Hacker Summer Camp recedes into the rearview mirror and the world starts back up again.
Morning standup. Q3 sprint. Follow-ups and circle-backs. But perhaps we’re changed. Perhaps we re-enter the frays in a slightly different way, shedding data of a marginally changed nature. Philosopher and media theorist Marshall McLuhan said that as a species, “We look at the present through a rear-view mirror” in our “march backwards into the future.”
He continued: “Because of the invisibility of any environment during the period of its innovation, man is only conscious of the environment that has preceded it; in other words, an environment becomes fully visible only when it has been superseded by a new environment.”
Does the landscape after BSidesLV, Black Hat, and DEF CON count as a new environment? Could the information gleaned, hands shaken, and drinks shared change us significantly going forward?
For my part, I always emerge from this week in Las Vegas and find my surroundings drawn into sharper relief. Finer lines mark more edges, but they also bring us together in more ways, if we let them. Light sources are brighter, or revealed as so bright they hid now-revealed details, like a message written on the lightbulb only visible in the briefest of moments upon flicking the switch off.
With McLuhan’s observation in mind, that may be my sign that our chaotic week of community each year marks a new environment, superseding the old and making the latter finally visible.
Or perhaps that I just need more sleep this year.
--------
Folks often pose the question: “Which is better, Black Hat or DEF CON?”
The real answer is, “It depends.”
Black Hat starts the week out with everyone fresh and wide-eyed, staring down the barrel of at least six days of scrambling if they attend both conferences. It is to my benefit that we take care of the business end first before the social and sensory overwhelm hits - I’m much more articulate and sociable, moving mountains to meet practitioners, collaborators, and customers. Discussions are more hard-nosed, shorter, and more focused. Metrics rule the day.
That being said, Black Hat is a delight of a different sort. It’s a much more focused and organized entity rather than creeping chaos. Meeting up with other practitioners and talking shop involves a lot less small talk, with a substantial chunk of theory discussion and an even larger space held to talk practice.
Plus, less bare concrete.
One highlight of my Black Hat arrived early; my first briefing was From Prompts to Pwns: Exploiting and Securing AI Agents, presented by NVIDIA AI Red Teamers Rebecca Lynch and Rich Harang. Lynch and Harang began by providing an excellent technical foundation. Points included LLM compromise as enabled by a “universal anti-pattern” that allows for the attacks, as well as agentic autonomy classifications and their relation to both systems architecture and the introduction of nondeterminism into the system. They then pivoted to the practical nature of their red teaming and the realities that informed it. LLM guardrails are mostly just other LLMs performing checks, and so subject to similar attacks. And since these platforms are often crawling the web, the ability to introduce untrusted content spans the entire Internet. Specific technical observables included Cursor rules files, ASCII smuggling, and more. And the idea that malicious actors can more effectively use LLMs to socially engineer the user than other technologies was a brilliant insight.
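ASCII smuggling, one of the observables Lynch and Harang listed, hides text in code points a renderer does not display but a model still reads: most commonly the Unicode Tags block (U+E0020 to U+E007E, which mirror printable ASCII 0x20 to 0x7E) and zero-width characters. The Python below is an added example, not code from the talk or from NVIDIA’s AI Red Team, of a pre-ingestion check a defender can run on crawled content before it reaches an agent: it decodes any tag-encoded run so the hidden text can be logged and reviewed, and strips invisible code points from what is passed on. The sample string, and the encode_as_tags helper used only to build it, are constructed here.

```python
"""Pre-ingestion check for ASCII smuggling in untrusted text (added example, constructed sample)."""
from dataclasses import dataclass

TAG_BASE = 0xE0000          # Unicode "Tags" block: U+E0020..U+E007E mirror ASCII 0x20..0x7E
TAG_CANCEL = 0xE007F        # CANCEL TAG, also invisible
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD}   # common invisible joiners/spaces


def is_invisible(cp: int) -> bool:
    return TAG_BASE <= cp <= TAG_CANCEL or cp in ZERO_WIDTH


@dataclass
class Finding:
    start: int      # index of the first invisible code point in the run
    end: int        # index one past the run
    hidden: str     # ASCII recovered from tag characters in the run ("" if only zero-width chars)


def find_smuggled_text(text: str) -> list[Finding]:
    """Locate runs of invisible code points and decode any tag-encoded ASCII inside them."""
    findings = []
    i, n = 0, len(text)
    while i < n:
        if not is_invisible(ord(text[i])):
            i += 1
            continue
        start, decoded = i, []
        while i < n and is_invisible(ord(text[i])):
            cp = ord(text[i])
            if TAG_BASE + 0x20 <= cp <= TAG_BASE + 0x7E:   # printable ASCII carried in a tag char
                decoded.append(chr(cp - TAG_BASE))
            i += 1
        findings.append(Finding(start, i, "".join(decoded)))
    return findings


def strip_invisible(text: str) -> str:
    """Return the text with tag and zero-width code points removed; this is what should reach the model."""
    return "".join(ch for ch in text if not is_invisible(ord(ch)))


def encode_as_tags(s: str) -> str:
    """Used only to build the constructed sample: map printable ASCII onto the Tags block."""
    return "".join(chr(TAG_BASE + ord(c)) for c in s)


# Constructed sample: a page excerpt with a hidden run between two visible sentences.
SAMPLE = ("Welcome to our pricing page." + encode_as_tags("[hidden instruction test]")
          + " Contact sales for details.")

if __name__ == "__main__":
    for f in find_smuggled_text(SAMPLE):
        print(f"invisible run at {f.start}-{f.end}: {f.hidden!r}")
    print(strip_invisible(SAMPLE))
```

The point of logging the decoded run rather than silently dropping it is detection: a crawled page that carries tag-encoded instructions is itself an indicator worth alerting on, independent of whether the agent would have obeyed them.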
The talk was equal parts funny and grim, and I’m now hungry to see more from NVIDIA’s AI Red Team.
Another highlight came from the venerable Threat Intel team at Infoblox, No Hoodies Here: Organized Crime in AdTech. The talk revolved around long-term and fascinating research into the spam and scam cybercriminal group VexTrio, accompanied by the second post in Infoblox’s blog series on the group (you can find the first post here). Their research laid bare the evolution of VexTrio into an adtech powerhouse of villainy, complete with Instagram photos of their fast cars, lavish meals, and expensive boats. A deep understanding of both the technologies involved and the human behavior behind them emerged through excellent research and storytelling.
--------
DEF CON is, of course, an entirely different animal. It’s about one-tenth the price, and I’d guess at least twice the size of Black Hat. And the chaos only ends where the concrete does too (that’s not hyperbole by the way, the floors are all concrete, bring good shoes and ibuprofen).
Now that DEF CON has moved to a single venue it’s become a little more manageable, and staff learned the ins and outs of the new complex last year and applied those lessons to great effect. Attendance is much more widely spread than at Black Hat, with enthusiasts and other kinds of technologists in attendance.
There’s more swagger, but there’s also more joy; folks assembling under an umbrella of energetic curiosity and irreverence and self-organizing across a number of villages as well as the main stage talks.
We were able, and honored, to show up at DEF CON 33 in a big way, sharing three separate talks in three separate villages.
DNS Scavenger Hunt
Security Advisor Malachi Walker gave an interactive talk at the Blacks in Cyber Village: Following Threat Actors’ Rhythm — to Give Them More Blues. The talk provided indicators to follow around threat actor activity and then engaged the crowd in a DNS-based scavenger hunt from the terminal.
Malware in DNS
Malachi Walker and Senior Security Operations Engineer Ian Campbell spoke on investigative findings in the Malware Village: Plain TXT, Malicious Context: Uncovering DNS Malware. Included were DNS investigation basics, and then several real-world examples of DNS TXT records being used for malware storage and retrieval as well as the step-by-step detection specifics. There’s a bonus round at the end of the slide deck for folks interested in domain mysteries!
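The step-by-step detection specifics live in the slide deck and are not reproduced here. As an added illustration of the kind of triage logic the topic calls for (this is not the speakers’ or DomainTools’ code), the Python below takes a list of (owner name, TXT string) pairs, separates well-known TXT uses (SPF, DKIM, DMARC, site verification) from strings made up entirely of a hex or base64 alphabet, groups sequence-numbered chunks under their parent name, reassembles them in order, and checks the result for an executable file signature. Every record is constructed; the chunked payload is the first 128 bytes of a standard DOS stub header, chosen only because it begins with the MZ magic, and the names use the reserved .test TLD.

```python
"""Heuristic triage of DNS TXT answers for chunked, encoded payloads (added example, constructed data)."""
import base64
import binascii
import re
from collections import defaultdict

# TXT strings that legitimately look like blobs (DKIM keys are base64) but carry a known prefix.
KNOWN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS", b"\x7fELF": "ELF", b"PK\x03\x04": "zip",
                    b"\xcf\xfa\xed\xfe": "Mach-O", b"#!": "script"}


def classify_txt(txt: str) -> str:
    """Return 'known', 'hex', 'base64' or 'text' for one TXT string."""
    body = txt.strip().strip('"')
    if body.lower().startswith(KNOWN_PREFIXES):
        return "known"
    if len(body) >= 32 and len(body) % 2 == 0 and HEX_RE.match(body):
        return "hex"
    if len(body) >= 32 and B64_RE.match(body):
        return "base64"
    return "text"


def decode_chunk(txt: str, kind: str) -> bytes:
    body = txt.strip().strip('"')
    if kind == "hex":
        return bytes.fromhex(body)
    return base64.b64decode(body + "=" * (-len(body) % 4))


def leading_number(name: str):
    """Sequence number when the owner name starts with a numeric label (e.g. 3.cdn.example.test)."""
    m = re.match(r"^(\d+)\.", name)
    return int(m.group(1)) if m else None


def triage(records):
    """records: iterable of (owner_name, txt). Returns a list of findings, one per suspicious name or chunk set."""
    groups = defaultdict(list)
    findings = []
    for name, txt in records:
        kind = classify_txt(txt)
        if kind not in ("hex", "base64"):
            continue
        seq = leading_number(name)
        if seq is None:
            findings.append({"name": name, "verdict": "encoded-blob", "kind": kind})
        else:
            groups[name.split(".", 1)[1]].append((seq, kind, txt))
    for parent, chunks in groups.items():
        chunks.sort()                                   # reassemble in sequence order
        try:
            blob = b"".join(decode_chunk(t, k) for _, k, t in chunks)
        except (ValueError, binascii.Error):
            findings.append({"name": parent, "verdict": "undecodable-chunks", "chunks": len(chunks)})
            continue
        fmt = next((label for magic, label in EXECUTABLE_MAGIC.items() if blob.startswith(magic)), None)
        findings.append({"name": parent, "verdict": "payload" if fmt else "encoded-chunks",
                         "chunks": len(chunks), "format": fmt, "size": len(blob)})
    return findings


# Constructed records: two ordinary TXT uses plus four hex chunks of a DOS stub header under cdn.example.test.
SAMPLE_RECORDS = [
    ("example.test", "v=spf1 include:_spf.example.test -all"),
    ("_dmarc.example.test", "v=DMARC1; p=reject"),
    ("1.cdn.example.test", "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"),
    ("2.cdn.example.test", "00" * 28 + "80000000"),
    ("3.cdn.example.test", "0e1fba0e00b409cd21b8014ccd2154686973" + "2070726f6772616d2063616e6e6f"),
    ("4.cdn.example.test", "742062652072756e20696e20444f53206d6f64652e0d0d0a24" + "00" * 7),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Two caveats a practitioner would want: DKIM and some verification records are long base64 strings, so the known-prefix check runs first and the decode-and-magic step, not the alphabet match alone, is what separates staging from noise; and a payload split across non-numeric labels, or XOR-encoded before hex, will not reassemble here and surfaces only as an encoded-chunks or encoded-blob finding for analyst review.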
Pre-Identifying DNS Wildcards: A New Standard of Care
CISO and Head of Investigations Daniel Schwalbe presented original research and enablement at Recon Village. Informed by a DEF CON 31 win at the Subdomain Enumeration Contest, an alternative method that identified 100 times the winning results required, in parallel, a new solution for identifying and removing wildcarded domains.
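Schwalbe’s slides carry the actual method. As an added example that is not DomainTools’ code, the Python below shows the baseline check any enumeration pipeline needs before it counts hits: resolve random labels under each enclosing parent of a candidate name, record the answers a wildcard produces, and drop candidates whose answers are fully explained by that wildcard. It uses only the standard library; system_resolve goes through the OS resolver, while the FAKE_ZONE table, fake_resolve, and the CANDIDATES list are a constructed stand-in (reserved .test names and RFC 5737 documentation addresses) so the example runs offline.

```python
"""Pre-identify DNS wildcards so subdomain enumeration output can be de-duplicated (added example)."""
import secrets
import socket


def system_resolve(name: str) -> set:
    """Resolve a name to its set of A/AAAA addresses via the OS resolver; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def wildcard_answer(zone: str, resolve=system_resolve, probes: int = 3):
    """Query random labels under `zone`; return the union of answers (round-robin safe) or None if no wildcard."""
    answers = set()
    for _ in range(probes):
        label = "wc-" + secrets.token_hex(6)       # a label that should not exist as a real record
        answers |= resolve(f"{label}.{zone}")
    return answers or None


def enclosing_parents(name: str, apex: str):
    """Yield each parent between `name` and the apex; wildcards can sit at any level (e.g. *.dev.zone)."""
    labels = name.split(".")
    apex_len = len(apex.split("."))
    for i in range(1, len(labels) - apex_len + 1):
        yield ".".join(labels[i:])


def filter_wildcard_hits(candidates, apex: str, resolve=system_resolve):
    """Split candidates into (kept, dropped): dropped names resolve only to what a wildcard already answers."""
    cache = {}
    kept, dropped = [], []
    for name in candidates:
        ans = resolve(name)
        if not ans:
            continue                                # does not resolve at all; not a hit
        explained = False
        for parent in enclosing_parents(name, apex):
            if parent not in cache:
                cache[parent] = wildcard_answer(parent, resolve)
            wc = cache[parent]
            if wc and ans <= wc:
                explained = True
                break
        (dropped if explained else kept).append(name)
    return kept, dropped


# Constructed zone data standing in for live DNS: two real hosts, an apex wildcard, and a nested wildcard.
FAKE_ZONE = {
    "www.example.test": {"203.0.113.5"},
    "mail.example.test": {"203.0.113.6"},
    "*.example.test": {"203.0.113.10"},
    "*.dev.example.test": {"203.0.113.20"},
}


def fake_resolve(name: str) -> set:
    """Constructed resolver: exact match first, then the nearest wildcard, else NXDOMAIN."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wc = "*." + ".".join(labels[i:])
        if wc in FAKE_ZONE:
            return FAKE_ZONE[wc]
    return set()


# Constructed enumeration output to be de-duplicated.
CANDIDATES = ["www.example.test", "mail.example.test", "api.example.test",
              "app.dev.example.test", "nope.example.test"]

if __name__ == "__main__":
    kept, dropped = filter_wildcard_hits(CANDIDATES, "example.test", fake_resolve)
    print("kept:", kept)
    print("dropped as wildcard noise:", dropped)
```

Two limits to keep in mind: a real host that happens to share the wildcard’s address is dropped along with the noise, so keep the dropped list rather than discarding it; and wildcards are per record type, so a pipeline that also collects CNAME or TXT answers needs the same probe against each type it uses.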
Of course, other folks were there too. A LOT of them, actually. And many giving great talks on stages or in villages. Yael Grauer in the Crypto and Privacy Village on Cyber Defenses, cooperq and oopsbagel in the hackers.town community on Rayhunter Internals, and our friend Jon DiMaggio co-speaking with Jon Fokker on the Track 5 stage spilling the tea about a REvil actor, to name just a few. The latter was a fantastic talk that showed the deep and inextricable connection between ransomware observables, human behavior, and group dynamics with substantial realness.
Summer in Las Vegas is always hot, and uncomfortable, and packed with people. But at the same time, filled to the brim with joy and curiosity, serious business alongside frenetic nerdery. Different but often parallel strains of justice running through many diverse communities celebrating their uniqueness and their shared loves and interests simultaneously.
I don’t know of another week like it anywhere, and I wouldn’t have it any other way.
(except for maybe the concrete floors.)
Join our teams as they share their DEF CON talks on Tuesday, September 30: https://www.domaintools.com/defcon-session-recap-customer-webinar/