DEFCON 24 – Hacking’s Gone Mainstream

By Krista M. | Cyber Threat Intelligence Analyst

“I can’t believe this many people want to hack into computers,” the elderly woman said to her friend as they tried to navigate past the throng of DEFCON attendees at Bally’s Las Vegas Hotel and Casino, “there’s something wrong with that.” I heard this comment in passing and nodded slightly in subtle agreement.

This was my second time attending DEFCON and it’s obvious that the concept of hacking has exploded in popularity. Over 20,000 people were in attendance and, clearly, the organizers didn’t even anticipate this many people as they ran out of the electronic badges on the second day of the four-day conference. They ultimately had to print and laminate makeshift badges to keep pace with the demand.

Much like last year, there was a vast assortment of people filling the halls and ballrooms – young hackers, old sysadmins, journalists, white hats, black hats, researchers, government employees, and vendors, among others. Certainly, it seems that the stereotypical image of the basement-dwelling, antisocial young male quietly hacking out of boredom is quickly being replaced by a more diverse collective inclined to “hack out loud” for a purpose, whether it’s for improved privacy and security, for digital freedom, or in support of a social cause. Men and women of all different ages and backgrounds came together to learn about hacking and digital security, share ideas, and socialize with like-minded people.

I attended several of the talks myself, although I was disappointed that I could not attend as many as I had originally planned. The crowd was so massive that many rooms were filled to capacity within minutes, forcing organizers to quickly cut access citing fire code violations. At one point, they announced that Bally’s threatened to end the conference early if attendees did not stop blocking the halls and doorways. The organizers have already decided to move next year’s DEFCON to Caesars Palace as they’ve outgrown the current venue.

Personally, I’m not sure if that’s a good thing or a bad thing. On the one hand, I certainly support the concept of crowdsourcing vulnerability detection and sharing that information quickly in an attempt to improve cybersecurity for a larger number of people in a shorter amount of time. I think educating as many people as possible about cybersecurity is very important as we are all becoming increasingly dependent upon technology in our daily lives. On the other hand, though, there will always be a large subsection of this group who hack to destroy rather than to improve and that’s what worries me about excessive information sharing. For instance, I was waiting to see a presentation titled “How to Remote Control an Airliner: Security Flaws in Avionics” when an organizer announced that it had been cancelled. I’ll admit, as much as I was curious about the topic, I was also relieved and wondered if there was some sort of government intervention that prevented that information from being released to the public.

It made me think that, since software, networks, and devices are getting hacked faster than people can implement solutions, do the benefits of this rapidly growing hacking culture truly outweigh the detriments? Or, is the rapid discovery and disclosure of vulnerabilities actually succeeding in pressuring companies to improve their products faster for fear of bad press or legal liability?

It remains to be seen if we’ll ever get to a point where we’ll no longer have to worry about vulnerable code, security holes, and massive data breaches as cybersecurity increasingly becomes a higher priority for everyone. Hacking has gone mainstream and, right now, nothing is truly secure. In the meantime, I’ll keep my eyes and ears open at events like these so I can continue to effectively serve the NJCCIC membership by providing the latest cyber threat information and solutions.

As always, please reach out to us with any questions or concerns and be sure to report any cyber incidents to us by emailing NJCCIC@cyber.nj.gov, using this form, or calling 609-963-6900 x7865.