Hacked - DEFCON: The Biggest Hacking Event in the World
Episode Date: August 16, 2024
Every year DEFCON, the world’s biggest hacking conference, descends on Las Vegas for a weekend of digital mad science, security, and community building. We braved the desert heat to go find out what it’s all about and to see how many people would talk into a microphone at a privacy-centric event. Check out the Capture the Flag replays here: https://www.youtube.com/@livectf
Transcript
You're not allowed to record audio or video of the social engineering competitions at DefCon.
So we're just going to tell you how it works.
Picture a big room in a conference hall.
It's a couple hundred people watching the contest.
There's a table of judges up front and behind them are giant video displays.
Off to the side, there is a noise isolated booth, big enough for two people.
The booth is wired up with mics and cameras, which are being live broadcast onto the screens for everyone to watch and listen.
Inside the sound isolated booth there is a phone.
You can hear what happens in the booth but the booth is isolated from the rest of the hall for reasons that will become clear.
The idea of the contest is simple.
A team or individual steps into the booth, shuts the door, and when they're ready a 22-minute timer starts.
The team has those 22 minutes to get a target onto the phone, and once they do the goal is to social engineer them into sharing information they shouldn't.
You could call it competitive lying?
They call it vishing.
So we sat and enjoyed a few hours of the vishing competition, which I guess is the same as phishing, but just voice phishing.
It was great to watch.
Tons of fun.
Sad, you couldn't record it because it would make amazing YouTube content.
The target was a large phone company.
The competitors are trying to get information out of the company.
And at the end, they're scored by the judges out of 10 like it's the Olympics.
It's not random social engineering. The competitor has to write what they call pretexts,
stories or premises for why they're calling. And I think if they want to change pretext,
they have to change literal costumes. I'm not sure if that's a rule or a custom.
No, I don't think that was a, I don't think that's a mandatory thing. I think that's like some
flavor for the points for the judges. Like a little flavor. Sure. A little extra sum,
some. So if you want to change from, you know, saying you're with customer service to saying you're
with an external vendor, you'd switch outfits. You toss on a new wig and a new shirt. They're also
wearing a heart rate monitor. So everyone can see on the screen when their heart rate spikes when someone
answers a call or a call starts to go south. Apparently, they do months of research and prep for this.
We're going to tell you about one of the last teams of the day that we saw. Two guys step in. One of their
costumes is a Guy Fieri wig. They go in with this whole bit and these Boston accents.
Most of the calls they make, either no one answered or the numbers were busy, so it forwards to an
automated system. But about halfway through their 22 minutes, they finally get someone on the phone
from the target, which was a physical brick and mortar store for this big company.
And they start in with this story. They were from a local radio station.
The story had something to do with leaving equipment at the store for a radio remote they want to do the next day.
It's honestly going pretty well. But then they get into this back and forth
about a verification number. And the target says she's just going to call back. So the call ends,
the audience lets out a big groan. Ten minutes has already elapsed. So they change story. The clock is
counting down. Now the pretext goes, they work for a big tech company. And they're trying to drop
off these fancy new VR headsets for an in-store cross-promotion type thing. And they just have some
questions. There's only a couple minutes left and a woman answers. She has this bubbly southern
U.S. accent and just like that, the main guy doing the vishing drops his Boston accent and
slips into a southern one. He just matches her enthusiasm and tone perfectly and starts to tell
the story. He locks in and so does the audience. Anytime she asks, is this a question for
someone else, he has a reason why she's the exact person he's supposed to be talking to. And pretty
quickly, he starts to get information out of her. He gets her to explain the security setup of the
store. She's so excited about the VR headsets. That sounds so fun. She totally gets the need for
security, but no, they don't have security guards. Oh, they want to keep them in the back overnight?
No, there's no security badge or anything to get into the back. They're just like keeps pulling
on threads, getting little bits of information at a time. And he walks right up to the good stuff.
He arrives at a question about connecting the headsets to Wi-Fi,
and if she could tell him a little bit about how the Wi-Fi network works,
and right as she's about to answer, the clock runs out.
Audience goes nuts, and the judges give their scores.
Eight, seven, nine out of ten.
This is DefCon, or just a small, a teeny tiny, but very famous part of it.
DefCon is the biggest hacker convention in the world.
It happens in Las Vegas every year and we went.
It's not strictly cybersecurity.
That's Black Hat, a different security conference that happens right before.
This one's really about hacking, hacking things together, hacking into things, hacking things apart.
There were 89 contests and puzzles and talks and very fascinating parties.
So we descended into the frankly foul Las Vegas heat to find out what it's all about.
It's three days of people hacking software and hardware and cars and infrastructure and voting machines and occasionally each other.
DefCon 2024, here on Hacked.
Okay, it's morning one.
We're walking to the convention center.
It's bloody hot.
It's really, really hot.
There's no other reason I'm recording other than to say
it's really goddamn hot.
This might be a terrible decision.
We probably shouldn't have walked,
but we're doing it nonetheless.
So DefCon is something that I've always wanted to do. And I don't actually have a reason why I've never done it before, which is like,
I'm old now. Like when I started, when I found out about DefCon, it would have been in the 90s.
And it would have been like, DefCon was a very different thing back then. I think it was, you know,
people that were hanging out in IRC chats and bulletin boards that would get together and kind of
have like the nerdiest party ever in Las Vegas where they would do, you know, crazy things.
