Get in texts with technology with tex Stuff from stuff works dot com. Hey there, and welcome to tex Stuff. I'm your host, senior writer, Jonathan Strickland. I worked for how stuff works dot com been recording text stuff since two thousand eight, and I cannot believe that I've gone that long without covering this next topic. I'm talking about
def Con. It's a really interesting subject. I've touched on it once or twice in the past, and I've talked to people who have presented at def Con or attended def Con. I personally have never been to one, but I felt like now was the time. It would be really cool to take a look at a conference filled with people who know all about bypassing security and getting to all of your precious secrets. These are hackers and security experts who can identify vulnerabilities and weak implementations and
then exploit them. It's a conference where if you're not careful, you'll be publicly mocked for your poor security protocols. And it's called def Con. Jeff Moss, who is a hacker who used the handle the dark Tangent, founded the conference back in Moss operates some bulletin board systems or bbs is back in the early nineties on Phyto networks, and you may have my brother has forgotten what these bbs
is would like. Things changing so scoring nowadays and people quick to forget, So I thought maybe we should go back and talk about what the heck is a bulletin board system? What is phto net well, A bulletin board
system is a pretty simple concept. You have a host computer running some special software, and that software sets aside certain assets for the bulletin board system or BBS, such as hard drive storage space and maybe uh filing system of some sort of navigation system, a user interface, if you will, and this would typically include this message board system.
It allows participants to communicate with each other, typically asynchronously, which means that you could leave a message and then the next time someone checks in they could read their messages respond to them. The next time you check in you could see the responses, very similar to email um and many bbs is would only allow one person to connect to the bbs at a time because you actually were using dial up modems in those days. So you hook up a dial up modem to your computer, it
would call out a number using the telephone system. The plain old telephone system or pots, if you will, and that would dial up the host computer's modem, which would then allow you to connect. And some would have the capacity for multiple connections, maybe up to three or so, but a lot were just single connections and you would be you would have to wait if someone was already on there, you get a busy signal and you'd have
to try again later. Uh. Many BBSs would include simple games or drives where you could upload or download files at incredibly slow speeds. Imagine the Internet if it were limited to just the stuff that was on this one guy's computer across town. And you kind of get the idea. Now, because we're talking about the era of dialot modems, we're also talking about time when long distance calls were expensive and there was no free long distance in those days
unless you were getting around the system. But we'll get into that. So you're spending money in order to connect to anything that's not within your area code. Typically most people would just stick to bbs is that we're in the area codes that were in the local dialing options that they had, and initially that was the only way you could check messages on other bbs is you could
you'd have to call into that BBS. So if you have a friend who's three cities over and they're technically in long distance range and you want to check any messages they were leaving for you on the their local BBS, you had to call a long distance or they had
to do the same for your low gold BBS. There wasn't really any inner connectivity in the early days, So if your BBS of choice was called I don't know, let's say it's moss Eisley Cantina, So yours is moss Eiseley Cantina, my BBS of choice is called the Raven, we wouldn't be able to leave messages for each other unless we were willing to visit the other person's favorite BBS, and thus we'd be unable to share our love of Harrison Ford, who obviously inspired the names of both of
those bbs is and bonus points if you know what the Raven is. But either way, one of us or both of us would have to spend money on a long distance call if we wanted to drop a communication to the other. But then along came Fido net, and this was a network designed in the nineteen eighties to allow different BBS is to have exchanges between them. So if both the Moss Eiseley Cantina and the Raven connected
through Fido Net, you could communicate between the two. You could leave a message for your friend over at In my case, you would leave a message on the Raven for me, and the message you left at Moss Eisley Cantina would be relayed to the Raven. I could read your message. I could then send a message to you and it would be relayed to Moss Eisley Cantina and
you could read it there. So again, very much like email, BBS culture allowed people who otherwise would have had problems meeting up with folks who shared their similar interests like I don't know, let's say hacking, for example, and I should probably talk about what hacking actually is now. The popular definition of hacking is very narrow and misleading. It tends to focus on super negative stuff like breaking into secure systems in order to steal stuff or commit sabotage
or install malware. You know, you're designing viruses and worms in order to be some sort of online menace to society. But the basic definition of a hacker is just someone who wants to know how something works. They want to understand a system or a product or software or hardware. They just want to know how it works, and then how to make changes to it, how to tweak it so it does things it wasn't and just you know,
expected to do it wasn't designed to do. You increase its utility by making it do other things, or maybe you do things better or often worse, but in an entertaining way. So they hack a system up and see what makes it tick, and then they put it back together. And sometimes they'll hack together code to accomplish something, and there's no requirement for that code to be in any
way malicious or illegal. Hackers might make a program that lacks elegance or efficiency, but it gets the job done, and the same is true for hackers who work with physical gadgets as opposed to just code. They might make circuits that do nifty things, though it may be a primitive or particularly inelegant approach, refinement can come later. Hacking is just can I take this stuff and make it do what I wanted to do? So again, it could be hardware, it could be software, and there's also some
social hacking as well. The ability to manipulate people into doing things, not necessarily maliciously, though frequently it is uh. Sometimes it's just meant as a way of seeing how people tick. That's really what hackers are interested in. So working for a company like how Stuff Works, we appeal to that same sort of sensibility, that sense of curiosity that wants to be uh satisfied by learning how the
world works. Now back to Jeff Moss. He operated a few different bulletin board systems on Fido net, and his bulletin board systems were part of a larger network of people interested in hacking or freaking, which is sort of like the telephone system version of hacking. Now. I did a full episode about freaking years ago, and you can learn all about it, and also about some of the famous people who were freaks, like uh Wosniak so Wasniac being one of the co founders of Apple back in
the seventies, was one of the phone freakers. You can also learn about Captain Crunch, who used a toy whistle found in cereal boxes to help hack the phone systems. These were people who were learning how those phone systems worked and then how to manipulate them. Whether it was to make long distance phone calls for free, or just to really figure out how all those network switches worked because it was interesting and not a lot of material
was available publicly for people to look into. Uh Well, there were also people who were interested in just sharing information. They had access to information that they thought other people needed access to, and so they would use bolton board systems to disseminate that information to other folks. His BBS is, that is, Jeff Mosses BBS is connected to other systems
located around the world through this network. Now, Mosses bb as were popular and he started to function as sort of the centralized hub for many of these other BBS platforms, including platforms like hacknet, freak Net, and platinum Net. There were eleven in total that used his BBS as sort of a connecting point, and platinum Net out of Canada had a request for moss or more specifically, the administrator of the BBS platinum Net, which was located in Canada,
was asking moss for a favor. The operator of that BBS was going to go offline because quote his dad got a better job in the quote. So this was someone who is fairly young. One can presume living with his dad and that he was soon going to lose access to the computer they were using, the phone line
they were using because they were going to relocate. And this is where we remember there were a lot of young folks really interested in the way computers and complicated systems worked, and the operator of Platinum Net was hoping that Jeff Moss would be able to organize a big bash, a big going away party for Platinum Net. Because Jeff Moss again was operating this sort of centralized hub and Moss was in the United States, whereas this guy was
in Canada. So most of the members of these networks that we're using these bbs is happened to be in the US. That's why Platinum Net really wanted Jeff Moss to organize this, because he wanted as many of his friends to be able to go as possible, and it would be difficult to organize a party in the United States while you are actually in Canada. Now, Moss had
talked to Platinum nets administrator. And by the way, the reason why I'm not using any names here is because Moss himself says he forgot the name of the kid from so many years ago. He's forgot what the kid's name was. So Moss decided that the best place to locate the party would be Las Vegas, Nevada, for a couple of different reasons. For one, he had never been to Vegas, so he was kind of curious. He's like,
why don't we have the party in Vegas? And he felt that the party if it fell apart, if it was a bust and no one showed up, worst case scenario, he'd be sitting by a pool drinking a Pinia Colada in Las Vegas, Nevada. So he saw it as a win win, and that's when things took a turn. So platinum Net disappeared, the administrator that is of the BBS disappeared, the BBS itself went offline. Apparently his father took the job earlier than was expected, and Platinum Net went dark.
