Every summer for the last 26 years, hoards of hackers have descended on the Las Vegas Strip for DEFCON, the biggest hacker conference in the US. There's a wealth of talks every season (DEFCON 27 has at least 95 scheduled), and there have been some essential topics to learn from in past discussions. We've dug through the last ten years and found the 15 most popular talks you should watch.
A couple of months after one of its conferences ends, DEFCON diligently posts videos of speakers' talks on YouTube, so you never have to worry about missing one. It's not uncommon for people that physically attend DEFCON to never go to a speech, and they can also rely on watching them on YouTube afterward.
DEFCON is all about socializing and networking, which makes it easy to wonder where all the time for talks went after leaving. But that doesn't mean that the discussions aren't worth watching. They can be profound, and it's not uncommon for zero-days to drop. Presentations can be anything from in-depth how-to guides and 101 classes to funny hacker storytime sessions.
Whether you're new to DEFCON or you're a veteran attendee, make sure to check out the following 15 talks. They're sessions over the years that every hacker or aspiring hacker should view. For the list, we've used view counts as the scoring metric, in order from lowest to highest. View counts come from all versions on YouTube, duplicate content included. The views counts of the videos embedded here do not represent all the view counts, so keep that in mind.
To start, we have a presentation about cracking massive password lists, an excellent primer on cracking passwords from large database breaches, from DEFCON 17. (The talks alternative title is "How to Explain to Your Roommate Why the Power Bill Is a High.") In particular, the talk covers the old phpbb.com breach which contained 340,000 username and password combinations.
The speaker, Matt Weir, then a doctorate student from Florida State University, discusses his experience in cracking that list and his troubles with everything from dealing with large password lists to salted lists. Then, he releases all the tools he used in the process. Watching this video is crazy and humbling now because of the massive computing power that we have to throw at such problems thanks in part to the cryptocurrency boom and GPU mining. With modern technology, it isn't difficult to find or make a GPU password-cracking rig that could burn through that same list in hours.
Be sure to watch the video to see the basics of password cracking and to appreciate just how far we've come in ten short years. Be sure to pause the video when passwords are being churned out, as the results can be hilarious.
If you've ever wanted to master the art of trolling, then this talk from DEFCON 19 is for you. Matt 'openfly' Joyce, best known as "the guy that has been banned from just about every server and forum known to the internet," dives into the history and misconceptions of what trolling is and how it has such a close relationship with hacking and hacking culture.
Matt looks at the history of trolling in society and the techniques that are used to maximum effect. Along the way, he tells stories about various projects and successful trolls, which all provide amazing lessons in social engineering and the practical application of trolling and disinformation. It's truly a timeless talk, as you can always draw direct relationships to the current times with examples like Russian troll bots and radical political entities.
If you are interested in social engineering and want to understand better the methods trolls use to combat them more effectively, or if you wish to hone your trolling skills, watch it. Then, practice your trolling skills in the massive training ground that is the comments section of the video.
This is a truly fantastic presentation from DEFCON 19 covering the basics of lock-picking and various other methods of opening or unlocking things that weren't intended to be unlocked. Schuyler Towne explains how to open virtually everything you would want into — cars, safes, briefcases, and more — all with commonly available objects.
It's a must-watch because someday if you lock yourself out or are illegally detained, you may need to know this sort of thing and become your own personal James Bond. If you're a physical penetration tester, I would suggest watching this several times and taking notes. It's amazing how some common trash can defeat costly locks and safes.
Zoz, a robotics engineers, had a talk at DEFCON 22 about civil disobedience and not getting caught. It's really a rant more than anything, but it's an entertaining rant. The presentation uses some spectacular screw-ups on the part of the surveillance state to analyze what their capabilities are and maximize your chances of maintaining your freedom and anonymity.
It involves covering your tracks online and using burner phones as well as other ways to collaborate with people privately. If you have anything you wish to hide, then the video provides a great starting point. But be aware, at this point, that even watching the talk will probably get you on some kind of list.
Now we've got an insanely entertaining talk from DEFCON 23 that anyone with an annoying neighbor can sympathize with. Plus, the speech by Michael Robinson came out when drones were first starting to become mainstream and has helped highlight their vulnerabilities. It serves as an excellent primer on various drone countermeasures, including GPS spoofing and targeted signal jamming. Life lesson: never annoy a hacker with lots of spare time.
Hackers and the government are not exactly known for agreeing with each other. There can be quite a lot of misunderstanding and animosity between the two groups. The video from DEFCON 21 doesn't exactly change any of that, but it's a fun hacker storytime that also serves to build a bridge of understanding between these two groups. It's a must-watch for anyone in the hacker community considering a job with any of the government agencies.
In his talk, Peiter "Mudge" Zatko, who was a part of DARPA, discusses four stories, those being:
- Julian Assange's story about the US government's involvement in WikiLeaks' origins.
- How the Department of Defense (DoD) unintentionally caused Anonymous to target their systems.
- How the defense industrial base's poor security works financially in its favor.
- Cases where the government missed opportunities for positive outreach and understanding with the hacker community.
While these stories have been in the news, you likely haven't heard this angle on them or listened to the behind the scenes and decisions that went on.
