcing OTPs which can be noisy, this presentation is all about phishing the user into entering the OTP into an adversarial interface.

Again, the target was Microsoft.

Wow, Microsoft really is not being shown in good light at DEF CON.

Attacker sends the victim an initial phish with a QR code embedded

The idea with this attack (SquarePhish) is:

  1. A victim receives an email which prompts action. It says that they will receive a code and to put it into another link (also included) in that email .
  2. The victim scans the QR code, it goes to the adversary's own site that begins with something Microsoft-Official looking but gets truncated on the mobile device.
  3. The adversary's backend initiates an OAuth device flow for the official Microsoft public client in the official Microsoft OAuth consent process and redirects the victim to Microsoft.
  4. While the victim is occupied with the official consent flow, the adversary's backend collects a device code token and sends it via email to the victim. This meets the expectations set in the initial email.
  5. The Microsoft backend prompts the user for what the device token is, the user remembers to check their email and conveniently finds the token (which has a lifetime of fifteen minutes).
  6. The victim presents the device token to Microsoft and Microsoft accepts it. The screen says they can close now.
  7. The adversary polls for a refresh and access token and acquires it now that the user has completed the device code authorization flow.

But how? Re-Phresh. It uses 'foci' magic to swap tokens. The microsoft graph api can be used to search emails, users, groups, organizations, OneDrive, and SharePoint.

As mentioned in the last OAuth talk, the refresh token can be used across Microsoft products. Tokens for other services are acquired automatically without any consent or active prompting to the victim. The victim, their data, and their organization is now freely accessible to the adversary to ransom and destroy.

Again, the still vulnerable demonstration of allowing public clients to laterally escalate privileges is shocking, horrifying, and seriously puts into doubt Microsoft's decision making and agility in responding to known public threats.
If I were a security officer in an environment deploying Microsoft's suite of technologies for my organization, I would be demanding change from Microsoft and in the mean time quake in distress at my organization's weakness through this vendor.

Also they might have said "We used gmail for this attack, but if you want to seriously execute it to many targets, get your own SMTP server."

I went out to lunch while Soatok attended the quantum cryptography talk. There's a whole quantum village, but I never peeked inside. Same with the password village. The distances were just too much and waiting for food took 30-80 minutes just to get a seat.


I went to a village talk for a quantum cryptography shill in fursuit and asked a bombshell question about his entire business proposition. He pawned me off on his CTO, so I made sure to email him just now too :)
To find out how that went, check out Burning Trust at the Quantum Village at DEFCON 30 feat. Vikram Sharma of QuintessenceLabs

After lunch, I was with two others in line to go to Sky talks. We wander around until we finally find the location and join the end. My intention was to go to the one I was invited to about DRM. It was quite a wait so I read more of the double-odd curves to figure out its properties.

There was quite a bit of math that I only understood at the shallowest of depths. I could follow the logical transformation from the double odd curve to jacobi quatrics, but I would not have seen or guessed that kind of transformation.

Someone, not a Goon so likely a volunteer, was wandering along the line selling some sort of "Sky Talk" badge. Something about how to support sky talks and staying back to back between talks. Others would be sweeped out. He was only accepting cash.

Well I was in line for the four pm talk, so I didn't think I needed it.

Thirty minutes later everyone ahead of us moves in. I thought the previous session ended and we were finally being seated for the four pm sky talk. I go up at 3:45 and someone is talking. Lots of people were already seated. I heard discussion from several panelists about war and Ukraine.

I'm not in the right talk? No, what happened was: I was shoved into the very end of the prior talk, one that lasted two hours. I did not have a badge.

I get separated from my friend because there are no seats near each other.

Goons are carefully examining everyone's lap and hands, they are serious about not allowing any recording. There were signs that said people would be asked to leave. The threat of "We will break your phone" was not visible anywhere. Everyone is quiet as the panelists talk. One person's phone starts going off with some amber alert or something. Then their Apple Watch goes off. A Goon was standing near her to ensure as she shut things down it was not some disguised recording.

I took out my note pad and wrote notes down, as others were doing.

In short here's a redacted bit of what I heard.

  • Ukraine isn't doing well, for several reasons.
  • Russia has several hidden data centers throughout Ukraine.
  • Russia's security is actually quite bad, there were passwords on the wall in the hidden data center presented to us on the projectors.
  • We will never have any sort of "cyber gun". We cannot reliably assess if a technical resource has been disarmed remotely.
  • We are seeing an emergence of "information warfare". The US is behind. Other countries are ahead and it shows.
  • The US press is only reporting on information from English sources and has repeatedly spread Russian-sourced misinformation because it is the only English information available.
  • Ukraine has permitted some Russian-sourced misinformation to spread among their own people, the warning that all male adults must stay in the borders in case they are called to fight is misinformation. (I have not personally verified this.)
  • More families are staying in the country because their male family members are not leaving, for fear of being denied at the border for asylum.
  • This has lead to constrained resources and space in the country as many are made homeless due to the ongoing war.
  • Russia is translating their story for China and India. Those countries are hearing only that side of the story. The English side is also incomplete.
  • Your identity online will not be tied to name / ssn, it will be tied to the web of devices that are bound to you, that is: the internet of things.