So Moss had already begun preparations for this great, big party in Las Vegas, and people were already expecting a big shin dig. So Moss was left, as he said, holding the bag. He decided that instead of canceling it or making excuses, he would actually turn it up a notch.
He decided to invite everyone across the eleven networks that were connected to his BBS, and then he got on I r C also known as Internet Relay Chat and posted to Pound hack and Pound freak or if you prefer, hashtag hack and hashtag freak in these days, and those are chat rooms. IRC uses the hashtag or pound symbol to designate different chat rooms. Back in the day, there was only one hack chat room and only one freak chat room, and he posted about the party there. Essentially,
he was opening it up to everybody. He also says that he sent faxes out to tons of different people and organizations, including law enforcement agencies, agencies like the FBI and the Secret Service, and he said, we're gonna have a big hacking conference in Las Vegas. Now. Later on, he said he knew information about the gathering was gonna
get out anyway. It was going to become public, so he might as well get in front of it and let people know ahead of time, rather than make it seem like he's trying to be secretive and that perhaps these people are up to no good. He wanted to get in front of that and say no, no, no, we're getting together to have a party. Yes, we're all folks. Who are interested in information security, but we're not clandestinely
trying to take down the government or something. And now he had to call the party something, and he was thinking about different names and ultimately decided upon def Con D E, F C O N. Now, in military speak, def con as an acronym stands for defense readiness condition, and it's generally followed by a number. And here's how the scale breaks down. If you've ever heard about def con followed by number, this is what it means. Def Con five is normal peacetime readiness, meaning you are not
on high alert in any way, shape or form. Def Con four is normal increased intelligence and strengthened security measures, so not quite as laid back as normal peacetime readiness. Def Con three is an increase in four readiness above normal readiness, so you've got perhaps some various military units and equipment on standby. Def Con two is further increase in force readiness, but less than maximum readiness, so somewhere in between being a little more ready than usual and
being totally ready. Def Con one is maximum force readiness. You are ready to go to war at a moment's notice. Now, Moss like the term def con partly because it was in a film called War Games starring Matthew Broderick. Highly recommend that movie, by the way, It's one of my
favorites from the eighties. In that movie, Broderick plays a young hacker who uncovers some interesting games that, unbeknownst to him, are controlled by a supercomputer called Whopper w O p R that stands for War Operation Planned Response, and that particular supercomputer belonged to the North American Aerospace Defense Command also known as NORAD, and it turns out that the supercomputer runs on a program that was designed by an
eccentric programmer named Stephen Falcon. Now, Broderick's character, whose name is David Lightman, has no idea that he's accessed a defense computer. He was actually doing what he called war dialing. In in old days, people called demon dialing, which is where you would set up your computer's phone modem to just automatically dial a list of phone numbers, and your goal is to see if any of those phone numbers match up with another computer hooked up to a modem
so that you can get access to that computer. In the movie, what Lightman is trying to do is he's heard about a computer game company, and he wants to play the games that that computer game company is making before they come out. He wants to play them and test them and find out they're worthwhile. So he said this list of numbers. Why he doesn't know is that his computer is actually called into a defense computer, not a gaming companies computer. He just thinks he's playing games.
So he launches a game called Thermonuclear War, it's really a thermonuclear war simulator, and tries to decide where he'll attack first, and he decides cheekily that he's going to attack Las Vegas, Nevada. So Moss, who was living in Seattle at the time, uh the same place that David Lightman was supposed to be from, decides he's gonna hold a party in Las Vegas, and inspired by war games, he calls it def Con. He also mentioned that the letters D E F correspond to the phone key number three.
So in the old text days, each number on a phone was related to three letters, and the number three was related to the letters D E n F. So that was where the phone freakers out in the audience. And at that first def Con Moss accepted cash only that is true today. By the way, it is a cash only experience, and about a hundred people showed up. They had a few speakers talk about various programming projects
and concepts and information security. Moss says that everyone seemed to enjoy themselves, and afterwards he was completely exhausted and decided to go hibernate for a while. But then he started getting messages from people about how to improve the event for the next year, and a lot of requests about, hey, are you going to do this next year? And according to Moss, that was the first time he had ever considered making it an annual event. It was originally just
gonna be this one time going away party. Remember it was originally going to be for Platinum Net, but Platinum Net had already gone away, and so he decided, well, I guess, I guess we can make it an annual party. Well they decided to hold it again the next year, and according to Moss, it was about twice the size of the year before, and then the third year they held it it increased in size again. And shenanigans would
happen at these parties. For example, you might get into a building's elevator and discover that someone had rewired all the buttons, so they go to different floors than what you pushed. You might push floor three and end up on floor twelve, or you might see folks lugging around an enormous satellite up link dish for reasons that they wouldn't be willing to explain. But Moss says the tone of the conference really began to change around this time too.
The Internet was starting to take off and information security was transitioning from something that people were interested in as a personal passion into a legitimate career, and Moss says that the years between def Con four, which would have been and when the bubble burst in two thousand one, the tone of the show had turned into one centered around money and commerce and less about the geeky technical details of how to get around problems or to ensure
your own Internet security. We've got a lot more to talk about with def Con, including how it works and what goes on there, but first let's take a quick break to thank our sponsor. So pretty soon Defcon was just way too big for any one person to carry off, and so Moss depended upon a growing staff of volunteers.
