A G33k Goes To DEFCON

TL;DR – Day of Shecurity sent me to DEF CON 26. I had a wonderful time, did some cool things, and have already made plans to attend DEF CON 27. If you want the full details, keep reading…

Last year, when I quit my job as a web developer and threw myself head-first into the world of cybersecurity, there was a lot I didn’t know about infosec, hacker spaces, virtual machines, and teams of various hues. Now, after nearly a year and a half of reinventing myself, including 39 college units, three GIAC certifications, and a part-time gig as a SANS Subject Matter Expert, I have a clue. Part of me wishes I had done this years ago!

Going to DEF CON was another logical step in my ongoing education and development as a hacker and infosec geek, and the folks at Day of Shecurity[1] made it possible for me to go this year rather than putting it off for some indeterminate period while I wrestled with finances, logistics, and the ever-present anguish of imposter syndrome. Had I not won the raffle at the DoS event last June, I don’t know how long it would have been before I went to DEF CON. I had already registered for a couple of different hacker events and ghosted on them for various reasons, mainly because I was afraid I wouldn’t fit in, that people would think I was a poser, and that they would laugh at me.

Yeah. My imposter syndrome is pretty intense sometimes.

The good news is that, between friends who were going to DEF CON 26 and the support provided by the wonderful folks on the Day of Shecurity team, I had plenty of backup, immoral support, and encouragement to help me get there, and to have a great time, too.

First Impressions:

PEOPLE! OMG! I had not been to Las Vegas since attending COMDEX in Y2K, so I was not ready for the sheer number of people there, all of whom seemed to be milling around aimlessly on the sidewalks in various states of intoxication. And that was before I got to DEF CON itself!

Within the con, the collective press of 28k people, all of whom are trying to get to various talks, villages, CTFs, and other events, was everything from daunting to overwhelming to downright comical. (Some of the costumes were pretty hilarious. And did you see those tin-foil hats?!? Some of those people have skillz! 😎)

Cool Things I Did:

I learned to pick locks

The Diana Initiative was one of several places where people could learn basic lock picking … oops… lock sport skills. Several of my friends had told me about lock picking before, so I was curious. Now I understand. The basics are simple, and working with locks is an interesting mix of fine motor control and kinesthetic sensitivity.

I participated in a spelling bee for cybersecurity terms and phrases

Brianne Hughes and others from the cybersecurity company, Bishop Fox, hosted and ran a hacker’s spelling bee. The event was partly to raise awareness about the Bishop Fox Cybersecurity Style Guide, and partly to have some geeky fun! Sadly, I did not realize that “Pornhub” did not capitalize the H, but 1) I didn’t bomb out on a technical term, and 2) a friend of mine won the event, so I am content.

I hung out at the Packet Hacking Village (PHV)

For those of you who may not know, a “village” is a space set up with a specific focus, whether that focus is about hacking packets, IoT, biohacking, wireless, crypto, or some other particular area of interest. Since my friend, Gh057, was working PHV I just had to stop by. And I was glad I did! I was very much surprised at how comfortable I felt there. The low lights, the techno music, the wacky people… My only regret is that I didn’t go sooner and stay longer.

I played a bit in one of the many, many CTFs

Capture the Flag (CTF) contests are a weird combination of penetration test and Easter Egg hunt. Hackers use CTF to demonstrate and hone their skills by breaking into systems that have been specifically built to be attacked and explored. I’m still working on my own CTF toolkit, but the more I play, the more I like it!

I Wandered and Watched the People

I’ve always loved people-watching, even when I was a kid. It’s part entertainment, but it’s also part information gathering. By watching a group of people it is possible to learn about their norms, preferences, and subculture. DEF CON has multiple common themes of sub-groups, from the stereotypical young, white, males wearing geeky t-shirts, to clusters of people who came from abroad who travel in packs, to older, grey haired folk whose eyes reflect years and years of staring at scrolling screens.

Things I Did Not Expect:

I was not the geekiest person in the room!

This is unheard of in my regular life, and has been the same in my professional one. Even when I was surrounded by programmers, DBAs, and network engineers, my geek factor has always been the highest of any team on which I worked. But while I was at DEF CON, I was not the geekiest person in the room. Ever! It was… lovely!

I didn’t have to dumb down my technobabble

In the “real world” most of my interactions are with “normal people”. You know, people who think a packet is something you open to get food or vitamins or Kool-Aid out of. As a result, I have gotten really good at keeping my technobabble to a minimum so as not to intimidate or annoy the people around me. At DEF CON, that was not a problem! Not only did I get to listen in on some amazing talks and conversations that went from zero-to-hex in 0.0625 seconds, but there were a couple of times where I was talking shop with folks and found myself amazed at how I was able to converse in high geek without needing to translate (or transliterate) into English. Ah, such bliss!

I felt very comfortable and accepted

I have heard more than a couple stories from women who felt disrespected while at DEF CON, but I was fortunate in that I had no such experiences. Granted, I did spend a lot of time connecting with friends there, most of whom also happen to be female, cis or otherwise. I also spent a good deal of time at the Diana Initiative, and at other events which focused on women in cybersecurity, hacking, and/or infosec.

Even so, the diversity present at DEF CON 26, both in terms of gender and in terms of culture or nationality, was reassuring. Too many times I have been the only woman in the room, surrounded by male colleagues who routinely talked over me, ignored my input, or flat-out insulted me to my face. I know with certainty that sexism, racism, and bigotry exist in the hacker culture, and that it was demonstrated during DEF CON. Fortunately, I did not personally witness any, nor was I on the receiving end… Except maybe once, but he was just some random guy in a casino and was easy to handle and send on his merry way.

Things I Wish I Had Done Differently:

The weight of my 15-inch “disposable” laptop was a bit much to be carrying around during the con, and on the walk to and from DEF CON and my hotel[2]. That particular laptop is good for on-site trainings where I’m sitting in a hotel conference room for 8-10 hours of lecture/lab training, but it was a bit of overkill for the con. Next time, I’ll bring lighter equipment.

I’ll try to get to more talks and visit more villages. I know I’ll never be able to visit them all, but next year I will make a more concerted effort to hit more of them.

Upshot & Plans for the Future

Going to DEF CON 26 was not a “life changing” event for me, but it was another affirmation that leaving web development behind was the right choice. I cannot express enough how grateful I am to the folks at Day of Shecurity for organizing the raffle and helping with the dozens of details involved in getting me there. Likewise, I want to give a shout-out to the folks at BrainBabe/CyberSN, and to all the other Day of Shecurity sponsors for everything they did to make my trip to DEF CON possible.

As for the future, I’ve already started making plans for DEF CON 27, including hotel reservations and several to-do lists. Woo ha!


[1] Day of Shecurity (DoS) is a non-profit organization dedicated to encouraging and empowering women who work in or are interested in joining the cybersecurity workforce. Additional information about DoS can be found at their website (https://www.dayofshecurity.com/), or on Twitter at @DayOfShecurity.

[2] I did not stay at Caesar’s, and based on multiple reports, I’m really glad I didn’t!
