Security Unfiltered

From Newbie to Pro: Making the Most of Security Conferences

June 01, 2023 Joe South

Ready to make the most out of your first security conference? Join us as we guide you through the world of security events, from local Bsides conferences and OWASP talks to more established gatherings like RSA and BlackHat. We'll share tips on taking notes, networking, and keeping an open mind to learn from the experts, ensuring you have a rewarding experience.

But we don't stop there! Let's explore DEFCON, where you can dive into various villages and attend talks ranging from basic concepts to advanced topics. We'll discuss what to pack, how to protect your devices, and the potential risks of bringing work gadgets to such events. Don't miss this comprehensive guide to navigating security conferences like a pro!


Speaker 1:

How's it going, everyone? This is another Security Unfiltered mentorship episode. So today what we're going to be talking about is conferences: what you need to know to be successful if you are going down the path of having, or going to, your first conference this year. So it is conference season for us security people. Conference season for us typically starts when RSA begins, so like the April, May timeframe, and it goes really through probably September or October. Even if you really want to close it off, you know, with the AWS re:Inforce conference, I guess you could in like November, but that's a bit far out there for people. So I always say it's safe to assume that it ends, you know, sometime in August for the most part.

Speaker 1:

First I want to talk about what conferences are best for first-timers. You know, and I get this question a lot: what do you recommend to go to? What do you recommend to bring? What should I be expecting at the conference? How do I network with people? How do I talk to other people? All of these questions we're gonna go over.

Speaker 1:

So first, you know, let's talk about some conferences. So there's typically a local BSides conference, right. So there's Nashville BSides this year. There's supposed to be a Chicago BSides conference; I believe that that's actually in November or something, something like that. You know, but major cities typically have what's called a BSides conference. They're typically on the cheaper end, but you know, the same sort of atmosphere of a bunch of security professionals going there, hearing different talks, talking, drinking too much, that sort of thing. You know, it's a good opportunity for you to get out there and get into the community. You know, and I think that that is something that's important that, you know, is honestly overlooked a lot of the time, and that us, as a security community, we need to be more welcoming to new people. You know, other local cons could be something like a local OWASP talk or discussion. It's not necessarily a conference or anything like that, but it gets you used to how the environment is. It gets you used to going into new places, meeting new people, talking to new people, kind of even telling your story or your background, right, and making those connections and learning something as you go.

Speaker 1:

You know, when I was trying to get into security, one of the things that I did was actually go to local conferences, I think it was OWASP talks and a few others, just very local, you know, small talks where, like, one person would get up there and talk about something interesting. You know, some of it I wouldn't even understand, but I would be taking notes. I would be, you know, very attentive to what they're saying, and I'm trying to learn and I'm taking notes on the things that I don't quite get, that I want to learn more about. And of course, you know, in the beginning that's a lot, right, like you're taking copious amounts of notes, if you have that mentality. You can trust me on that. But yeah, you know, the local OWASP talks and groups like that is really the best place to start.

Speaker 1:

And then you work your way up to a BSides conference, a little bit bigger, still local, right, so you're not going anywhere. Still on the cheaper side, we're talking, you know, a hundred, two hundred dollars, something like that. And then, you know, take it, I would say, a step up. There's, you know, kind of conferences that kind of branched off from larger conferences like DEF CON. So in Chicago we have THOTCON, so really all of the Midwest people come to THOTCON. Mostly Chicago people go to THOTCON, but again it's a little bit of a bigger conference. It's a little bigger, if not the same size, as BSides. They have multiple tracks. They have, you know, several different areas and specialties that you can go down and learn more about. A lot of people again drinking too much and, you know, talking, networking, learning more.

Speaker 1:

The key is to really be more open to learning new things at these conferences, in my opinion. You know, and let's say that you're new to security, you're in security maybe, or you're a security analyst, and this is your first con. This is what I typically do: I'll go to, let's say, three to four talks total for the entire conference that relate directly to my job or maybe the industry that I'm in. You know, typically they cover all industries. They cover, really, you know, all professions within security. A lot of the time they do, and I think it's unintentional, but that's just how it works out. And then the rest of the time that I'm there, I am looking at or going to talks that I'm interested in, things that I don't know that much about, and I'm actively taking notes, I'm actively trying to learn more, you know. And then we have larger scale conferences like RSA, Black Hat, DEF CON; the AWS conferences are definitely bigger. You know, Microsoft Azure conferences are definitely bigger, but we'll start with kind of DEF CON for, you know, for this purpose, right? So, really, the next step up is DEF CON, in my opinion, and in my opinion, I think DEF CON is the best.