They're affectionately referred to as goons, their departments within the goons, such as people who maintain the network connections for def Con or folks who act as points of information or security. The goons typically wear an identifiable element, like a red shirt to let people know they are part of the
volunteer staff. Moss says that the year before the bubble bursts, so in around two thousand, the show had swelled up to seven thousand attendees, and according to Moss, only about half of those folks really seemed to belong there, like they seemed to be the actual geeky people who were interested in learning how this stuff worked and playing with it and exploring it and breaking it and fixing it, and the other half didn't really seem to be those folks.
They seem to be more people interested in commodity, commodifying security, making money, and and making deals. After the bubble bursts, the attendants dropped closer to five thousands, So some of those people that you might refer to as posers or just people who didn't belong at def Con sorry to not go anymore, because everyone was pretty much freaking out about whether or not tech would even be profitable anymore.
Especially in the dot com space. By def Con twenty in two thousand twelve, the numbers had increased up to fifteen thousand, and by then it was a lot of the legit folks who were really interested in info SEC and not just hangers on. The venue for the conference has changed a few times too. For several years, the con took place at Alexis Park, which I've actually stayed at on a trip to c e S. Alexis Park in Las Vegas is a former apartment complex and it
doesn't have a casino. That was the reason I stayed there. I was thinking, if there's no casino, I don't have to walk through this enormous casino to get to an elevator to get up to my room. I can skip all that. Because casinos are notoriously labyrinthian and difficult to get through. They don't want you to make they don't want it to be easy for you to get out right. Uh So I thought, oh, Alexis Park, it doesn't have
a casino, I'll do that. I did not realize that it was a bunch of apartment buildings separate from each other, and I was booked in a room that was like five apartment buildings back from the entrance, so it meant walking I don't know, maybe half a mile to get to my room. Uh, so I didn't save any time in the long run. Well, Alexis Park was where they had several def cons in the early years, and it
was a very popular place. Uh. It has several pools and lots of open spaces, and apparently a ton of shenanigans happened in and around those spots during the Alexis Park years. The pool parties, in particular, were the stuff of legend and sometimes of law enforcement. The hotel even printed up sheets that explained how much it would cost to replace stuff in your room. So if you wanted to trash your room, you could, but you'd have to pay for it. But you would know right up front
how much you had to pay. And actually the hackers like this. They liked the idea that, oh, well, if we destroy this television, it's gonna be two hundred bucks. But I got two hundred bucks, so let's go ahead and do it. And it was funny because Alexis Park management was totally cool with this. Is said, well, if you pay your build and that's fine because we'll just replace it. So it was an interesting experience and an interesting relationship between Alexis Park and the hackers, and everyone
seemed to really dig that. But it got to the point where Alexis Park just could not handle Defcon. It wasn't big enough. The convention had grown so large that they needed to have space that had better meeting facilities. The rooms weren't large enough to hold the crowds that were coming in, and so they eventually moved out of Alexis Park. Now, there are a lot of people who have nostalgia for the Alexis Park days, even though everyone
knows that logistically it and and't work anymore. And so that is why often to this day, someone at some point during def Con, we'll go to Alexis Park and they will go into the lobby of the area and they will steal the Alexis Park welcome Matt and smuggle it out and bring it over to the actual def Con meeting area and people will pose with the Alexis Park welcome Matt that has been stolen from their lobby and they'll return it, typically at the end of the conference.
But yeah, while they are no longer located in Alexis Park, the hackers will still, you know, bring it along as as a reminder of the good old days. Parties are a huge thing at def Con, and there are tons of parties, dances, DJ sets, lots of plausible deniability. Def Con frequently attracts musicians who work in digital media and use technology like chip tunes and other forms of musical
exprestion that rely heavily on technology. I've actually seen some of the sets, of course I've never attended to def Con, but watching some videos of the various DJ performances, it's incredible. You've got high tech light shows, You've got really cutting edge technology which is being used to make music. You've got people hacking each other the whole time, like technologically speaking,
not physically hacking one another. Although bio hacking is one of the areas of interest at def Con, the scheduled talks at def Con often revolve around important or even critical computer and network security issues, and sometimes the presentations are humorous. There's a great one that you can find online. You can actually watch it on YouTube, in which a programmer described how he was able to track down his stolen computer and lead police to the thief who took
it by monitoring when it came online. And this was a process that took a lot of creative thinking because he had already taken several steps to protect his computer, and once it was physically stolen, meant that some of those options were no longer available, Like he couldn't find it in certain ways because he had already removed that as a capability. But eventually he was able to discover his computer and even retrieve much of, although not all, of the data that was on his computer when it
was stolen. Other talks are a little more sobering. For example, take the talk titled go beyond tabletop Scenarios by building an Incident Response Simulation Platform. So this is a talk where a security expert with the Texas Department of Safety named Eric Capuano explained how organizations need to prepare themselves to respond to serious security threats by building out simulations that allow I T. Professionals the chance to train and
hone their skills. So he's saying, it doesn't do you any good to learn how to deal with an emergency when the emergency is happening. You want to train yourself in all of those strategies early on so that when something like that does happen, you can respond appropriately. There's another talk that was titled Fooling the Hound Deceiving Domain Admin Hunter hunters uh. This focused on ways to trick attackers into following a false pathway while they are seeking
out admin login credentials to a network system. So hacker gets access to perhaps a machine on a network and wants to see if they can find the admin level access to the whole network. Well, this was a talk
saying that might happen. So here's some ways to lay down a trap where the hacker thinks they're getting access to the admin credentials, but in fact what they're really doing is revealing their presence to the network administrator, who can then perhaps pursue that or handover information to law enforcement. So very interesting talks about not just circumventing security, but
how to improve security. In fact, almost all the discussions ultimately revolve around the fact that vulnerabilities aren't necessarily there for you to explore, eight they are there for you to examine, to learn from, and then to patch. So a lot of interesting approaches. Although the people who attend def con can sometimes seem like they're on the other side of the law, and often they are people who want to protect their identities and their security, and so
they'll go to great pains to do that. And to some people that might seem like it's an admission of guilt, but in fact that's not necessarily the case. Other recent talks have looked at security vulnerabilities and shortcomings and autonomous and connected cars. Chris Valisek and Charlie Miller showed that they could compromise a jeep and connect to its systems from miles away using a laptop computer connected to the internet. They could even cut the brakes or the transmission from
their laptop pretty easily. Another presenter did a talk about how air traffic control systems work and pointed out some serious concerns and security vulnerabilities, and he did this be us. There was no easy way to communicate to anyone appropriate about the concerns. It's not like he could just pick up the phone and talk to air traffic control and say, hey, I noticed that this is how you are using your systems.