In retrospect only thirteen minutes passed and it was a lot of information. (I did not include everything here). But the thought of being kicked out for the next talk was unsettling me. I felt my heart skip a few times and even though I had lunch about two hours prior, I could tell my gut had ceased.

I had to get out. Despite my preparations to get into the talk I intended, which would only be held there at that time, and one that would not be recorded, I would not meet my expectations to a personal invitation. An anxiety attack washed over me and I got up and left.

As I was heading down the escalator, Soatok went into the room wearing one of the sky talk badges on his fursuit ears. He was able to attend the DRM talk despite the current one being about warfare.

I turned on my phone, ranted a little and headed to the Crypto and Privacy village. I sat down at one of the tables, but I could not stop cradling my head. So I tried to go through and read some fiction. I could not. I tried to continue my reading of the OpenID specification. I could not.

When I concluded I could not function in that space I headed to the DC Furries place. I was a wallflower of a zombie for an hour and found I was not finding any comfort.

Then I move to my hotel room and just do nothing for an hour.

I got a compassionate invite to go to another talk, this one was closer since it was in the Caesars Forum: Digital Skeleton Keys. On the way, I had to keep myself from clenching my teeth. My friend who invited me there could not make it, so I was alone for this presentation.

This talk was held at Track 4, one of the live streamed and professionally recorded stages. The room was at ten percent capacity. Huh, with rooms so big I would have expected more people, but it doesn't work that way.

Digital Skeleton Keys - a bone to pick offline access control systems

You know how hotel keys use RFID to authorize passage through exterior doors, elevators, and ultimately the specific hotel room? The general means for RFID access was described in this talk.

A key can be programmed with a set of data and the reader can read that set of data. The reader may decide if the data presented is authorized to unlock that portal.

What the speakers described was that every door in an organization had its own unique logically incrementing identifier and that just having the identifier was sufficient for access.

I did not see any discussion about signatures or forgeries. They could just stuff more data on the card.

The authors found that the reader did not care where the door numbers started so long as an offset was properly set. They found they could add over 800 doors to a single key card and any reader would accept and authorize them.

Skeleton Keys presentation snippet

They dropped a bomb shell after showing how the data fits together and how they achieved access to any installations with this vendor's system.

The vendor took like six or nine months to respond and their response was not great.

The transition process would require every door to be removed from site, upgraded at another location, and reinstalled twice. Existing cards would stop working with the first upgrade. All existing cards would need to be reprogrammed or re-issued and would not work until the second upgrade.

Given that there were two upgrades, I think that they meant that existing cards would stop working at the second upgrade as the reader would be in a state which accepts old and newly issued cards with a proper fix. Assuming the fix is proper.

Here's the bomb shell!

The vendor's customers include education, healthcare, and infrastructure. The vendor is not going to do this for free. Every customer would have to purchase a new license to perform this upgrade.
Holy bananas! I get that this isn't going to be free to fix but is that how you respond to a catastrophic flaw in your core product? Imagine if Tesla got away with defective motors or airbags in their vehicles and did not have to do a recall and do due diligence on contacting every owner affected with a free servicing?
Treating secure access–which should have been delivered originally but was flawed–to infrastructure and health care facilities as a business opportunity disgusts me greatly.

By Miana and Micsen

Most of the presentation looked like a CLI. While cute and with the theme, it was hard to read from the audience. Pretty much every projection surface was washed out because of poor lighting or cheap fabric which reflected ambient light.

The one who invited me was still busy with a capture the flag, so I headed back to the room. To get back to the room without breaking down I had to employ breathing exercises, continually check and unclench my jaw, and similarly un-ball my fists as my fingers dug into my palms. I received and recalled the information clearly from that moment, but I was still not okay.

I get to the hotel room, others are there and I just chill on the bed. I try reading and make more progress this time on the OpenID Connect Core specification. Later I shower, a self-care activity for me, and after I get out I finally feel my stomach function again. The intense anxiety had finally lifted away and I was in a far better mood.

Still, due to head aches and the anxiety attack, I feel like I lost about a full day of the convention now.


I woke up around 6 AM and saw that people were already departing DEF CON on Twitter. I close my eyes and sleep some more.

The next time I open Twitter I see panic.

#lasvegas airport flights grounded after ‘unfounded’ reports of shooting spark panic Las Vegas police said reports of a shooting at an international airport terminal were unfounded after a loud noise sent crowds running for cover. #TheOZNews

But it turns out to have just been some noise and people moved as if there were an active shooter. Gosh... the US is getting traumatized by gun violence. The answer isn't more guns.
After a false alarm incident at Harry Reid Airport in Vegas officials say to expect delays for travelers to be screened/rescreened. Planes being held @ gates to accommodate the process. Looks like it could be awhile. #vegas #vegasairport 🎥 @ArashMarkazi

That sure was a way to start the morning... It seems organizers of talks and events knew there would be departures Sunday, so everything else on the schedule felt a lot like leftovers.