And that spoke to me on a very primitive level at that age because that's what I was into.
And so to come back now like 20 some years later and it's it like I try and explain it to my friends and I was like there were like 40,000 people there.
It was most of the Las Vegas Convention Center.
Like one of the larger convention centers maybe in the world and it was packed.
It's a crazy, crazy thing.
What was your first take on it when we walked up?
I was, so I had heard that it was a big event.
I'd heard that it was historically thrown in, I think, a couple different casinos.
And this was the first year for a bunch of reasons that it was all going to be happening in one place,
this Las Vegas Convention Center, which is massive.
DefCon is almost like a collection of different conferences inside of a conference.
I was going to say just to give some context to the size of it, like the very first day of the actual conference, we went the day before to pick up our badges and we can speak on that day a bit.
But the very first day of the actual conference, we kind of just decided to walk around and see everything, get a full lay of the land, see all the different villages, see all the different capture the flag contests, kind of just get a read for the place.
On that day, we walked 32,000 steps.
That's how big it was.
20-some kilometers, like 24 kilometers, I think, on average.
And like, what is that, like 16 miles, 17 miles?
So like a massive day on the feet just to walk around and see everything.
It started in 1993 as a farewell party organized by Jeff Moss for a friend who had to leave the U.S.
It starts off as this one-time thing, but it's such a hit that it becomes an annual tradition, and it's just grown from there.
Grown to fill the one casino it was in,
to fill another, to fill another until now
where it's this giant convergence of people
in the middle of the desert.
There's talks on hacking and cybersecurity,
but everyone tells you,
while the talks are fun,
what you really got to get to
is the villages and the hands-on challenges.
Just pop by everyone's favorite game hacking challenge.
There's a number of Capture the Flag things.
They have a customer,
community game where it's all level-based and you have to apparently pass the levels by hacking
the game. And then they have downloaded a common steam game that has some anti-cheat
code in it, but not a full anti-cheat. And that is one of the extra challenges. So excited to come
back. It doesn't start for another 45 minutes, but we're going to check it out. There's capture the
flags. There's lock picking. There's Wi-Fi challenges. There's trying to cool a beer in the Nevada
heat using anything but a refrigerator.
There's a chill-it-yourself beverage section where there's two buckets with a bunch of tubes
between them, trying to cool them down.
No idea what's going on there.
There's hackers, there's tech enthusiasts.
There's also federal law enforcement and a whole sort of sub-narrative about spotting
the Fed.
Somewhere between 30 and 40,000 attendees, it's big.
The thing with having so many people, so the pre-day that we went to, the like pick up your badge day, was, like, they have a term for it in the schedule and stuff, and it's called line con.
And it's because the lines are literally monstrous.
So our first line con is starting with finding the end of the line.
We haven't found it yet.
We've been walking for, I don't know, about nine minutes.
And we are still, what looks to be, about 8,000 people away from the end of the line.
The line is moving faster than we are.
But the merch line, something like, you know, you go to a big conference like this,
it's your first time you've wanted to go since you were like a teenager.
You just want to pick up a t-shirt and bring it home.
And then you find the tail end of the merch line and it is literally 14,000 steps from the door to the merch room.
And you're like, maybe I don't need a T-shelators, down escalators in a different building.
Like, it's nuts.
Nuts.
Everyone got probably the coolest piece of merch in my opinion, which was the badge, which we'll get to.
Oh, yeah.
DefCon has a fascinating history.
I won't tear into all of it, but there's just every couple years something really fascinating happens.
2001, a Russian programmer, Dmitry Sklyarov, was arrested the day after for writing software to decrypt Adobe's ebook format.
In 2005, the company Cisco used legal threats to suppress a talk from a guy named Mike Lynn talking about issues he'd found in Cisco IOS routers.
In 2007, this one was relevant to us.
A reporter for Dateline NBC named Michelle Madigan
tried to secretly record a non-recordable talk
with a bunch of folks admitting to crimes,
at which point she was outed by the founder, Jeff Moss,
during a massive full-hall assembly.
It came to our attention that, you know,
could be that there's people here under false identities
or pretending to be something they're not.
and for our attention
that a reporter might be here
with a hidden pinhole camera
not as press
recording people for a piece
on hiring havers
I'm not cool with that
especially when they turn down the opportunity to get a press badge
so I need a show of hands
a new contest: spot the undercover reporter
DefCon staff tried to get her to get a press badge. She had refused. It was a whole big thing. And that is why
we got press badges. I'll say, DefCon is a fascinating place to roll into with press badges.
Some people really don't like it. But the vast majority we spoke to were curious and happy to have
us there and excited to talk, if not a little reluctant to be recorded because privacy is a really
big deal with this thing. So I've had press clearance throughout my life for various different reasons
to concerts, music festivals, functions, you know, many things.
And normally having press clearance comes with value.
You can side-step lines, access, like, speeches and talks without having to, you know,
normally queue.
You get some form of preferential treatment as you were part of the press corps.
This felt completely the opposite.
People would come up and be like, hey, what's the green badge?
I haven't seen one of those.
And you'd be like press.
and they'd be like, ooh, press, and they'd run away from you.
It was, it was.
No, they would say, ooh, press, fuck you.
It was a fascinating change from the everyday.
And I was like, well, we're not like the kind of press
that I think you think we are.