Did you know that it could be manipulated in a way that could cause catastrophic results if you aren't able to address this issue. So he had to talk about it, which got a lot of attention and got people talking to him, and he said, well, that was my whole purpose. It wasn't too give people the keys to the air traffic control system. It was to alert the world to the presence of these vulnerabilities so that those vulnerabilities could be patched. There's um they're They're not meant to be
something to inspire terror in people. They're not meant to make people scared to use technology, but just raise awareness of those gaps in security so that experts can close those gaps and we create better systems further down the road as a pun, because we were just talking about cars and planes and travel, so down the road anyway.
There's also tracks of programming for kids. People have been bringing their kids to def Con over the past several years, and now the kids themselves have actual programming tracks they can follow. Uh. A lot of the same speakers who will talk to the adults will come and do presentations for the kids. And according to all the videos I saw, the speakers love it because kids pay attention and they
want to know how things work. They have interesting questions, sometimes ones that people don't anticipate that lead to amazing discoveries down the line, and the kids get to learn how to do cool skills like soldering, or some scary skills like luck picking or programming, and lots of other stuff.
Def Con celebrates hacking in its many forms, so you'll find lots of talks about coding, security, security vulnerabilities, how to make sure you don't end up a victim of security vulnerabilities, including which software packages you probably want to avoid, ways you can improve your Internet browsing behaviors to minimize the risk of someone sniffing out what you are doing or trying to take advantage of you in some way. There are also tons of contests and games that take
place over the weekend. Some of them are getting really, really, really clever. For example, at Defcon twenty, the convention held an intrusion challenge, so teams of three could compete, and the challenge simulated a physical break in of a locked office space and required teams to document evidence and try to return everything to its original place so that their presence wouldn't be detected. You also had to unlock a smartphone and get information off hit And then there was
the computer. The computer had some forms of protection on it like password protection, but more than that, it had information stored on it that would disappear if the computer
were to lose power. So there was a bonus element of stealing the computer without having the power cut to the machine, which would require using government level spy a agency stuff where you could cut a power chord, splice it to another power source in such a way that the power supply is never interrupted, and then you could put the computer on a cart and cart it out.
But it requires you to actually physically cut the power chord that goes to the computer and do it in such a way that you never break the connection entirely, so that you can actually move the computer with its still powered on, and that way you could retrieve the information that's on that computer, but otherwise we'd be lost if the power went out. It's really cool and it's
fun to watch those sort of things. Uh, and again it gets you thinking into the different types of security you need to put in place if you want your information to be secure, not just the computer systems, but the physical locks that you use things like that. It's important to know how it all works so that you can make sure you create the most secure system to
protect your data and other equipment. So all told, this competition required you to pick a lock, get access to an office, photograph some documents, access a phone, and steal a power down computer without turning its power off, which was pretty intense. Another popular game at Defcon, In fact, one of the most defining experiences at def Con is
ct F, which stands for Capture the Flag. Now, in a traditional capture the Flag game, teams compete to try and steal a competing team's flag and return it to their own home base, while simultaneously protecting their own flags from being stolen by the other team. But DevCon changes things up a bit. You have multiple teams playing, and your team has a computer on a network, and all the other competing teams have their computers on a network.
On each computer is some piece of data that represents a flag, So this is the information on your computer that other people are trying to steal. Your opposing teams have those same sort of flags on their computers on that network, So everyone's trying to secure other teams flags while protecting their own flag from being taken by other teams, and the administrators have had to come up with rules to help prevent teams from circumventing criteria for play, such
as taking a computer completely offline the network. I mean that kind of is unfair because you have to be on the network in order to participate. So people have come up with creative ways to meet these criteria, and every year the administrators have to kind of tweak the rules a little bit so that people don't just find creative workarounds and they are actually actively trying to play
the game as it was intended to be played. However, that being said, finding workarounds is really what hacking is all about. So it can it can. It might work once and you get rewarded, and then later on it gets written out of the options that you have. Uh,
the next time they do a CTF. At the twenty six team def Con and AI played in the CTF for the first time ever, so and un chaperoned art actual intelligent program participated in the CTF and for a while it would pull ahead of some of the human teams, but by the end of the game it actually placed last in the competition, So we don't have to worry about the computer hackers actual like computer hackers just yet. Then there's the crash and Compile drinking game competition in
which competitors are given a task. Typically it's to create a program that will take certain types of input and produce certain types of output, which is only normal. That's a normal programming you know, assignment. You might have a programming course and it says you need to build a program that's gonna take this input. You run it through the program, you get that output. Build a program that
does that. But in Crashing compile, it's a drinking game, so there are all these rules that come into play. If you try to compile your code and that doesn't work, you have to take a drink. If the code works but it's unstable and it crashes, you've got to take a drink. If it's stable but it's not producing the right output, you how to take a drink. And obviously the less careful you are, the more mistakes you make.
The more you have to drink, and the more likely you'll make even more mistakes due to that influence of drink. Perhaps my favorite of all the challenges is a different
kind of drinking game. It's the Beverage Cooling Contraption Contest or b C c C. This is a competition that took its inspiration from an episode of MythBusters in which the team on MythBusters were trying to come up with ways to quickly cool cans of beer to what was determined to be the ideal temperature for drinking, which on the show was thirty eight degrees fahrenheit or three point
three three degrees celsius. Teams of up to three people can compete in this competition to create an air temperature beverage in the quickest and most creative way possible. They are not allowed to use any commercial appliances in their efforts, and the contraptions have to be designed and built by the team, so they can't just buy something and use that. The team with the fastest time to cool their beverage to the proper temperature wins. Points are deducted for fouls.
So if your methodology creates a beer or other drink, whatever drink they're using at that time, that has a metallic taste to it, like, if it alters the taste of the drink, you get points taken off. If it makes the drink go flat, you get points taken off. If you spill drink, you get points taken off. That sort of thing. Other contests are equally cheeky. There's a counterfeit badge contest. In recent years, the badges have been electronic.
They've been circuit boards that actually do something, and they have USB ports and you can connect them to computers and you can actually hack the badges if you want, and do interesting things with them. So one thing that people try to do is they'll try and spoof a badge. They'll try and create a copy of the badge and create a counterfeit one. Jeff Moss has actually said that if you're good enough to hack a badge and fool security, you probably belong at deaf Con and you should be
able to attend without forking over the participation fee. Of course, you're probably spending more time and effort building your version of the badge then they did designing the badge in the first place, and in a way that kind of
shows your own level of dedication. Other contests include things like forensics puzzles as in computer forensics and network forensics puzzles, and scavenger hunts, which can get absolutely insane, and nearly all the contests test attendees knowledge and skill encoding or hacking in some way While winning a contest will get you a claim, landing on the Wall of Sheep will mean you're an example of someone practicing poor security behaviors.
