Defcon is the largest hacker conference with something for everyone, whether it be the talks, parties, villages, or any of the hundreds of events. In this guide, we'll take a holistic view at everything that goes into attending the con for the first time, from securing your electronics and making the most of your time to the logistics of getting there and finding the right place to stay.
Thousands of new people attend Defcon every year, and Defcon 25 was said to have 25,000 attendees, forcing it to expand to two venues. No single hotel is large enough to hold all the hackers that descend on Las Vegas every July/August.
Not all of those people attending will be familiar with the security industry and culture. Sometimes they are sent by employers, some are reporters hoping to get the latest scoop, and a handful are just curious tourists and happen to be in Vegas at the time. Most, however, are fellow hackers and tech nerds just like you. This makes Defcon one of the best places for hackers to go and meet like-minded individuals.
So for those who are unaware, the networks are hostile, and the Wall of Sheep is real. The con is the combination of some of the most brilliant minds in the industry, some of the most annoying pranksters, and a few well-meaning drunks. With that in mind, I'm writing this article to help those new attendees or noobs have a fun and exciting experience.
If you only know the name Defcon (sometimes stylized as DEF CON or DEFCON) with nothing but a vague notion that it's a hacker conference, then you should know that it was started in 1993 by Dark Tangent (aka Jeff Moss). As he put it:
[I]t was ... meant to be a party for member[s] of "Platinum Net", a Fido protocol based hacking network out of Canada. As the main U.S. hub, I was helping the Platinum Net organizer ... plan a closing party for all the member BBS systems and their users. He was going to shut down the network when his dad took a new job and had to move away. We [were] talking about where we might hold it, when all of a sudden, he left early and disappeared. I was just planning a party for a network that was shut down, except for my U.S. nodes. I decided what the hell, I'll invite the members of all the other networks my BBS (A Dark Tangent System) system was a part of including Cyber Crime International (CCI), Hit Net, Tired of Protection (ToP), and like 8 others I can't remember. Why not invite everyone on #hack? Good idea!
The first Defcon was so successful, with the hundred hackers that went, that there's been a Defcon every year since.
For a complete history of the con, I highly recommend watching the full documentary embedded below, which is nearly two-hours long and goes into much greater detail than I could ever possibly do in this article. There are some fantastic interviews by Dark Tangent and the other founders, which provide a rare behind-the-scenes context for how the con grew to be what it is today.
My first time at Defcon, I was little more than a script kiddie who had watched this documentary and got excited about the con, yet some people mistook me for a veteran con-goer of several years. Plus, it's quite nice to know what people mean when they talk about Alexis Park. At the very least, download the documentary and watch it while you're traveling to the con. This way, you'll feel more a part of the culture, and people will take you more seriously without just writing you off as one of the thousands of noobs.
So you want to go to the con? Great! If you can spare the ~$750 and a few days during the summer (usually during the first half of August, sometimes with a few days at the end of July), then here are the steps you need to take to go!
At first glance, planning when to go may seem simple, however, counterintuitively, some considerations could change the exact dates for you. Defcon is always near the beginning of August and goes on for four days Thursday through Sunday. Check the Defcon website for details on upcoming events.
- Defcon 26 = Aug. 9–12, 2018
- Defcon 27 = Aug. 8–11, 2019
- Defcon 28 = July 30–Aug. 2, 2020
Something that is not often mentioned is that many people cut out Thursday and Sunday for various reasons, ranging from not being able to get off work to travel times. Thursday is mostly a registration day, so it's okay to plan on visiting Defcon then. There are usually a handful of talks in the evening, either in various villages such as Skytalks, or one or two official Defcon talks.
If you want to guarantee that you get a Defcon badge or to be one of the first ones to hold it, then you'll need to arrive sometime on Wednesday and lineup in the early a.m. hours of Thursday to be first in line. Also if you're into target shooting, plan on coming Wednesday to attend the unofficial Defcon shoot. On the other hand, if you have an employer with a few thousand to spare, you can try to convince them to send you to Blackhat, the corporate version of Defcon. It takes place in the week leading up to Defcon, Saturday through Thursday.
A majority of people leave sometime during the day on Sunday to be back home for work on Monday, although there are some people that stay and leave on the earliest flights on Monday. If you do decide to leave on Sunday, you're not missing much. Most of the talks, parties, and villages go on during Friday and Saturday. On Sunday, it's mostly just wrap-up events with a handful of lectures and parties.
If your schedule is flexible, I highly recommend adding a day or two onto either end of the trip to spend some time exploring Las Vegas. The price difference from taking a flight during the middle of the week can often be enough to pay for the extra day at a cheap hotel or Airbnb.
TL;DR version: You can skip most of Thursday and Sunday if you want or need to. Otherwise, consider adding a day or two on either end of the trip.