Sunday was a slow start but I did get out bed and my anxiety had waned.

I reviewed the schedule and chose a few to go to. In retrospect I wish visited some of the other villages but my comfort zone was important given how sensitive yesterday made me.

First up was Finding Crypto: Inventorying Cryptographic Operations!

A photo of a slide reading Finding Crypto inventorying cryptographic operations

The slides were pretty wild at times, out of context they make little sense.

The premise though is when weak algorithms like MD5, RC4, and DES are declared weak and they should no longer be used for cryptographic purposes. The first step to not using something is to know where it is used so it can be removed!

The ending of PKCS#1 v1.5 RSASSA is in sight and its direct replacement is PKCS#1 v2.2 (RSA Probalistic Signature Scheme) which has been available but not required in standards for years. How will you change away from something vulnerable today or tomorrow? This whole concept of change is under the umbrella of cryptographic agility.

Jeff Bezos shoots lasers out of his eyes on NIST and amazon braket something to do with quantum computing research

The speaker specifically mentions, yes there are paid solutions to all this. But the Privacy and Crypto Village is not a place for paid sponsorship presentations. He specifically and intentionally described how to use free open source tools to achieve cryptographic inventories that provide SAST to discover algorithms in use. Remember the App-Sec village? They did not show any open source solutions, only a paid solution which the presenter had an employment relationship with.

Tweak or create new rules, next in continuous integration, use SAST analysis tools to create SARIF files, post process with python and get a report. Send the report to slack with post run hooks.

“This is how dinosaurs went extinct, standards bodies killed us.”

I found this comment on standards bodies being slow to be quite funny. But seeing An efficient key recovery attack on SIDH come out after SIDH had been in consideration (as SIKE) by NIST for a few years gives some respect to the slowness for the mathy parts of cryptographic constructions.

@Ernest_Chang_27 Yes, both rainbow and SIDH were broken so thoroughly you can break both of them on a laptop on a single weekend (with rainbow taking the vast majority of the time)

But back on the topic of crypto agility. It appears that Google Tink (I use Tink at my job and I am the one that introduced it) has crypto agility built into its goals and design.

Consider Software Engineering at Google, a book about lessons learned in the field of software engineering, with the subtitle "lessons learned from programming over time". In it, the authors go to great lengths to implore the implications of the fact that things change. This fact also impacted much of the design of Tink. In cryptography, it is important that one prepares for change. Keys will be leaked, and algorithms will be broken. Being able to switch out keys and algorithms is crucial for many users, and being prepared is prudent.
See Goals of Tink: Cryptographic Agility
@SoatokDhole Crypto agility is necessary for PQC, but not because PQC algorithms might turn out broken, but in order to switch to PQC in the first place. The way to do this securely is using Tink, without Tink it's a very difficult and error prone process.

But Quantum Key Distribution (KQD) which QuintessenceLabs sells hardware for seems to be snake oil. No offense to snakes intended.

@SoatokDhole QKD is obvious nonsense, in order to defend against things like broken PQC algorithms we should use hybrid techniques between classic and PQC as well as PQC and PQC
Cryptographic Agility commentary
If you're interested in another take about crypto agility, see: Cryptographic Agility and Superior Alternatives.
Check out my perspective on Cryptographic Agility.
I have migrated sensitive data from plaintext to PKCS#1 v1.5 and learned my mistakes a month later. Then I migrated that data to Google Tink with automatic key rotation. The window of time that both formats were accepted was under an hour since the data was encrypted at rest. After the migration the prior format was no longer referenced or accepted.
How did you make that mistake in the first place?
I used Google and referenced the first Stack Overflow java implementation that looked right to my inexperienced eyes. Then I was challenged to do a presentation for the engineering team on cryptographic code. In preparing for that lesson to the others, I learned that something was wrong.
What did you learn?
I was using asymmetric encryption in a use case where symmetric encryption should be used. I learned that PKCS#1 v1.5 had a weakness (I was not sure exactly what at that time). And I learned that what I had done constituted as "rolling my own crypto" in production. Ultimately, this realization is what lead to me developing my skillset in applied cryptography.
The issue though is not everyone (even my past self) has the knowledge on what to migrate to and how to safely migrate. While I have the attention to detail to perform a migration safely, I have seen application developers and their project managers not consider the full story of a migration. The engineers and project managers take down production repeatedly for anything migration-like outside of security.
Taking down production? That's a heck of a way to burn trust.
So I can see why executives would rather place trust in some other party for cryptographic agility than their own organization. They are not willing or capable of providing leadership and are unwilling to set realistic expectations on attention to detail. Instead they only push for results and set goals. That is not leadership to me.
Security vendors market to executives in ways that prey on their organizational failure to deliver. They get convinced further that they cannot trust their developers outside their business domain. The sad fate of this situation is developers and managers are not educated or equipped or trusted to do the right thing in security. Further, they do not or cannot pay for a full time team to focus on security. "We have cyber insurance" is their answer.
Even if executives were convinced they should hire or develop their own security-aware team, the market is not producing capable people who can intelligently develop solutions. Instead, the market is producing certification programs and certified contractors that apply a rote check list to whatever they see without regard to the content. It is not true education, it is a factory that aligns with the executives who make financial decisions.
That sounds eerily similar to all that crypto DAO smart contract stuff.
When everything looks like a nail and all you have is a hammer... Anyway there are workshops by individuals (e.g. Dr. Philippe De Ryck) who teach engineering teams secure development within a small well defined domain. I am not aware of any general and holistic program out there that can be applied to most development.
A commercial solution for cryptographic agility may give you nothing more than a higher bill. Instead, learn how to properly migrate and version your signatures and secrets. If you want to encrypt something for free that includes cryptographic agility in its goals, see Google Tink. The first step to crypto agility is to know where your cryptographic code is.