Like, we're not here to out people or record conversations.
We're just, like, here to kind of take it all in.
But the fact that we might talk about it after indicates that we needed this
flashy dayglow green badge so that everybody knew who we were,
which was interesting.
It was interesting.
So we were just walking, and the guy said, what color badge are those?
What's the green one mean?
And then he read it, and he saw that it said press.
And he threw his hands up in the air, and he said, oh, no, press, can't talk to you.
Ha ha, just kidding.
Except he wasn't kidding at all.
And then he ran away.
Like every convention, there are talks.
But as I said, the thing everyone told us was to check out the villages, these topic-specific areas of the convention, almost like mini-conferences.
There's the aerospace village, the car hacking village, the IoT village, recon, biohacking, lockpicking, ham radio, and the social engineering village that we talked about.
We started our first real proper day of the conference at the car hacking village, where a group of people had gathered around a Rivian truck that the company had brought to let folks try and hack.
The prize was a challenge coin sitting on the dash of the locked vehicle.
Okay, so what were we just looking at?
Well, we were looking at a beautiful new Rivian truck.
But next to it was a few of the control units for the infotainment and telematics.
Things that they'd pulled out and they'd had three capture the flag challenges.
To race ahead, we came back the next day and we were able to hunt down the guy who had won the contest.
And he was nice enough to talk to us, one of the few people who would.
Okay, can you tell us about what you did with that Rivian over there?
Right.
So on the head unit over there, there was a web interface that allowed you to disclose files on a file system.
You could leak a key and then log in.
Once logged in, you could talk to a diagnostic server that the TCU was able to, you know, reach over the interface.
And you could then read out some memory or you find some like leaked token or whatever.
And with that leaked token, you can then get on a VPN, the car's on, and do a little bit of some routing shenanigans, and then pivot internally into the car and perform an unlock of the doors.
And then just to back up a little bit, can you tell me this story of like coming here and doing this?
You show up yesterday, you sit down.
How was the process bit?
It was pretty quick, honestly.
I have like a slight issue with trying to talk to one of the wrong IP addresses.
But other than that, it was all very straightforward.
The Rivian people were super nice.
I had a lot of fun with them.
It seemed pretty cool.
How long in total did it take three to do it?
I'd say maybe four to six hours for all of them.
What's your background?
Is this kind of what you do for a living?
Yeah, I work in automotive.
I'm a red teamer.
So,
right in your wheelhouse?
Yeah, yeah.
You showed up yesterday morning,
he came right here.
Sure did.
Nice.
Congratulations.
Thank you so much.
Yeah, I appreciate your time,
man.
I don't think I really, like,
being somebody who's been like
outside looking in on DefCon forever,
I always knew about the main capture the flag event,
like the big kind of, you know,
reverse engineering app hacking one,
that everybody kind of talked about externally.
Like, I always knew of that one.
But I don't think I really understood
just how many of these village-based CTFs there were,
capture the flag CTF.
And the car hacking one was fascinating
because you had people from Rivian
who would not speak to us.
And then just teams of people
trying to capture three flags.
So there was like the three flags to get in.
There were so many technical challenges
in one place that had been specifically designed
for a specific group of things, people, it was kind of beautiful as somebody who's like from that world. Like the amount of work and like this is,
this is, this is I think a big, you know, this is me appreciating and thanking all the people that put time into
putting this conference together is because every single one of those flags would have taken tons of
planning, drafting, debugging. Like there would have been so much work put into creating these challenges and the amount of
companies that did it, volunteers that were a part of it.
It's honestly like the coolest thing I've ever seen in the cybersecurity culture.
So it's like I understand why so many people love this conference.
And I can understand why we're probably going to be back next year with our bright green badges getting told to fuck off.
I didn't really know what it was going to be.
And I had a similar thing where it slowly dawned on me that people had spent months, if not the entire preceding year,
of building these little real world puzzle boxes, these themed contests that people, some extremely
smart, competent people would show up on this day, sit down, hunker down, and dig into.
As we walked into the conference hall on that first day, walked up to the car hacking section,
we were passed by these like teams of people running towards it. And there were like, you know,
four or five folks, they would run up, they grabbed a table and they just hunker down. And they were
clearly there to do this. I don't know if they did it every year or they'd come the previous year
and decided we're doing it next year. But it was people that were, they were there to do that.
And the Rivian, the guy who hacked the Rivian, I think was no exception. He'd showed up and he
just grinded on that thing and he got in. It's really cool to see the amount of love and attention
that went into building all of these different, very niche, very challenging little puzzles for
people to solve. There was one puzzle
that was quite literally a vending machine
that gave out hack boys,
which were like Game Boy style.
We never actually got to play with one
because they were all gone by the time we got to that challenge.
Yeah.
But the,
but yeah,
so,
like there were so many cool things.
Like,
I can't say it any other way.
Like,
it,
coming from a cybersecurity background,
it's like,
and have never having experienced it,
it was beautiful to see
the commitment from and to the community
to put on something so cool.
The first puzzle that most people encounter
was the badge itself.
Most conferences you go to,
you have to line up and go through,
jump through a bunch of different hoops
to get the badge.
And the badge is typically a lanyard.
It's like a piece of cardboard on a lanyard.
It's very boring,
and it's a lot of work to just get a thing
that lets you in.
