DEF CON 2012 Conference Review

As a general software consulting company, we have to stay knowledgeable across many different domains of software. In today's software world, security is one of the most important of those domains. To keep my knowledge in this area current, I attended the Black Hat conference last year and decided to attend the DEF CON conference this year. I attended only one day, but my impression of the conference was much better than my impression of Black Hat. In my limited time, I went to only two talks because there were so many other interesting activities besides the talks. Of the two talks, one was much better than any talk I had heard at Black Hat and the other was on par. The better talk had to do with setting up a malicious proxy server that lets its operator inject JavaScript into every website returned to a user. Though the individual concepts are not advanced and could easily be replicated, it was a clever combination of ideas that makes it evident how insecure proxy servers can be.

Besides the talks, there are a lot of capture-the-flag activities where you can try your hand at testing the security (aka hacking) of various problems. A whole conference room full of security teams was dedicated to this purpose. In the same room was an entertaining display of hacked systems, cleverly named the Wall of Sheep. Even the DEF CON badge was a challenge problem and came complete with monitor, keyboard and mouse connectors. The exhibitors were also more interesting than at Black Hat, with various real-world tools that had real utility; the exhibitors at Black Hat were mostly just there for advertising.

Overall, I was much more impressed with DEF CON than with Black Hat. I think DEF CON attracts more talent than Black Hat. There are multiple reasons for this, but I think it mostly has to do with cost. With such a high cost of attendance (thousands of dollars), Black Hat mostly attracts employees sponsored by their companies. On the other hand, many hobbyists and talented security researchers or hackers are willing to pay $200 for DEF CON. For example, I went to a corporate-sponsored event one of the evenings and got to meet Moxie Marlinspike, a famous computer security researcher who has contributed many developments to the field. That talent is what makes the talks more interesting and teaches us conference-goers more about the evolving field of security. So I would highly recommend that people trying to learn more about security attend DEF CON rather than Black Hat next year. I'll definitely be going again!