Post quantum encryption contender is taken out by single core PC and one hour. An efficient attack on S I D H. The news about this just came out before the conference.

The presenter is absolutely in touch with the times and I am glad to see that at DEF CON.

This is a rant, you can definitely skip
Do you know who is out of touch with the times? US university educators in computer science (CS). Microsoft is still finding that junior engineers add MD5 to their codebase because that is what those they were taught to use in school. The only thing that stops them now is static analysis, not their senior peers.
CS educators are transitively responsible for insecure contributions to the US's private and public systems by teaching their graduates outdated and known vulnerable knowledge. However, there is an existing problem: the tech industry needs more teaching talent. As it stands, this growing field will continue to experience strained educational resources.
What about those code camps or self-taught developers? I'm the latter.
I have someone from a code camp on my team. He is a great hire and I hope that through my recommendation he is promoted above a junior position soon. That said, I and others on my team are having to teach things about secure development and we are coaching him throughout the process. My team has several competent security-conscious team members. Most application teams do not, and I have had to learn how to support and communicate to a team from the side which has no security evangelist inside.
My wishes for educators to actually teach modern technologies, concepts, and safe practices are impossible to meet in this environment. I do not believe that the commercial world will educate their employees after hire to develop secure applications. Instead it is more lucrative for predatory shilling from security vendors who cannot even manage their own security properly. Some of them were at DEF CON.

Blue Muse

I can see why it happens in real time. Getting a new class approved can take 2-4 years, and changing the content of an existing course requires that the instructor keep up to date with the profession and revises their materials constantly.
Blue Muse

Blue Muse

Most professors aren't going to do that. The pay is low, there are lots of time pressures unrelated to teaching, and since the majority of classes are now taught by adjuncts (new grads, retired teachers, desperate people) who would get better pay working at Walmart, the care and craft just isn’t there.
Blue Muse

Blue Muse

Many professors want to be good teachers, but the system isn’t set up to prioritize that. Excellent teaching happens despite the educational system, not because of it.
Blue Muse
I do not see a successful future where a privatized push to raises the bar for security in the US. PCI compliance, as an example, is a check-box-security joke. I know it is. I just completed auditing with someone the day I got back from DEF CON. In the public sector we have representatives who propose policy that will deny any positive movement in security while chasing after security. Those with money or authority are not making decisions that will improve our safety and security. Instead our personal details are being sold on the market like oil.
The House passed a defense spending bill saying you can't sell software to the DoD that has *any* known CVEs in it.
Photo included with tweet
Okay, I'm done now on that, sorry it was something I had to get out.

Back to back with the crypto inventory talk came another, IAM Deescalation! Whoa, what is that? AWS Identity and Access Management (IAM) is the core machine and human authorization policy infrastructure of AWS. It comes with authorization impersonation known as AssumeRole. Thing is, it is possible with organically created IAM policies to end up in a world where one user can escalate their privileges by jumping across roles.

Privilege escalation techniques. IAM escalation methods by rhino security lab. Privilege escalation. Misconfigured IAM roles lead to thousands of compromised cloud workloads.

This talk was especially hard to hear, the Adversary Village was so loud, had more speakers, and this speaker had a very soft voice.

He described a process where one analysis tool would explore all IAM roles and permissions and develop a DAG of all roles that could be escalated to. Then, by consuming the output of that process, he could apply inline policies to prevent that role from escalating to roles beyond the intended purpose of the user's authorization.

Several diagrams that can be used to examine how permissions can be used.

After running the analysis again, he was able to negate every finding provided by the original analysis software. Other implementations either did not account for inline policies or had more findings than his chosen source provided.

I am used to thinking in an enable-only mindset, so the deny capability in IAM never really clicked for me. The presenter's inline policies that deny assume roles made sense in practice and helped me understand that feature of IAM.

After getting some water, I returned to the next talk in Cloud Village, this one was also about AWS! Curious... I have not seen much about GCP or Azure at all at DEF CON. Besides Microsoft being a bad example with cross-product authorization.