Speaker 1:

Maybe I'm a little bit biased because that was the first major conference that I went to, but you know, at DEF CON it seemed like people were more open to networking. It seemed like they were more open to just talking to you, especially in the registration line, where it's literally called LineCon. The slogan is "LineCon is the real con." It's because everyone is typically in a good mood, right? They're gearing up for the conference, they're getting ready, and it's a long line. I mean, you can be literally walking nonstop through this line for like 30 minutes with no one in front of you, like you could literally be walking. That's how long the line is, but with people in front of you, you know, you could be there a couple hours, and so that's why I try to get there at like 5am, which is always difficult because it's in Vegas and I don't really go to sleep until like 2am in Vegas. So, you know, there's that to also account for. But you know, with DEF CON people are more open to network.

Speaker 1:

I feel, and I'll give you a couple of examples. You know, just from me being in the line at DEF CON registration, I met hardware hackers, I met pen testers, I met bug bounty hunters. You know, and I didn't even know this at the time; it was kind of groundbreaking to me to understand this. But bug bounty hunters, you know, some of these guys, they work for four months out of the year, right, looking for bugs in top-tier products from top-tier companies like Apple, Microsoft, Google, you know, Nvidia, you name it, right, like a top-tier tech company. They're actively looking for bugs in those products and they'll make a couple hundred thousand dollars in those first four months, and they won't do anything else the rest of the year. You know, they'll do their own side projects. They'll, you know, maybe dabble; if they get bored they'll do another bug bounty. But you know, for the most part, you know, the good ones at least, the good ones we're talking about, the top, you know, 3%, something like that, right, they're making all their money in the first four months, which blew my mind.

Speaker 1:

I didn't even think that, you know, that was a career option. You know, before that time, when I met that person, I didn't even realize that that was more of a career option. I really didn't. I thought that it was more for, you know, side projects, you know, or even a hobby, kind of, you know, nothing that would ever make you any real money. But definitely there are people out there that do it, that actually make a living off of this, which, you know, I find to be very impressive.

Speaker 1:

And you know, another thing with DEF CON is it is huge. It is so much bigger than really every other conference that I've been to, honestly. Like, yeah, RSA has, you know, a large venue and then a huge place for the vendors and whatnot, and that's fine and all. But RSA is more about selling you stuff. Right, you gotta understand what the conference is and what you're going to, and stuff like that. RSA is more about selling you stuff, introducing new products and stuff like that. It's really geared more towards, like, the business leaders, the business executives. Right, DEF CON is more geared towards the technical people, the people that, you know, are actually building the tools. They're building the tech, they're deploying it, they're running it in the environment. They're testing different things. This is for the hackers, the, you know, security engineers, security analysts, the architects, all of those hands-on roles. DEF CON is more for those people, and so, you know, nine times out of ten, if you talk to someone at DEF CON, you know, you're gonna be able to find something in common with them because you're doing a very similar role to theirs.

Speaker 1:

You know, being hands-on is not uniform throughout security. Right, there's different roles that roll under security that are not hands-on, which is a give-and-take, right, like it's not the best, it's not the worst, it's something, right. And then we'll go into really the more advanced cons. And what do I mean by this? You know, you're not gonna go to DEF CON and grab a CISSP certification. You're not gonna go to DEF CON and get an AWS certification or an Azure certification or anything like that. You're not gonna get SANS training. It's really not a place for that. I don't even think it's offered. I've never even heard of it being offered before. When we go to Black Hat, Black Hat is more training-geared. It's where, you know, some extremely expensive training is going on, and yeah, I mean, that's exactly what it is like. You're going to Black Hat and you're typically walking away with, you know, some sort of training under your belt, potentially a certification under your belt, and of course, you know, Black Hat leads right into DEF CON, and so then you have DEF CON right there, you know.

