Exploring Information Security


My Social Engineering Village (DEFCON) experience

This was my second time going to DEFCON. I was previously at DEFCON in the early 2000s. At the time information security was not my sole focus. I was serving in the Navy as an Electronics Technician. I did a little bit of everything.

Being stationed in San Diego, California, allowed me the opportunity to be dragged out to Las Vegas in August by a first class petty officer. At the time I had no idea what I was getting into. I just knew I was going to Vegas (baby!). I attended some talks and was fascinated by the capture the flag competition. The weirdest thing that happened to me was crashing at a hotel with one of the speakers my friend knew. I expected them to show up at some point in the wee hours. After waking up, I realized no one had come back to the hotel room we just stayed in. Odd.

You might think this sparked my desire to get into the field. Nope, I was more interested in playing blackjack, hitting some slot machines, and taking in the complimentary drinks. It would be another eight years before I knew I wanted to get into infosec. After I got in I had no desire to go to BlackHat (too vendory) or back to DEFCON (been there, done that). Instead I started hitting the smaller cons like BSides, CircleCityCon, ShowMeCon, and DerbyCon. Those conferences (much more affordable) satisfied my desire to contribute and network in the community.

That all changed in early May. While attending Converge and BSides Detroit my friend Dan asked if I wanted to go to DEFCON and volunteer at the Social Engineering Village. I was interested, but needed to check the logistics. After getting approval from my wife and manager, I started working on hotel and transportation. Last Tuesday I found myself in Las Vegas for the first time in over a decade. The TL;DR version is that I had a blast.

The crew running the Social Engineering Village (SE Village) are some of the most friendly people I've met in infosec. I not only got to know Chris Hadnagy and Michelle Fincher, but I also got to know their wonderful family and friends. They couldn't have been any more welcoming to a new person (I'm tearing up a little bit). I spent the entirety of DEFCON in the SE Village (HallCon was not an issue for me).

On Wednesday we grabbed a truck and loaded it up with everything needed for the village. We then started setting up and didn't finish until well into the evening. For dinner I had my first taste of Thai food (ever!). The next day Mission SE Impossible began.

Mission SE Impossible involved contestants picking their way out of hand and leg cuffs. Then they had to pick a door lock. After that they had to make their way through a laser field. The first dude (looked like military) literally jumped through the big hole we left at the top of the field. The hole was easily 4-5 feet off the ground. Unfortunately, he hit a laser and it didn't count. It was still cool to see him do it. Then they had to run through a micro-expression exercise. Finally, they picked another lock. They had 15 minutes to complete all these tasks. The guy that won did it in just over three minutes.

Friday and Saturday the village had the capture the flag (CTF) during the day and talks in the evening. I was exhausted by the end of both days. I showed up around 9 a.m. and didn't finish at the village until 9:30 p.m. that night. Most of that was on my feet helping with crowd control. By the way, if you're reading this and you were at the SE Village and you complied with any of our requests to move seats or move out of doorways, thank you. Most people complied with our requests to push people around, which I appreciated.


The village was packed practically all weekend. DEFCON really needs to try and get them a bigger room next year. The first two days we had people packed into every seat and standable space and still had a line outside the door. Saturday was a different experience, because it came down that anyone in the room had to have a seat (did I mention they needed a bigger room). This moved any fire hazard from the room into the hallway, where people were lining up down to the end of the hall. A goon came in and asked if I could estimate wait time. I told him an hour plus, for anyone near the end of the line. Side note, the goons were very friendly and nothing like the jerks I had heard stories about the last few years. They were absolutely fantastic to work with.

Half the time I didn't know what was going on in the room, because anyone that left we had to fill their spot in the room. This meant either pushing people down or directing someone to the vacated seat. What I did catch was awesome. The talks were talks. I don't have many takeaways, because I usually only got to listen to bits and pieces. Things did start winding down when talks got started and I was thankful to be sitting down. The calls were easily the most interesting part of the village (and the most popular).

The SECTF (calls) consisted of contestants calling various video game companies. They would try to get points by getting the person on the phone to divulge bits of information. These were basic things like browser or third-party software information (think Flash version). The success of contestants seemed to hinge on how well they did their research. Leading up to the competition each contestant was given a target and about two weeks' time to find as much information as they could. This allowed them to collect numbers to call and pretexts to put together. The ones who did better research got live people on the phone. The CTF was on a Friday and Saturday, which meant the contestants had to get creative with their numbers.


For about half of the contest we had the pleasure of listening to ringtones and voicemails. The other half varied. Some companies were very good about not divulging information, while others were more helpful. The winner of the competition, Chris Kirsch, got a couple of people on the line who provided him with almost every flag. Each call started a new set of flags, so contestants could rack up points with multiple calls. He had individuals going to thismachine.info and had them reading from the website, which just allowed him to rack up point after point. We didn't have many people leaving the room during his calls. Our biggest challenge was keeping the laughter down from all the information he was getting (yes, there was potential for the other person on the line to hear the room). I walked up and down the aisle trying to help shush the room. I watched as the look of humor turned to anguish as Chris racked up points. It was epic. At the end he got a standing ovation from the room. The dude straight crushed the competition. During Q&A he mentioned that he spent 40-60 hours doing research in a two-week period. This was the highlight of the competition.

On Sunday, Chris and Michelle recorded a podcast with Tim Larkin. I didn't get to listen to it all. What I did get the opportunity to listen to was fantastic. Tim talked a lot about situational awareness. After that we packed up and I headed to the airport. I took with me a bunch of new swag and hugs from everyone who worked the SE Village. The experience is one of the highlights of my infosec career. I can't wait for next year!

This blog post first appeared on Exploring Information Security.