skip to main content

DEF CON Hacking Conference

Speaker's Corner

If you are a past or present DEF CON Speaker and would like to contribute to this page, contact talks [at] defcon døt org for more info!

DEF CON CFP: Thinking Back and Moving Forward

"Trying to find a place to house all the cats is a daunting task, albeit rewarding."

I'm very proud of DEF CON 24, I get a lot of joy from seeing all the hard work of everyone involved come together, that makes the countless hours we spent planning worth it. I've never done a post con re-cap before, but there is a first time for everything. Recently, I’ve had a few requests to give a talk on the DEF CON CFP process. Although I’m not sure how I feel about doing a full-on speech, a speaker’s corner post seemed appropriate middle ground. I am elated with the successes of DEF CON 24, and I can't help but brag and reflect on where we are and how far we've come.

How it was…

When I first started helping with the CFP process over a decade ago, I worked with a unique and small group of people. The Dark Tangent & Dead Addict directed us to do our best to process the few hundred submissions we received. In those days we printed out CFPs on reams of paper, we'd pass them around the muggy Seattle office and write our reflections on the back pages in our best chicken scratch. Before the Black Hat Submission system, our small group would email CFPs to "guest reviewers", but the bulk fell on the eyes of just a handful of people. We'd be in the office with papers strewn on the floor, put into rows and sorted piles that occupied the lions share of walking space. We'd work around the office for days playing the opposite of "the floor is lava" trying to avoid stepping on someone's SQL injection.

After selecting the best of the bunch, the rejection letters went out. Dead Addict was the first person I knew to reply back with a reason why a talk was rejected. I’d never heard of any other conference doing it before and to this day few can really tackle the large task it’s become. When I became the Speaker Liaison for BH/DC, I began prioritizing more communication, feedback, and I took the time out of respect for the speakers. I made it my goal to try to help people where I could. I always try to provide a kind and thoughtful rejection letter with personalized feedback, but it is also something that is very hard to scale the larger your CFP becomes. Feedback is something I think is very important to growth and success. We respect the hard work and courage of the submitters, I don’t know a con organizer that doesn’t. However, I am proud to say that DEF CON was the first conference to make feedback a priority for their submissions and speakers.

The Process Now

We have more than doubled the amount of submissions we have received in the past ten years. This year with almost 600 decisions to make between speeches and workshops, feedback was a challenging task to manage. We have gone from "just a handful" of guest reviewers to 25+ consistent reviewers with varying degrees of specialty and expertise. The feedback they produce ranges from the monosyllabic to shakespearian. Leah (A.K.A. 3n_ion) and I work hard to compile and provide that feedback for the submitters, It's not chicken scratch on the back of a paper any more. We are getting larger, the submissions are increasing, the coordination is getting more complex. Trying to find a place to house all the cats is a daunting task, albeit rewarding. "Victims of Success" is the mantra of 2016, we're having to deal with growing pains and finding scalable processes as everything keeps expanding year after year. Next year is sure to provide it’s own unique growth challenges.

We have a very hard-working and diverse team that review the talks. It's not like I TRIED to do it, but I’m proud that the CFP reviewers represent the hackers at our con. Our review board has varying degrees of skills, different specialties, personalities, and wear many hats. We all work well together to try to make sure that the fields of topics are well represented. The review board is busy for months, some reviewers log in every day/night and the entire CFP process can occupy 6 months out of the year. During our "surge" which is usually from April to July, we put in several hours a night and for some, CFP has become a part time job. (Psst..If you’re interested in reviewing talks, send us your cover letter and resume, tell us why you want to join the crazy.) The review board is transparent together, we hold each other accountable, we ensure quality and unbiased reviews in a censor free environment. Some subjects are debated and fought over and it's always great to see the victor get a talk selected.

We have an accomplished review team, and because they’re so talented, they also have "real jobs". We try to manage time and free up their cycles by providing support. 3n_ion and I act as the point of contact for the submitters and the review board, and having this proxy keeps things on task and flowing. The reviewers have to tackle hundreds of talks, all in their spare cycles, usually forgoing sleep. The board will review the supporting materials, endless white papers, slides, and have feedback or questions on them. (It’s very time consuming but worth it.) This single point of contact is something that has proven to work well for us. We contact submitters for more info, detailed outlines, or clarifications on content, so that the trains keep moving on time.

Narrowing the Focus

We love it when we get more personalized feedback and it leads to suggestions on other submission options. Sometimes the board will suggest the submitter consider other time formats, slight changes in content, or when applicable other submission venues like "This would fit in well at the Crypto Village". We work really hard in the final round to make sure all the last minute submissions have all been voted on (Reminder: Please submit early). We then pick the best out of the remaining talks with as little overlap as possible, we want a good reflection of what our attendees expect from a typical DEF CON talk. Sometimes even after making hard cuts on excess content, we still have too many talks in the list. This means we have to cut talks that are perfectly acceptable, many with all YES votes, even solid work that should be presented. Any conference out there will testify that hitting send on the rejection letters is certainly in the top 5 of worst things you have to do when organizing a conference. The bigger you are, the more you send.

One of the challenges we face as we keep getting bigger is trying to find a place for those talks that don't make that cut. This year I created an extensive list of alternative speaking opportunities and promoted them, because I want it known that you don't have to choose all or nothing. Just because a talk wasn't accepted to "the main stage" does not mean that it's not worthy of being presented. This year there were 13 separate villages at DEF CON where speaking opportunities were actively being solicited, not including DemoLabs or Workshops! There were probably more options if you looked "outside" of the conference as well to conferences like Black Hat or BsidesLV. If you submit to more than one stage in Vegas, it's likely going to be entirely fine with us, we don't have unreasonably strict content embargoes. (Just make sure you communicate with us about it).

I like to encourage people to participate, attend, and speak in the villages too. There is a lot to see and do in the villages and they have high caliber talks, some of the content DEF CON would’ve accepted if we had the room. DEF CON has no control as to who speaks in the villages, but I do try to forward a few submissions their way from time to time. It’s a shame not everyone can be on the “main stage” but there are more than enough reasons why the Villages are a great alternative option. Over the past two years we have tried to provide more promotion to the villages. If you didn’t know, we are trying to record as many of the village talks as we can schedule. This means that if you speak in one of the villages your talk may likely be recorded and available on the official recordings and DVD’s. I am thankful when we can do anything to get hackers and their knowledge a wider reach. This is just another thing that DEF CON is doing to preserve and share the knowledge as much as possible.

Considering Workshops

In some cases the content that crosses our path, should be a workshop instead. Some of the CFPs this year were encouraged to refocus their content to a 4hr block for a workshop. Luckily several submitters agreed, and in the end we had wonderful feedback from them and their students. We will be doing workshop submissions again for DC25, instructing a workshop comes with the same speaker benefits & honorarium. Teaching has the potential to help many people learn from you and break into a subject that you know best. The classrooms won't ever hold 1000 students, but I think that works well for the student/teacher ratio and fosters an intimate learning environment.

I love that we started doing workshops, because it allows everyone to have a chance to attend a workshop or hear from a instructor they normally may find to be out of their reach. For perspective... Training on "X" from Professor X would cost you two days time and $4,000 at a professional infosec conference, and still might be a bit too in-depth for your level. However, at DEF CON, Professor X gives you just the right amount of awesome in a four hour workshop format, for free. There is no wrong choice, both are going to be great options, each would be unique and an asset to anyone lucky to attend. That said, DEF CON’s workshops are a bit more reachable to those hackers starting out. There are many a hacker colloquialism to convey the sentiment that “information wants to be shared”. I’m thankful for our new workshop lead, Tottenkoph, and her team of goons for helping us build our workshops success.

The demand for these classes is insane, one of the challenges we're facing with this additional super in-demand option is handling registration. As you all likely know, the DEF CON Badge registration process is anonymous and cash only by design. DEF CON avoids collecting any personally identifiable information on attendees, thankfully the results is that DEF CON cannot be compelled to disclose any PII. When you want hackers to show up and do hacky things you might want to sandbox your ish, right? So, we're going to think on it and handle the demand for registration with a clever system. We don't want to end up with unreasonable lines… our title page should read: "DEF CON Hacking Con, Home of LineCon". Speaking of lines...

Lining up DC101

One of the places that I am also proud to see the growth is with DEF CON 101, again. I am proud to have DC101 fully integrated into the review board process for it’s second year. The talks we selected are in demand, evident by the lines that have steadily grown every year. DEF CON 101 started 8 years ago at DEF CON 17, under the leadership of HighWiz, as a panel to familiarize new attendees with con and our culture. It has since grown and become a pillar in our content lineup, from "just one panel" to an Official DEF CON track held for four days. The DEF CON 101 track is described as "A series of talks aimed at attendees who are not yet internationally-recognized infosec experts. This is not the n00b track. But if you're interested and engaged in the hacker community, these sessions are right up your alley. From Sysadmins & NOC Jockeys to College Students & IT Professionals, everyone exploring the world of Information Security can expect to feel welcome not intimidated." The success of this highly approachable track speaks volumes to the community we belong to where “knowledge is king", or queen. ;-) Thanks to HighWiz & Wiseacre for their vision on this track.

It’s not called a “Security Researcher” Handle!

Along with the DC101 welcome panel,"name that n00b" is a fun tradition, where "real names" and personalities are turned into "real" handles. I was happy this year to see official speakers start to go back to the days where you lead with your hacker handle. I help organize one of the largest hacking cons in the world, as a result I interface with fancy high paid leaders in the industry. I've known some people for over a decade and I don’t care to call them by their “real name”. I’ve met many speakers and goons with titles like CISO, COO, CEO, Etc for major corporations, but I don’t know them as that. I know them as their handles and for what they do that excites them. Name that n00b is one of my favorite traditions for that reason, because it brings that difference to light.

I hope that our speakers start to use their handles more, the DEF CON CFP allows you to submit as your handle or be completely anonymous. I like meeting people by their handles, not everyone does, and that's okay, but the option is there for everyone should they want it. I'm not sure if other conferences do this, that might be another one of those subtle differences between a "hacker con" and a “professional infosec conference". I think with us, the little nuances between hacker and infosec are a big deal.

You may have noticed a change in the titles on the official speaker page this year. When I started working for DEF CON, it was by way of a more professional infosec conference, Black Hat. A small core of us were responsible for the behind the scenes organization for both Black Hat and DEF CON. Some things we did carried over, including placeholder titles like "Security Researcher". You may have seen this moniker a 100 times on abstract pages for a bunch conferences by now. After contemplating on @XlogicX's title of "not a security researcher" back at DC22, I decided to change the default titles on the speaker page to "Hacker". DEF CON isn't a "Security Researcher" conference, we are a Hacking con. Thankfully people agree, I received a lot of praise and support for this new title change. I'm biased though, I think we should adopt this "Hacker" title, more, everywhere, and on all the things.

What’s up now?

Currently the CFP Board is starting to review the talks post con. Our reviewers are already going over the accepted talks they saw or purchased access to the videos to watch now (Via a third party vendor). Now is the time to let us know your talk feedback, if the speakers presented the content as expected, etc. For now you can email us feedback at or via the DEF CON forums. I am currently exploring future options, I’d like to have a better system in place for attendees to be able to rate and leave constructive feedback on speakers (I prefer email for now).

This year I scheduled over 230 people to deliver content at DEF CON, 120 talks, 42 workshops, over 4 tracks and spread out over 4 days. Some of the talks were delivered onstage in a 8,405 sqft room to 1k people! I’d like more feedback from attendees, we can then pass this info to the review board and to the speakers themselves. We'd love to hear more on how we're doing. When I compile the A/V files into an RSS feed and post them on the media server & YouTube for free this winter, I hope to hear from you.

I’ve gathered all of the updated presentation materials from the talks & workshops, DT has got them all up on the media server now. A substantial amount of slide decks and white papers have been updated, so I’ve marked them with -UPDATED in the file name. You can navigate to all the post con goodness at the following page:

Leading up to DEF CON 25

Since DC25 has already begun planning, I see my current perspective on how far we've come reflecting in my work for DEF CON 25. All I can do is think about the future and how great things are becoming. 25 years is something to be proud of, I predict next year is going to be a really special year.