Speaker 1:

Another thing that I want to point out is DEF CON is, you know, way less expensive than Black Hat. Black Hat, last time I checked, actually the last time I went was probably 2017, I think a basic ticket, low-level pass, was like $2,500. For DEF CON this year it's $460. So is it pricey? Sure, you know, it's not cheap, that's for sure, you know. You can't call it cheap if it's $460 and whatnot, right. But is it Black Hat expensive? You know, and that's the biggest thing when we start talking about conferences and if companies will pay for them and things like that; they look at DEF CON prices and they're like, oh, this is nothing.

Speaker 1:

I'm used to people asking for Black Hat. I'm used to people asking for RSA, because I think RSA passes are even right around $2,500, maybe even more expensive, like $4,000 or something, which is just absurd to me. But you know that this is more down the advanced route, right. And so at these advanced cons like AWS re:Inforce, AWS re:Invent, Azure Ignite, I believe that's the conference name for Azure, you know, all these more advanced cons, you're literally going to them, hearing about new products, new things that they're launching. You're getting training, you are learning about their product even more and whatnot. You're drinking the Kool-Aid, so to speak. You know, they're more expensive. You're getting more training from it, so it's a give-and-take, right.

Speaker 1:

So, in my opinion, if you're going there for training, it's probably not really worth it, to be completely honest, because it is so expensive, it's so cost-prohibitive, you know. I actually just purchased my training materials, my certification passes for three certifications this year, and I think the total for three certs and all training was, I want to say, $1,200. I think it was $1,200. All right, $1,200 would not get you into Black Hat. It wouldn't even get you in, let alone training by a company or someone or, you know, any sort of SANS training or anything like that. Like, it would not get you anything at Black Hat, okay. And so to me, if you're going to a con to get training or whatnot, if the company's paying 100%, good on you. You know, that's great, but I would rather use that money or that opportunity on a different conference like DEF CON, where I'm learning new things.

Speaker 1:

There's multiple tracks. There's typically, I think, between four and six tracks. You know, if you go to THOTCON, there's about two to three tracks. At DEF CON there's about four to six tracks, and a track is just a different lineup of talks that people are giving. It's not necessarily based around a specific topic. I mean, it could be, you know, you could have days that are a little bit more overloaded with, you know, hardware hacking or biohacking or hacking drones, you know, whatever it might be, right, but for the most part, you know, they do kind of stay around the same thing roughly, but there's no like set, you know, track one is for, I don't know, pen testing, right, and then track two is for biohacking and whatever, right. It's nothing like that.

Speaker 1:

And another part of DEF CON that I absolutely love is the villages. You know, at DEF CON it's a huge area, right, so they typically take up like two or three resorts in Vegas. That's how big this conference is. The last time I went, which was probably, maybe 2021, maybe, I don't quite remember it, but the last one that I went to there was over 40,000 people registered, over 40,000 people, you know, and that's just day one registrations. It was insane, I could not believe it. But it takes up several, you know, resorts in Vegas and they're all typically, you know, right next to each other and whatnot.

Speaker 1:

But, that being said, the villages are also an extremely interesting place because you get hands-on learning with these different things. There's a social engineering village where you learn how to socially engineer people. There's potentially, you know, something like a pen testing village or a lockpicking village or a car hacking village. There are so many different kinds of villages at DEF CON, and it's really where you're getting hands-on experience. You're talking to the experts, you know, face-to-face; there's no one else, it's more one-on-one, and you're learning about how to actually do the work, which, you know, if you're someone that is new to security, that's trying to really just get started in security, the villages honestly are a little bit more enticing, a little bit more valuable for you to spend your time in rather than the talks, because the talks can be extremely advanced and they can also be very basic, right. Like, I'll give you an example: there was one talk one year that I went, that the person was talking about how he was reverse engineering the security features of Intel CPUs and how he stumbled upon secured memory and how he was trying to break into that secured memory, doing some advanced techniques that I've never heard of.

