When August arrives in Las Vegas, hackers roll into town. Each year, two major conferences — DEF CON and Black Hat — take place in Sin City and feature some of the most cutting-edge research and training in the InfoSec field. The lesser-known BSides conference happens at the same time, giving IT security professionals a wealth of choice in a city known for taking more money than it gives. But which conference really pays off, and what’s the best bet for Vegas 2015?
DEF CON: The Original
DEF CON was the first hacking conference hosted in Las Vegas and is the brainchild of security expert Jeff Moss, also known as “The Dark Tangent.” According to the conference’s official website, it began as a closing party for Platinum Net, a Fido-based hacking network headquartered in Canada. When the organizer disappeared and left Moss holding the bag, he decided to host the party anyway and invited many other hacker friends — thus, DEF CON was born. This year, DEF CON 23 is set for Aug. 6–9 at the Paris Hotel and Bally’s Hotel in Las Vegas.
Much of DEF CON focuses on the practical application of hacking techniques. While the conference has grown from one track to five and now includes a greater emphasis on research, the core of the gathering has always been about events such as capture the flag and exploring the community aspects of hacking culture. Federal law enforcement agents regularly attend the conference, although in recent years, Moss has asked them to call a timeout. The con’s hacker roots are still very much evident when it comes to registration and payment: Everything is done at the door, and the $230 entry fee is taken in cash to prevent any online collection of payment card data.
Black Hat: The Spinoff
Black Hat, meanwhile, is a spinoff from the original DEF CON and was also founded by Moss. This year, Black Hat will be held at the Mandalay Bay Convention Center from Aug. 1–6. The cost is approximately 10 times that of its progenitor, but the con has a much different focus split into distinct areas: briefings and trainings. Briefings are designed as a place “to learn the very latest in information security risks, research and trends.” Leading researchers take the stage to share their discoveries and in some cases report on vulnerabilities they have uncovered in major pieces of enterprise software, which occasionally raises the ire of vendors. Trainings, meanwhile, are “hands-on attack and defense courses” that offer actionable insights on everything from penetration testing to exploiting Web apps and designing SCADA systems. Black Hat also supports the work of the Electronic Frontier Foundation (EFF).
BSides: The Newcomer
BSides is the newest hacker conference to arrive in Las Vegas; this year, it’s being held Aug. 6–7 at the Tuscany Suites. According to the BSides website, its Sin City event is typically attended by 1,000 to 1,500 people, a fraction of those heading to DEF CON and Black Hat. But its mandate is different: Instead of focusing on speakers with insight about current InfoSec challenges or existing vulnerabilities, BSides wants to attract researchers willing to give their take on the next big thing in cybersecurity and threat intelligence. The event is billed as a conversation rather than a talk, and there’s no fee to attend this self-described “grass roots, DIY, open security conference.”
Many security professionals considering a trip to Las Vegas this year have the same question: Why hold three conferences in the span of a week? BSides makes the point that it’s not trying to compete with either DEF CON or Black Hat, but simply wants to offer another venue for ideas and information, giving attendees of the other two conferences somewhere to go if they need a change of pace. Black Hat and DEF CON, for their part, focus on two sides of the InfoSec coin: how hackers are leveraging current opportunities to push the limits of technology and what companies can do to mitigate these emerging risks.
Making the Choice
So what’s the best choice for 2015? It depends on company needs. If laser-focused training and actionable security insights are the priority, opt for Black Hat — and register early. If an interest in hacker culture as a way to enhance existing IT policies is the goal, try DEF CON, and come with cash. And if the goal is to get a handle on the next big thing in cybersecurity through collaboration rather than typical convention style, opt for BSides.
No matter the choice, however, go prepared for hot weather, hotspots and the hottest InfoSec topics.