Sign of the times: exploiting poor validation of AWS SNS signing cert URL

Ah yes, SNS webhooks. So SNS won't just blindly start pushing somewhere to accept SNS events! There's a handshake involved here and it is annoying for sure as an application developer.

Almost no one got JWT tokens and webhooks right on the first try. With webhooks, people almost always forgot to authenticate incoming requests. By Ken Kantzer.

See, the web request from AWS will include a field that says, look here! Here's my PEM key I used to sign the request! And it literally could be hosted anywhere. It is up to the application to verify the key is trusted prior to acting upon the request. It is also up to the application to check the signature in the first place too! And many do not!

Whoa, this sounds eerily similar to my last post How Google played with bad cryptography!
Similarly, this is why including a JWK or JWK URI in-band with a JWT is considered a dangerous practice. The key source can be agreed upon out of band and fetched prior to authenticating a request which provides a key ID to reference in that key source. If you naively accept whatever key you get with the token, then you have not actually authenticated the token!

A break down of the URL that SNS libraries parse.

So how did the official AWS library verify the FQDN was authentic? Regexes of course!

They show they can create an S3 bucket that matches AWS's SNS regex.

And like any regex, there are unanticipated gaps. Someone made a publicly writable bucket and the discoverer of this issue could write any PEM they wanted to it! The official library accepted it as is.

When brought up to AWS, they banned the bucket, put in preventions for similar bucket names in the future, and did not update the library.

OAuth 2.1 (the so called future spec now that we've learned our mistakes) requires complete string matching of request URIs. No pattern matching. No one implements these things right. Do the dumb thing and have an allow list in a hash set and match against that.
AWS releases library updates all the time. Like one a day, oh my gosh shut up Dependabot. The correct move here would be to have a static list of accepted URIs and if they ever add a availability zones or regions just add it to the next published library. It is not like they add availability zones and regions every month.

The day was winding down and the schedule did not have much interesting for the next 30 minutes in this area. I did want to attend Cryptosploit in half an hour but it would take half an hour to walk back and forth from the Caesars Forum.

I shrugged and headed to the platform abuse talk in the Privacy and Crypto Village. Turns out that this was a fantastic move. The content was very interesting.

Why does platform abuse happen? Technologists design for themselves and the average user which is cis white mail and don't adequately consider the vast majority of other users and edge cases. They do not build with safety in mind and are reactive about harms. It is not easy to find information about platform abuse and most teams are not practiced in adversarial thinking.

First, I want to mention that the presenter was one of the Privacy and Crypto Village staff volunteers or members and was presenting with three others on a zoom call. All of the presenters were women. Most of the people at this convention are white men.

They called out specifically technologists are creating platforms that facilitate their demographic and not others. That other demographics are not considered or not handled adequately and it leads to significant harassment.

Teams are not set up to consider bad actors. Product managers only dream of their demographic's golden path.

As a consequent Twitter Fleets (an ephemeral tweet feature no one asked for) was an instrument of online harassment. See Twitter users say fleets are ripe for harassment. Fleets were removed July 2021 and Twitter did not acknowledge their use in harassment.

A diagram about how instagram business accounts were abused by minors.

Honestly it's like these companies that create platforms for people to share their thoughts only react to negative events after significant harm has been done and they are pulled to testify to governments.

This talk specifically got me thinking of parallels in security systems and human systems.

Philosophical thoughts

Several application issues happen because untrusted data is being acted upon before it is ensured to be trustworthy. Online harassment is generally between parties where one does not deem the other as trustworthy but the human has to make the decision on whether to engage. Unfortunately, the human is harmed during that decision process because they cannot forget what they were exposed to immediately after observation. A computer can make that decision without harm if done right (again not acting on untrustworthy information). That is direct abuse.

Then there is lateral abuse where the supporting people around someone is stripped away or used to redirect harmful content in a trusted relationship.

The definition of trustworthy is different for human and computer systems though I think the pattern looks similar.

This kind of eye opening days-later pondering content is the kind of stuff I cherish from DEF CON.

I got water again and rejoined for Cryptosploit. The first ten minutes were a disaster. This was going to be a tag team presentation where the remote fellow was responsible for most of the content. Unfortunately the local presenter never confirmed the other side could hear him. We could hear the remote presenter. We could see him move his mouse. That remote presenter responded over text. Honestly having a presentation ruined because the guy on stage couldn't check if he was on mute or if he had his mic misconfigured was embarrassing to watch.

A slide reading CRYPTOSPLOIT

He gave up and got the slides going locally but he stumbled and just gave up part way through.

Confusion and inability to present

He gave up again and then started showing the tool in action with a pre-recorded video.

So what's going on here? The two made an interface that can work with Padding Oracle hints to try other encrypted RSA content.

Padding Oracle cracking in action, there is audio. The presenter just does not speak because he does not know the content.

