This year, three members of Netsecurity's Red Team traveled to Las Vegas to attend the renowned Hacker Summer Camp. Anders, Tor-Erik, and John were the lucky ones chosen. Tor-Erik and John arrived first to attend BSides, where John gave his first talk in the US, on the PasswordCon track, about vulnerabilities in physical access controls. Tor-Erik was there in support. Anders followed, and together they attended Defcon.
BSides is a smaller conference compared to Defcon, with around 3,000 attendees and a compact and accessible space at the Tuscany Suites & Casino. This is a world-class conference that is often overlooked by many. This year, however, there were a surprising number of Norwegians in attendance, which may indicate that the conference is becoming more recognized.
Defcon is a conference in a league of its own, with an atmosphere and environment that is unique. This year's attendance is said to have reached up to 50,000 people, although official figures have not been confirmed. Defcon is known for its diversity, where everyone regardless of age and identity is welcome and no one judges.
This year, for the first time, Defcon was held at the Las Vegas Convention Center (LVCC). This was also the first time in several years that the entire Defcon was gathered under one roof. The LVCC is about 85 times larger than Oslo Spektrum, which made it considerably easier to navigate between lectures, villages, workshops and exhibitor areas.
One of the most valuable aspects of Defcon is that "everyone" is there. It's a meeting place for old acquaintances, new acquaintances, and some of the most well-known people in cyber security. We had the pleasure of meeting John Hammond at Red Team Village's party, and Jack Rhysider at his Darknet Diaries party, where disguises were required. Some of us visited the Red Team Alliance location in Las Vegas, while others attended a gathering hosted by the Microsoft Security Response Center (MSRC), where we made new contacts. We also caught a glimpse of Ed Skoudis, an important person behind many of our extracurricular activities in December, although unfortunately we didn't get a chance to talk to him.
In such contexts, competitors become more than just competitors; they become friends and like-minded people to have informal discussions with. This is an invaluable experience that strengthens relationships within both the Norwegian and international security communities.
John also volunteered at the Red Team Village, one of the most popular parts of Defcon. This gave him a unique opportunity to get to know the community better and to give something back. Once you get a foot in the door, more opportunities open up at future events, both to help out and to help further develop Red Team Village.
For Anders and Tor-Erik, who attended Defcon for the first time, the conference was overwhelming. With a huge selection of villages, talks, stands and exhibitor areas, they felt like kids in a candy store. Villages are gathering areas for different branches of security, and here we found everything from hardware hacking to biohacking, AI, web security, offensive and defensive security, and bug bounty. In between talks, we wandered around the villages, talking to people and soaking up inspiration. The vendor area at Defcon is a unique shopping area, especially for those working with offensive security, with everything from pike gear and radio equipment to keyloggers and interesting books from No Starch Press.
When it comes to lectures, there are few places where you can find as many interesting things as at BSides and especially Defcon.
At BSides, we attended lectures on topics such as the use of ePaper as a fake ID card, challenges with national characters such as æ, ø and å in IT systems, and a new tool for communication with serial ports for easier hardware hacking. We also learned about utilizing rights and rule sets in cloud services for pentesting, and about cost-effective automation of cloud services.
Defcon offered a huge range of talks, including vulnerabilities in IT and OT systems used in agriculture, innovative attacks on RFID-based access control systems, bypassing physical security mechanisms, risks associated with influencing learning models in LLMs, and alternative ways of obtaining NTLM hashes. Another highlight was Gareth Heyes from PortSwigger's presentation on email address parsing, where he showed how standards and different libraries' implementations can be exploited to bypass access control based on email domains.
Another talk, "Securing the Harvest: Cyber Defense for Agricultural Control Systems," highlighted an often overlooked area of critical infrastructure. Ray Baeza explained how agriculture, which is essential to food production and the economy, often has limited resources for IT security. He described how vulnerable systems, such as local fuel stations, are critical during the harvest season, especially to ensure the availability of fuel for tractors and combines.
Despite many of the talks being made available on the conferences' YouTube channels, there are many smaller talks in the different villages that are not filmed. The only way to catch these is to be present at the conferences.
Hacker Summer Camp, with BSides LV and Defcon, once again proves to be the ultimate meeting place for anyone working with security, especially offensive security.
Now we look forward to next August, and hope we get the opportunity to participate again in the world's most important meeting place for penetration testers, incident handlers, developers, and others who work with security, both technically and organizationally.
We thank Netsecurity for the opportunity to participate in this year's conferences and hope to return next year, where we all look for opportunities to contribute in different ways.
We'll be back!
Anders Rosdahl, Tor-Erik Thorjussen and John-André Bjørkhaug