I’ve listed some of the highlights, must-sees, and surprises that I took away from this wild ride.
The hands-on labs were really cool and I would have liked to spend more time in that area. The swag bag included a bunch of gear that corresponded to the labs. You could learn about RFID signals, Software-Defined Radio, wireless input devices, and other amazing nerdiness. I was really intrigued by the SDR and how I could have some fun with it. I mentally noted how I might tune in to the police radio when I got home so I could be that person in the neighborhood. No matter what conference you are attending, I would highly recommend visiting the labs.
Kevin Knows Everyone
This particular con is hosted by John Strand, owner of Black Hills Information Security. John Strand is someone I have admired and been following for a while. He also happens to be a long-time friend of Kevin Johnson, our CEO at Secure Ideas. When Kevin heard John was one of the reasons I became interested in this field, he invited me to attend the conference, even though I had only been on the job a few weeks. Secure Ideas was a sponsor, and Kevin was one of the speakers.
As soon as we entered the Nugget, Kevin started to run into people he knew, which enabled me to meet many of the people whose careers I have been following. There was a steak dinner at the hotel that Thursday night, which was included with the ticket price. It was here that I realized that one of the people at our table was Alyssa Miller. She was one of the speakers I wanted to see Friday, a huge name, and someone I greatly admired. There are only a handful of well-known women in cybersecurity, and she is definitely an OG. Plus, she’s from Milwaukee, Wisconsin. This will always trigger something in my midwestern lizard brain (since I grew up in the Chicago area) that just assumes they are good people and we will be BFFs. One of my coworkers, Ochaun, also mentioned that we were saving a seat for Wolf. Wolfgang Goerlich? I am eating dinner with Alyssa and Wolf? Another legend, and he lives in Michigan. I was feeling so lucky I thought I should play the slot machines. However, I might as well have lit that $100 on fire.
Stalk the Talks
The first evening there was a welcome speech from John Strand followed by a keynote from Paul Vixie. Thursday morning there was a keynote from Josh Wright. Next I went to a talk with Corey Overstreet from Red Siege. This was a really difficult decision because it was at the same time as Dave Kennedy’s talk next door. Kevin’s talk, “The Konami Code: the Secret Code to Power Up your SDLC Security,” was super informative and entertaining as usual, even though he will tell you he’s a terrible public speaker. Overall, I think my favorite talk of the con was Thursday afternoon from Jason Downey with Red Siege. It was titled “Six Things No One !@#$ing Told Me About Pentesting.” Jason has been testing for about 8 months. This really resonated with me because I am new to pentesting and it gave me a lot of insight on what to expect. Additionally, there was a keynote from Naomi Buckwalter, and talks from Alyssa Miller, Wolf Goerlich, Maril Vernon, and the CEO of Red Siege, Tim Medin. Not only did I learn a lot, but this also gave me a good feel for how tightly knit, helpful, and brilliant the people in this industry are.
Vishing for Sushi
While in Reno I offered to take a few vishing calls for an engagement the office was working on. I did it in between talks on Friday. The first few calls were easy. My ruse was one borrowed from another consultant and probably used often: I was from IT and needed to run some updates, bla bla bla, confusing technical talk. Most of the people were suspicious and said they were busy and would have to call me back, and then took my name. And yes, I used my real first name. It only took me one call to realize that saying my own name during a greeting is so ingrained that it was going to be more of a struggle to use a fake name than it was worth. I literally had the name I was going to use written down in front of me and still blurted out my own.
If anyone ever calls you asking for your username and password, personal or company information, money, or access to your computer, it’s a ruse or a scam. You should absolutely take their name and number and escalate it. That is exactly what you are supposed to do. What you should not do is call back someone who leaves you a message saying they are from IT and proceed to give them total access to your machine, which is exactly what happened with one of the calls I made. You have to tell yourself you are helping to protect your clients, because it feels terrible to deceive someone in this way. If you are ever feeling bad in Reno, comfort yourself with some great sushi. It turns out they have wonderful sushi due to the proximity to the California coast, and this was a very welcome surprise.
You Can’t See it All
I saw so much, but not nearly everything: workshops, talks, an escape room, more labs, a CTF, even a Backdoors and Breaches tournament. There were only about 200 people in person and this was perfect for my first con. It felt intimate and I was able to meet so many talented, incredible people. At a bigger one, like Defcon with 25,000+ attendees, I doubt this would have been possible. I highly suggest planning out your days in advance as soon as you know the schedules.
- One of our consultants from Charlotte, NC (Ochaun) won the bull-riding contest, and he was awesome.
- Listen to Darknet Diaries #67 – The Big House to learn more about John Strand and Black Hills.
- You should also visit BHIS’s training pages for more great stuff from John.
- Follow the links to all the people and websites I mentioned if you are new to the industry.
- If you are in a hotel full of hackers, I would like to think they are all the white-hat variety. But still make sure your phone and laptop are encrypted and your passwords are strong. This is good everyday advice as well, not just in a hotel full of hackers.
- Yes, marijuana is legal in Nevada.
If you are on the fence about attending a conference, I would urge you to go. It was a great time and something I think everyone in infosec needs to experience at least once, although I plan on going to many, many more.