Another hacker storytime-style talk, the video below highlights inept computer users and their attempts at "anti-forensics." Eric Robi, a forensic examiner, and Michael Perklin, a cyber investigator, are both your stereotypical super awkward turbo-nerds, but they know what they're talking about.
In their DEFCON 21 talk, they provide some powerful life lessons on how and when you should delete data and how deleting data can come back to bite you. Innocent people have nearly gone to jail for removing the wrong bit of data, so be sure to watch the talk so that it doesn't happen to you.
You may not realize that they ever-present SIM card is a tiny CPU itself. Small Java programs can even run on it separately from and without knowledge of the phone's operating system, which is precisely what the DEFCON 21 talk below covers.
Karl Koscher and Eric Butler use their experience building SIM card apps for the Toorcamp GSM Network, and they explain what those applications are and how they can be used, including the Java card standard. It's a more profound technical talk, so consider yourself warned. If you're into phone hacking, it's worth a watch. (If you're watching and wondering, they renamed it from Isis to Softcard for obvious reasons.
Have you ever wondered how spammers make their money? Well, you don't have to be a Nigerian prince to find out. Grant Jordan wondered the same thing and embarked on a four-month-long odyssey of attempting to make money off spammers.
In the DEFCON 17 video, alternatively titled "How I Learned to Stop Worrying and Love the Spam," he talks about how he tried and failed along the way until he eventually developed a program that was able to target stock trading spammers by reading thousands of emails, eventually out-trading them. It's more of a thought exercise than a real attempt at making money, but it gets some gears turning in your head about other ways to hack the hackers.
Again, we have another talk which is more story than an explicit how-to guide. Nevertheless, it's worth watching if you're at all interested in botting, web scraping, or otherwise manipulating products sold online.
In the DEFCON 21 talk, Michael Schrenk goes over his experience building a used car buying bot for a car dealership and the evolution of the bot over time as other competitors, namely Russian hackers, attempted to do the same thing. It provides some pretty surprising insights into bot optimization and working with websites as fast as possible, as well as tips on staying below the radar, so others don't catch on to what you're doing.
We've got another fantastic video for physical pen-testers, and this is something we've covered before in-depth on Null Byte. Elevators are often integrated as part of the access control systems for buildings, yet due to fire safety concerns, there has to be a manual override for firefighters. Overrides can also be easily exploited by anyone with a little bit of lock-picking skill or a unique key. Be sure to watch the DEFCON 22 presentation by the CORE Group and Deviant Ollam for an in-depth history of elevators and everything you could want to know about hacking them.
Now for one of, if not the best, social engineering talk that appeared at the hacker conference. The DEFCON 19 talk serves as a powerful reminder of just how much chaos can be sowed by a single person with a nefarious purpose. What sets the conversation apart from the others is the fact that the speaker spends just as much time covering the counters and the defense for everything that he's talking about, which makes it a valuable presentation for anyone organizing physical security or training employees about social engineering tactics.
It's not hard to see why the DEFCON 19 talk below is popular since there's a lot of overlap between hackers and gamers. There are also a lot of misunderstandings, particularly in the gaming world, where the term hacker gets thrown around every time someone loses. The talk does a lot to clear up what is and isn't possible in MMORPG hacking and just how it's done.
A lot of people get very annoyed with one of the speakers (Josh Phillips), but don't let it dissuade you from watching. The discussion serves as a great base of knowledge if you're interested in hacking video games yourself, as it covers software bugs such as item and money duplication, as well as botting. With gaming being a multibillion-dollar industry, there's a lot of money up for grabs for hackers and developers alike.
With the evolution of Internet of Things devices, the hackable attack surface of virtually every home and business has grown exponentially. The growth of IoT coincided with startup culture, and they combined to create products where security was an afterthought — if a thought it all. Naturally, this led to a festival of hacking carried out by The Exploiteers team in which they hacked everything, including TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways — 20 devices in all.
Thanks to the talk, as well as broader security concerns by the public in general, IoT devices have made steps towards being more secure in the following years. However, they still leave something to be desired. Be sure to watch it to find out about the most common mistakes developers make and how you can exploit them yourself.
Finally, we have the most popular DEFCON talk of all time. At least, according to YouTube. It's another legendary hacker storytime talk about Jason Scott, filmmaker and archivist. He's founder and operator of textfiles.com, a website which archives the early internet, and it got him sued for two billion dollars! So be sure to watch this hilarious recounting from DEFCON 17 of getting sued, and maybe you'll walk away a little wiser.
Overall, DEFCON is an excellent conference with the long and storied history of producing amazing talks. We've only looked at the 15 most popular talks today, but they are plenty more worth watching on the DEFCON's YouTube channel.
It's also worth looking into talks from the various sub-conferences, aka villages, that go on. Once you plow through all of those, it might be worth looking deep on the internet for talks from the early years of DEFCON. They can be quite challenging to find due to how small it was at the time, and since it was 30 years ago before YouTube was ever a thing.
There will likely be more great talks to come, and some may be right around the corner. DEFCON 27 runs from August 8–11, 2018. Future DEFCONs run once ever summer, so there will be plenty of presentations to come.
Disagree with our picks? Did we miss your favorite? Let us know in the comments below! And thanks for reading. If you have any questions, you can ask here or on Twitter @The_Hoid.