If you have to stay with RSA, use PKCS#1 v2.2. Based on the quickly flitted slides, there was nothing for me to learn from this presentation.

Big sigh.

Okay, the last talk. This one had "(Pre-recorded)" in the title.

Since the Cryptosploit one ended early, they had time to get it working. Except it didn't. The laptop used for presentation did not detect the projector. They asked around if anyone had a flash drive. In this day and age? So after technical difficulties, the village staff set up another laptop, and opened a Twitch stream. Huh, the guy had a backup as a Twitch vod? Interesting choice.

Then we all suffered 60hz ground loop hums for a while. Aaaaand they finally got it and started the video.

This one was about AES GCM pitfalls. Turns out it is by the same guy who did the TOTP talk, Santiago! And just like the TOTP talk (I did not mention earlier), nearly every slide had Rick and Morty or Spongebob. This one had a few Simpsons gifs and pictures too.

A slide reading AES GCM common pitfalls and how to work around them.

Again, he introduced himself not as a cryptographer but as an enthusiast.

The focus of this talk was on how many times you could use keys. There were several other issues or pitfalls mentioned but his talk was primarily on key reuse. The keywords were "Crypto Period" and "Key Life".

Crypto period vs key life. Crypto period is not the maximum amount of encryptions you can perform with one key. Crypto period is suggested or enforced through regulations like PCI and standards like NIST.

Crypto Period appears to be an agreed upon threshold where another key should be rotated.

He introduced what AES GCM was (AES CTR with GCM tags), mentioned nonces are standardized at 96 bits, and a bit about how things are combined together.

Diagrams of how AES Counter mode CTR works in manipulating plaintext into ciphertext, how keys and nonces are related

If a multiple payloads are encrypted with the same key and nonce, then by simply xoring them you can recover the plaintext of the other message. This is a common problem with stream ciphers.

Stream ciphers have no padding, they are like a one-time-pad (except not one time) which is XOR'd with the plaintext to produce the ciphertext. A symmetric block algorithm, key, and nonce can produce the same stream in CTR mode. If an adversary can control the nonce and plaintext and can access the ciphertext of both the target and their own, then the adversary can decrypt the secured content.

Santiago then brings up libraries. Do they have protections in place to prevent nonce collisions?

Cryptographic libraries solve this, right? Libraries expect the implementor to keep encryptions below the upper threshold of two to the power of 32. LibSodium and Google Tink do not track or enforce this. Never use more than 2 to the 32 random nonces with a given key because of the risk of a repeat.

They prevent the application from specifying the nonce upon encryption. However, they do not track key life or the Crypto Period of a key. It is up to the application to implement Crypto Period and key rotation as that requires either state or some external (i.e. cron job) force to apply.

I heard that the Amazon Alexa team, four or so years ago, would have a dedicated Dynamo table for storing AES GCM keys. A new key would be added each day for their project, even if they only added 50 rows per day to their production environment. The guy wondered about that and I was like "Well if you're making like a billion rows a day at Amazon scale, it makes sense" but he said no several times that it was not operating at that scale.
While I think that specific case was overkill, I suppose I have to give Amazon some credit for having Crypto Periods built into their patterns which application developers will implement and deploy at amazon scale.

A work around: use a 32 bit time stamp in the nonce. Overflows in the year 2038.

What are some other ways to work around nonce reuse if randomness can be dangerous? Include a timestamp! Well, the timestamp leaks some information, so do consider that. But if you use an unsigned 32 bit timestamp for the time, you still have 64 bits of entropy to safely pull from at scale.

He also mentioned AES SIV, but it is not FIPS certified.

Why use it? It is FIPS compliant, less error prone than CBC, FED Ramp requires FIPS compliance. If you don't need these then consider libsodium or X ChaCha20-Poly1305

At the end he also recommended trying out libsodium if you do not need FIPS as the interface is less error prone.

That ended my day of talks so I headed back to the hotel for the closing ceremony with the DC Furries. DEF CON was officially ending.

The DC Furries room had several TVs tuned into the closing ceremony. But each TV had a slightly different time so there were echoes in the room. Several were chatting and drinking, I passed on the option given my Friday experience. It was quite loud so I barely caught what was going on in the actual closing ceremony stream.

Someone was showing me their humongous badge, four layers of PCB + acrylic for a daft-punk style icon.

I looked up and heard the transparency report. They just banned One American News Network (OANN) for breaking the code of conduct.

DEFCON reports that one news outlet was banned this year, the second in DEFCON history. "It was OAN."
Photo included with tweet

Twitter had more of the story:

OANN Drama, you can skip.

OANN (a.k.a. OAN) is known for promoting misinformation around voting machines. They were in fact at the Voting Machine Hacking Village at DEF CON to construct their own story.