I have many stories, I have seen many things. DEF CON is unique in it's stories of triumph like Grifter wrestling T-rex in a Godzilla suit, but there were other seemingly impassable mountains to climb this year and yet we did it. Leading up to DEF CON 25, I look forward to sharing some of our moments and experiences with you in more speaker’s corner posts like this.

Like I said at the beginning of this manifesto, I am proud of DEF CON 24. This year has really shown me what we can accomplish when we all come together, think like hackers, and accomplish something that is supremely unique and amazing.

Thanks to my peeps,

Nikita Kronenberg
@niki7a, Nikita(@)

Bridging the Gap: Dispersing Knowledge through Research Presented at DEFCON

"... the motivation to work towards a bigger aim and provide support in building secure and robust SCADA systems is all encompassing."

In this blog post, I am sharing my experience about the research presented at DEFCON 23 about vulnerabilities in Supervisory Control and Data Acquisition (SCADA) web-based Human Machine Interfaces (HMIs). The details of the talk are available here. The motivation behind this research was to contribute towards strengthening and securing the existing SCADA systems across the globe. In reality, a number of researchers are playing a significant role to combat SCADA vulnerabilities and secure the critical infrastructure. This research required additional dedicated time and efforts over and above the individual’s job responsibilities and duties. However, the motivation to work towards a bigger aim and provide support in building secure and robust SCADA systems is all encompassing.

I started this research with the target to present at DEFCON 23. Fortunately, the talk was selected by the DEFCON review board. The efforts put by the DEFCON review board are incredible. I am saying this from my experience (from the last two accepted talks: DEFCON-20 and DEFCON-23). They ask for a significant level of details before they actually approve the talk and this helps the researchers to provide explicit information with clarity. DEFCON review board really deserves applause for assisting researchers in articulating their research in an effective manner.

As we know, SCADA systems are becoming the primary target of attackers to launch cyber attacks against the critical infrastructure. The attackers are exploiting vulnerabilities in different components of the SCADA systems to gain access so that critical systems can be abused or exploited for malicious purposes. The SCADA web HMI vulnerabilities were presented at DEFCON first and then advisories were released to Industrial Control Systems Computer Emergency Response Team (ICS-CERT), which works as an intermediate agency between researchers and SCADA vendors to make sure that reported vulnerabilities are patched in a given period of time and vendors take necessary steps to strengthen the design of vulnerable SCADA components. One important feedback I received from a globally known SCADA vendor was that I didn’t target one specific SCADA vendor but presented the issue as an industry-wide problem by talking about vulnerabilities in multiple SCADA vendors such as Schneider, Rockwell, GE, Siemens, Moxa, etc. As a result of the talk, ICS-CERT released multiple alerts. TheICS-CERT alerts are different from the advisories.

Since SCADA systems are categorized as critical infrastructure, they form a significant part of the national infrastructure. It becomes the responsibility of the security researchers to talk about the vulnerabilities as a part of security awareness efforts in SCADA environments. The idea is to disperse knowledge among masses and engineers who work at organizations that build SCADA systems. This should be treated as steps towards building a strong community of researchers and SCADA vendors. To take steps in this direction, the research presented at DEFCON was generalized, submitted for review and finally accepted by Cross Talk Journal, an approved U.S. Department of Defense (DoD) journal whose mission is to encourage the engineering development of software in order to improve the reliability, sustainability, and responsiveness of warfighting capability of the nation. The idea was to communicate about the state of existing security issues in SCADA web-based HMIs and how to eradicate these issues to build secure web-based HMIs for operating SCADA environments.

● The paper can be downloaded from Crosstalk Journal -
● The complete magazine is available here:

The sole motive is to show that the research presented at DEFCON is dedicated towards the betterment of security research community, government agencies and different industries. The research can be show-cased at DEFCON and at the same time, it can be used to educate masses who do not get a chance to attend DEFCON.

Hope to see more efforts in this direction.


Hackers and Healthcare: A Call To Arms

"... we firmly believe that medicine is in great need of hackers who will hard today to solve the medical problems of tomorrow."

We sometimes like to think we wear three different hats.

As physicians, we work daily to alleviate the suffering our patients endure at the hands of diseases like cancer, heart disease, and diabetes.

As futurists, we recognize the vast potential of computer driven drug design, genetic manipulation, and implantable medical devices to improve the lives of billions.

As hackers, we recognize the rapidly enlarging technologic foundation of health care, from electronic medical records to telemedicine, will surely come at a high cost- endangering our privacy, security, and potentially even our very lives.

DEF CON has given us the chance to wear these hats simultaneously and unite these passions for one incredible weekend every year.

Calling it a huge event is an understatement- there’s a massive scale to it that parallels some of the largest medical conferences on Earth. And yet, as folks who have been on both sides of the aisle, we can say that the prestige of presenting at one of those is nothing compared to the taste of that first shot on a DEF CON stage.

Far from the button-down sense of proprietary that suffuses academic medical meetings, DEF CON is permeated with a sense of wild possibility, creativity, and diversity. DEF CON prides itself on welcoming hackers from all walks of life. This mixture of knowledge, experience, and spirit brews a unique form of creative problem solving, and that’s exactly what we’re looking for now.

News of the latest protected health information breach, unexpected downing of 911, or latest medical device vulnerability seems to scroll through our feeds more and more every month, and thankfully, we’ve begun to hear about the great work that groups like I Am The Calvary are doing in this space.

We feel, however, that we’re on the cusp of an entirely new sea of problems that affect not just the manipulation of medical information or the systems that we use to deliver care but that alter human physiology itself, in ways that can be both incredibly destructive and alien to the vast majority of the medical profession. We’ll continue to speak about this issue going forward, but safe to say we firmly believe that medicine is in great need of hackers who will hard today to solve the medical problems of tomorrow.

And that’s why we applaud DEF CON for allowing non-traditional hackers to voice such calls to action. Our world is beset by an ever-growing number of serious threats, and international collaboration between motivated, innovative hackers working to address these challenges may be just what the doctor ordered.

The CFP Process

We get a lot of questions, many frequently asked, so Leah, our fellow review board goon and super human assistant coordinator to DEF CON CFP, has gathered all the answers from the review board, first hand experiences, expectations, and she has put them all together in a FAQ for us. We will update it and add to it where need be, if you have specific questions you’d like answered or think we’d benefit to add a question, you can reach out to Leah via her twitter at: or email us all at talks (at) defcon dot org.

Preparing the CFP process each year is invigorating. It is a time for potential speakers to showcase their hard work, and it signifies that DEF CON is quickly approaching. But a lot happens behind the scenes to make the finalized list of DEF CON speakers come together. How come some submissions are accepted while others are rejected?

How do you choose who’s accepted?

Review Board

To better understand the process we use when choosing speakers, let’s first start with the Review Board. Our Review Board consists of individuals who have years of experience in research, industry, presenting, and DEF CON culture. Each board member has a different set of experiences, both professionally and in the hacker world. This enables us to see submissions from a variety of perspectives and encourages a well-rounded assessment of each submission based on the merit of the information presented.


Topics submitted that are technically and culturally relevant to the DEF CON are normally easy choices for us. If you’re releasing a new tool at the conference or exposing a new vulnerability, that adds “super bonus extra lives” to your submission. But again, please remember, the topics need to be relevant and up-to-date.


We cannot stress enough how attention to details can affect a submission. When a submission has a thorough, comprehensive outline and shows a concentrated effort on the part of the submitter, it really stands out. It shows the Review Board that the potential speaker was committed to his/her research and is excited about the material they plan to present.

Proper planning of a talk goes a long way to the Review Board. Submitters are asked how many people are speaking and what time slot the talk is designed for. More often than not, talks do not need more than two speakers, and more than three should normally be avoided altogether. The panel format is generally discouraged as most topics offer better value to the audience when presented by fewer speakers. Panels also require longer time slots if the topic is to receive due attention. When the appropriate number of speakers and the appropriate time slot are chosen, it is much easier for the Review Board to picture how the specific submission can fit into the overall DEF CON experience.


The whole point of the CFP process is to select talks which can excite and educate DEF CON attendees. Review Board members keep this in mind when considering each submission. We seek out those talks that aim to present new techniques, expose dirty security flaws, or teach various tricks.

DEF CON is lucky to have some of the best attendees in the world. We’re all part of a giant community, and we’re interested in a lot of the same things. If you can bring your best ideas, written clearly, then we’ll do our best to get you on that stage. But every year we are faced with the unfortunate task of rejecting many submissions. So why are these talks rejected?

Why are submissions to DEF CON rejected?

There are many theories on why submissions are rejected. We have our share of conspiracies, intrigue, and angst. But I assure you we’re not actually all that complicated in our decision making process.

DEF CON receives hundreds of submissions to speak each year. Each submission is carefully reviewed by the members of the board, and unfortunately, not all can make the cut.

So, let’s talk specifics. What are the main reasons we reject submitted talks for DEF CON?

  1. The content is not relevant
  2. The content is incomplete or confusing
  3. The outline is lacking
  4. The content is dated
  5. The submission is better suited elsewhere
  6. There simply isn’t room
The content is not relevant

When reviewing a submission, the Review Board members always try to consider the audience. When we look at some of the submissions to speak, we notice the content doesn’t really fit in at DEF CON. That doesn’t mean the content is bad, just that the topic isn’t really relevant to our attendees. Those are submissions we have a lot of difficulty with because they may sound great, but just don’t seem to fit.

We get a plethora of talk submissions that are more professional, or just straight technical. Although technical in nature, DEF CON is more than just a technical conference and it certainly does not claim to be a professional one. When selecting talks, we opt for those which support the true “hacker” spirit of DEF CON. This could mean that quality submissions on technical or professional topics are passed over simply because they do not fit the hacking side of the technical community. These talks may, however, be well received at other venues.

The content is incomplete or confusing

Sometimes when reviewing a submission, we’ve got a general grasp of the content but we’re missing a lot of the details that would make the submission pop. Often times the submitter has a complete picture of the idea in his/her head, but unless that picture translates to the written submission, the Review Board is left having to read between the lines and guess at intentions. Although we may reach out for clarification or additional information, the discrepancy could cause a submission to be passed over for one which is more complete.

The outline is lacking

The outline is a chance to step the Review Board through the talk as it is intended to be given. It is also a good way for us to gauge the approximate length of a talk and verify that it will indeed fit in the chosen time slot. An outline that is lacking may prevent the Review Board from seeing a submission as a well-constructed, thought out, and cohesive entity.

The content is dated

Topics that were discussed several years ago and that may have very little bearing to the current state of technology are typically red flags for us. Technology changes rapidly, and the Review Board seeks out the most relevant and timely submissions. Unless dated material has gained new relevance, it is typically passed over for more suitable topics.

The submission is better suited elsewhere

DEF CON main stage talks are typically chosen to appeal to the majority of our attendees. These positions are also quite limited. Many submissions are quality work that deserve to be presented, but are passed over because they have a more targeted appeal or may not fill a room in a main track. These submissions are often recommended to a suitable village, such as Hardware Hacking, Social Engineering, etc.

There simply isn’t room

Although this reason may sound like an easy let-down, it is quite honestly something the Review Board must contend with every year. Hundreds of talks must be whittled down to a select few to fit that year’s time and space allotments. This means some great talks simply won’t fit into the schedule.

DEF CON has always been a collaborative effort from the organizers, the speakers, to the attendees and more. The Review Board members are honored and humbled to be a part of such an amazing venture. The CFP submission process is one way in which we each can contribute to the great effort it takes to keep this thing happening year after year. We encourage all potential speakers to be a part of this effort as well by putting the utmost care into their submissions and being supportive of the process. Every year we receive similar questions regarding the CFP process and the qualities of a good submission. We hope this FAQ will help to answer these common questions and encourage all potential speakers!