That's not the case of DefCon.
I talked to a buddy who was there two years ago,
and the badge that year was a literal,
it was a little synthesizer and you could plug them into other people's badges and jam together.
This year, it was a little video game.
It was a Raspberry Pi, a custom Raspberry Pi in the shape of a little kitty cat face.
And when you're wearing it as a lanyard, the hooks go through the little ears and it looks like a cat.
But if you flip it upside down to face you while you're wearing it, it turns into a little game boy.
It was the first day everyone gets the badges and immediately people are sitting down at these
tables and they're prying the thing apart, cracking it open, and they're just figuring out how it works.
They're plugging it in. They're seeing what's on the SD card. They're tearing apart the firmware.
They're just really getting into it immediately. You turn the thing on and you're greeted by this
game. And it says, DefCon 32, engage, press start. And it says, greetings hacker, welcome to
DefCon. Text starts to scroll. Enshittification has fallen over the net and all we hold dear.
We need your help to make a better place for us all.
Would you like to play a game?
And you choose yes.
When you do, it enters into a date and time screen.
If you plug in the real date and time for the rest of the conference,
the game itself is a live schedule of the event.
If you walk your little sprite into the real room of the real conference hall,
it will show you what event is playing.
And you start playing it's like a little Pokemon Red-style RPG
where they have recreated the entire Las Vegas Convention Hall.
It's a game about trying to find these little cats in the hall.
It's full of Easter eggs.
It's so cool.
The team that built it had members of like GB Studio,
which is some software for creating custom Game Boy games.
And the device is a full-blown, you know, Game Boy emulator.
You'd see people walking around with a link to the past on it and Mario playing on it.
They just basically gave out a little Anbernic retro gaming handheld to every single person that was in attendance.
My wife loves it.
I have to say.
The badge, huge hit.
But the other thing I will.
Because the other thing that Jordan bypassed, and because there's just so much to talk about the badge itself, is that it has controllable LEDs.
So you can make the cat's eyes different colors and you can do all this fun, cute stuff with it.
But there's also six control pins coming out of the top of its head, which I think you can probably, I'm not sure if they release the specs for the hardware on it, but I saw a lot of custom badge adaptations.
so people had plugged little pseudo smaller badges into the head of the cat,
which would then light up and do, like have their own little LEDs and signs and stuff.
So there must be power coming out of it at the very minimum.
But I'm not sure what other control for it.
But the fascinating thing is, is on the very first day we went.
Jordan and I sat down in one of the hallways and just were like chilling at a table,
chatting about things, making a plan for the conference,
looking through the schedules.
and this team of security people, all corporate professional security people,
I won't say who they were with, they asked for anonymity,
they didn't love that we were press,
but were still nice enough to talk to us,
just started like taking out like tool kits, physical toolkits
and breaking the badges down and like tearing into them,
like pulling the pieces out, checking on the chips,
looking at everything.
And they were just like, oh, this is the first puzzle.
you know, there's definitely a bunch of hidden Easter eggs inside of not only the software of this,
but the hardware. And this is the first puzzle to solve. So they were all just jumping into it,
which is, again, just speaks to the amount of attention to detail that the organizers and people
that participate in this conference put into it. There was unfortunately like a little bit of drama
surrounding the badges, which we won't dig into too much. There was sort of a back and forth about
the contractor who made the badge,
DefCon, the business arrangement between them.
I think it's much less interesting, unfortunately,
than the badge itself,
which is such a perfect little encapsulation of how,
kind of this community.
It's this wonderful little thing that a bunch of people had to come together,
he designed it, hacked it together, built it,
and it was built to be hacked apart to, you know,
take out the SD card, run your own stuff on it.
It's such a perfect little metaphor for the whole exercise.
And a great, probably the best,
piece of merch. The merch was really cool. Great shirts. Great hats. A neat fanny pack. I wish I'd
gotten one. But honestly, one of the best pieces of merch I've ever gotten is the badge itself.
You know what I'm most heartbroken about is that I didn't get, like, I came home with probably
100 stickers and not a single DefCon sticker. And my water bottle needed a DefCon sticker.
But the sticker packs were one of the first things to have sold out. Like in the Hacker Tracker, which is like
an app built to track security conferences and, like, show schedules and stuff.
They don't actually have a DefCon one.
They use this one called HackerTracker.
And it tracked also the merch in what was available.
And the sticker packs were sold out like the day before the conference it started.
So I probably would have had no chance of getting a sticker, but man, I would have loved one.
The thing I was really excited about for this was this thing called the Wall of Sheep.
Do you remember which village the Wall of Sheep was in?
Because I don't.
Yeah, data packets.
Datapacket Village, I think.
Datapack if that makes sense.
So we're trying to find it.
We walk down a hallway,
walk down another hallway.
And as you do,
I think trance music
just starts to get louder and louder
in the background.
The packet security
and packet hacking
workshop areas and villages
are definitely the most fun.
They have live DJs.
They brought,
it looks like all the equipment
was provided,
so they're giving like very basic overview
on like packet sniffing, port scanning, you know, network security forensics.
And I was telling Jordan that a lot of what's going on and hearing people are learning
is what we were seeing the people on the Rivian challenges doing,
which is like just accessing the network that they're connected to,
looking for what, you know, services, those units are running and connecting to them.
So it's kind of like a full loop.