It’s true. OAN was indeed banned. I can confirm because I saw it go down. I was at the voting village yesterday afternoon when I noticed Chanel Rion approached a table with 2 hackers diving into a vote tabulator. Her cameraman was near by. She started asking them questions 1/n
Photo included with tweet
Look at this slide: 70+ press creds were issued, about half to “non-traditional” outlets. Def Con tends to be pretty non-partisan, and if anything skews libertarian. I can’t imagine (though could be wrong) that they would have denied OAN creds. So why was OAN there without them?
For those that found this thread and have this very legitimate question: they were there because they’ve been trafficking in election disinformation since after 2020. So much so that Dominion, a voting machine company, is suing them for defamation and seeking over $1billion
@mattblaze @jhalderm So, while working on her piece, did Rion ever attempt to reach Blaze or Halderman for assistance, fact-checking, etc? Nope. She relied on Ron Watkins, the 8kun sysadmin that some suspect may have posted as Q, who had 0 election security experience & 0 to do with the DC27 report
Photo included with tweetPhoto included with tweetPhoto included with tweetPhoto included with tweet
@mattblaze @jhalderm And that is how you spot someone acting in bad faith. You can see in the deposition that they show a long list of election security SME's, and ask if she attempted to speak to a single person on that list. She did not. Instead she relied on Ron Watkins.

Consider the perspective that those here are trying to convey.

We spent the weekend with hackers in Las Vegas who were breaking apart voting machines. w/@jmoorheadcnn @GabeRamirez

Some time during closing ceremony, a group of fursuits did a short parade. Unfortunately I did not see it in the room. I don't think the cameraman bothered to move the camera to the audience to show the distraction.

Online drama, feel free to skip.

Naturally this got at least one response.

we used to live in a proper country where hacking conferences had actual hackers.
@TheD3vineOne Furries have done more for Internet Security than you have Also ratio
@SoatokDhole DefCon has been fed central for years. Doubt I've missed any major OPSEC innovations by grown men in cosplay playing nice with statists. Anon femboy gays with anime p4ps in crypto provide much more value then furries could dream of. Cope.
Photo included with tweet

Wow, that was bigoted.

Like DC Furries, there is literally another convention within a convention called Queercon. As mentioned in the platform abuse talk, there are other demographics we need to be considerate and accepting of.

#Queercon 19 will be at #DEFCON and holding events inside of the conference space. Daily mixers, Friday night party, and other community-driven events. Badges will be had. And hanging with @DCFurs on Friday night (8-10pm).
Photo included with tweet

Not everyone here are straight white males. Those we create technology for are definitely not all straight white males.

I do a double take as the closing ceremony ended.

It is now safe to turn off your def con

That screen sure brought back some memories.

Sunday after closing

I had to fly out the next day at 6 AM, and I already made mistakes on the way here so I wanted to be as well rested as possible going back home.

I went out with two others to get some all you can eat sushi, ended up talking with someone who was on stage during closing ceremony, and then we Ubered over to the location. Turns out the waiting time was an hour to even get a seat. NO WAY.

As a crew we wandered through the area and I recommended the Mongolian place after previewing its ratings online. It was a great choice in the end! And also the first solid food I had that day...

I learn one that came with us had been a Rust developer for seven years and I described my own experience with it. I said something like: If I put it down for a month, I feel like I'm biking uphill again for a few hours, every time.

On the way back we get a fantastic driver, a guy who worked in Alaska for 40 years and then came to Vegas. The car we rode in was barely a week old. He's just doing this to pass the time. Somewhere in the conversation, another in the crew mentioned they rode in a Tesla earlier.

Wait, people are renting Teslas from Uber? And they're paing a thousand or so a month for that privilege? Of course, they also do not gain any ownership of it over time. How does anyone make a living doing that?

I get back, pack up, and then sleep early.


I wake up at 3:30, before my 3:55 alarm and finish packing. Thanks to that I did not wake anyone else in the room.

I message a friend I made at a prior convention, who does light shows as a hobby for dances and raves. Turns out he was involved with the manufacturing of the badges we wore at DEF CON and he just finished a meeting with their staff.. at 3 am.

I hear about reel machines and how much packaging is involved with transporting these boards between his place of work to DEF CON's final assembly center. DEF CON put the final screen, speaker, and cover on top with a 3d printed assembly.

Before heading out myself, Soatok comes down the elevators looking tired. We greet and give goodbyes and he heads out. I wrap up my conversation with the first friend and then we separate.

There's always a taxi waiting in Vegas at any hour of the day. Though the ride was, with tax and tip, around $40.

Pre-checking and paying for my luggage is the right move. I got mine in at the curbside within five minutes and headed through security.

Las Vegas airport security line was 5 stars today. Little wait and I got both the smiths detection and metal detector. None of that “assume the submission pose”.

It went quite fast! The only thing that made it slow was people stalling the line because security called them out on cutting in front of others. Or not realizing their fancy bling was setting off the metal detector.

Anyway my stuff went through the smiths detection machine, I did not have to take out my laptop or tablet. Then I walked through the metal detector. No microwave scanning stuff.

On the way in, I find a neat statue.