Q. What are the qualities of a good submission?

A. One thing every good submission has in common is thoroughness. The submission is filled out clearly, concisely, and competently. The topic is relevant to DEF CON and covers a new idea or perspective (but is not a Vendor Pitch). The outline is planned out and well structured, and the abstract provides an accurate picture of the talk as it is intended by the submitter. For most talks, the optimal number of speakers is 3 or fewer.

Q. My idea for a talk has been covered at a previous DEF CON. Does that mean it will be rejected?

A. Not necessarily. If there have been new advancements in the area related to you topic, you should present the fresh material. You may also choose to present the topic from a new perspective. However, if you submit a talk that is incomplete or simply parrots a talk previously presented at DEF CON then you may be rejected in lieu of more timely information.

Q. I am a ‘hobbyist’ and came across something exciting I would like to share with others, but I do not have a white paper or similarly documented research. Can I still submit a talk?

A. Absolutely. As always, be thorough in your submission. If you do not have a white paper on the subject, include any related material such as blog notes or thorough slides. Submit early and seek feedback from a CFP review board member.

Q. What should I consider before submitting my talk?

A. Is the topic relevant, new, and thoroughly researched? Do I feel confident speaking in front of others in an engaging and informative manner? Is this a talk I would be excited to attend? Will my talk fit into the appropriate time slot without rushing or stalling? If I plan on a demo, will it work? Can I pre-record the demo to ensure the best results for my audience? Have I considered my target audience and will this information benefit them? Answering yes to these questions is a good indicator your talk is worth submitting. As always, fill out the submission thoroughly.

Q. I’d really like to get some feedback on my submission before it goes through the entire CFP process. Is there a way to get this?

A. Yes. Email us at and let us know you'd like to get some feedback on your submission. However, you might also want to seek some advice from your peers. You could also consider reaching out to those whom have previously spoken or have experience submitting to speak.

Q. What criteria are used to accept/reject a talk?

A. The first thing reviewers consider is the completeness and clarity of the submission. If things are missing, vague, excessively brief or unnecessarily cryptic then the person reviewing may question your commitment to the talk and the thoroughness of your research.

Reviewers then consider the quality of the content you present. Is your outline appropriate and cohesive? Is your chosen topic relevant, interesting and unique? Do your slides reflect thorough research and a good flow to your talk? Is there focus and substance to the material you are presenting or is it broad and shallow? Does the topic warrant the number of speakers listed?

Reviewers also like to see evidence of a qualified speaker. If you have spoken at DEF CON or at other cons, they like to see that those talks were engaging and beneficial to the target audience.

Q. I have never spoken at DEF CON or similar cons. Will that negatively impact my chance of acceptance?

A. If you have never spoken at a con before, other things such as video blogs can speak to your abilities as a presenter. If you are completely new to presenting, don’t worry! You submitted a thoroughly researched, interesting talk with a completed outline and captivating slides right? Good, then you are the type of speaker newb that reviewers love to give a chance because you have shown that you take pride in your submission.

Q. How can I become a more confident speaker?

A. Know your topic thoroughly. Spend time around other people in the INFOSEC community. Practice your presentation in front of live people who are willing to provide constructive feedback and then accept the constructive feedback and apply it to your presentation. Practice, practice and then practice some more. Consider your audience and anticipate questions. Work them into your presentation. If you were in the audience, what questions might you have? Practice your talk timed. Record yourself and play it back, make necessary adjustments well before DEF CON and then practice the timed talk some more.

RELAX! Almost everyone who comes to your talk is either there to support you or to learn something new from you. Trolls exist and always suck, but they are the vast minority. Your audience is in your corner.

Q. What are some resources to help new speakers?

A. Check these out:

The DEF CON Youtube page – It helps to review talks from previous years. Pay attention to what worked and what didn’t.

Q. Yay, my talk was accepted! Now what?

A. Don’t file your talk away until DEF CON, get excited about it! Get others excited about it! Practice it and continue researching the topic. This will make for a much more engaging talk. Also be sure to verify your talk will fit snuggly into your timeslot.

Pay attention to deadlines and requirements for speakers and take advantage of the great opportunities available to promote your talk and your ideas.

Q. What should I do in the event my talk is rejected?

A. There are many reasons for a talk to be rejected, and not all of them are negative. Review the feedback from the CFP Board or ask for feedback if none was received. Do not be discouraged or vengeful and be willing to try again in the future. Also, seek out other speaking engagements in or around DEF CON. If your talk was rejected for main stage but recommended for a village within DEF CON, please follow through there! It was recommended because the topic was relevant to that particular village, and will provide value to attendees.

Q. What if I want to submit anonymously?

A. Cool, do that. The only time we would need to know your “real name” is for speaker remuneration. Even rarer, it might come up in the case of verifying a particular reference. In that case, you can work with the CFP Director and the Speaker Operations team and we will honor your privacy. Speaker check-in can also be done with a unique identifier.

DEF CON Bittorrent Configuration Guide Announcement

"... as part of a new years resolution we have or will be doing the following to max out our security and privacy for these services in 2015."

This is the first part of several announcements about how DEF CON is moving to a more secure and privacy oriented deployment on all of our services. In part 1 I'll talk about what DEF CON is doing with our bittorrent file sharing, the next part will address our eMule / ED2K / KAD sharing.

DEF CON currently shares our content using bittorrent (very popular) and the eMule ED2k and KAD (not very popular) networks. We also run to act as one of the bittorrent trackers we use in our torrent files. We've done this for a couple years, but as part of a new years resolution we have or will be doing the following to max out our security and privacy for these services in 2015.


- Enable protocol encryption: We support encryption (obfuscation) but don't require it to connect. From what I can tell it is RC4 and designed in late 2006. It apparently is not even encryption, but obfuscation. [1]

- Disable DHT: Because we run a tracker and only server content, we don't go looking for other clients to download from [2], the DHT feature isn't necessary for us to enable. It also helps us disable another UDP service that can be abused.


When building torrent files there are a couple options to increase security:

- Don't use any trackers that use udp or http in your torrent files: Not many trackers that I've found support https, but it solves a couple of problems at the expense of some speed and CPU cycles on the tracker side. This is where DEF CON is moving toward, modern CPUs are plenty fast.

- We support web seeds and will use https exclusively to provide a direct download option in the future. Our older torrents include two seed links, one link for http and one for https for maximum compatibility.


For we have moved to only serving over TCP to not be an attractive UDP DDoS amplification target.

- We only serve torrents over https: We are now sending http redirects to https for people hitting our tracker over http. In the future we will regenerate all our torrents to use only https trackers and only https web seed links. Again I bet this costs us some traffic, but because we give away our content for free there is no lost monitization for us to worry about. Instead we are trying to walk the walk and learn what it takes to share as securely as possible.

- To do: Find other popular trackers that support https we can use when rebuilding torrents.

When the torrent file is complete and ready to be promoted it is critical you protect it as best you can, as it acts as a protection against someone breaking into your server and altering your media files. If they do that the checksums in the .torrent will fail and the down-loaders will discard the infected files. To get around this attackers would want to modify your torrent file to allow the altered files to be served. Don't let this happen! Serve from a static file server over https, set the torrent immutable, etc. You want all roads pointing to your well protected and https linked torrent files.


In our next installment I'll cover our eMule / eD2K / KAD configurations and strategy. Check out my post on this in my blog on the DEF CON Forums to comment!

Disrupting Robotic Homeostasis And Artificial Intelligent Systems With Electromagnetic Pulse

"I am expanding my work to include experimenting with Tesla coils."

Recently a computer was able to pass the Turing test in Great Britain. That machine was able to make human beings think that they were talking to a 13-year-old boy. In the popular media there's been people talking about supercomputers what happens when they become self-aware or become HAL as in the movie 2001. The futurist Elon Musk has also expressed reservation about artificial intelligence computers that become smarter that man. All of these advanced systems are run by microprocessors and robots have internal and external sensors. These components are very susceptible to electromagnetic pulse.

At DEF CON 17 I demonstrated digital devices that were being pulsed by my Marx generator. I am expanding my work to include experimenting with Tesla coils. I have been using coils operating at 3 different frequencies.

Robots may be particular susceptible to EMP pulses because of robotic homeostasis...

Homeostasis for human being means that blood level PH, sugar, and temperature has to be in the within certain levels in order for a human being to be healthy. For robot that means its sensors. That is devices that relay information (duplex) to its microprocessor. These would be servos and internal and external sensors. Is the robot walking, walking up stairs, galloping, what is the position of the of the robot arm to the work it has to perform. This massive computing power, servos and sensors can be disrupted by EMP pulse. I plan on doing some demos of my current work with tesla coils at DEF CON 23.


Speaker's Corner!

We present to you, today’s featured DEF CON Speaker! The greatest ever! Ermahgerd look at it amplifry! What a work horse! Never tires! All it’s bass…

Don’t like this? Do something about it.

If you’re a DEF CON Speaker (past or present) and would like to write a post to become featured here, on the Speakers Corner section of, please send an email to Talks (at ) defcon (dot) org with your story. Drop us a line, let us know what you’re working on or what you’d like to share. DEF CON Groups members and speakers that also includes you! What’s your group been up to these days? Topics can vary from discussions on latest buzzword, walkthroughs, attack & defense, bio hacking, tips for improving certain skills, opinions on the state of affairs, etc. The possibilities are endless, and we are looking for content that fits in the spirit of'_Corner

Disrupting Robotic Homeostasis And Artificial Intelligent Systems With Electromagnetic Pulse

Recently a computer was able to pass the Turing test in Great Britain. That machine was able to make human beings think that they were talking to a 13-year-old boy. In the popular media there's been people talking about supercomputers what happens when they become self-aware or become HAL as in the movie 2001. The futurist Elon Musk has also expressed reservation about artificial intelligence computers that become smarter that man. All of these advanced systems are run by microprocessors and robots have internal and external sensors. These components are very susceptible to electromagnetic pulse.

At DEF CON 17 I demonstrated digital devices that were being pulsed by my Marx generator. I am expanding my work to include experimenting with Tesla coils. I have been using coils operating at 3 different frequencies.

Robots may be particular susceptible to EMP pulses because of robotic homeostasis...

Homeostasis for human being means that blood level PH, sugar, and temperature has to be in the within certain levels in order for a human being to be healthy. For robot that means its sensors. That is devices that relay information (duplex) to its microprocessor. These would be servos and internal and external sensors. Is the robot walking, walking up stairs, galloping, what is the position of the of the robot arm to the work it has to perform. This massive computing power, servos and sensors can be disrupted by EMP pulse. I plan on doing some demos of my current work with tesla coils at DEF CON 23.

'Twas the Week Before DEF CON

"TO GOOGLE! He proclaimed and searched for his problem, as he cranked up the volume on the new Knife Party album."

Twas the week before DEF CON and all through the house...all the speakers were drinking and finishing their talks. Zack's slides were hardly started and his laundry was dirty, when suddenly a friend cheered "It's beer o'clock thirty".

Out to the bars he sprung into action, looking for drinks and social interaction. With his number of slides only up to five, he decided to cheer "FUCK IT, I'LL DO IT LIVE"

His tool hardly finished as he went to bed, nightmares of attendees booing danced in his head. With Kaminsky in a toga and Keith in his hawk, they force fed him shots while he tried to give his talk.

The dream continued on with his demos breaking, nothing working and everything flaking. He tries to explain what it should have done, realizing that his pants were mysteriously gone.

When next to his bed arose such a clatter, waking up from the nightmare to see what was the matter. His downloads had finished and started playing, new music for DEF CON for much needed raging.

Amid his dreams an idea arose, the solution to why his connections would constantly close. His packet was off by just one bit, he should have resisted the urge to hack it.

Back to coding he sprung into action, typing away furiously with much more passion. TO GOOGLE! He proclaimed and searched for his problem, as he cranked up the volume on the new Knife Party album.

Into the wee hours on his keyboard he typed, trying to fix the bugs with all his might. As the coding progressed, he began to feel like a newbie, continually asking him self "WHY'D I CHOOSE RUBY?!?!".