There are two primary ways to get to Defcon: drive or fly. If you live on the west coast, packing a bunch of hackers in a car and road-tripping to Las Vegas is a traditional hacker pilgrimage. However, driving may not be practical if you live on the east coast or outside the US, which means that a vast majority of attendees will be flying.
If you are flying and not familiar with the general tips to flying cheap, Nomadic Matt has an excellent guide. Not all of those tips are super helpful for us, though. The biggest things for us to keep in mind is to fly in the off times as much as we can and book at the right time.
Thankfully, in this day and age, services like Google Flights and Hopper do most of the hard work for us. With Google, in particular, you can even look at the prices as flexible dates or price graphs by clicking "Dates" or "Price Graph." The "Dates" tab is best if you want the cheapest flight and have a flexible schedule.
Don't forget to factor in the cost of your accommodations. Depending on where you end up staying, it could be cheaper to stay an extra day, or you can stay extra time for the same cost and get a little extra vacation.
If you have your dates locked in, then use Hopper. It will predict when is the best time to book the flight and can track it, giving you push notifications on your phone when it's time to buy. However, don't purchase it through Hopper. Go directly to the airline when it comes time to buy, and you'll save a few dollars off Hopper's commission.
TL;DR version: If you and or your friends live within a two- to three-hour drive of Las Vegas, then drive, otherwise, fly and use Google Flights if you can use flexible dates or Hopper if your dates are locked in.
The main advantage to staying at the hotel hosting Defcon, such as Caesars Palace or The Flamingo for Defcon 26, is the convenience of being centrally located. Don't underestimate how nice it is to be able to go back to your hotel room and drop stuff off or pick things up throughout the day and the ease of stumbling back to it when it's late and your brain isn't working at full capacity.
However, all of this convenience comes with one major downside: the cost. Even with the Defcon room rates, it can easily be three times as much as staying at a cheaper hotel or Airbnb farther away.
If you are on a budget, I highly recommend getting an Airbnb a few miles away from the strip and Ubering to the con each day. It's the cheapest option if you're traveling solo to the con. Just remember to factor in the cost of the Uber. The nightly average Airbnb rate for Las Vegas is $191, but I have had luck consistently finding one for around $50 a night. Either way, you can save as much as $200–$300 just by doing Airbnb.
TL;DR version: If you're going alone and your budget isn't an issue, stay at the hotel hosting the con, otherwise, get an Airbnb a few miles off the strip. If friends are also coming, cram as many as of them as comfortably possible into the hotel room and split the cost.
Now that you know when you're going to be there, how you're going to get there, and where you're going to stay, it's time to plan what to take. If you're flying, try to pack light and travel carry-on only — it will make your life much more comfortable at the airport. If you need help with coming up with a general packing list, then use the PackPoint app for Android and iOS. Otherwise, let's look at some of the significant things you don't want to miss.
The first major decision to make is whether or not you're bringing electronics and, if so, which ones. As mentioned before, the networks and airwaves at Defcon are very hostile. If there's a zero-day for a device, Defcon is one of the places it would be demonstrated.
The safest thing to do is not bring any electronic devices at all. However, that can be hard sometimes because it's impossible to fall along with talks, do workshops, and access the Defcon app. If you have a burner phone or an old laptop that you can wipe, this is the time and place to use them.
If you do bring a laptop, it should never be out of your sight. Install a fresh OS with the latest updates and the bare essentials as far as programs go. Do this at home before you even get to Vegas — there are attacks that can look like firmware updates and they can be impossible to remove from the device after.
When you get home after the con, do the same thing: a completely fresh install. You can protect your primary machine, but you have to account for the value of the data on it and understand the implications of what you are doing. If possible, use a self-encrypting hard drive/SSD or a software solution like BitLocker and PGPDisk store the keys in memory; This should deter most of the average pranksters.
Defcon does provide a secure Wi-Fi network which should be OK for most people to use. Although, if you do go this route, be sure that you can positively ID the network and it's not some random hacker spoofing the network name. Just remember not to buy anything online, enter passwords, etc. while at Defcon regardless of the network. Also, always use a VPN. If you don't have one, buy one, and disable your 3G network to help deter sniffing.
Defcon is a cash-only event, so at a minimum, you'll need $280 to get into the event itself. Additionally, assume that all the vendors inside only accept cash, so your best bet is to get enough money for the entire con out of the ATM before you land in Las Vegas. There are lots of rumors about ATMs in and around the con being unsafe, so if you do have to use one, either go several blocks away or visit a banking location and get it in person.
The next major thing to remember is to bring water — you're in a desert, after all. If you're flying, remember you can take an empty water bottle through TSA, and then fill it up at a water bottle refilling station or water fountain inside the airport. It's especially important to drink plenty of water while flying to fight the effects of jet lag.
