Imagine attending an event with thousands of hackers from around the world where the fear of being cyber attacked is so real no-one uses public Wi-Fi, fewer people still wear name badges and some delegates take to wearing tin hats.
If this sounds like a script for an Arthur C. Clarke novel then you’d be wrong. Welcome to DEF CON 25 in Las Vegas, the largest gathering of underground hackers in the world.
Founded in the early 1990s by American hacker Dark Tangent (real name Jeff Moss), the convention is now in its 25th year and is a magnet for everybody from hackers to law enforcement officials, security analysts and tech journalists.
As well as sharing the latest security threats, the big pull is the contests where delegates can pit their wits against some of the best hackers in the world to put security systems to the ultimate test.
It’s the reason why British cyber security firm Secarma sent a 10-strong team – which included a competing team of five hackers – over to this year’s four-day DEF CON 25.
The company provides penetration testing and consultancy services to clients around the world, and managing director Paul Harris described it as the “Olympic Games for the hacking community”.
Secarma’s technical director Mark Rowe is a veteran of the event, having first attended DEF CON 6. He’s seen it grow from a few hundred delegates in a small motel to this year’s convention in Las Vegas’ iconic Caesars Palace, which was attended by up to 30,000 people.
“The attendees for DEF CON 25 now are probably different to the ones that were there when I first went,” recalled 47-year-old Rowe to 老九品茶Cloud.
“When I was there it was probably hardcore security people, some hackers and people from government agencies that were interested to keep track as to what these hackers were doing.
“Over the years, the cyber security industry has grown. You now have lots of companies that have their own pentesting teams, ethical hacking teams, so there’s people attending from the commercial side.
“You’ve still got the mix of hackers, the guys who are just interested in hacking, and the government spooks who attend, it’s just grown massively.”
So what was it really like at DEF CON 25? The event came on the heels of Black Hat, a conference and trade show for cyber security professionals.
Unlike Black Hat, which can cost several thousand dollars to attend, tickets for DEF CON are bought in cash for $250 without the need to leave a name and people have to queue up from 6am.
Rowe says you simply don’t know who you’re standing next to, so security is the name of the game.
“For example you’re advised not to have any details about the company you work for,” he explained. “We didn’t take any work laptops, we took completely clean ones. We didn’t put Wi-Fi on or use Bluetooth. Some of the delegates even wore ski masks so they couldn’t be identified.
“Representatives of the US government are there but that side of things is probably overhyped. When I first went to DEF CON, there were 200 people there and you’d have government guys taking photos to find out who the people were.”
Harris added: “For people who operate on the wrong side of the law, they do get very paranoid if people suddenly pull out a camera and start taking photos.
“There’s a tin foil hat competition, so you’ve got people walking around in tin foil hats. It’s an industry based on paranoia so everyone there is slightly paranoid anyway. It’s the nature of the beast.
“DEF CON is the only conference I’ve ever been to where the presenters are getting hacked as they are presenting. They can see themselves being hacked as they’re talking and they’re very aware of it.”
It was the first time Harris had attended the event and he offered this advice to fellow DEF CON virgins. “I was told don’t wear a nice watch, don’t wear an expensive pair of shoes and don’t do anything that makes you stand out so you look different, and it was good advice.”
Caesars Palace reportedly even closed its business centre for the duration of this year’s event in case hackers attempted to take control of its networks.
DEF CON 25 took over four floors of Caesars Palace, with the conference broken into ‘villages’ which focus on different aspects of security. For example there was an Internet of Things village; a car hacking village; and an industrial control system (ICS) village.
Set against a tacit acceptance that everyone is trying to hack you, there were lots of parties, live music and merchandise. “It’s a bit like Glastonbury,” joked Rowe.
Harris says in their industry DEF CON is the one event an ambitious cyber security business like Secarma can’t afford to miss.
“We are an international team of more than 55 cyber security specialists, operating out of 20 cities in 10 countries around the world,” he explained. “Attending DEF CON is vital to our credibility.
“There are lots of small companies in this sector offering a basic level of testing but Secarma has got a very broad and deep specialisation in ethical hacking. We’ve got very talented people that operate in the top tier of hackers globally.
“One analogy would be that we’re a bit like the SAS to the army. We’re incredibly agile so we can swoop in and do this very clever stuff that normal businesses can’t.
“A lot of our customers have their own security teams but we bring a different perspective and skillset to validate and enhance their capabilities.”
Harris says the challenge facing the industry is trying to keep up with the cyber terrorists. “You’ve got some very smart people targeting businesses, particularly large organisations,” he said. “If you want to be vigorously tested yourself you need people that are better than the best bad guys.
“Big companies are being hacked all the time, several times a day if you’re big enough. That’s why you bring in the experts to try and find all the vulnerabilities that could be exploited before hackers come in and shut you down.
“Attending DEF CON enables a company like Secarma to showcase itself at the biggest hacking event in the world against the best of the best. By taking part in the competitions and doing well we can position ourselves as the best in the world.
“Think of it as the Olympics for hackers and our intention was to go out and win gold. We picked an Internet of Things competition because it’s a huge booming sector that’s notoriously insecure.”
Explaining how the competition worked, Rowe said: “We were provided in advance with a list of Internet of Things devices that would form the competition, including electronic padlocks, home routers, wireless routers and smart batteries.
“The competition was to find as many vulnerabilities in those devices as we could. Each vulnerability had a score. We bought four of the 20 devices before we left.
“Bear in mind that these devices are out there being sold with no known vulnerabilities in them so it’s a tough competition.”
Uniquely, the Secarma hackers were able to completely compromise all devices tested, finding a number of very serious vulnerabilities that surprised even the judges. Rowe added: “Our findings have been reported to the vendors to be fixed before further details of this competition can be released.”
Secarma entered a second competition to identify known vulnerabilities in a number of products. Harris said: “The second competition was a race to the finish and we entered it late because we were focusing on the first contest. A total of 92 teams took part and only 37 teams found one or more vulnerabilities. Only two teams had maximum points and Secarma was one of them. We were able to find all of the vulnerabilities in the limited time provided.”
Secarma’s success at DEF CON has already helped the company win a six-figure contract from a US-based customer.
Harris said: “If an American customer is asked why they’re using a niche British company they’re able to justify it to their bosses because we’re among the best in the world.
“We can go to these global competitions and win. This is a great springboard for Secarma going into the end of 2017 and the beginning of 2018.”