Ever since taking an interest in Linux, with the specific aim of better understanding and enhancing my personal digital security, I have been fascinated by hacker conferences. As soon as I learned of their existence, I made a point of keeping tabs on the major conferences so I could browse through the latest videos in their archive once each one wraps up.
I thought that was the closest I would get to such an event, but a couple of weeks ago, I had the chance to attend one for the first time: Chicago’s THOTCON. While I’m definitely still swimming in all the experiences I had, I wanted to share a few of my observations and insights.
At this point I can practically hear you asking, “Wait, you said hacker conference? For security?” So, before I go on, I should explain a bit about the interrelationship between hacking and security.
Ebony and Ivory?
The information security, or InfoSec, field is built on hacking. Without the latter, the former would be both impossible and pointless. This is because there are two sides to hacking. The more sensationalized of the two, often called “black hat” hacking, refers to malicious actors breaching a system without authorization either for personal gain or just to cause mayhem.
The far more common variety of hacking is “white hat” hacking, often more formally known as “penetration testing,” in which experienced, professional hackers are hired by a company to hack it, without inflicting any permanent damage, in order to audit the company’s security.
Obviously, there would be no need for white hat hackers if there were no black hat hackers, but because the ranks of the white hats far outnumber the black hats, we are able to enjoy what computers and the Internet have to offer in relative security.
The other reason these two approaches are related is that they depend on each other. In order for the white hats to fend off the black hats, they need to understand the tactics of the black hats. Correspondingly, the black hats can operate only where the white hats have yet to probe. It’s a perpetual cat-and-mouse game, but it’s one we have to play in order to make use of the modern Internet.
So what happens at a hacker conference? As I found out, quite a lot. Mainly, though, leading figures in the hacking/security community give presentations on their latest research so that attendees can hone their craft. Like at any professional gathering, there’s also a lot of networking (literally as well as figuratively).
That might sound boring, but I can tell you from experience that it’s anything but! The professionals, both presenting and attending, are at the leading edge of a field which — as the recent global ransomware attack demonstrated — affects all of us every day.
A Whole New World
As I said, there was a lot to take in, but here are some of the aspects of the hacker con experience that made an impression on me for one reason or another.
The most immediate aspect that stood out to me was the sheer amount of stimulation to be found there. In addition to a choice of three simultaneously scheduled talks to attend at any given time, attendees had the option of touring an exhibition room full of vendors, participating in a lockpicking tutorial, socializing at a full bar (open from 10 a.m.), or — last but not least — taking part in a con-wide scavenger hunt that included debugging the conference badge and deciphering hidden messages scattered throughout the area.
In short, there was so much to choose from that it was overstimulating, but in a good way. Everywhere I looked, there was something new to take in, and that’s exactly why we were all there.
Another thing that impressed me was the considerable range in the topics of the talks themselves. In just the presentations I saw, I heard speakers delve into everything from current vulnerabilities in Internet of Things devices to the philosophy of red team testing; from evaluating your ideas and models by attacking them from the outside to how the military is training soldiers to conduct hacking operations in open, state-on-state warfare.
Some of the talks may not have been directly applicable to me, but many of them were — and all of them expanded my understanding and appreciation for the work of the InfoSec community. Specifically, the conference gave me a sense of what goes into the pipeline between Internet services and my computer, providing a more holistic look at security than simply locking down my system.
Less surprising, but still great to see, was the fact that there was so much Linux at the con! It’s only natural that Linux, an operating system that lets you infinitely tweak and fine-tune your system, would be popular among the tinkerers that are hackers. The configurability and openness of Linux lend themselves well to hacking, as hackers can wield exactly the right tool for the job.
Far and away the favorite OS for hacking is Kali Linux, a distribution armed to the teeth with network monitoring, forensics and injection tools. Because hackers have a way of, shall we say, “challenging” each other when assembled at an event like THOTCON, Linux is often a preferred choice for ensuring access to a computer to participate in the many puzzles and challenges offered.
One of the most encouraging things I encountered at the conference was an approachable and open-minded attitude among the conference-goers. People there were extremely open to sharing their knowledge and expertise with others, no matter what your experience level. Everyone I met there had something to teach and something to learn. There wasn’t a conversation I participated in that didn’t involve everyone leaving better off.
Finally, one of the best experiences I had at THOTCON was seeing the hacker community’s very own hip hop act, Dual Core, perform during the after-party. Besides being a treasured cultural artifact from the community, the group’s lyrics are sharp and they are very personable with their fans, so they’re definitely worth checking out.
This is definitely only a taste of the full hacker conference experience, as even I was surprised by how much there was to see and do in spite of my familiarity with the phenomenon. While THOTCON doesn’t record its talks, DEFCON and Hackers on Planet Earth (HOPE) post theirs online, so if my account of my first con has you intrigued, look them up and check them out for yourself.