Your first year here, you can do workshops, learn a bunch of the skills,
and then the next few years do the challenges.
And you walk in and there's a giant display up on the wall at this one particular village.
And it's called the wall of sheep.
They described it as an interactive demonstration of what can happen when network users let their guard down.
They passively observe the traffic on a network looking for evidence of users logging into email websites and other network services without the protection of encryption.
They find them and they put them up on the wall of sheep as a good-natured reminder that a malicious person could do the same thing they did with much less friendly consequences.
that's directly from the site for the village itself.
Long and short of it is that if you connect to an insecure network at DefCon
and you log in anything that doesn't have encrypted username or password,
it is going up on that screen for everybody to see.
There was a lot of reasons to turn off Wi-Fi and Bluetooth
on all your devices before you're running this conference.
But I was actually, you know, I think that like,
knowing and having known of the Wall of Sheep, I think that it probably was a way bigger deal like 10 years ago.
Like point to point encryption is such a key thing. Now like web browsers don't even like you
to go to websites that don't have HTTPS enabled. Like they'll warn you. You know, most services
these days use some form of point to point encryption. But I bet 10, 15 years ago, that thing would
have just been a rolling list. Yeah. But I feel like just given some of the steps forward,
that the community's made in pushing encryption as a standard and things like that.
A lot of that, it's not as impactful as it probably was 10, 15 years ago.
But again, a lot of reasons to turn off Wi-Fi and Bluetooth on your phone and your other devices.
And I think that the Wall of Sheep has become like a cultural thing.
I think there's people that go there and judging by the amount of pretty inappropriate
usernames and passwords up on that screen are intentionally finding unencrypted sites to log
into to get the credentials up on that screen. So I think it's a mix of legitimate security compromises
and just like a cultural thing that's become part of the conference. Totally. And you know what
this reminds me of is one of the days, Jordan and I stayed right next to the convention center
because we thought we'd walk to it every day. But as you know, you've heard, it is too bloody
hot to do anything in Las Vegas in the middle of summer. So we ended up Ubering a lot and we were chatting with one of our Uber drivers. Oh yeah. And his partner worked in
the accounting department at the convention center. And apparently the entire staff was given the term
of the conference off and they shut down all of the technical infrastructure in the building.
They turned off the accounting systems. They turned off everything. There was even an issue with the like soda
machines not being able to use the internal Wi-Fi because they had turned it off to so you couldn't
buy water out of some of the vending machines that were on Wi-Fi and not hard-lined.
And they also plugged most of the hardline Ethernet ports in the building that probably
weren't explicitly given to the conference for access.
So it was this, you could tell that the precautions were high.
Yeah.
I wonder what the Blue Team at that Dunkin' Donuts that was just getting railroaded the whole time was up to that whole time.
Or maybe no one's,
maybe it's like,
don't mess with that Dunkin.
Nobody's messing with the Dachian machines on.
They probably pour,
I would love to know how many donuts they sold
and how many gallons of coffee they sold.
Because the other thing coming from Canada,
we'd get like a regular coffee at this Dunkin' Donuts.
And it was like, like 800 milliliters.
Like they were massive.
Yeah.
Get a massive coal.
Like are y'all good down there?
Yeah.
It was nuts. It's like a pint. I was just like, I will have a cold brew coffee. And they're like, do you want, do you have a CamelBak you want to fill up? You got one of those Nalgene bottles? I was like a normal, normal human amount. Like, oh, you want to be anxious for the next four days. Got you. And I was. It was great. What a country. What a company.
Jordan, we'd gotten a coffee on the first day, like the day of the conference hadn't started when we went to get our badges. Jordan was tired from coming in. You know, we'd had some flight delays and other issues. And, you know,
Jordan's like, hey, let's go back to the hotel for a nap.
But first, I'm just going to crush one liter of cold brew.
I just stared at the inside of my eyelids for 90 minutes,
just having a panic attack and trying to sleep.
It was great.
Let's kick it over to some ads.
And then when we come back,
we'll talk about a kind of AI village contest thing put on by DARPA.
It's fascinating.
All right, we just stepped out of a normal conference into a really, really extra
LARP, I would call it. I don't know if you agree, Scott. I strongly agree. We are in a virtual
city built in the middle of the conference that has the splashiest group in it.
There's a Microsoft, Anthropic, and OpenAI, and a Google Village where you can talk to
their AI consultants, as well as the DARPA and ARPA village. You know how when you do laser tag,
it smells like fog machine juice everywhere? It smells like fog machine juice everywhere, is what
I'm trying to say. AI DARPA Village thing is, was fascinating, A for the fact that,
spot the Fed and all of these things in government distrust and COINTELPRO and all these things
from old school hacker culture.
It was interesting to walk in and find that the single largest installation there was paid
for by the government.
And it was different from everything else.
Everything else was big gray collapsible tables, like good old-fashioned conference tables
with stuff on them in little chairs and you could sit at them in a conference hall.
But in the middle of it, there's this giant, like, cube, a giant voided off thing covered in display panels on the outside and a lineup to get in.
Set the scene, Scott.
How did this thing go down?
This thing went down.
They had all of the lights off in this section of the hall, which was like a whole hall in itself, essentially.
It was an artificial cosplay city.
built inside of the hall that you accessed by riding a cosplay rail system into it.
So you got into a fancy little room that was sitting on airbags and rode essentially a train car into
this city.