A rocky rabbit with text next to it reading for your safety please do not climb

I get on the tram to go from the E gates to D gates. When I get out, I see my mistake on how I got to the other terminal. They have two tram lines, one for terminal 3, and another to get to terminal 1. Where's terminal 2?

I sigh at my learned mistake and head to my gate. Nearby I talk with someone about solar panel stuff, the new bill seems to be giving some people new opportunities to install solar. It seems my installation was overpriced. That knowledge won't reduce how much I have to pay.

Flying home

The trip home went well. One of the planes had TVs in every seat and the person a row in front was watching Fox News the whole time. I was astonished by the things I saw between reading Overlord on my iPad.

On the flight home there were ads for child friendly guides for Donald Trump.

It seems that all that news channel could talk about was Trump this and that, even their ads were catered to an audience that treats him like some religious figure. I listen to several news sources on my smart speakers at home, NPR, Reuters, Fox News. The Fox News audio segments were never this hypnotically focused on Trump. Other ads on that channel were.. very techno-phobic and quite scammy. You know, the level of Norton Security bundled with your motherboard firmware update kind of scammy.

Arriving at home

I briefly catch up online and see some things on Twitter.

Political stuff
@defcon 30 just wrapped up and I am so impressed! One thing (I’ve said this before) we need more VISIBLE Conservatives in tech. Many left leaning ideologies/communities were represented, and NO conservative communities. We are in tech and need to show up.
@Amal4Congress @defcon After all, it was a conservative man that tried to deny funding to a public library in Mississippi earlier this year on the basis of LGBTQ books being against his personal religious beliefs.

For reference, Soatok is refering to Ridgeland Mayor Gene McGee withholding $110,000 of funding from the Madison County Library System.

@Amal4Congress @defcon Conservatism doesn't really work with the hacker ethos. We have plenty of gun-toting libertarians and ancaps that vote red. There's your conservative representation at DEFCON.
@Amal4Congress @defcon What benefit can conservatives bring to the hacking community? Not just representation for representation's sake but rather what does conservatism have to offer? Last I checked it was a dogma of exclusion, denial of social responsibility, and authoritarian tendency.

Ben really spells it out.

Conclusions and take aways

Although memories of it all are still settling in, I can confidently declare that my viewpont has changed because I went to DEF CON. Here's a condensed set of what I took away from Hacker Summer Camp.

Applied cryptography is a sliver of a sliver of the tech community. Like many of the others in the security community, I have to find my own way to master this skill.
Commercial presentations must be considered with a critical eye. Their priority is making a profit, not raising the bar for security in the industry.
Presentations by small research groups and individuals should be given favor and priority. They are by far the most honest and educational sessions you can attend.
Buy the sky talks badge. Bring cash ($40) for it. You will be waiting in line for two hours. Also bring a paper pad and pencil or pen.
Microsoft is not agile (who could have guessed) and does not prioritize fixing known issues that can, when attacked, destroy a business that depends upon them.
We are vulnerable to information warfare and US media institutions do not vet their sources or explore sources outside of the English speaking world. I should consider learning another human language.
We should not rely upon OTP or TOTP for second factors if the authentication provider does not respond to adversaries with increasing difficulty. TOTPs do not support dynamic difficulty changes.
Any authentication or authorization flow that relies upon a human copying information between devices or processes is vulnerable to phishing. For a few more thoughts, see Two Factor Authentication.
Big companies (e.g. Microsoft) and social platforms (e.g. Twitter, Instagram, Facebook) do not put sufficient resources behind analyzing their systems under adversarial conditions. They are all reactive instead of proactive and as a result the security, privacy, and wellbeing of people are harmed. Hackers that participate in bug bounties are not satisfied.
The internet of sh*t is real. IoT (including phones) will be used to identify us between commercial entities and possibly state entities. We can not rely on or expect that IoT manufacturers actually update or mitigate security issues tied to their products.
Any collection of binary or categorical information can be used to uniquely identify most humans on the planet. Government entities are buying this information off the market, it is totally legal and does not require bribery as it once did.
Developers should stop using regex around security.

None of DEF CON was expensed to work. My employer does not have enough "professional development" budget per person to even handle THAT conference entirely and I don't even have to fly to get to THAT conference to attend. Over half of those I met were expensing DEF CON, so I am a bit jealous of that.

I did make new friends and better cemented some friendships that had only been online prior. It was highly educational, but I did not get the social fulfillment within applied cryptography that I had hoped for.

I think I'd have a better time at DEF CON if I go again next year.

And finally, to be as open and supportive to those who wish to learn. I write about security topics because I want this content to be accessible and interesting, rather than intimidating.
We will never close the talent gap in cybersecurity with gatekeeping. We also won't close the talent gap by lowering standards. Be welcoming to newcomers. But nobody is served by pretending core knowledge isn't necessary to understand and apply complex topics.
Judge people in Security by how many people they help come up in Security. Be a friendly on ramp. It is never to early to help someone else learn what you know : )
If you feel you have learned and developed interest in security or cryptography or even the soft skills I talk about, please let me know.