Speaker 1:

That I can barely remember, to be quite honest. But I just remember that literally probably about 95% of what this guy was saying was going straight over my head, and I looked to my right. I was there with a friend that I considered to be smarter than me, and it was going straight over his head. He did not follow it at all either. You know, and there can be other talks that are talking about, you know, how we need to do a better job of training people in security, kind of more soft skills type of things, right, which is totally different. Those are two totally different ends of the spectrum.

Speaker 1:

And then you have villages somewhere, you know, in the middle, where, yeah, it's advanced, you're learning new things, but you're doing something different. Yeah, it's advanced, you're learning new things, but you're doing it hands-on and you're learning from the very best. You're talking with them face to face. There's no intermediary or anything like that. It's just a really good experience.

Speaker 1:

Now, you know, let's talk about what to bring. So, obviously, you know, you bring your own personal items, whatever you need to get you through a trip in Vegas, for instance, for DEF CON, if we're just talking about DEF CON. And then, on top of that, I typically, I always bring a laptop. I have my phone on me, I have my smartwatch on me, and, you know, with that being said, you should really consider a Faraday bag.

Speaker 1:

One of the products that I am looking into right now, personally, is from this company called SLNT. It's probably pronounced something, but that's how I know it, where they make, you know, laptop sleeves, sleeves for your phone, sleeves for really every electronic device that you can think of, to protect it from any outside connections. And so that's actually pretty important, because when you're at this conference, you know, you'll see this sign that says if you cross this line, you are fair game. So if you get hacked, if your device gets hacked, you know, that's on you. You should have known to turn off the Wi-Fi, to turn off the Bluetooth, to turn off, you know, NFC or any other outbound connection or inbound connection to your device, which basically turns your cell phone into a brick. Like, I don't know if you've ever done that before, but it basically turns it into a brick. It turns your laptop into really only a note-taking device. So do you need a laptop? Maybe not. Do you feel like hacking people and probably getting hacked back? Then maybe you need a laptop.

Speaker 1:

You know, I know someone that actually goes to conferences with a backpack that he designed that holds a bunch of Wi-Fi gear in it, and all it does is scan all local connections nearby and immediately starts running through different attacks, you know, on all these different devices, and at the end of the day, he goes and looks at all the different information that he gathered from these devices. And he said that it will be hundreds, if not thousands, of devices when he goes to DEF CON of, you know, unsuspecting people that are not paying attention, that are trying to use their phone, they haven't hooked up to Wi-Fi or something like that, you know, and they don't realize it's happening, but literally all he does is walk by and he hacks the device, just like that. So that is definitely something that you should keep in mind. You know, just understand that there is that risk. You know, there's people out there that find it funny. They find it fun to hack someone, to really get as much information from them as they possibly can. You know, in some opinions, right, some people's opinions, that's malicious. You know, that's not good. They shouldn't be doing that.

Speaker 1:

But at the same time, there is a really big sign when you enter the conference that says if you go past this point and your devices are live, you can expect to be hacked. It is on you to, you know, manage your own devices and protect your own devices. They even say that. Now, I would absolutely recommend against, hard recommend against, bringing any work device. Leave your work phone at home. Leave your work laptop at home. If there's a work tablet, leave it at home. Do not bring it to the conferences, because that opens you up to a lot of different liabilities. Because there is a very good chance that when you took possession of that laptop, you had to sign an acceptable use policy form, and more than likely, somewhere in that acceptable use policy form it said that you wouldn't take it into an adversarial environment knowingly, that you wouldn't knowingly do that, that you wouldn't knowingly put that company device at risk of being breached, of being hacked.

Speaker 1:

And you know, when you go to these conferences, there are signs, everyone knows it. I mean, there even used to be warnings when you purchase the badge, whether it's online or in person. There would be notices saying, like, you know, you're at this conference, just take notice. You need to be aware of where you are and whatnot. Now, if you're just a normal tourist, right, in Vegas, because, I mean, Vegas has millions of people, you know, in the city at all times, basically all times of the year, there's going to be a lot of different tourists there too. You know, if you're outside of that con, you're basically not fair game for any semi-friendly hackers. Now, if there is, you know, someone that is bored and drunk and they're looking for something to do, you know, all bets are off, right. It's a little bit of a higher risk than what it would be if you went to Vegas in, like, December or something like that for vacation. But you know, for the most part, right, you have very little to worry about outside of the conference, just walking around the Strip, things like that.