The Wall of Sheep is a display that lists logins and the first part of passwords that have been harvested off of the Defcon network, and it illustrates how many authentication technologies on the web use clear text authentication rather than a more secure method. Clear text authentication is terrible. You don't want passwords stored in clear text, you want that encrypted. So if you're using services that have unencrypted clear text passwords stored in them, then your password is
gonna get posted up on the Wall of Sheep. Typically, they only post the very beginning of the password. The rest of it will be asterisks out. But if your word is a plain English word, people might be able to guess it just from the letters that are showing. So this is a way of demonstrating, hey, you're using
some bad stuff and you should probably change that. Speaking of secure methods, the only way you can attend def Con is to show up at the door with your cash in hand in order to purchase the badge, or
you have to create a spoofed badge that can fool security. Now, Defcon does not accept any form of payment other than cash at the door, and this helps keep those transactions away from prying eyes, such as any agencies that might have an interest in identifying people who are particularly least skilled at let's say, intrusion attacks against secure systems, and everyone apart from official convention staff and guest speakers, will
pay full price to get in, including the media. So Jeff Moss has actually said that one of the purposes of this is that if def Con has ever hit with a lawsuit to hand over the list of attendees, they can't because there's no record apart from just cash transactions which don't have any paper trail to them other than there's a badge and there was cash given for it. There's no name associated with that, no credit card, no location. So that's one of the reasons Jeff Moss insists on
doing cash only. And while the cost might be a couple hundred dollars to get in, you're really getting into a bunch of different conferences, all related to information security and hacking and programming. There are tons of different projects and tracks that you can follow, and lots of different activities you can participate in. For example, if you ever wanted to learn how to pick locks, you can head over to lock pick Village at def Con and get
a lesson. Within five to ten minutes, you might be picking locks. You can practice your skills on various types of locks. You can learn how they work and how they're vulnerable. And again this isn't so that you can become a cat burglar extraordinaire, but rather understand how secure these locks actually are. So if a lock is fiendishly difficult to pick, that's a darn fine lock and one you might want to use for yourself. You might want
to use that to secure your belongings. But if you find a lock that you're able to get in in less than five minutes with bare minimum training, that's probably not the best lock to use. So in a way, it's kind of a consumer service learning which locks are really the most reliable, because you can bet the bad guys already know this, that's what they look for, So learning it and then putting that information to use is actually a good thing because it means that you're keeping
stuff safe. The conference and its attendees haven't been connected to some stuff that goes beyond pranks and mischief, maybe some stuff that crosses over into illegal territory. Mostly the attendees, not really the conference. The conference does try very hard to distance itself from anything that is outright illegal. Most of the stuff that they encourage is more on the
mischief side of things. But some people have decided that while they're attending def Con they want to try and show off and shut down maybe a computer system belonging to a particularly powerful company or organization. And some of that is for bragging rights. Uh. Some of that is because a lot of the attendees have kind of an anarchist ethos that they subscribe to, but not everybody does. It's not like it's just a convention filled with people
trying to watch the world burn. There are some interesting stuff, like I love that there's a competition to take a box that has a lot of tamper proof materials inside of it, and your job is to access all of those materials in that tamper proof system and then return them so that it looks like you haven't tampered with it at all. It requires a lot of creative thinking and using different skills if you want to actually be
able to get into that stuff without being found out. Now, there's a ton of other things that go on over at def Con and interesting stories that come out of it, but I think the best way to learn about it is to talk to someone who has been there. So when we come back, I'm gonna have a little conversation with my friend Shannon Morris. We'll talk about her experiences of attending def Con. But we'll talk about that in just a second after we take this quick break to
thank our sponsor guys. I am so pleased we are joined by Shannon Morris, a good friend of mine. She's been on the show a few times and she has generously agreed to dedicate some of her precious time to talking with us about def Con. Shannon, Welcome back to Tech Stuff. Hi, how are you doing, Jonathan? I'm great. I'm so happy that you are here. So to catch you up, Shannon. What has happened previously? On text I
recorded an episode about the history of def Con. But I told all my listeners I have not ever actually been to a deaf Con. However, you have been to a couple. How many deaf cons have you attended? Almost ten? The first year I went, I believe was in two thousand eight and I never stopped going, So come next year,
it'll be a decade awesome. So, as someone who has actually attended def con, can you can you tell me in your own words, how would you describe the convention to someone who has only heard the name but has no real idea of what it's all about. So I would say def Con is it's the largest hacker con in the United States. But it's not only hackers that go. Sometimes it's government people, sometimes it's hackers uh, and sometimes it's the kids that the hackers have had that will
also go to the convention. So a lot of people go to this convention in Las Vegas every single year, uh in the summertime, and we lovingly refer to it as hashtag hacker summer camp because it is always it always feels like it's a big family get together. There's lots of hugs, there's a lot of get togethers after the convention hours, like at restaurants and stuff like that just to hang out. UH. And it's also a big party.
There's a lot of partying. There's a lot of booze for the people that can legally drink UH and there's a lot of really good time. So it's it's become a really big part of my life in the fact that a lot of my very close friends, some of which that went to my wedding, even I met at def Con. So it's it's a big part of my life. So what would it be like like walk people through? I know that there's not really a typical def Con experience, as most conventions tend to change quite a bit from
year to year. They do this because they don't want to remain static and just be known for the same thing. But if you were attending def Con, what are the sort of things you would be going to? Like do you get do you go to any of the presentations for example? So for me, Um, I'm not your normal convention goer. I always go as either either press or as a vendor. Uh so I usually get my badge ahead of time. I pay for my badge ahead of time.
