What I learned from DEFCON 30
Zhouhan, August, 2022
DEFCON is one of the most popular hacker conferences in the world. After two years of virtual meeting, DEFCON 30 finally returned to Las Vegas in 2022. I was fortunate enough to present some research at Misinformation Village this year. I have never been to DEFCON before, and learned so much. Here are my 3 takeaways.
1: Talk to people. Several weeks ago I read Tokyo Vice by Jake Adelstein. There is a quote in the book that strikes me: "To not know and to ask a question is a moment of embarrassment; to not know and not ask is a lifetime of shame." Some DEFCON participants may look shy, but do not afriad to make connections and ask questions -- "what is your name, where do you come from, why do you come here?"
For example, there was a 5k running event every morning in front of Paris Las Vegas Hotel. At first I was hesitant if I should go or not. I lived in an Airbnb off the Strip, so I need to get up around 5:20am. I finally convined myself that if I didn't go, there are people I would never meet for the rest of my life. When I arrived at the rendezvous point the first morning, about 50 runners showed up! I was nervous to strike a conversation, but once the 5k started, people naturally formed into groups of 2 or 3. I met a person who is a musician-turned-software-engineer, a software engineer in Google working on Javascript code safety, and a runner who recently completed a 100 mile race. All it takes is "Hi, my name is Zhouhan, what is your name?"
2: Nothing is secure if trust is exploited. One of the events I enjoyed is vishing competition. Simply speaking, it is about teams making scam phone calls to organizations to solicit sensitive information. It is eye-opening to see employees who believe in a stranger within seconds because he/she claims to be a tech-support person, a journalist, or any professional. "Zero-trust" is a buzzword, yet humans cannot interact based on zero-trust.
So what should we do? Authentication and authorization is the key. Companies can enforce multi-factor authentication to make it difficult to impersonate an employee. In addition, companies can deploy multi user authorization whenever sensitive data is involved (for example, touching production server). Even if one employee account gets compromised, other empolyee can stop unauthorized behavior.
3: Misinformation is an emerging threat. Misinformation Village is the newest addition to this year's DEFCON. During the lightening talk, I shared my research in detecting cross-platform influence campaigns with Information Tracer. Professor Preslav Nakov discussed his research in "detecting fake news before it was even written. My friend Swapneel Mehta shared his work SimPPL: Simulating Social Networks and Disinformation.
Misinformation is not just a topic in academic. After chatting wiith several audience, I found that misinformation impacts many industries. For example, an advertisement fraud detection company is concerned about publishers distributing fake news; a darkweb investigator has to sift through fake posts to extract valuable intelligence. In general, I'm interested in new methods and systems that can improve informaiton quality. If you have any idea, please let me know.
Conclusion. DEFCON is huge -- the event spans across Harrah's, Linq, Flamingo, and Caesars Forum. I find it helpful to stay prepared yet remain flexible. I missed events I wanted to go, but stumbled upon talks that are really interesting. For example, I enjoyed a talk about how a high school student hacked and rickrolled an entire school district. I also learned in the AppSec (Application Security) Village that given infinity time, fuzzing can discover any bug (infinite monkey theorem). If you are also interested in technology and hacking, please consider joining DEFCON next year!