It was very, going from very low production value, very high content value, the rest of the
conference into this place that was incredibly high production value was shocking to say.
the least, had LED walls. It had like, it was, it was beautiful. Like, kudos to everybody that
was, got paid to make it. You guys did a really good job. But it stood out like a sore thumb.
But it kind of housed this contest, which in itself was fascinating. Yeah. So you get into it and they
kind of unpack how this contest works. And I'm sure more technical people than me can explain the
mechanics of what people were doing. But what I gathered was that in this fake city with this
narrative of being a connected city of the future and oh no, hackers are taking it over, there's this
two-year competition of which this was the first year. And they're trying to figure out how to
create automated systems to safeguard open source software. So people are competing on this.
They're creating stuff to try and fix this challenge and everything that they're creating,
as I understood it, is going to be open-sourced at the end, which is why you had sponsorships for
Microsoft and Google and OpenAI, all putting a little bit of money into this competition.
And Anthropic. Don't forget Anthropic.
I forgot about it. You never forget about Claude. And at the end of which, I think, is a $4 million
reward, I want to say, a big fat cash money reward.
Yeah, first prize is, I think, $4 million. We never actually saw. So this is another thing.
well on site in all of the cosplaying and the theatrical design,
there was very little detail about the actual contest.
There was posters up that explained certain parts of it,
but we didn't understand that it was a two-year project.
We had to speak to people who mostly told us what the contest was,
all of which refused to be on microphone.
So you're going to get it back from us.
Shout it with Google.
They've got like a red team blue team AI thing.
So they had a couple of the red team pen testers
and a couple of the blue team securers.
And they're talking about the AI
that they're building and using.
They also let us in on the fact
that Google just released a real-time voice changer
that will footprint any voice
or thumbprint any voice in about 15 minutes of audio.
So don't do this to us
given that there's hours of us fucking talking on the internet.
Yeah, and turns it into a real-time converter.
So they use it for their phishing attacks and phone attacks and social engineering, and it sounds cool.
What I can't figure out is why would Google make that public?
I mean, like, listen, we've created a tool for real-time pretending to be someone else.
Google.
I think it's because it exists like 800 other places maybe.
So they just like, we may as well release our own.
That's better.
I don't know.
Let me see if I can wrap this up.
So what they did is they took five massive open-source
projects, the NGINX web browser, the Linux kernel, and three other ones, which I can't
remember. Sorry people. And they took the code bases for them. So millions and millions of lines
of code. Like these are all massive projects. And they introduced subsets of known vulnerabilities
into the code. So they introduced, you know, it was at least 10 vulnerabilities into each
code set. And it would have been different styles of vulnerabilities and have different
complexities. And then each competitive group or team had to create what they were calling a cyber
reasoning system. So they weren't creating an AI to solve it, which is kind of where I thought it was
going. But it seemed like they were building a cyber reasoning system, which included different types
of like static analysis, looking for structures, dynamic analysis, like looking through the code
at execution time. They created a whole model,
like an algorithmic model to test code bases,
identify vulnerabilities, and then patch them.
And that was the contest,
is that each team submitted their cyber reasoning system,
which then was launched against these code bases,
one after another.
And there was this beautiful Settlers of Catan map.
And if you understood what it was,
and it was all of the little hex tiles
were the different vulnerabilities that they had introduced.
and you'd see them light up as yellow.
The second one of the systems identified it as a vulnerability.
Given the players that were at the table,
DARPA's obviously got public interest governmental side.
They want code to be more secure so that, you know,
so the United States is less vulnerable to cyber attacks.
You've got Google and Microsoft.
You probably have large corporate desires of creating web,
or not web,
environments that auto flag potential security vulnerabilities and tell you how to patch them in
real time. That's a huge value to anybody that's building in Visual Studio or any of the other
Microsoft products or whatever Google's up to. And then you've got the AI bodies who are looking
at this taking what they can from the contest and these cyber reasoning systems and seeing what they can
train AIs to do. So I assume that's that's that's my assumptions, but I'm assuming that's how the
playground works in that village. The AI village that DARPA put on was the only one I think that had a
big fat cash prize. The majority of these contests that people are doing, they're competing for,
and we'll talk about this, these black badges. They're sort of this lifetime pass to DefCon
and a symbol that you showed up and you crushed it. They don't give out many of them. They're a pretty
big deal. The entire closing ceremony is giving them out.
And we don't have time to dig into every single one of these contests that we saw,
but we should definitely talk about the Capture the Flag contest,
because though there are many of them, it is sort of the big one.
Welcome back to the second day of Live CTF here at DefCon 32 in Las Vegas.
We will be starting our match really soon.
I think we have all the players in place right now.
So all the players, are you ready?
We are now starting in five, four,
three, two, one, go.
Good luck.
All right.
Capture the flag is cool.
If you are, if you are into that world, it is very neat.
Like I was watching, like we didn't sit and watch it in real time, A, because it's nothing to watch, really.
You know, you don't have the insight, but they were live streaming everything on YouTube, and you can watch the replays of it.
It's live CTF.
If you YouTube that, you'll see kind of a purple logo.
and if you go to their live functions, you'll see previous streams,
and you can watch the entire, like the primary DefCon
capture the flag contest replays.
And it was hosted by either A, the flag producers
or the puzzle creators and other technical people
who were giving insights and talking through the problems
as people were solving them.