But for an attendee, what you have to do is show up on the first day, stand in a really really long line, and pay in cash because they don't accept any credit cards and that's for the hacker anonymity. But once you get there, you just stand in line you pay. I think this year was like two hundred dollars in cash or something like that, and then you
get your badge and you're good to go. Um. There are talks, there are the vendor the vendor hall, of course, and then there's also a whole bunch of different rooms that you can hang out and called villages. Um. Each of these villages kind of focuses on a hacker specialty, whether that is WiFi hacking or car hacking. There's a lock picking village. There's even a village that is just
for kids. So you can pretty much find whatever you are interested in, as long as it has to do with breaking things and then making them work again, which is kind of the epitome of being a hacker, right, And I'm glad you brought that up, because, as I mentioned in the podcast section where I was chatting about this whole concept, the term hacker has been misused dramatically over the past twenty thirty years, and it's been the definition has been too narrow for the common definition, because
of course, hacker originally meant people who, as you say, like to take things apart, see how they work, put them back together, maybe tweak them so they do something they weren't intended to do in the first place, or maybe do it differently, or perhaps even do it better than it had been doing before. But it didn't necessarily have this connotation that it tends to have in popular media, which is a person who specializes in uh, penetrating a
secure system and then exploiting it in some way. Yeah. Absolutely, I think a lot of and I know we've talked about this before, but I think a lot of the hacker name in the biased against it comes from Hollywood, like the Hollywood core movies and TV shows that we have seen in the eighties and nineties that have made us think like, oh, hackers are really bad people, like there is no way you could be a good hacker. But that's actually not true of all of the hackers
I know. I don't know anybody that does something illegal. All of them work as a penetration tester, as a professional who goes in with a contract to a company and then breaks into their network under that contract to make sure that it is safe. Because if you don't take the time to find the vulnerabilities, you won't know how to secure yourself in the future. So hackers for me are the good guys. And I think um a lot of our community and lot of the people out
in the world who don't really understand hackers. What they need to relate to is the fact that hackers are good people who come in and make sure your stuff is safe. Because there are bad guys out there, but I don't refer to them as hackers. I refer to
them as criminals, right right. And I'm glad you mentioned that too, because we've seen in the past a lot of different def Con presentations, for example, have focused on vulnerabilities, and it becomes clear that the presenter has said, you know, in multiple instances of this that I tried to reach out there was either no one to reach out to or no one would listen to me about this vulnerability.
And so in order to force the issue, I am going to bring this forward to everybody because because trust me, if I don't talk about it, it just means the people who are aware of it are going to exploit it. If I talk about it, then it forces the hand of whatever entity to patch that vulnerability or address it in some way, because secrecy only helps the criminals, it doesn't help like the The The assumption is that if I talk about this thing, I've opened up the floodgates
and everyone can exploit it. Trust me, the criminals know already, they're just not talking about it. Yeah, exactly a lot of times you'll see these hawks that are exactly just that. Um At Defcon, somebody will bring up a presentation and turn in a call for paper paper to the def Con committee, and they'll either accept it or deny it.
And when they show up at the convention and give their talk, that's generally a very important disclaimer to say is, hey, I reached out to this company two or three times, I gave them six months to fix it. It has not been fixed. Or maybe on the other hand, they could say I reached out to the company, this has already been fixed, but this is what I found and this is why you need to update. For example, if there is a smartphone vulnerability, they might say this has
already been released by the operating systems smartphone manufacture. Uh, so this is very important for you to make sure that you are updating on your own personal devices or something around that. But basically they'll go in, they'll give this disclaimer and then hopefully the company won't go after them. After that fact, because since they can prove that they've already reached out to this company, they have that that
they can fall back on. So there's unfortunately, there's a lot of uh legal issues when it comes to what information you can release, and a lot of it comes down to you, how is the company actually dealing with these things behind the scenes, Like what do what kind of policies do they have in place for their own devices? Wow? Yeah, I mean it's to me, it's fascinating to take that into consideration, the idea that uh, this this this group
that has this reputation. Mostly I think because a lot of the people over at Defcon also have kind of a mischievous streak. So there's a lot of Yeah, there's a lot of mischief making. I'm gonna ask you about that in a minute. Uh, but there's a lot of mischief making that goes on at the convention. It's largely because you know, once you know how something works, it's a lot of fun to show that off to other people and sometimes show how it could potentially be misused.
Not in a way of like maliciously trying to promote that misuse, but rather say, like, look at this crazy thing I found and uh, this should not exist or or the fact that this exists delights me, but however we should probably address it. But it is interesting to also know that, you know, there's this very cognizant approach to what can and cannot be said. So that's so, that's so that it's all done in it and as as responsible away as possible. I mean, there is definitely
a tongue in cheek kind of approach. I mean the thing that the convention is called def Con, and it largely is because of the movie War Games, which is one of those Hollywood films that has created this image of the hacker that although I would you the War Games hacker was more mischievous than anything else. Uh that uh,
that has continued to be perpetuated in media. Uh So let me ask you this, like, as a vendor, I understand that it's a pretty small number of vendors in the grand scheme of things that tend to be invited to def Con. Isn't it one of those things where every single vendor must be approved before they can actually uh show up and set up a table. That's correct, Yeah,
you have to be approved as a vendor. You ask you also have to pay a fee for that table, which is why you know, we we generally choose to go to def Con and not the smaller cons because since uh, yes, we do have to pay a rather expensive fee, but we also have a very large audience that is coming to purchased equipment from us, it ends up offsetting the cost, so it ends up working out pretty well. Um, but as a vendor, each and everyone has to apply. You don't get invited every year anything
like that. So even the Hack five has been going for ten years, Hack five is the company that I work with, We've never been invited. We've always had to apply. And with that application, you know, you go through all the business e jargon, but you also have to say like, hey, this is why I think we should go to the convention, and this is what we think that we can bring to it. In Hack five's case, we are filling this void of giving giving the hacker community something that is
very introductory. A lot of the community basis on very expertise related information that may already assume that you already know the foundational information that you need to use equipment. So we came in and we were like, hey, we need to introduce something that gives beginners a way to understand how to use not only to the devices that we use, but also understand the fundamentals of why these devices were built. Uh so, and that's one of the
reasons why we also do podcasts. But the vendors come in, we all build our own boot so nobody builds them for us. Of course, if you want to hang anything, there's the the unions in Las Vegas that will do that for you. But we set up our own boots
and we sell our equipment throughout the weekend. One big thing that vendors have noticed in recent years is even though the convention itself only accepts cash at the door, a lot more people that are coming as guests or attendees are paying with credit card, which is the strangest thing given that it's a hacker con and the general consensus is you do not want to use your credit card whenever you are at the convention, but people still do.
And I think it's because since we as vendors are part of the community, they trust us not to take advantage of that. And we are using third parties, you know,
we're using Square, we're using Shopify or whatever. The company might be that you choose to use at the convention, so they know that their information is um encrypted and it's safe with that third party, and we don't actually even see anything except for the physical card, right, So you can't if you were for some reason, let's say, a shadowy government agency or command commanding you to hand
over those customer transactions. All you would have is just the fact that well, we've got I can't give you any more data than this. This is not I know that. That's like the purpose behind cash only at the door for the conventions that we aren't. We can't hand hand over the people who are here because it's all a
cash based transaction. So you've either paid cash or you've somehow managed to perfectly spoof the badge for that year, which, as the founder of Deacon has said, like if you can do it, then you probably deserve to be here.
