DefCon 22: The writeup.

Antarctica Starts Here. » Antarctica Starts Here. 2014-08-18

Summary:

The reason I've been quiet so much lately and letting my constructs handle posting things for me is because I was getting ready to attend DefCon 22, one of the largest hacker cons in the world. It's been quite a few years since I last attended DefCon (the last one was DefCon 9, back in 2001.ev) due to the fact that Vegas is, in point of fact, stupidly expensive and when you get right down to it I need to pay bills more than I need to fly to Las Vegas for most of a week. I'm also in the middle of finishing up moving out of DC, which would tie up most of anybody's energy and money. However, this year $work sent me with two cow-orkers so once the ink was dry we kicked into lockdown mode to get ready in the days leading up to our flight. I'll post later about what all of that entailed, based upon the hypothesis that transparently documented security protocols executed correctly should stand up to a certain amount of scrutiny; additionally, peer review and scrutiny for security protocols isn't a bad thing at all.
Due to the no photography policy at the con I took only a handful of pictures outside of the conference space, and even then only of myself with an eye for keeping as many other people out of the frame as possible. Many of us aren't comfortable being photographed anymore because we as a society are under such tight surveillance in public that it's nice to not be recorded once in a while. So, I've got no pictures of and from DefCon this time around.
Our flight to Vegas wasn't much to write home about. It was pleasant as short flights go and largely inoffensive. Protip: If you're flying Spirit Air and you've got baggage to check, do so at the front desk. Don't check your baggage when you print out your boarding pass even if you do it at home. If you do it'll cost you somewhere in the neighborhood of $50us. If you check your baggage at the front desk as an "Oh, by the way" you'll only pay $16. Save some money, you're flying to Las Vegas. You'll need it.
When we stepped out of McCarran Airport to get on the shuttle bus the dry desert air slammed into us like a firm yet fluffy hammer. After a minute or two we were unable to tell the difference between the air and the exhaust from an idling truck.
From the time we flew out of our home airport the three of us were operating in what we called autistic mode, a phrase taken from Ghost In the Shell which refers to the practice of operating while entirely disconnected from the global Net. DefCon's network is renowned as possibly the most hostile network environment on the planet, where no holds are barred, zero fucks are given, and it's aliens-from-Independence Day-nuke-dog-eat-dog. In short, you run at your own risk because there is no telling what's running loose on any of the wireless networks there. There is also no telling which of the wireless access points at any given hotel are legitimate and which might be booby traps. I've heard several people over the years mention that the number of hotel access points triples in the day or two preceding DefCon and drops abruptly the day after the con wraps up. Additionally, it is generally agreed upon by the security community that the security measures on your average smartphone vary between "laughable" and "criminally negligent"; coupled with the state of the art in GSM and CDMA interception techniques even talking on the phone at DefCon is potentially hazardous. In a later post I'll describe our OPSEC protocol along with what worked, what didn't work, and what the pain points experienced were.
We'd been advised by a friend on staff to not show up bright and early for badges because the lines were undoubtedly going to be long. Taking that advice to heart, the three of us had a leisurely breakfast and coffee on the Vegas strip, and shot the bull for a while before making the two mile hike to the Rio. Our hearts sank as we took in the line of people waiting to buy DefCon badges.
It stretched the length of the main hallway in the Rio, through the back of the casino, all the way around the pool area, and probably out the front and down the sidewalk by the end of the day. It was comical. Absurd, even. I'd heard later that people started lining up for badges at 0430 PST8PDT on Thursday morning. I was afraid something like this would happen, so I brought a Nalgene bottle of water with me, a hat that I could collapse and stow in my backpack, and a tube of sunscreen to pass around because we'd be standing in the hot sun. We stood in line for a good four hours or so, periodically switching out to take breaks to go for water, run to the bathroom, or just duck into t

Link:

http://drwho.virtadpt.net/archive/2014/08/18/defcon-22-the-writeup

From feeds:

Gudgeon and gist » Antarctica Starts Here. » Antarctica Starts Here.

Tags:

default

Authors:

The Doctor

Date tagged:

08/18/2014, 14:30

Date published:

08/18/2014, 13:00