
Caesars was hacked by the same attackers that pwned Okta, and used the stolen keys and tokens to get into Caesars. It was nothing carried out by Defcon in any way.

Anyone that takes this scene seriously knows Defcon is the place to be. Blackhat is an overpriced vendor circle jerk. The only way to make Blackhat relevant again is to kick out all of the vendors and, if you can't do that, forbid them from collecting people's information.

This is going to be my 11th year at Defcon this year. I snuck into a couple of blackhats and didn't get any value from them. I've been around the block a few times.




> It was nothing carried out by Defcon in any way.

You think insurance providers are capable of doing this level of analysis? They see "hacker conference", which Defcon may still hold some notoriety in, and decide it's a risk.


They are able to. I've worked with AXA and Chubbs before in this space.

I don't think this was done because of cyber insurance.

They most likely got bumped to make space for a better paying corporate conference.

Most vendors are now running a Cisco Live/AWS Re:invent type conference, and they've increasingly consolidated on Las Vegas because venue booking and block room booking is much easier there than in any other city in North America.

Also, DefCon has become massive, so the ROI has most likely shrunk due to staffing overhead.


> They most likely got bumped to make space for a better paying corporate conference

This is the Occam's razor explanation.


People love saying this about Black Hat and Defcon, but I can't think of an important research result disclosed at Defcon 31 that wasn't a Black Hat talk. More good research gets turned down for Black Hat (which can only accept 3-5 talks per track) than appears at Defcon. Median Defcon talk quality is approximately that of a good regional conference.

And that makes sense. Talks aren't really the point of Defcon, and they are (besides the lobby conf) the sole point of Black Hat. Black Hat is also a vendor circlejerk, but that fact confuses people who don't actually practice in the field.


BlackHat isn't a con you attend. You go there for the training sessions that are required to obtain/upkeep your certifications.

The infosec industry sorta runs separately from the rest of tech in that it's entirely a status economy. Name recognition, certification and publication are the most important things to maintain stable employment.

On the other hand none of the planned programming at DEFCON has any professional value whatsoever and it's merely a metacon for connecting with people in varying niches in the space.


Trainings run days before Black Hat and are not part of the conference proper.


Clarification not needed -- the trainings are the only sensible reason to be there.


I don't know what to say to someone who thinks the Black Hat talk schedule and lobby conference isn't a reason to go, but a $5000 training course on "Active Directory Security Fundamentals" is. You do you, I guess.

I don't care if you go or not. I'm not trying to sell anybody on Black Hat. If you work in this field, you know what Black Hat is, and if you care about Security Summer Camp you're in the lobby bar at Mandalay. My only nit here is people claiming that the actual Black Hat conference is a vendor event (like RSA). It is not. Almost every good Defcon talk was a Black Hat submission (as you'd expect; it's the highest-status mainstream security conference, and it pays honoraria and travel expenses for speakers). There's a whole other conference, BSides, that started just to soak up the talks Black Hat doesn't accept.


Fair enough. BH as vendor event wasn't my axe to grind but the parent poster's. I was just complaining about the industry and the event in general as only having status-economy value.

E.g., the only reason I would go is if I needed to for industry certifications. Talks aren't a reason for me to go to anything (they'll be streamed eventually and I can filter them better). I'll agree the talks are better here than at most other events.

I guess if your employer is footing the bill, sure, fine, whatever.

Talks having no attendance value to me might be a personal thing, but you can blame Netflix and re:Invent 2017 for that. I sat through 4 different talks given by 4 different people that were supposed to talk about different parts of their architecture but were basically the same slides and staff engineers from 4 different departments claiming responsibility for the same parts of the system. Sure that has nothing to do with Infosec, but talks can be an epic waste of time and I'm much more suspicious of them these days.


Again: I'm not trying to sell you on Black Hat. But re:Invent is nothing at all like Black Hat. Black Hat is a peer-reviewed research conference focusing on presentation of security research results. You pay to see Black Hat talks if breaking the encryption on police TETRA radio or defeating Apple's PAC pointer authentication is professionally useful to you. For most Black Hat talks, that stage will be the first public airing of that research. At events like re:Invent, the new stuff is just product announcements.

I can see not wanting to sit through a bunch of vulnerability research talks! Defcon is certainly the more "fun" event.

There are higher-status (non-academic) research conferences, but they're not mainstream. Of the events everybody knows about and that employers at pentest firms will pay to have people develop talks for and employers at F500 security teams will pay to have engineers attend, Black Hat is basically the most important event of the year.


> For most Black Hat talks, that stage will be the first public airing of that research.

I find this aspect intriguing, and it seems to contribute to the buzz around the event? It used to be true in some other areas of computer science too, but outside of security I can't think of an academic conference where it still happens. Nowadays you can almost always expect talks at top conferences to have preprints posted on arXiv (or openreview.net) ahead of the talk, often weeks or months ahead. I mean, not that somewhere like NeurIPS lacks buzz either, but you're not normally expecting major surprises in the talks.


Yeah, it's an idiosyncrasy of vulnerability research and "zero day" status. Things will get discussed with the media in advance of the conference, but if you blog your whole talk before the review board sees the submission, that'll get used to shoot down accepting it. Which sort of makes sense, because even if it's good, your submission will be competing with 5 more really good talks on the same track.

I'm a longtime reviewer for Black Hat, and I've reviewed (shadow) for ACM and (publicly) for Usenix (I was a PC for WOOT a few years ago). It's a different vibe. Nobody's WOOT submission got dinged for having been disclosed in advance, but Black Hat submissions will get dinged for having been presented at regional conferences prior to BH.

Again though: the single easiest way to make sure a talk has no chance at BH is to make it vendor-y. Reviewers will LinkedIn-stalk the names on the presentation to make sure nobody's connected to marketing or sales. If you're submitting something that's even tangential to your product (smart toaster firewalls), even if it's good research (elite-level zero-day vulnerabilities in smart toasters), you have to go way out of your way to assure reviewers you won't pitch on stage.

Black Hat is pretty sensitive to making sure the talks themselves aren't commercial, even though the conference trappings are extremely commercial. "This would make a better RSA talk" is an extremely common epithet.


My comment was around the wording as advertised. It will also be my 11th DEF CON next year; I've never been to Blackhat. We should grab a beer.

I have personally worried after seeing Caesars transform after the events at the Mandalay Bay, with the new addition of their own paramilitary group (the SRTs) and their actions during DEF CON. Just check out their job descriptions: https://www.linkedin.com/jobs/view/security-officer-srt-i-fu...

Before the SRTs, I personally know, from knowing the staff who run the conference, that in previous years they have helped Caesars Entertainment strengthen their security and worked with them hand-in-hand to secure their networks and train their staff. They even worked with the goons to make sure people didn't get trespassed over shenanigans. I honestly think the mid-level management is sad we are gone.

The other side is that Okta was just a taste of what could go wrong. Seeing MGM totally shut down and losing millions was scary for upper management. Auditors weren't comparing Blackhat to DEF CON, but the listing on the spreadsheet was not "boat show" but "hacking con", and they deemed that was too much risk for the level of coverage Caesars Entertainment wanted.

Nevertheless, we all hated Caesars and I am personally excited to see what this next year will look like.