Oh yeah, there's a whole bunch of contests that happened at def Conto, and that's one of them where people make their own badges to see who can make the best one, and generally they'll either win something that's not necessarily like a totally recorded contest, but you know, they might go up to one of the goons that work at Defcon and be like, hey, check out my badge, and they might you know, end up giving them a prize. There's a lot of really cool contests. There's a lot
of cool villages. There's the vendors, the talks um, There's a lot of really interesting things that happen at Defcon. There's also conventions that happen during dev Con in Vegas, which is part of the reason why we call it Hackers Summer Camp, because the whole community is getting a lot more aware of being inclusive to minorities, to women too, people that aren't necessarily you know, the norm that you
would see at Defcon. So for example, we're starting to see um last I think in the last several years, there's been Queer Con, which is for the l g B t Q community. It's a big suite, it's a convention. They also have their own pool party that people can go to and everybody's invited. Of course. Uh, there's a bunch of women's sweet setup that are very that generally talked about inclusiveness for women. And there's you know, the kids convention to the kids villages, so kids are invited.
It's not necessarily just like the twenty one upcrowd that we've seen in the past. So it's becoming a much larger convention. It's becoming a lot more friendly to people that didn't necessarily uh know that they could go or feel safe at the convention. And I think that's a really positive effort that def con and the other conventions that happen in Vegas are trying to do. Yeah, I
like that a lot. I like I like the fact that, you know, because the general perception, more frequently than not, I think of of what the stereotypical hacker is is they tend to be twenty something to maybe early thirty something. More frequently than not, they're portrayed as white, and they're
almost always male. And so to see that this convention is actively or even just encouraging the participation of other groups that don't fall into those categories and is acknowledging, Hey, you know, there are people who are not falling into the stereotypical view of what a hacker is supposed to be, who have valid opinions, They have contributions to make to the community, They have great ideas that we should listen to. Is really encouraging, because you know, we we want to.
I've always been one of those people who championed the idea of more inclusiveness with any sort of stem kind of approach, and that includes hacking, and I'm pleased to see that there are people who have taken up that banner and they have really pushed it, especially over the last few years. I was looking into some of the stuff about the children's village, like you pointed out, and I think it's fantastic that they book some of the same speakers who give the big presentations to the entire con.
They'll come in and they'll do a session with the kids, and I think that's amazing. You know that you're getting these people, some of whom have national reputations in the form of information security, coming in and talking to kids on their level, like not talking down to them, because kids are way smarter than we give them credit for, and they pick up on this stuff way faster than old fogies. Me um, it's great to see that. So
I find that really interesting. I am somewhat sad Shannon that that your first your first def con was two thousand eight, because it means I cannot ask you about the legendary by gone days of the Alexis Park. I've heard stories the last Alexis Park def Con took place in two thousand five, so those days were over by the time you came in. However, you have been there since.
They've changed locations a few times. It started off at the Riviera Hotel, and then it was at the Rio, and then at Paris and Valleys, and now I think the most recent one was at Caesar's Palace, and it will be at Caesar's Palace again next year as well. So with those changes in location, have you noticed any other like subsequent changes in the con itself or is it just one of those things where it's just gotten
bigger with each change in venue. Um, it's mostly just been getting bigger and bigger with the changes of venue, and I think that's the main reason. Although given some of the strange things that happened at the hotels, they could change those hotels because of something else, Tangent Assigne. More on that later, but yeah, it's It's one of the really strange things about Defcon is the fact that
they do change hotels every two to three to four years. Uh, And I don't know why that is necessarily because I'm not on the board, but I can make my own personal assumptions based on what I've seen. You know, first of all, there's always i mean one, when you're ever, you're doing events, planning for a big event, there's always long term contract type stuff that you have to look at.
So there's that. So some of it could very well be that it's just oh, we were only able to secure that location for two years and we knew it was going to be a transition. Sometimes it might be oh, this hotel wasn't so pleased when it found out all the elevator buttons were rewired to the wrong floor. Yeah, So on that fact um, there have been many different things that happen at dev Con, and it doesn't matter which hotel is at there are always these funny little
pranks that get pulled all around the hotel. It could be anything from the hotel elevators getting switched up like that. It could be them getting stopped in the middle of two floors. Uh. It could be a great example as Caesar's Palace this year is they have a food court, and the food court all of the different restaurants give out those little wireless handset things. Uh, those little square boxes that vibrate whenever your food is ready. They all
run on the same frequency. And of course, since you have a bunch of hackers at Caesar's Palace, if they find out everything runs on the same frequency and they can recreate that pattern to make all of the devices vibrate and go off at the same time, they will do it, and then everybody's sitting in that food court will stand up all at the same time expecting their
food to be ready. Wow. Um, I've seen another example here in Caesar's Palace this year was Uh, there are a whole bunch of statues that are supposed to be like Roman, you know, the Roman gods, Roman, all the different beings from histories past. And they're like animatronic, aren't they. Um. There are some animatronic ones in one of the shopping centers, and then a lot of the other ones are just like made out of really nice stone and they're in
the middle of walking areas. They're very easy to get up to. And Google eyes are a really big thing at def Con, so you will find all of these statues by the end of the convention weekend. With Google's
Google eyes on them, and it is the funniest thing. Luckily, I think Caesar's Palace was really dealing with it kind of humorously because they left a lot of those things on even after the janitorial staff went through in the middle of the night, So I think that they were taking it with like a good positive appeal, like, hey, this is a part of the hacker community, this is
def con, Like, this is what we were expecting. So we're just going to leave those up for the weekend and let y'all have your fun as long as you do follow follow the rule of MPD no permanent damage. Yes, no permanent damage. So luckily Google eyes don't cause permanent damage. Um. I don't like it when the elevators get messed with because I'm an old lady and I like to go to sleep at night and not get stuck in an elevator,
which has happened before. But it also comes with the territory, so I understand that if I'm going to def con, those things will happen. Well, if you were if you were talking to someone who was possibly thinking about going to def con, what is what is your pitch and convincing that person to say, like you know what, Yeah, this is something that you should try. If you're interested in it, you should give it a go. What would
you tell that person? So, I would say that def Con is unlike any of the other hacker cons that I've been to. All of the local conventions are much smaller, which also have a huge deal of appeal. But if you really want to see the uh the prankster def Con, if you want to see the family get together, the Hacker summer camp, if you want to get that huge deal of inspiration throughout the weekend from all of the different villages uh, and if you want to feel included.
Defcon has a code of Contact, which means that they are very very inclusive, and if anything happens there, you can report it and know that you'll be okay. UM. Def Con is the one place that I go every year, and I just love going, even though at the end of the week my voice is shot, even though I am tired, and sometimes I come home with the con flu which will generally happen if you go to Vegas
and you don't drink enough water because it's a desert. Um. It's it's the one place that I can go and feel like I'm not only included, even as a woman in a very even though I'm considered a minority in the hacker genre, even as a woman, I can go there and I feel included and I feel real embraced in that community. But it's it's friendly, it's fun, and it's big. It's huge. So if you're looking for a party, it's also a very good time. If you're looking for a job, it's a great place to go as well.