Speaker 1:

For me, personally, I tend to go with a Faraday bag. You know, put the laptop in the Faraday bag, disable the wireless and the Bluetooth. The Faraday bag is kind of just like that extra level of protection, right? Like, I'm pretty sure I just disabled the Wi-Fi on this device, but who knows if Apple is still using it silently in the background and they're still sending out connections and whatnot, right, like I don't know that because I haven't analyzed my laptop. Same thing with my phone, same thing with my watch, all that stuff. And so I just try to put it all into a Faraday bag. My watch is a little bit different, because I may have a schedule to follow, right, I may have different conferences that I want, or different talks that I want to go to, and so with that, I need to be aware of what the time is, and so just understand the risk, right?

Speaker 1:

And another key tip that I think is overlooked often for people talking about going to conferences: make sure you have a backup of all your devices before you even go. Before you get on the plane to go, make sure that you have a backup of all your devices, just in case something happens, right, just in case someone does an attack on you and completely breaks your device. You have a backup. So, yes, it is frustrating as hell for the days that you are there without that device, but when you get back home, you have all your data, you have the device operational and you know what's going on. I actually know people, and I've done it myself, that will take the backup. They'll go to DEF CON, and then when they come back, they just restore to that backup. The reason why they do it is because they don't know if someone was able to, you know, insert some rootkit or bootkit on their device, and, you know, who knows what information people are gathering and whatnot.

Speaker 1:

You know, not everyone is an upstanding citizen, right, like, not everyone is going to have the best intentions for everyone at heart, and so you should prepare yourself and act accordingly. At least that's my opinion. You know, just prepare yourself, right. I think that's the biggest thing by far. So what to expect? You know, I already kind of talked about what to expect with how the conferences are laid out, with how the villages are laid out, where they are. You know, they're typically across a couple of different resorts, so you get to learn the ins and outs of these resorts pretty well by the end of the week. Also talked about, you know, the difference between the different cons, and, you know, talked more about LineCon, right.

Speaker 1:

So I think that that is a really undervalued or underappreciated part of the conference for new people, because, you know, this is when you get to network with people. This is when you get to kind of advance your career, even. You know, there's people that I never would have met outside of the podcast, right, because the podcast wasn't even a thought in my head at the time when I was going to DEF CON for the very first time. There were people that I never would have met, that I met in the line, that opened my eyes to security and different domains of security in totally different ways, and that's really important. When you're starting out, when you're early on in your career, you want to learn as much as you possibly can, and that's a great place to start. That's a great place to actually expand your mind and expand what you believe is possible.

Speaker 1:

Basically, so, to close it out, what is the best conference? What do I like to go to the most? Nothing compares to DEF CON, in my opinion. Every single year that I even have, like, a 10% chance of going, I try to go. I really do. You know, last year I didn't go because I have my vacation in Germany, and that trip alone is like 10 grand. I mean, all in, like, that trip alone is like 10 grand, and I can't rationalize another trip, especially when I'm paying for Germany myself. You know, I might even be rounding up on that number, but, you know, it's a lot of money. That's the point. And so I just couldn't swing DEF CON, right. But this year I am 100% going to DEF CON. I am very excited to be going to DEF CON.

Speaker 1:

I will be handing out Security Unfiltered stickers at DEF CON. So if you're at DEF CON and you find me, ask for a sticker. If I have any available I'll give them to you. But if not, you know, I'll be placing them randomly, you know, at slot machines and bars and all the just random locations. But yeah, you know, it's going to be a great time. I may even have, if you're lucky, I may even have a first, like, prototype of a Security Unfiltered t-shirt. Very excited about that. But that is to come later on, right, like we got all the way until August and it's about to be June. So with that, guys, thanks for listening. As always, I really appreciate all the support. You guys are fantastic. I mean, I feel like I have, you know, the best audience, the best group of people listening to this podcast possible. So I really thank you guys, and I appreciate all of the people that are listening and our avid listeners. So thanks everyone. We'll see you next week.
