Hi everyone,

I was amongst 10 000 people at the Rio Casino last weekend in Las Vegas for Defcon 19. It was my 3rd Defcon, having been present in the previous 2 years. Here is my take on the event.

Thursday: Getting the badge

They started selling the badges at 8:00am Thursday morning. I though I would arrive "early" and not wait too long, so I was in line at 7:30am. My mistake! Even though they opened registration at 8:00am sharp, it took me 2 hours to finally reach the end of the line! And as the line build up with new people coming in, it was just unpractical. Some may say it's part of the Defcon experience, but I call it bad planification. By the way, it was the same in the previous years. To me, they could hire more people just for the registration and put them in the parking lot or something like that (it rarely rains in Vegas...). Anyway, getting the badge was a real pain.

Another point, the conference's price increased from $120 (Defcon 17) to $140 last year to $150 this year. While this is still pretty cheap, we didn't get an increase in value in the last years. So to me, this is becoming more and more a lucrative business...


Friday, Saturday and Sunday: The Talks

Finally, the conference gets underway. Some talks were very interesting while others were extremely boring. But hey, it's the same everywhere! But at least, no one got drunk speaking in front of the crowd like at Defcon 18 (at least, not in my experience). We really had 5 tracks (4 tracks plus the Penn and Teller theater) and thanks to the switch from the older Riviera to the Rio conference center, mouvements between each rooms were much easier, so kudos to the Rio and the Goons for that.

But that being said, many rooms were jam pack and couldn't accomodate everyone who wanted to attend a given talk. So even if it was better than at the Riviera, I still missed 2 talks I wanted to see...

So a trick to make sure you are in a room for a talk is to arrive "one presentation in advance". For example, if you want to attend the 2:00pm talk in track 2, you go to the 1:00pm talk even if you are not interested in it. This way, you are sure to be in the track 2 room at 2:00pm, right? Wrong! They sometime forced people out of the room to get in line to "try" to enter the room again. The result is, as you might guess, pretty frustrating...

Another issue: the chairs. They are about 4 inches narrower than the average man shoulder width. I don't know about you, but I hate being squizzed between two guys for hours. It looks stupid, but after a few days, you get very tired of it. Everyone was complaining about this...

The talks themselves were quite good and well structured. But now that I have more experience in IT security, I didn't learn much compared to my first time at Defcon. But that's just me.

The best part was to meet people. I got to chat with Don and Dynamik (nice to put a face on a name!) and met three other guys from past conferences. So networking is a big plus at this conference.


Conclusions

If you live close to Las Vegas and want to have fun for a weekend, go to Defcon. It's cheap, the talks are good and networking is great. But if like me, you have to flight thousand miles and you pay from your own pocket to get there, then you may find it pretty expensive for what it is. But you have to be at Defcon at least once in your life. Three years in a row like I did is a bit too much for the value, but this isn't a complete waste of money.

Personally, I now prefer BSides and other smaller conferences like EC-Council's TakeDownCon. Less crowdy, great talks and more space for the shoulders!

Just attended my first con.  While I feel the things HM was saying, Defcon grows by leaps and bounds every year.  If you don't like the crowds, stay away from 20.  I was at a goon party, and someone was saying that the essentially outgrew the Rio in the first year, but there's apparently a contract for several years, so, be prepared for the same.

I missed a couple of talks, too, due to the crowds, but if I was in a line that seemed like it was going to be too long, I'd run up to my room, pull up the slides on my laptop, and watch on DCTV.  Yeah, it kind of sucked, but you'll have that. (BTW, the unofficial headcount I heard was 15,000-20,000)  Also, the talks will eventually show up on the DC site, so you'll have a chance to catch whatever you missed.

My biggest disappointment was the sheer amount of stuff to do.  Talks, contests, and villages.  How do you choose?  I felt like I missed out on way too much, would have enjoyed participating in more contests.  Did get to sit in on oCTF for half the day sunday, and took home a trophy in the beard competition, but I wanted to do CTP as well, hack the vote, I LOVE scavenger hunts, and would have loved to spend more time in the villages.

All that being said, it was a GREAT first time, and despite the lines and all that, I'll be back year after year.  Coming up on 10 years in InfoSec, and I still came away with a LOT of information.

In fact, Lock pick Village was one of my favorite places to spend time when I had it, and I made a nice little video when I got home.  If you have friends and family that don't understand the need for good locks, feel free to pass this around:

http://www.youtube.com/watch?v=ZBuJCUCA6UY

We should have a EHN meet next year.

Fair warning for oCTF, have some ipv6 knowledge.  We were caught off guard and were scrambling with a guys mifi to hop on the web and read up on, sad to admit, the basics.  To get your scanning tools to work, since most don't support ipv6 (at this time), you'll need someone good at setting up tunnels.  We used 6tunnel to proxy ipv4 requests to the ipv6 addresses.  All that being said, it was an awesome forced learning opportunity.