Oh yeah, fantastic uh networking opportunity in more ways than one. Now I also have to ask, but this will kind of be our sign off because I talked about in the actual podcast, But I want to hear what your thoughts are and perhaps just the sort of the general uh conception of the Wall of Sheep. Um. Yes, so the Wall of Sheep is hilarious. I think it is a great way to spread awareness of the fact that
wireless is not necessarily safe. It is very vulnerable, especially to people that go to the convention and forget to turn wireless off on their devices. Um. I've never been on the Wall of Sheep, so I can't tell you from experience it is how it feels to be on the wall of sheep, but I would probably be embarrassed if I showed up on there, but I would take it as a learning experience. If if I was to show up on there, I would be like, Okay, how
did this happen? And I would want to learn so that that would never happen to me again in the future, and I could take that into the real world and know that I am safe with my own devices. Right again. More, while you might have suffer a little bit of embarrassment in the short term as you appear on a wall, the lesson you learn is more valuable because again, the criminals aren't going to alert you that you are sharing
any information. They're going to be using that. So it's better for you to be aware of it and be able to prevent that from happening than to be unaware of it and then just be taken advantage of perpetually. So absolutely I see it. I see it as a valuable service, even though I know that I would be paranoid the entire time that was going to show up. Do you take do you take a burner phone with you? I used to um I I stopped doing the burner phone just out of pure laziness the past few years,
which is very bad. You should take a burner phone with you. I am not the norm, but there are a few things that I would recommend to people that are going just for their own security and privacy because it is a very target rich environment. I would say, if you can take a burner phone, UH, if you can erase all the data off that burner phone, any personal data, and don't log into like your bank, for example,
while you are at the convention on that phone. UM. I would also recommend keeping NFC, Bluetooth, and wireless turned off the entire time, because there are hacks for all of those uh. And if you want to on sites like Amazon, there's these really cool things called Faraday bags,
and I bought one myself and it works great. I've tested it, and Faraday bags will If you put your smartphone inside of a Faraday bag, the Faraday bag will stop any kind of UH wireless frequencies from coming into the bag and coming onto your device, so it'll protect your device from anything out there that might be trying
to attack the devices in the wild. I would also recommend water because it is Vegas, really good tennis shoes because any hotel you go to that def Con is in Ore, You'll you will be walking very very far uh and get lots of sleep and make sure to take a shower, just like any other convention. Yep. Personal hygiene does not stop just because the convention has started. No, it does not. Hand sanitizer not a bad idea, or at least washing your hands frequently, not a bad idea
at any of these sort of conventions. I've been the champion of that at c e S so many years running, especially at a place like CES, because you're just handling your handling stuff that so many other people have handled, Yes, exactly, but valuable tips and take advantage of the learning experience to make sure that you get out there and you ask questions. Because the people that go to def Con and have vendor booze have villages that they running there
there to answer your questions. I believe that no question is a stupid question. If you are a beginner, you come up to me and you ask a question. If I don't think that my product that I'm selling at my vendor booth is correct for you, I've I've done this in the past. I will lead you out of my booth and take you to the bookstore where you can pick up a book that teaches you all the fundamentals and the theory behind the products that we sell.
So I I highly recommend that if you're a beginner, to go to these conventions, especially def COM, because the learning experience that you'll you will get there and the networking that you'll get is like no other You can't get that same kind of experience online. Yeah. And and in my now I've not been to death count, but in my experience talking with people who do this sort of stuff, they get they get a thrill out of being able to talk about and explain it to other people.
They they enjoy sharing that knowledge. It's not like they're hoarding knowledge and they don't want other people to have it. So in fact, I often see it as the act opposite, Like people learn something cool and they immediately want to share it with other folks so that they also know
how to do it. So yeah, So that to me is something that is really a valuable thing to take away, is that these are folks who really want to share that experience and to explain and to teach and to have that knowledge expand beyond just their own circle, So definitely. You know, Defcon is not like a participant not not
like a spectator sport. You know, it's fully participatory. And the more I heard this more and more every time I was watching any video about it or anything, everyone was saying the more you participate, the more you get out of it, and that it's it's an environment that encourages participation. And you know, I'm sure that you've you've had a chance to practice all sorts of skills that you didn't necessarily go into, you know, with any uh
real affinity for at the beginning. Like I mean, it wouldn't surprise me at all to learn that you have started to really get good at picking locks. Yeah, that's actually a thing that I was going to mention. I started picking locks at def Con, and I didn't know that I was that it was a skill that I had naturally until I started doing it, And I wouldn't
have done it if I hadn't gone to Defcon. But now I have that skill that I could use for more security awareness, like even on my own house, I can make sure that my house isn't you know, luck pickable, for example. But you you do learn skills there, you get to. You get to meet a lot of really amazing people and it's a great experience all around. Um, even if you go on your own there's some really awesome people that you can meet there. Shannon Morrise, thank
you so much for joining our show. Please tell people where they can find all the stuff what you do. Uh So, you can follow me on Twitter, I'm snubs S and U b S. That is where I post most frequently, and I can also answer any questions that you have about def Con as well over there. If you are interested in the podcast that I do, you can check out all of those over at h K five dot org o r G and hack five is also the place where I do all of my own teachings.
So if you have questions about the hacker community, or if you're interested in pent testing as a profession, definitely check out our podcast there because we go through not only the fundamentals, but also the theory and sometimes some expert advice as well. Awesome, it was a pleasure having you back on the show. I'll make sure to have you on again before too long. Thank you guys. That is the history of def Con. This was a really interesting subject for me to look into. I was completely
in the dark ha ha about this convention. I had only had some idea of what was going on, and the more I looked into it, the more I realized that a lot of those notions were based on misinformation. And again, big thanks to Shannon Morris for jumping on here and giving me the first person perspective of what it's like to go to one of these conventions. It
sounds like it would be really fascinating. I know I would be completely out of my element where I to attend, and yet I feel like I gotta make an effort to go at least one year and experience this just as an attendee and to learn and to to see that community and to experience this for myself. If you guys have suggestions for future topics of tech stuff, please
let me know. You can send me an email that addresses tech stuff at how stuff works dot com, or you can always drop me a line on Facebook or Twitter. The handle for both of those is text stuff hs W. Remember you can watch me record episodes live on twitch dot tv slash text Stuff. I record on Wednesdays and Friday's. Just pop over to that U r L and you'll be able to see the schedule there, and I'll talk to you again really soon for more on this and
thousands of other topics. Is it how stuff Works? Dot com