He makes his final changes and runs the code, hoping for the solution to finally hold. YES! he shouts as the fixes work, commits it to git and goes berserk.

Onto the slides he must now begin, with tens of thousands flying in. From worlds near, far and in-between, some friends he knows and others he's never seen.

He'll see you at DEF CON in just under a week, where we'll start the party with our fellow freak. And through the Vegas days and into the nights, we'll learn something new this year….we just might.


Don't forget about the
Q&A sessions

"...don't forget about the fantastic opportunities to be had in the Q&A sessions."A recent conversation about some of the benefit of DEF CON as a speaker and a con-goer made me wonder how many people are aware of the awesome potential value to be had from attending the speaker Q&A sessions.

After each DEF CON talk, the speakers are obliged to attend their allocated Q&A sessions, which are incredibly valuable for both speakers and con-goers alike and are one of the things that makes DEF CON a little different from the rest. At many cons, the speakers disappear into the crowd or disappear to catch a flight out of town, but at DEF CON they're generally available to a much smaller audience for about an hour afterwards.

For the con-goer, generally you're going to get great access to the speakers in a smallish, quiet room with seating to avoid the scrum that surrounds some speakers after a talk at many of the other cons. As a con-goer and a previous speaker I've noticed that although well attended, generally the Q&A sessions aren't over-crowded (with the exception of a small number of talks from the RockStars of the world). This translates to a near unique opportunity to fill in any blanks from the talks or perhaps just get a book signed before the speakers merge into the crowd and you have that whole "I don't really want to interrupt (insert name of speaker) because she/he is talking to other people right now" dilemma.

There's also a superb chance for future collaboration. Last year, a PhD student from the Florida Atlantic University attended the Q&A session after our "Weaponizing CyberPsychology" talk and asked some great questions about data mining. We'd stuck to statistical analysis in our research, and had purposely stayed aware from data mining and machine learning due to a lack of knowledge in that area. His attendance at our Q&A session and the follow up email exchanges have led to some interesting work which I'm excited to see the progression of (he has a great looking draft paper). We've also collaborated this year to bring his data mining expertise to a new data set and the problematic issue of mining highly skewed data sets. At many other cons you might need a serendipitous encounter to strike up this sort of relationship, but at DEF CON the Q&A sessions offer an almost unique opportunity to meet in person, exchange ideas and collaborate or not.

So when you attend DEF CON, don't forget about the fantastic opportunities to be had in the Q&A sessions. You might enhance your knowledge, the speakers knowledge or strike up a cool collaboration and maybe even a future DEF CON talk (as Nikita mentioned in her CFP post).

How Do I Make My CFP Stand Out?

"...before you get busy bringing sexy back and telling everyone about it, here's a few tips..." I get asked that question a lot. Sometimes it varies in how it's put, but in principle it's the same question. "What is a good CFP?", "How do I get picked?", "What tricks or tips do you have?". Well, since the CFP just opened and we have some time, I will let you in on the secrets I have. Follow these tips and, so long as your submission is not on the following, you should make your way past round one.

It's advised not to submit a CFP on:

  1. A vendor talk.
  2. Talks unrelated to "hacking".
  3. How I used Neurolinguistic Programming to bring back a cancelled Joss Whedon series.

Actually, I'd probably be a big fan of option 3. It's something I have not seen yet, and before you ask, no, a movie to tie up loose ends doesn't count. So, before you get busy bringing sexy back and telling everyone about it, here's a few tips from a glorified teacher's aide.

Don't waste time. Answer all the questions. Fill in all the blanks. Follow directions.

I now have a twitchy triggered response to incomplete CFPs, thanks to endless half-answered applications which leave us wondering about the motives of the submitter. Be sure to clearly fill in how much time you are submitting for, the name of the talk, and if you actually read the terms of agreement, sign them. If we don't know what you want, we can't decide if we want to give it to you. Think of it like this: while we are waiting for you to respond, we are reading a paper from the other guy. The more information you give us, the better. Sending a submission back for more info is a time wasting process for all parties. You want us to get back to you quickly right? Not *that* quick, I'm guessing.

Details, Details, Details.

Please fill out a detailed outline. Detailed outline > monosyllabic bullet-pointing technique. You want to write an outline as if you are walking through your talk. It should give us a clear idea of what you are going to discuss. A detailed outline should have a beginning, middle, end, and a clear dénouement, or find yourself voted off the island.

Bad Outline:

Meh Meh
Meh Meh Grunt Meh.
I'm done here.

Good Outline:

  1. Intro
    1. Who am I?
    2. Why this talk is relevant to your interests.

  2. Background on Subject.
    1. Who is Joss Whedon?
    2. Early works in TV, Biographical.

  3. Establishing Precedent.
    1. The first show cancelled to invoke fan boi rage.
    2. The many more to be cancelled.
      1. Cancelled before they are even written.

  4. Things that cancel TV Series.
    1. It's obviously interesting.
      1. Define interesting.
    2. Cast includes attractive and intimidating female characters.
      1. Vampires, Cannibals, Demons.
      2. Uncomfortable employee/employer relationships.
    3. Target audience examples.
      1. Virginal
      2. Enjoys one or more table-top RPG.
      3. Loves nicknaming themselves and substituting fictional words for cursing.
      4. Will buy a single season series on blu-ray.
      5. Even when they already own it on DVD.
      6. Because there is 5 minutes of extra footage.
    4. A "River" runs through it.
      1. Why do Summer Glau's series mysteriously end?
      2. Is she cursed, will she always jinx it?
      3. Other common themes in cancelled Whedon series.

  5. Making the madness stop.
    1. Follow up movies and fan-made fiction.
    2. Completing the series via graphic novel.
      1. Why this is not good enough.
      2. How to know if you might have a problem with commitment.

  6. Gorram Mind Control.
    1. What is NLP
    2. Not using it to pick up chicks. get the point.

Where's the Beef?

Narrow it down, slow your roll. Make sure your topic, presentation title, and abstract are specific. Don't be vague with your subject matter or try to conceal the "meat" of your talk. That will bring us right back to rule number one. Take the following example into consideration: SQL < SQL Injection < Lateral SQL Injection in Oracle, OMGBBQFTW!

Nothing is worse than too vague an application, ripe with cryptic text about an undisclosed vulnerability that you don't want to tell us about and you probably shouldn't anyway because it will destroy the world or at least overflow a few oil tankers at sea, but you will tell us once we accept your talk.

In all the years I've worked for DEF CON, I can promise you that neither I, nor anyone else in employ has passed on or leaked information from a submission. We do consider your submission an honor and we wouldn't break the trust you placed in us, or our reputation to keep our lips shut. Now, if you DO have some super leet destructo 'sploit we would encourage responsible disclosure and we might not accept you if you didn't give all parties a fighting chance to patch up before word gets out. We're not looking to line the walls with cease and desist orders and expensive legal costs. Personally, I hate having to re-arrange the speaking schedule at the last minute due to cancelled talks.

You don't always have to provide working code, or a live demo, if we need it then we will we ask. Proof of concept is nice, a white paper or rough draft of slides go a long way in letting us see that you are serious and have put in the work. Additional materials shows you put in the time. Please also remember to put adequate time in making those additional materials legible and print friendly. White text on black background and "Matrix" slide after slide is detracting. Scantily clad or nude women in your slide deck do not add to the value of your talk either. Support your work with content, not flashy distraction. We don't go around accepting talks willy nilly because we like your jokes and jpegs.

We want new, interesting, documented, researched, and preferably never before presented submissions that are concise and clear. Even if you have presented this talk before, how are you going to make it better for us? Yes, I said it, BETTER for us. We want our content to be better than everyone else's. That's not egotistical, it's high standards.

We like talks where you took an idea and ran with it, however we don't like it when you run off with someone else's work. We like talks that reference the work of others or prior art. Give credit to your inspiration, if you got an idea from sitting in a DC 19 talk say so and let us know how you added to it? How did you contribute further how can the audience add to it? Where did you get your information? Saw a UAV at a hackerspace last weekend and you built a bigger better version that's cool? Lets see some photos of version 1.0?

Sifted through endless research papers to backup your claims? Cite them. The attendees want to know where they can go after your talk to learn more, sometimes that might be you and sometimes you might recommend reading a book or two to get started. We want to see submissions that expand the learning experience beyond 50 minutes at DEF CON.

What if your work is "incomplete"? Let's say you know you have enough content for a turbo talk, but your team is not done with the project and you might want to bump it to an hour later. Include what you do have now and leave a footnote explaining your intentions. You can always update your CFP, and you can always ADD to your talk, so long as it doesn't drastically alter the subject matter or decrease the value. If you are communicative with us we can make anything work.

DON'T say you have a tool or an exploit when you don't.

Don't pimp your employer and don't try to sell something. There are a lot of other conferences that accept proprietary software talks where men in suits talk for an hour straight about how their tool is the best tool for pen testers and all other options are unworthy. Worse still is a hidden sales talk in disguise. Five minutes out of 50 explaining how to do something outside of your product is not a healthy relationship.

I am the last person to criticize spelling and grammatical errors, so if I am gawking at the obvious errors, you have problems. A courtesy spell check is all I ask for. Word to the wise, we prefer submissions in English, not alpha numeric, it's not as cute as you think.

Be flexible.

If you want to speak at DEF CON, prepare to speak on Sunday. Even if it's the last talk of the day on Sunday, take the slot and don't worry that "people won't see it". They will see your talk, there were upwards of 12k attendees last year, and no room had crickets chirping. Besides, they are recorded, so if they miss your talk at con, they will see it later. It will be on record for many years to come. The same goes for Friday, not everyone can speak on Friday, regardless of how much you want to party or "get home early".

If we ask you to cut or extend your talk, consider it. We might be trying to fit you in the schedule with less time because it's already full. Or we think your talk would fit well in sequence with another talk, if only it was a little longer.

If we want to see a demo, or request more info, consider sending us your best promptly. We might have another submission that is similar to yours and we can't decide which is "better".

"What makes a good speaker once I AM Accepted?"

Read your emails throughly. Especially if they come from me.

Meet your deadlines.

Submit presentation materials.

Cite your references, watch the umms and ahhs, and avoid running over or under time.

Focus on making your content the best it can be and your talk, "the" talk, to be in.

You can make it fun too, include waffles if you want to, but your content should stand its ground regardless of theatrics

Write a speakers corner to address the public with a sneak preview of your talk.

Don't pass up opportunities.

Don't specifically ask not to speak at the same time as another speaker. Three other people will have to speak opposite of Dan Kaminsky or Adam Savage. How do you know that other speaker wouldn't rather be listening to your talk and is bummed they missed it?

Lastly, Make sure you are available to the public for questions and discussion, don't isolate yourself from attendees. Go to the Q&A Room after your talk, hang out and talk to people. The guy you might hang out with all night at con might have submitted a similar talk, maybe next year you team up and become like wonder twins or something.

Consider the following linkage to feed your brain.

Speaking and Research Tips:
Strom Carlson:
On Submitting:
On Advice:
On Attitude:
Just read them all:
Past Show Archive:


"Can a doomsday worm shut down the Internet?" This is a theoretical prima to bring out a discussion about whether an Internet doomsday worm can be created, that is so intractable that it cannot be eradicated. This worm could also have the ability to carry multiple weaponized payloads. Can a doomsday worm shut down the Internet? I don't think anyone could shut down the Internet, but I believe a worm can definitely create access problems. To look at some of the requirements for this worm, I think the best model to look at is a biological one.

The AIDS virus has confounded medical science for number of years. It seems to be one of the most successful viruses in modern history. From the article "Why Diseases Such As AIDS Are So Successful and So Deadly:" "Cell-to-cell transmission is a thousand times more efficient, which is why diseases such as AIDS are so successful and so deadly," writes Mothes. "And because the retroviruses are already in cells, they are out of reach of the immune system."

Cell-to-cell transmission is a thousand times more efficient. I think the best analog to this is social networking sites that have the greatest transmission throughput.