Drinking water is also critical if, like many Defcon-goers, you plan on drinking (alcohol, duh). Water at the hotels can be quite expensive, so take a few bottled waters or a refillable water bottle. You want to maintain a 16:1 water-to-booze ratio. So remember, one bottle of water for every ounce of alcohol, and you can thank me in the morning.
Las Vegas is extremely hot during the summer. It can go above 100ºF during the day and remain there even into the evening, so pick your clothing accordingly. Jeans and tee-shirts are relatively standard. And don't forget swimwear for all the pool parties!
Badges are a vital part of the con culture. You get one badge from Defcon itself, but there are many more out there. Different villages will make there own, as well as individual indie developers. Besides being cool and useful, they are an easy way to communicate to those around you what groups you support or which villages you're interested in.
So if you're into Badge life, remember to be on the lookout for indie Defcon badges on Kickstarter and other websites. They usually pop up a few months before the con. They can also be purchased for cash at various villages but the lines can get long, or they may sell out, so if you go this route, try to get there early Thursday and purchase them then.
There are a few other things you want to be sure to bring:
- A lightweight and comfortable bag for swag and gear.
- Snacks, as food can cost a lot on the strip.
- Something non-electronic for notes such as a notepad (vital if you're going to Skytalks).
- RFID blocking wallet.
- PGP fingerprints on business cards or something similar.
- Power strips so you can plug a lot of stuff in.
- Battery pack for when you can't find an outlet.
The first and foremost thing you'll do at Defcon is follow the 3-2-1 rule. If you're unfamiliar, that means three hours of sleep, two meals, and one shower every day. Everything else you do at the con is optional. With that as your core schedule, you can build upon it as you wish.
While the talks are extremely valuable and exciting, I would discourage you from having them as your sole focus, because you'll miss some of the best parts of the con. All the talks will be online later, so you don't have to worry about missing them. Do note, however, that Skytalks are not recorded, so you may wish to give them slightly higher priority if that's your sort of thing.
There is one talk that I recommend every one of you go to though, and that is the Defcon 101 panel, which is usually on Thursday evening. It's a great place to go and learn about many facets of Defcon, as well as to meet other individuals that are new to the con. If you're brave enough, you can even be given a hacker name in front of hundreds of fellow hackers and tech nerds. If you're interested in seeing what's in store, the video below will give you a much better idea of the kinds of villages and contests at Defcon.
With that information in mind, read the program, visit all the villages, and participate in some contests and events. Don't forget to enjoy the various entertainment and parties at night too. As much as Defcon is about learning, it's even more of a social gathering. It can be quite daunting with all the activities, so try to narrow in on what you find most enjoyable, perhaps a particular Village such as social engineering or wireless hacking, and spend the majority of your time there.
The Villages are like mini-cons unto themselves with talks, workshops, and contests of their own, so you can very easily pour all of your time into just going to one and doing nothing else at Defcon. If you insist on going to different talks and villages throughout the day, be careful not to waste too much of your time in "line con," the joking name for standing in long lines. Be sure to get to talks early to be near the beginning of the line, as some of the more popular discussions can fill up quite rapidly. Even being 20 minutes early for them, you can be so far back that you aren't allowed in the room because of fire codes.
If at any point you're lost or need help for any reason, you can look for the Defcon "goons" in red shirts for help. They're there to help you with whatever you need. They're the security team, and their job is to make everyone feel safe and ultimately happy. Don't be deterred if they come off as gruff, though — they probably have been asked the same question 200 times and may be frustrated, but they are there to help you.
Like I mentioned before, parties are perhaps the most significant draw of Defcon, and there's one every evening. In fact, multiples. Some parties are open to everyone as well as invitation-only ones. Several are hosted by Defcon itself and will be on the program, while others you'll have to hunt down yourself. You can always Google "Defcon parties" and find websites like Defcon Parties which will help you find the lesser-known ones, but by far, the best way is to make new friends and socialize. If you're nervous about meeting new people, try doing this:
Buy a six pack of beer and walk up to the first group you see, say, "anybody want a beer and let's hang out!" No kidding, you'll make new friends, some of the people that I've met in similar ways have been my friends now for 20 years. Oh, if that group sucks, and it does happen, there is, in fact, suck at DEFCON, just say bye, get 6 more beers and walk up to another group.
Hopefully, now you have enough necessary information to make your journey to Defcon for the first time. I've had to gloss over a lot of details but the videos linked can help fill some of that in, so be sure to watch them. Go to the con, take yourself out of your comfort zone, meet some new people, and learn a lot of new stuff.
Thanks for reading! If you have any questions, you can ask them right here or on Twitter @The_Hoid. If you think we missed some vital information or have tips of your own, let us know!
Want to start making money as a white hat hacker? Jump-start your white-hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.