And I've watched, I think, six hours of it at this point,
of the replays, and it is awesome.
If you're from a, it is, I would say, strongly technical.
The reverse engineering, disassembling, decompiling
software, you know, they're writing pwn scripts and things, and they're, you know,
digging through memory heaps.
Like, it is, it is not for the everyday average person.
But if you were into that, it is very cool to watch.
And it is amazing.
the speed that these people are doing this stuff at.
Because I remember doing this stuff,
and I would spend like weekends in the coffee shop
to get where these people would get in like five minutes.
And I was like, wow, they have made a sport of this,
and it is a sport of optimization.
All right, we're looking at the teams for the capture the flag.
It's like a big in-the-round space, huge table.
we've got Friendly Maltese Citizens, Maple Mallard Magistrates, great names,
hype boy, I like hype boy, cold fusion, and blue water.
Also, it doesn't look like it's any individual.
Everybody looks like they're here in large teams.
They're very set up, some with like external displays and laptop stands.
And there's a group called LiveCTF setting up a
broadcast studio where it looks like they will be doing the capture the flag live, probably on Twitch or YouTube.
So we're going to have to check that out after.
It's a very fascinating contest.
Way over my head, but the amount of excitement in the closing ceremony for who won that black badge for it was palpable.
And it went to the Carnegie Mellon University's Plaid Parliament of Pwning, or PPP, I guess there's three Ps.
It was their third consecutive title and a record eighth victory in the past 12 years.
These folks just rock this thing pretty much every year.
They were playing under the name the Maple Mallard Magistrates, MMM.
And in a lot of the replays that I've been watching, they are very good.
One of the best pieces of advice I heard from someone going into this,
and it proved out to be very true, is that you got to be able to resist
FOMO at this thing.
If you have a really bad fear of missing out, you're going to drive yourself nuts at
DefCon.
There's just too much stuff going on.
You could probably hunker down to any one of these things and spend the whole time there
and have a pretty fascinating time.
So in the spirit of that, there's no way we can get to everything that we saw.
He spent, you know, two, three days just bouncing from thing to thing.
But more on the culture side was just the parties.
So Las Vegas Convention Center ends at five or six.
the sort of like primary stuff every single day. And then a few hours later, nine, ten type
thing, the conference center is still open. And these conference halls have turned into parties,
much like the villages, they're put on by different people outside of the convention itself.
You've got Queercon. You've got furry con. You've got a whole bunch of
different cons as parties inside of this big event. The one, and we mentioned it earlier,
that Scott unfortunately wasn't able to make it to
was Jack Rhysider's Darknet Diaries party,
which I was very excited to go to.
I was excited to go in and talk to Jack
and hang out with a bit of party
because I thought that was going to be a thing
I was going to be able to do.
And I got to say, one of the coolest moments of this,
we've had, if anyone doesn't know,
Darknet Diaries is a fantastic cybersecurity show.
They tell hacker stories.
It's a great show.
It's a cultural phenomenon.
And Jack was putting on this big party.
And I roll up on the last, you know, proper night of the con to go to it.
And I walk up.
And I was so happy to see this.
The lineup went outside, went around the corner, went all the way up to the hall,
turned another corner, went all the way down another hall.
Full of people who were excited to go there and meet Jack and celebrate this communal thing that they all loved.
And it was such a perfect metaphor for the whole thing.
You know, in that case, it was that one show.
but this whole event was this massive celebration of a thing that I think people typically associate
as being isolating.
It is the flawed, incorrect archetype of the lone hacker in a basement somewhere.
And it's not.
It's tens of thousands of people all coming together in the desert to meet each other and form
community and build things.
And that party was just such a perfect little metaphor for the whole enterprise.
Well said.
Still sad I couldn't make it, but well said.
I didn't mean to hype it as I was hyping it. I feel bad. No, no, no, hype it up. Jack's a friend of the pod.
He is. And it was a very cool party. It was great to see him. I went to the closing ceremony where they give out these black badges. So as we've talked about, there's different types of badges. We had a green one. It was press. The default one was a cool, clear plastic. There's, I think, red ones for goons. We never even talked about, which are the sort of volunteers that run the whole thing. There's vendor badges,
there's presenter badges, but the badge you want, the uber badge, is the black badge.
And the end of this whole event is the closing ceremony where they give it out.
And it's really fun to watch.
One by one, the different teams go up and they give them one black badge that entitles you
a lifetime access to the conference.
They were handmade versions of the same badge with like gold detailing and a crystal that's
been, I don't know if it was irradiated, but had some connection to Las Vegas's
nuclear history. The designer of it went up and she explained it beautifully. They're really cool little
objects and they're this symbol of, you know, you know, I won. I did it. I showed up. I beat
everybody else. I got the thing. And there's so much pride. It was a lot of fun to watch.
So I think they get line privileges. Like they get, it comes with, I think, you know, not only free
entrance to the contest, but also kind of priority entrance into the conference. So yeah, it's, it is,
I'll say that in our days there, I did not see one.
That's true.
Which tells you something.
Probably just means that whoever had one was hunkered down at some contest with their head
into the computer just like tearing in trying to win another one.
So we probably wouldn't see them running around too much because they probably weren't running.
One of the things I was looking for in the notes and stuff when we got there was what CTFs
qualified you for a black badge.