On the second line, "They are out of the reach of the immune system," if you take a corporation with 1,000 nodes that are infected, it's easy for data security to push down a solution and remove the worm. The PCs that are actually outside the immune system are almost always home PCs, iPods, Android phones, and small network PC groups.

What else can we learn about a biological model? If you walked into the middle of crowded room and asked if anyone knew Mary Mallon or Gaetan Dugas, you probably have a lot blank stares. Gaetan Dugas was AIDS patient zero, and Mary Malone was the infamous Typhoid Mary. They share some similarities that helped them to infect a lot of people. They appeared healthy and did not have any outward signs of any health issue at all. The gestation period for AIDS was more than 10 years, and Dugas infected a lot of men. Mary Mallon was a cook. She handled food and utensils, and at one time, she worked in a hospital. Mary she was a carrier of typhoid but it did get sick. Some of these ideas could build a good model for a worm.

With the above and what I know malware, let's build a model:

  1. It would have to operate in the noise level of the Internet.
  2. It would have to behave as a WebCrawler or spider to stay off of the radar of malware companies.
  3. It would have to infect its hosts with minimal discomfort; that is, minimally slow them down or it make it appear as if it was not a type of malware that somebody would want take the effort to remove.
  4. It would have to infect very slowly.
  5. It would have to be self-aware—it would have to recognize itself trying to re-infect a host.
  6. A model would have to be built for it to judge how its growth rate would have to be modulated.
  7. AIDS had a gestation of up to 10 years. A gestation time on the Internet of only one year would be an incredibly long time.
  8. The worm would have to be modular enough to take different payloads.
  9. It would have to try to just infect home PCs. Home PCs have been deluge with strange malware and bogus antivirus pop-up ads. Recently, Microsoft tried to issue a malware solution. This antimalware flagged Goggle Chrome as a Trojan, and actually remove Goggle Chrome from a number of PCs.
  10. It may also contain code to write to places on hard drives that are normally inaccessible to antimalware programs.
  11. Have to self morph, it would have to evolve
  12. Be able to present different signatures to antimalware

I got the idea for a doomsday worm from a Chinese hacker website. I don't speak Chinese, so I had to use Google Translate, and as they say sometimes things get lost in the translation.

Submitting to the DEF CON CFP

"You do stuff, you know stuff, and you have the stuff, now it is time to share it." It is that time again; the DEF CON Call for Papers is open. Get busy, submit your stuff. You do stuff, you know stuff, and you have the stuff, now it is time to share it.

But first: pause and actually READ the CFP announcement (at Read all of it. Now, think about what you have that you want to share and ask yourself which of the session lengths and formats is best for your content. Got it? Great, it's time to start assembling your proposal. Look at the CFP form ( Look at it, but do not start filling it out right away. There is specific information requested, in specific formats – it would be a great idea to provide that information, all of it, as requested. Assemble a coherent proposal, double-check it, head back to the CFP form, submit, and good luck!

A few more tips:

1) Follow the directions. Yeah, I know I just said that, I'm saying it again. This is one of the best ways to "hack" a CFP and get accepted (or at least not be first rejected), follow the directions.

2) This is not an English major's thesis, but you still need to proofread your proposal. Check your spelling and grammar, and make sure your proposal makes sense. Speaking at DEF CON means that you are communicating with hundreds or thousands of people in your session. If you cannot effectively communicate your ideas to a few folks on the speaker selection team you may not be the best candidate for speaking at DEF CON.

3) Be concise. That does not mean your submission has to be simple, or short, but it needs to get to the point, and have points to make.

Think about it this way, if you were staring at a DEFCON-sized pile of proposals would you like to read train-wreck paper after incomplete paper for hours on end – in your spare time, as a volunteer? I didn't think so. Do you think that a few hours into the pile the complete and correct CFP proposals would start to float to the top? Yeah, thought so. Make it easy on the staff, and improve your chances at getting accepted.

See you in August.

Stop. Think. Connect. A Special DHS, PSA Contest.

"I can only imagine the hilarity that would ensue in a minute for a video entitled 'How to not be a Noob' or 'Phishing & Trolling, not what it was in Grandpa's day.'" Howard Schmidt, Special Assistant to the President and Cyber Security Coordinator has issued a special PSA Contest. This crowd sourcing campaign is in an effort to alert the general public to Stop, Think, then connect, when it comes to their online presence and responsibility. Good, bad, or otherwise, I would really like to see what the DEF CON community came up with.

I am confident that our DEF CON community could come up with some pretty interesting feedback in regards to this contest, I'd love to see and hear the creative ways you would advertise to the general public. I can only imagine the hilarity that would ensue in a minute for a video entitled "How to not be a Noob" or "Phishing & Trolling, not what it was in Grandpa's day." Overall, I have had a love for PSA's since I was a kid. A lot of us remember and have a special place in our hearts for the PSA's of our youth, especially ones of the "The More you Know" variety. Who didn't like watching "This is your Brain on Drugs" or GI JOE telling us that bullying is wrong? I know I did, and "Knowing is Half the Battle".

From the contest:

"Keeping the Internet safe is a responsibility we all share. We need to take time to stop and think before we connect to the Internet, share information online, or participate in online communities. But sometimes, a creative and compelling reminder can help. That's why the Department has kicked-off the Stop. Think. Connect. PSA Challenge – because all Americans have an important role to play in securing the Internet. We are looking for videos that will help educate Americans about Internet safety and what we can all do to protect ourselves and our families online. If you know what it takes to get Americans motivated to improve their safety online, then we need your help. We want videos that inspire Americans to Stop. Think. Connect."

For details on the requirements and how to submit visit the contest page at:

PSAs must include at least one of the following Internet safety tips:
* Keep a Clean Machine
* Protect Your Personal Information
* Connect with Care
* Be Web Wise
* Be A Good Online Citizen

In similar fashion, I'd love to see if anyone out there posts something on:
* Understanding Encryption
* Surfing Anonymously
* Using Proxy Servers or Feed Over Email
* Understanding Copyright, TOS agreements, and Privacy expectations.
* Who and What is a Troll and how to defeat them.

This past year we had a few talks both in the offense and defense perspectives, check them out on the DC 18 archive, there are too many that fit this topic to list, you might find something that inspires you. I hope you guys & gals out there send in a submission, if you don't want to submit to the official contest, can you send us a link instead? These PSAs would be great to show at DEF CON 19, and if we can, we'd probably like to share some of your clips online so we can get the word out to "Stop. Think. Connect" The contest runs until Feb 14th, Valentines day, so send in your love, send us links, let's get this PSA party started.

Good luck!

@niki7a on twitter.

Feel free to comment or introduce your own insights for this discussion on the thread for this article on the DEF CON Forums!

How Did We End Up Like This?

"...compliance issues are driving and defining both security and budget in businesses large and small, and that means a lot of hackers' day jobs are touched by PCI." Earlier this year I participated in a panel discussion on PCI at DEF CON. Yes, PCI at DEF CON. It was actually a very lively and informative discussion, and the follow up in the Q&A room was informative and *very* lively. While I am honored by the opportunity to speak at DEF CON, and to share the stage with several people who (unlike me) actually know what they are talking about, I do have one question that keeps tormenting me:

How the hell did we get to the point that PCI is a topic that draws a crowd at DEF CON?

I don't think there is any one answer, instead there are several. Here are a few:

First, I think part of the draw of candid conversations about PCI is that compliance issues are driving and defining both security and budget in businesses large and small, and that means a lot of hackers' day jobs are touched by PCI. It doesn't matter whether you are a network admin, outside pentester, manager; anyone who is involved with regulated systems or data feels the impact to varying degrees. Even people who have nothing to do with information security may feel the budgetary impact of compliance. I think those indirectly involved with compliance are starting to see this, and take an interest – and there have been almost no conversations designed to engage or inform the technical InfoSec practitioner audience.

Another factor is that while we rarely "grow up", people in the hacker community frequently grow older (often at an alarming rate). This occasionally means ending up in jobs with words like "manager", "director", or even "chief [something something]" in their titles. These poor folks can't get away from compliance. They may still go to DEF CON, but they've probably been to a lot of "Business of InfoSec" conferences lately, too. And candid conversations aren't always what you get at those kinds of vendor-driven events – so a hacker con take on the issues may appeal to them.

There is also the issue of management-speak, which is a foreign language to some DEF CON attendees. While this may eventually be career limiting, it shouldn't limit anyone's access to information. We have tried to keep our discussions "non-denominational", and minimize or at least explain the acronyms and jargon used. A related thought – it is possible that our inability to effectively communicate security issues to senior management leaves them vulnerable to believing that complying with a security regulation means they are secure – but that is another talk for another year.

Note: it is important to remember that it isn't just PCI, there are a myriad of other regulatory requirements in the wild, but PCI seems to be the poster-child for regulatory issues.

And finally, there is DEF CON itself. While many people (mostly those who have never attended) have a pretty narrow view of DEF CON and those of us who attend. We know better, it is a dynamic event with a dynamic audience, and the mix of content highlights that. Thanks again to the DEF CON team for giving us the opportunity to bring this topic to a wider audience.

Feel free to comment or introduce your own insights for this discussion on the thread for this article on the DEF CON Forums!

Experiences of a First Time DEF CON Speaker (Part II)

"In short, I like to laugh and learn and that's how I like to communicate..." Previously I wrote about my experiences as a first time DEF CON speaker prior to speaking.  Now it's only fitting that I complete the story and write about my experiences shortly before, during and after speaking, hopefully encouraging future would-be, speakers.

A Few Weeks Before the Con

In the weeks leading up to the con, I found myself pretty focused on presentation content, how could I best get my message across and how did I want to deliver it? I spent time looking at previous talks to see what worked well, especially in terms of what level (skill-wise) to pitch the content at.

Choosing a Presentation Style

I generally prefer talks where it's fun and/or that its clear the speaker is passionate about his subject. In short I like to laugh and learn and that's how I like to communicate (when possible of course and it's not always possible in a corporate environment).  Obviously, you need to choose a style you're comfortable with and that fits your content; it's unlikely the less serious approach will work for deep technical talks.

Creating Content (Slides)

A number of friends and co-workers all offered to be guinea pigs and sit through a rehearsal, timing the talk and such like.  Well, I'm not really that kind of person. For example, for my wedding speech, I wrote some bullet points down about 3 hours before the ceremony, and the speech seemed to go down well. I typically adopt the same approach (out of work) for other talks and mostly it works out. So I was opting for a similar approach here.

I decided to use slides predominantly as visual support rather than things to be read, i.e. a lot of pictures.  Now, I'm no Johnny Long, but that style of presenting and receiving information appeals to me the most.

I outlined roughly 120 slides and had a reasonable idea what I wanted to say for each slide.  120 slides, for 50ish minutes?  In your face "effective presentation skills".


OK, so I did sort of test the timing out for this talk as I tend to run over if I'm not careful.  I opted to time by sections rather than slide by slide, by reading through the slides over a beer in the hotel. For example, section one took 15 minutes, section two 20 minutes and section three, 25 minutes, making 60 minutes in total.  Fine for Blackhat with 15 minutes to spare, but I'd have to knock ~15 minutes of for DEF CON.  I figured I'd talk faster at DEF CON..simple really.

The benefit of timing by section is that you can easily keep track on whether you need to speed up, or whether you want to slow it down a bit.  Timing by slide can get a bit too distracting. FWIW, the KeyNote presenter display really helps here.

Understanding the audience

This is something I agonized over for hours, always considering whether the audience would get bored stupid by a slide, or worse still a sequence of slides.  To reduce boredom and to ensure that people didn't feel short changed, I took a leaf out of Michael Shrenks DEF CON 17 talk and made the agenda and goals clear. i.e. this is what I'm talking about, and this is what my aim is, "i.e. leave interested enough to try stuff out or read more".

I also added a quad chart to highlight that n00bs stood the best chance of gaining a lot from my talk, while experts were free to stay and heckle.


The white-paper, was to prove useful. I used it as a place to go to town on "the science" and reference any research I'd stumbled across on the topic. This way, the talk could entertain and if people were sufficiently interested, they'd seek out references and step by step instructions in the white-paper.  This really gave me some freedom with the talk.

Note: I still have to follow up with a couple of people looking for code. I haven't forgotten.

Nerves. Night before

I anticipated some nerves for sure, but I was also hit by something a number of other con speakers get... it's the "oh shit, the other talks are much 1337er than mine and I don't deserve to be here" syndrome.

The fact is, you're there, DEF CON critically reviewed your Call For Paper entry and you do deserve to be there. Still, it's harsh slap in the face when it dawns on you what others are talking about. When people are "JackPoting" ATMs and "dropping 0 day", you naturally get a little freaked out.

The best advice I can give here is to just get on with it, because ultimately, if your talk bombs, it's not the end of the world. Secondly, it's a fantastic opportunity to be able to speak at these cons; savor each moment as it may be your last.

Nerves. 60minute countdown

Everyone has different ways of dealing with it and some lucky buggers don't get nervous at all.  I tend to avoid people where possible.

On Stage Tech FAIL:

The proctors/goons are awesome and really help to put you at ease.  I also grabbed a friend/goon (alien) to help me get rigged up. Usually I can get my Mac working on the big screen no problem, but put me in front of a audience of ninja's, watching my every mouse click and that's it, I turn into "Never used a computer before man".. so thanks alien for helping sort the display FAIL out ;-)

On Stage:

So you're there, what are you most comfortable with, holding the mic or speaking into a mic on a stand?  Heck, I play rock-band, I wanna hold the mic and walk about a bit, or at least feel like that's what I'm doing.

The first couple minutes are the worst.  Deep breath, slow it down and go with your opening gambit, I typically like to break the ice, so I introduce Helga.

After the first couple of minutes, I felt that I was pretty much in my stride and began to really enjoy the experience and it is a great experience.

Post talk

Ignoring the overwhelming sense of relief, I was really excited by the level of interest and follow on discussion (in the breakout room, via email, in person etc).

I got speaking to a number of people, including visualization experts such as Raffael Marty (, I'm just a hobbyist that guy's a real viz-pro. I got talking to social network ninjas, investigative journo's and other con speakers (new and old).  Speaking brought me in contact with others sharing my interest in the topic. For me, this is probably the primary benefit for speaking.  Made some great friends too,

Follow on

A couple of people really seemed to like the talk and wrote it up here and here. That was a really welcome surprise.

Most recently, the talk led to an article in a U.K. national newspaper (The Daily Mail) and an appearance on the Breakfast TV show Daybreak.  It's funny seeing yourself described as "an expert", especially when you really don't think you are; I mean, lets face it, this stuff isn't Kernel Hacking Science.


A great experience.  Talking put me in contact with a community of people engaged in visualization and investigative fields and opened doors for some truly excellent experiences and discussion.

Oh, and the signed DEF CON skateboards generated roughly $1,500 for Hackers For Charity and EFF  (here's a pic of the EFF deck with a Klingon..)

Will I do it again?

I really got involved by accident this year, just thinking that a talk on data visualization and social networks might encourage others to play, so, as for speaking again, if a talk springs to mind I'll be submitting a paper for sure. Mostly I hope that my experiences inspire other people to have a go.

Feel free to contact me via any of the methods on my website here and here's the links to slides, white-paper, audio and video.

My Secret Locksport Agenda

"That's 700 more people I'll never have to explain myself to!" There is an awkward moment for those who pick locks for fun: telling friends and family about it. Many people have an immediate negative reaction to the thought of picking locks:

"Isn't that illegal?" -- "You're a thief?" -- "I better not see you around my house!"

Sometimes it upsets friends and family so much that they stop talking to you. I was lucky; only one family member reacted this way. I was naive, happily chatting to anyone about my new hobby turned many people off. After a year of getting rebuffed and accused I learned to hide what I love most. I love locks -- I'm fascinated by them. I find the smell of brass and grease invigorating. Until I became interested in locks I thought people who were obsessively passionate about something were absurd and lying about how much they loved it. I had no idea. When it comes to locks I am wholly consumed, so keeping mum was frustrating. There were places I could talk about it and people who didn't care or were into it, but when I met someone new I'd talk about anything but locks.

Then I went back to Holland.

When I first learned to pick, Barry Wels convinced me to attend the Dutch Open (now LockCon) in the Netherlands. The first year I attended I didn't know anyone and was stunned by the talent and knowledge in the room. My experience was a constant state of awe. The second year I knew more and had established myself as a strong picker at DEF CON 15. My focus was on the competition; how far I could go and who I could beat? I was taken by surprise when Arthurmeister gave me a bear hug when I walked through the door. I was distracted by these people who had become my friends. On the ride up to Sneek I traveled in the back seat of a friend's car with his children. We didn't speak the same language so we made faces and took pictures with my new camera and they taught me little games. It was really endearing.

This particular year the conference was around a local holiday where children running around with paper lanterns begging for candy. A few of the adults took the kids into town to go door to door. We would sit down to big family style meals and I was amazed at all the people who remembered me and were happy to see me. The whole thing felt like a family reunion. Then it was time for the competition. I tried to focus and be serious but I was scolded by some Germans who told me to have fun. I looked around and saw kids peaking in from the doorway, excited and cheering for their parents.

I left with a much different view of locksport and the community, one that has been reinforced every year. The overriding theme of LockCon has been, for me, normalcy. This is where everyone is excited about locks, curious about new ideas, and, more importantly, where friends and family can spend a weekend catching up and finding out about each other's lives. Sinterklaus even stopped by once!

So, I started talking locks again with friends and pretty girls I was trying to get to know. It's not the first thing I talk about, I try to play it cool, but when it comes up I can't help but show my passion for it with excited babbling and an inspection of their keys. There was a bigger change, too. I started talking to other people about it, people I'd never met and large audiences. I began doing interviews and workshops and suddenly found myself profiled in a local free weekly. After my profile in the Boston Phoenix I landed a story on All Things Considered and a bio in the Boston Globe. I started honing what I wanted to say about Locksport and what I love about it. I appeared on the History Channel and doubled the number of speaking engagements I do each year. I've started doing workshops for new audiences. My mother even got involved and connected me with a mystery book author's conference where I'll be on a panel of experts discussing attacks and forensics for the literary mind.

All of this has stemmed from the same idea: normalcy. I love DEF CON and the hacker conferences, but I want to speak to a wider audience so the next time I'm being introduced as a competitive lockpicker at a dinner party I don't have to spend 10 minutes explaining that I'm not a thief, not going to break into their home and that yes, in fact, this is legal. I don't care if people pick -- I am not on a mission to convert anyone to locksport. I just want them to have heard of it. To know that it exists and be prepared when they hear a friend or loved one picks locks. My ideal is to have people be absolutely indifferent. I don't need anyone to love what I love, but I don't want them to hate that I love it.

Now I'm embarking on my newest venture, launching my own line of lockpicks. I'm proud of them and I think they will be successful in the locksport community. I have had incredible support from them both developmentally and financially, but I'm not making picks for them. I'm making them for the world. I want to spread the knowledge of locksport via marketing. I want to expand the market, catch the curious and let people know that this exists. I'm launching my picks via Kickstarter, an all-or-nothing funding platform that depends on individuals pledging small amounts of money to back your project. I set the lofty goal of $6000 and as of this writing, have raised over $50,000. I cannot tell you how exciting it is that many, if not most, of those individuals backing my project had never heard of Locksport, didn't know of it's potential for social acceptance and jumped on the boat anyway.

This will be the first set of lockpicks many of these people ever own. That's thrilling to me. When I look at the backer list I think to myself, "That's 700 more people I'll never have to explain myself to!" So, it's selfish, to be sure, I just want people not to gawk at me when they find out what I do. I think we'd all like to be taken at face value a little more often -- I'm just taking a more direct route to making that happen.

Hacking Millions of Routers

"Given the number and popularity of the affected routers, this translates into many millions of vulnerable routers deployed world wide..." After having attended the past couple of DEFCONs, I'm really excited to be speaking at DEF CON 18 this year. In anticipation of my presentation, "How to Hack Millions of Routers", I thought I'd take this opportunity to answer some questions, offer some background information, and give a quick teaser about the talk.

Most people assume that because they don't have remote administration enabled on their router, external attackers cannot access their router's administrative Web interface. However, for many routers this is simply not true; anyone with a registered domain can in fact gain full interactive access to the router's internal Web interface in order to exploit vulnerabilities or log in to the device (either via the router's default password or a brute-force attack), at which point they can view settings, change settings and generally do whatever else they want with the router*. However, this attack is not restricted to the primary Web interface; it can also be used to gain interactive access to SOAP-based services running on the router as well, such as Universal Plug-n-Play which requires no authentication at all. While this attack does not work against all routers, out of thirty different routers tested the attack was successful against more than half of them, including the venerable WRT54G from Linksys, ActionTec routers used by Verizon FiOS and DSL customers, and many others. Given the number and popularity of the affected routers, this translates into many millions of vulnerable routers deployed world wide, not to mention all the other routers that have not yet been tested.

The attack is actually a combination of many things, from browsers and JavaScript to firewalls and TCP/IP stacks, but it ultimately centers around DNS rebinding*. Although DNS rebinding has been publicly discussed for almost 15 years, many people still don't completely understand it. I've gotten several inquiries about the talk, and they generally boil down to two basic questions:

1) What is DNS rebinding?
2) What is so special about the DNS rebinding technique presented in this talk?

To understand DNS rebinding, let's examine why DNS rebinding is needed in the first place: the same domain policy. The same domain policy is a security policy that is enforced by your Web browser. That policy states that if you browse to, then that page from can tell your Web browser to load content from other Web sites (images, JavaScript, CSS, iframes, etc), but it cannot see the responses from those Web sites nor access the content that is returned by those Web sites. In other words, JavaScript from can only access content from because that content comes from the same domain. This is a good thing, as you wouldn't want some JavaScript from making unauthorized XmlHttpRequests to Web sites inside your local network or elsewhere.

The problem with this policy is that computers don't use domain names to communicate with each other; they use IP addresses. The idea behind DNS rebinding is:

1) Get the victim to load some JavaScript from
2) Convince the victim's browser that has moved to a different IP address, say,
3) Evil hacker's JavaScript is free to interact with, which the browser now thinks is located at

The difficult part in the above attack is convincing the victim's browser to switch IP addresses. Various methods of achieving this have been presented in the past, so why yet another talk on DNS rebinding attacks? Because quite simply, the common DNS rebinding attacks that have been discussed in the past are either not practical or simply no longer work:

o Setting low TTL values in DNS responses doesn't work anymore because of DNS pinning.
o Anti-DNS pinning attacks only work in older browsers (IE6/7, FF2.x), and even then the rebinding attack takes between 15 and 120 seconds to take effect depending on the victim's browser.
o The "multiple A record" technique can no longer be used to rebind to internal (RFC1918) IP addresses.
o In addition to browsers, third party plug-ins such as Flash and Java have implemented anti-rebinding measures.
Thanks to several features present in many popular routers and their underlying operating systems*, none of this will deter the attack discussed in this talk, which has been tested against live networks under real-world scenarios (with the appropriate permissions from the network owners, naturally). Common anti-DNS rebinding protections offered by services such as dnsmasq, OpenDNS and NoScript will not prevent this attack, nor will changing the router's internal IP address. The good news is that there are fixes that can be made by both vendors and end users to protect against this attack*. The bad news is that these are fixes that should have been implemented years ago, but instead have been ignored by both vendors and users alike.

Of course, what is a talk without a tool release? I will be demoing and releasing a tool that automates the entire attack and extends the target router's internal Web interface out to an external Web site where the attacker can access and browse the router's Web pages in real time, just as if he were sitting on the LAN himself. All the attacker needs is a user inside the target network to browse to the attacker's Web site. It's point-and-click hacking goodness that's fun for the whole family!

* To be discussed in more detail at the talk!