And I'm not sure.
I know the main one does.
the team can win. I believe it's won. But I think that there's a bunch of other
contests throughout that end up giving away a black badge. I'm not sure which ones they were.
Maybe I'm wrong on that, but that would be a fascinating point for if somebody wanted to
return and maybe try to get one for themselves. There was a funny story about the badges.
It had to do with, I think it was the goons. And it was that so at the end of the event during this
final ceremony, it was really well done. There was a whole transparency section talking
with the number of times, you know, say, emergency was contacted or people who had some kind of
report to safety or security. They went through it all one by one, very itemized, very broken down.
But apparently someone faked, this is not encouraging this, but someone faked a goon badge
and social engineered their way all the way through the like back end security system,
all the way until the point where they like were talking to one of the bosses,
revealed they'd done this and they promptly hired this person for next year.
So that was pretty fun.
I was going to say, I feel like that's a bit of a metaphor for the,
what the conference has become.
Like the gentleman that hacked the Rivian, like sure you get a challenge coin,
but I'm sure you get a large technical job offer that follows that challenge coin.
I feel like there was a lot of that.
There's probably a very cloudy layer of technical recruiting going on.
Actually, one of the running jokes that Jordan and I had was,
I hadn't seen a technical recruiter here.
Like I just assumed there would be,
it would be full of like recruitment people
and, you know,
like people looking to place people into high paying tech jobs.
And this is a place where they come to farm contacts to do that.
Because you meet tons of people,
like just chatting in the donut line,
you'd meet some senior person at Nvidia.
And then the next time you're in another line,
you'd meet some other person who's got some sophisticated,
red team job at like Mandiant, and it's like it was just an ongoing thing that everybody you'd
ran into and chat with was like had a senior technical job and I was like I wonder where they're
hiding all the tech recruiters because I'm sure those people would be salivating and maybe they
maybe they have a process for keeping those people out of there which would be great but I feel like a lot
of the CTFs and stuff aside from the fun ones probably have a back end of like if you're the person to
do this, then maybe you should come work with us.
There's a little bit of drama throughout this thing.
Reference the badge thing, which is one of it.
The other thing that was fascinating was, there was a hotel.
So the conference books out these blocks of rooms at a couple different hotels nearby
that you can walk from in less time than our hotel.
And one of them, I think we name this because it's publicly disclosed at this point,
it's called Resorts World.
and it became clear partway through
that Resorts World was searching rooms for hacker tools.
They were sending security up to the rooms,
knocking on doors,
going into the rooms,
going through people's stuff looking for Flipper Zeros,
Wi-Fi pineapples, soldering kits,
looking for hacker stuff.
And boy did that,
boy did that piss some people off.
People weren't very happy.
There was a lot of anger directed towards that hotel,
which I'll be honest with you.
If I was in the hotel business, I'm not sure I'd want to piss that crew off.
They had given, apparently they had given, like, photo sheets to the house cleaning staff
to be like, if you see any of these things, make sure you report it.
So it was very targeted at the DefCon crew.
But with that being said, I'll say that we heard a lot of tales of DefCon crew people
mucking with the previous, in the previous years, mucking with,
the host environments, which is probably why the Las Vegas Convention Center shut down all of
their infrastructure. Also, why, yeah, I don't know. Also, if you remember, I think we had an
episode last year about certain casinos getting malwareed and shutting down and losing billions of
dollars of revenue. So they're probably all very sensitive to this topic right now. Not that that
allows them to violate people's privacy, but at the same time, I can see where their heads were at.
It's a push and pull of do you want 30,000 people's worth of economic injection into your city
more or less than you don't want that many slightly mischievous hackers converging in your city?
I don't know the answer to that.
But I hope that they keep letting it happen there because it was a very cool experience.
Yeah, 100%.
this is our, I think our 99th episode, which was a pretty fun one to get to do in this place
with this community of people.
Yeah.
There was a line during the closing ceremony that I really, really liked.
And it encapsulated something that I think we both kind of saw here, which was the sense of
people, each with their own thing, their own thing that in the rest of the world is an obscure
niche, but here there's just enough people that you can build a community and you can create a physical
space where you come and celebrate it.
And the person on stage said, I've dreamed a lot of things and they've happened here.
And I get that.
You see that a lot walking around in these halls, that people that just, they get an idea
in their head and they're able to hack it together and they were able to hack together a
community and this is where those people come.
You know, to everyone that puts it on, helps organize it, volunteers, the goons, everybody,
the people who play the music in the halls, the DJs, the people that come up with
the puzzles, like the list goes on and on and on, uh, you guys all do a fantastic job. And I was
so impressed the entire time. And, and the people that come and just sit at a table and put up a
sign being like, ask me about this thing. I'm an expert in it. And you can just sit down and have a
one hour conversation with somebody about some topic and they'll tell you, they'll give you an
advanced class in what it is and how it works. And it's just like, it's like a knowledge,
I don't know.
It's beautiful, like a knowledge melting pot.
So it was awesome and very cool.
And thank you to everyone that puts it on.
To play us out, I think this episode, wrap this bad boy up.
I think I was going to drop more of that wall of sheep trance music we were playing earlier.
Hell yeah.
Just, you know, what you hear is you slowly walk up to that wall of sheep.
Thanks for listening to another one.
Catch you in the next one.
Take care.