"Hey, maybe I've got a DEF CON talk emerging here"
Experiences of a first time DEF CON speaker (Part I)

"...I've seen this mentioned on another website, but one of the best ways to meet people is to do a talk..." … and so begins this short summary of my experience (up to now) as a first time DEF CON speaker, what I like about DEF CON, how I got involved, submitting a talk and just what is it I'll be talking about anyway….

Local DEF CON chapters, a serendipitous meeting
On the way home from DEF CON 15 I got chatting to another con goer, alien (@alien8 on twitter), a DEF CON Goon. alien told me to check out DC4420, the London, UK DEF CON chapter…so about 2 years later I went along.

DC4420- Community
Dc4420 is excellent. Each month a group of 50-80 hacker/geek types get together, typically for two talks, a tech talk and a fun/lower-tech talk. There's also plenty of opportunity to chat with folks…

…I've seen this mentioned on another website, but one of the best ways to meet people is to do a talk. Talking, or even just sharing what you're working on can lead to discussions with others who are tackling the same challenge or have complementary knowledge and skills.

I let alien know I had a talk about "teaching my dad to be safe online" and before I knew it, I was talking at DC4420. Well, this had a knock on effect of people talking to me about what I was doing in the local village community.

Through that one talk, I got chatting to some seriously smart people at DC4420 (Far smarter than I'll ever be). I've had discussion and help on a number of topics (non-work related, for the record) and also shared my learning's with others. Ultimately, this is what a community is about and I love being part of it.

That's all fine, but what the heck does this have to do with my DEF CON talk?

Seemingly Random Sequence of Events
Well, after DEF CON 17 I decided to start using Twitter (hey! It's actually pretty useful). Among the first people I followed were @_DEF CON_ , @ RyanlRussell and @tonyhawk (yes, the skateboard legend).

Tony was looking for volunteers to help in a worldwide twitter hunt. A what? A 'Twitter Hunt'. Tony is well known on twitter for randomly hiding skateboards, bmx's and other cool stuff, then sending out a clue (via twitter), so his tweeps can hunt down the schwag….

…so I volunteered, and to my amazement, I got selected to help (I'm nearly 40, married, with child, I shouldn't be this excited about a skateboard legend). His event involved close to 100 decks being hidden around the world with clues being sent out for locations as far apart as Sydney Australia, London UK and Boise Idaho.

And I wanted to see a Google map with pictures of the people who hid the decks, the people who found them and the schwag. That's where my adventure started.

I sent out a tweet asking if anyone knew of a quick way to grab tweets between dates and pretty quickly I got a response from a fellow DC4420er going by the name of @l0sthighway (he's a smashing chap). He suggested I use Maltego (check out the community edition).

So, in about a month I went from no knowledge of Twitter or Maltego, to using Maltego, together with some dreadful PERL scripts to call the Twitter API. I had a bucket load of help from the wider community, including the Maltego creators, Roelof Temmingh and Andrew Mowhawk and of course a few folks from DC4420.

I wrote up some of my adventure and left it at that (new born child in the house and all that).

Just after the earthquake in Haiti, I spotted a tweet from DECappeal (the UK disaster umbrella charity). They wanted to gather stats on social media… well, I now knew a thing or two about this, so I sent them a tweet. A series of calls with DECappeal and British Red Cross later and I was collecting twitter stats for them and generating graphs.

Nigerian Scammer Networks
In late 2009/early 2010 a friend was on the wrong end of a Nigerian scam. Well, I just thought I'd have a poke around with Maltego and see if it could, theoretically, help identify anything interesting. Well, it got very interesting…

Hey, maybe I've got a DEF CON talk emerging here?
I chatted to alien about the potential content, who asked if l0sthighway and I would like to talk at the DC4420 meeting that coincides with Infosec Europe (the UK's big infosec show). Wow, that's like a big deal.

Although a watered down version of the intended DEF CON talk, it seemed to capture the interest of a number of people… so I figured I'd go ahead and submit a paper…what's the worst that could happen?

Call For Papers – Notes from the field
Well, I pinged Twitter looking for people who'd be interested in pointing me in the right direction with my CFP. Dave Rook (@securityninja) , Jayson Street (@jaysonstreet) , Rafal Los (@Rafallos) and alien (@alien8) all sent offers of help…They helped me transform my idea into a talk worthy of con-consideration.

My starting title, although reflective of the talk, was certainly not sufficiently "DEF CON", so I went through a few iterations, ending up with "Social Networking Special Ops: Extending data visualization tools for faster pwnage" (…closer).

My major observations are:

Creating a compelling title isn't as easy as it sounds.
1. Creating a CFP entry takes a good deal of time.
2. Get people to critically review your entry. I suggest people who've been accepted previously.
3. It helps if you've got a detailed outline of your talk and other supporting material (slideware, whitepapers etc).
4. If I ever submit again, I'll be getting my paper in sooner.
5. It's nail biting waiting to hear the outcome.

Well, to my amazement, I got accepted to speak. WOAH!...

So what's the talk about?
In a one sentence summary.

"my talk describes how data visualization tools (like Maltego) can be extended to speed up the analysis of social networks (well, anything really)".

The talk is delivered in 3 parts.

Part 1.
I start with an intro about social network analysis, how there's an explosion of personal data available online and why this presents both a problem and an opportunity. I figured most folks have some idea about this, so I don't spend a lot of time here, but I will call out research/work in this field.

Part 2.
I share how you can use visualization software, and in this case Maltego, to data mine social networks. I focus on Twitter, based on my experiences with the Tony Hawk Twitter Hunt. BTW. I'm also running the DEF CON Twitter Hunt so you can all share the fun of a twitter hunt. Thanks to the generosity of Tony Hawk, I've got a limited number of his decks (signed) to give away too.

The Tony Hawk angle is intended to be a fun and light hearted way to introduce Maltego, but what about something more interesting?

Part 3.
This section talks about my experience enumerating a Nigerian scam ring. I share what I've learned about Nigerian scammer operations; for instance,…

• Did you know there are hundreds of worldwide "cells" (62 in the UK alone) ?
• Have you any idea how much a Yahoozee (Nigerian scammer) makes?
• Have you seen what they post on social networks?

I'll share how I found this stuff out, using data visualization and techniques in social network analysis inspired by previous talks including "Satan is on my friends list" and "Social Zombies".

By the end of the talk I hope to leave the audience with an appreciation of work/research/tools in social network analysis and data visualization. I also hope to expose the audience to ideas that they can apply in different contexts. In short, I want to generate the same level of interest that sparks and motivates me when I go to a DEF CON talk.

What next

1. Come along to my talk at DEF CON on Sunday at 4pm (I'm also at Blackhat and Bsides).
2. Get on Twitter and get ready for the DEF CON Twitter Hunt.
I'm honored and excited to be able to talk and be actively involved with this year's con. If you want to say hi, send me a tweet or ping me on the forums.

…and yes. I'm bricking it a little bit… who wouldn't be ;-)

ARIN and IPv6 at DEF CON

"...The rebirth of the Internet is imminent, and it begins with the depletion of IPv4 and the rise of IPv6..." I've been lucky enough to witness some pretty remarkable events during my career in information technology. I witnessed the rise of the Internet first hand. Then I watched as the Internet and IPv4 made IPX, Banyan Vines, and other protocols obsolete. I was there for Y2K - a lot of money and effort went in to what amounted to a non-event for most enterprises. I watched as my portfolio crumbled when the dot com bubble burst. I worked at several companies that were victims of bad management and bad luck during that time. I've seen a lot of change in this industry, and yet, I think we're just getting started. The real boom is about to begin and with it comes great change.

We're on the cusp of the greatest change I am likely to witness in my career. The rebirth of the Internet is imminent, and it begins with the depletion of IPv4 and the rise of IPv6. IPv6 heralds a new age for the Internet. We'll finally realize the potential of the Internet as it was originally conceived; a huge network of inter-connected devices with real end to end connectivity. The ability to globally address every single connected device will change the way the Internet looks, the way it works, the way we work, the way we play, and the way we communicate.

Today's Internet has been a dry run for what will become the Internet for many generations far into the future. The new Internet will do things we cannot imagine today and will likely be unrecognizable to those of us that work on it today. The proliferation of IPv6 will bring about a mature information age and many new technologies and opportunities.

With great change often comes great turmoil. I expect the Internet to experience some growing pains during this transition. Rather than a soft landing, we appear poised to hit the wall at mach 3 and the result will forever alter the Internet.

The issue is simple: IPv4 addresses are running out, and fast – only 6.25% of the IPv4 free pool remains, and the rest is going quickly. Some companies have been slow to adopt IPv6 for various reasons, including the associated time, cost, and risks. But with IPv4 depletion imminent, more and more of the Internet will use IPv6, meaning we must run both IPv4 and IPv6 simultaneously. Dual-stacking means everyone can see our websites, use our web-based services, and communicate with us.

IPv6 is now a key feature that customers are looking for, and companies who offer it will have a significant advantage. Now is the time to request IPv6 addresses from ARIN or your appropriate Regional Internet Registry (RIR) ( and start providing your customers with IPv6 connectivity in addition to IPv4.

On Sunday, August 1, John Curran, ARIN's President and CEO of ARIN, and I, ARIN's Network Operations Manager, will lead discussions on IPv6 at this year's DEF CON.

John's session {IPv6: No Longer Optional, Sunday, August 1, at 11:00am} will describe the key considerations for and benefits of IPv6 adoption and the steps all network operators and engineers should take to prepare for IPv4 depletion challenges. John will review regional and global IPv4 depletion and IPv6 adoption statistics, address allocation trends, and the IPv6 educational resources available to help you prepare.

In my talk, {Implementing IPv6 at ARIN, Sunday, August 1, at 1:00pm}, I will provide details of ARIN's own deployment of IPv6, and will include information about getting IPv6 transit, configuring hardware and software, and using off the shelf tools to ease the transition. I will also talk about security best practices related to IPv6 deployment.

If you cannot attend the session, but are looking to learn more about IPv6, you can visit or for more information.

Packing It All In

"...leave plenty of room to take a chance and be enchanted by someone or a topic you have little exposure to..."This year, I am extremely fortunate to have been selected to speak twice.

The first talk I will give is on Android Rootkits. This talk is being given with one of my colleagues from London, Christian G. Papathanasiou (@h0h0_). We tried to make this a great talk for both new comers and veterans. If you are interested, come check it out. It is going to be a lot of fun!

The second talk is Malware Freakshow 2 — a continuation of the talk I gave at DEF CON 17. Again, this year, I am giving it with Jibran Ilyas (@jibranilyas). Last year, we spent a lot of time focused on the various environments that were compromised by malware and just a little bit of time on the actual malware demos. This year, we flipped it around. We found some really interesting advances were made over the last year, so a good portion of the talk is the live malware demos. (Yes, they are going to be done LIVE. If anyone out there has a direct line to the demo gods, please put a good word in for us!)

If this is your first time attending DEF CON, it can be very difficult to figure out what to do. I put together a few pointers. Hopefully, a few of these will help you make the most of your journey at the end of July.

The Talks
This year there are more talk choices than ever for attendees. The number of great talks is incredible. Some of the best talks I have seen where NOT the ones that had hype, whether by person or topic, associated with them. By all means, attend the popular talks, but leave plenty of room to take a chance and be enchanted by someone or a topic you have little exposure to. You might learn something that motivates you to do something great (or not). Keep in mind you are not going to be able to see even a fraction of the talks this year, so choose wisely.

The Contests
I have personally never competed in a contest at DEF CON, but I have many friends who do year after year. Some do well and some crash and burn, but I have heard many rewarding and interesting stories by those who have competed. The amount of time you are willing to commit is a big factor here. If you are thinking you are going to attend a ton of talks and also compete in 10 events, think again. If competing is your thing, go for it!!

The Parties
Catching up with old friends and making new contacts is one on the best parts of DEF CON. Many of the people I have met at DEF CON over the years, I still keep in touch with. A handful of those people I actually work with everyday.

There are many pubic and private parties at DEF CON. Use your contacts to find out where to be after hours. If you don't know anyone, like the boat I was in back in 2000, meet and talk to people at during the day and find out where they are going and what they are doing at night. For many events, you need to be invited or have some sort of token or ticket to get in. If you just tag along with a group of people who are going to a party with hopes that the guy at the door will take a liking, you will be disappointed. It is his job to keep you out. Whatever you do, don't name drop at the door. Hackers validate. There are also many public parties and events that are going on during the con that are likely much more hospitable than 194 sweaty guys and 6 girls stuffed into a skybox. Don't be a wallflower.

The Aftermath
Whether this is your first DEF CON or your eighteenth, allow yourself some time to decompress and then act upon what you learned or experienced. When it is all said and done and you are lying on the floor of McCarran Airport waiting for your flight to board, make a mental note to spend some time to think about things you learned and the people you met. Don't forget to keep in touch with all the great people you met, you never know where those contacts will lead you. Finally, if any of those talks sparked your interest, get involved and contribute to one to the most intelligent and creative communities on the planet.


What's This Lockpick For?

"Important note: Much of this is merely my opinion. My incredibly accurate opinion." Among the first questions you hear when teaching anyone to pick a lock is some variant of "What is this pick for?" I've heard it a dozen ways, "Which one should I use for this lock?", "Which one will open it fastest?" and "How does this one work?" I know that answering this question in print won't keep me from having to answer it a million more times, but at the very least it will help me collect my thoughts and hopefully serve as a primer to new pickers who come across it.

Important note: Much of this is merely my opinion. My incredibly accurate opinion.

Rakes, Hooks & Profile picks, oh my!

There are three major categories of lock picks. Rakes typically consist of multiple sharp or flowing curves and are meant to manipulate multiple pins at once. Hooks are just the opposite, consisting of a single point, though there is a great deal of variety in how that point is designed. Hooks are meant to manipulate a single pin at a time. Profile picks are all sharp angles and may seem completely random at first blush. These are designed to recreate the profile of the key with minimal manipulation.

There are outliers that don't fall into the three main groups. Of those, most important are the diamond & ball picks. I'll cover those in depth. Depending on how quickly I put together the rest of this material I may cover more esoteric tools meant for specific locking concepts. We'll see!


The first tool many pickers will use is your basic medium hook. This is a perfect beginner tool because it's a bit clunky inside the lock, doesn't require a great deal of skill to get the best use out of it, but in its simplicity it remains very effective and often enjoys a place in the primary kit of any picker as their skill advances to the intermediate stage.

Medium HookTo best describe the medium hook's limitations, I'll explain the advantages of the Gonzo, so called because the head looks a bit like the nose of Gonzo the Great. Unlike the m.hook, the Gonzo has a rounded tip, allowing it to move more smoothly through the lock. Also, the tip extends just a bit higher than the m.hook, allowing it to better manipulate tricky high-low bittings. The Gonzo is beloved among many, if not most, advanced pickers and has taken the place of the m.hook in their primary kits.

Long HookThe Long Hook is a bear. It is difficult to move through many keyways, can get caught inside the lock mid-pick and is generally just uncomfortable to work with. However - the extreme tip that causes all of those problems also allows it to set the most ridiculous high-low bittings. Though this pick rarely sees regular use, it has proved itself invaluable once or twice and so many pickers will keep it around, just in case.

Deep CurveThe deep curve is the most widely borrowed member of a family of tools built around a specific method of picking. Personally, I've never cared for the Falle method of progressive curves, but there are people I respect a great deal who swear by it, so I'll leave it to them to fill you in. The deep curve, regardless of how I feel about the larger system, is an excellent tool. By allowing the belly of the curve to run along a low point in the keyway & rocking the pick into the lock, following the line of the pick head, you get a great sense of control and can easily manipulate difficult to reach pins in the back of the lock.

Notch HookThe most common notched hooks tend to fall, in height, somewhere between the m.hook & the l.hook. However, you can carve a notch into any pick you like and enjoy the benefits. Simply, the notch makes it easy to locate each pin inside the lock and in the rare situation where heavier-than-normal force is required you don't risk slipping off of the pin you are working on as you would with the Gonzo or m.hook. Finally, in locks with oddly shaped pins, such as Medeco's chisel tips, the notched hook allows you to manipulate them in more specific ways, such as rotating them.

Deforest diamondI do not know Deforest's first name, though I've heard someone say it before. These days the picks named for him are more likely to be known as an "offset diamond" and "offset ball," but where possible I'll try to give these picks what I consider their proper names. The Deforest diamond is typically my second pick in a lock, right after the Bogota, which I'll cover in the rakes section. The angled tip of these picks gives the deforest deeper reach than your typical hooks and the added shape to the tip, whether ball or diamond, allow you some additional manipulation options. My primary use of the Deforest is to defeat the previously mentioned high-low bittings. The Deforest moves through a lock with ease, unlike the l.hook and can set the more extreme high-lows that the Gonzo can't quite reach. Though you will rarely find them in starter sets, a Deforest should be one of the first picks you make or acquire after you get comfortable with your initial tools.

There are other hooks and other single pin picks that straddle the line between hook and something else, but by the time you come across them, you'll be able to deduce their function.


I'm probably going to start some fights when I discuss rakes. I will be the first to admit that my tastes are sometimes non-standard, but I've tried countless tools and opened a lot of locks, so trust me. Then, when you find out I'm completely wrong and you don't open any locks, you'll have learned a valuable lesson about trusting experts on the internet.

C RakeI'll begin with the ever-popular "snake rake" or "c" rake. This diminutive, narrow profiled rake that is found, without fail, in every started set a new picker buys, is all but useless against decent locks. It will pop Master #3s like magic. It will stun and amaze and eventually, once you learn to use and love the other tools on this list, fall into disfavor and out of your primary kit.

Large S RakeMuch more interesting is the Large S. When I first saw this tool I was told it was the German secret weapon. "Push, Push, Open!" my Dutch friend declared. I bought one immediately and found great success with it. The Large S is able to set more varied bittings than the C or the S.

S RakeThe S rake is loved by a lot of people. I don't really tolerate it well and as such I'm probably not the person to describe it's best use. So I'm not going to! Ask almost any other competent picker though and I'm sure they can tell you why they like it. One note - this is a very common rake in starter sets and typically the first pick to break on a heavy handed newbie picker.

L RakeThe L rake, however, I love. The L is the only rake I buy in bulk for classes and workshops. The most common profile you will find for an L rake is pretty timid, but can still do the job. While this pick will open a decent number of locks, I've found it's best use is in setting 7-9 cut pins. Apply light tension & rake low in the keyway to set the longest pins in the lock, then, increase your tension a little bit as you go back in with a Gonzo or Deforest diamond to finish the lock off. A basic, but very effective speed picking strategy. These aren't easy picks to make by hand, but can be well worth it so you can craft a more aggressive profile.

BogotaMost important in this list is the Bogota. Sole creation of Raimundo, this pick has been poorly reproduced by many of the major manufactures in the last 3 years. Unfortunately for the people buying the knockoffs, you can't just stick a Bogota rake on a popsicle-stick handle and expect it to work it's magic. Lacking the thin, bent handle of the traditional Bogota, they have dramatically reduced the efficacy of the pick. I cannot overstate the ludicrous quality of a well made Bogota rake. NKT, a British competitor at the Dutch Open (now LockCon) in Sneak, NL made it to the final table using nothing more than a set of Bogota rakes and popped one of the final round locks in 3 seconds as well. They double as tension wrenches, it's why they come in pairs. The basic method is to hold the rake like a trigger and "Shake like you've had too much coffee." Silly as it sounds, it works. Personally, I've developed a slightly different technique over the years, but still, it would not work without the bent handle. The Bogota is the only rake on this list that allows me to get a quick topography of the lock with a few simple swipes. Bogota + Deforest Diamond is how I won my Black Badge.

W RakeThen there's the W rake. The l.hook of the rake world. This unwieldy, aggressive rake is sure to get bound up in the back of your lock and it's thin connection between shaft and pick head means it will bend and break with heavy handed use. However, just like the l.hook, it has proved itself by opening a tricky lock, if rarely, and thus remains in use today. Sometimes the ugly, odd and downright fragile picks will open the locks we can't get at otherwise, which brings us to...

Profile Picks

Unfortunately, I'm exhausted! So, I'll cover Profile Picks, Diamonds, balls & some of the more esoteric tools like Matadors and cruciform picks in a few days.

-Schuyler Towne

Kill Yr Idols

"You are not, in fact, a Hacker Superhero"I didn't talk to a soul for more than five minutes for the first three DEF CONs I went to.

I suppose I've been both a part of, and very much outside of, the "hacker scene" for a long time now. I grew up around punk rock: MaximumRockNRoll, all ages shows, a detached coolness and an unspoken set of rules and regulations that everyone knew somehow anyway, whether instinctively (for the kids who somehow Just Fit In, seemingly without trying), or learned (in my case) from subtle slights and ridicule, a silent but nonetheless rigid set of boundaries that defined what seven inches you bought (or admitted to buying), the width and specific colors and patterns of your braces, the strategic locations of which patches you had on your flight jacket and where.

Along with the punk scene, there was another I supposed I belonged to, or wanted to belong to as well, one I rarely admitted around my punk and skin friends, the world (back then) on boards and the right IRC channels, of quietly traded docs and warez and .NF0 files that mostly said very little but had that same beautiful and tragic optimism of my punk zines, the idea that all of us (somehow) could be more interesting than the sum of our parts, whether our salvation was some nebulous abstraction called Rock and Roll or another equally impenetrable abstraction called Hacking.

To me, going to my first DEF CON was a lot like going to my first punk rock show. I had a general idea of what to expect, had done a lot of my homework, knew the right words to say, had the right t-shirt, and mostly spent lots of time getting shunned, rated, shut down, and dismissed.

At punk shows, you could practice your game every week until you got it down. At DEF CON, and really just about nowhere else, you only get to try to figure out the social puzzle for a few days, and then try again next year. It's a long process, and one that turns a lot of people off. Yes, it keeps getting bigger, and yes, a lot of the same people come back every year, but I'd wager another equal number come once, can't figure out how things work, and never come again.

I'm really not bitter, I swear to you. If I was, I wouldn't have kept coming for ten years. I love DEF CON. I am a loyal DEF CON defender, I always show up early and leave late, and I even (OH NO HE DIDN'T! AWWW HELL NAW) like the Riv. I do. Sorry.

But seriously -- DEF CON people, all of you, need to stop taking yourselves so freaking seriously.

Point of order:

You are not, in fact, a Hacker Superhero. If you are reading this and are (in fact) a Hacker Superhero, my sincerest apologies. But for the vast majority of you reading this, you're not. You're just not.

And that's okay. You probably are really good at *something*, and are probably smarter than the average bear, otherwise you most likely wouldn't be bothering to come to DEF CON, more often than not on your own dime. Still, letting go of the idea that you're a REALLY BIG HIGHFALUTIN' GOSHDARNED DEAL will go a long way toward the two of us having a drink and a nice chat, and potentially one or both of us learning a thing or two. That "I Am A Serious And Unmitigated Total BadAss" vibe you're putting out? Not really that helpful, sorry. Let's drop it, and I'll front you a Tanqueray and tonic.

Another point of order:

Those people behind the podium, or running your favorite event, are not, actually, Hacker Superheroes either. No, seriously, they're not. Some of them are really, really, ridiculously smart. A larger number of them are really, really good at marketing. But NONE of them are superhuman. They're just people. Passionate people, sure. A particular flavor of people that are the exact reason we all get together at these shindigs year in and year out, sure.

But guess what? They're vain. They're neurotic. They have annoying nervous tics. They will talk to you about their cats and their favorite houseplants, they will have pieces of their lunch stuck between their teeth, and once you finish your tedious fawning about how great Bug X, Talk Y, or Book Z was, they will stare at your shoes, you will mumble something about the weather, and then some other fan(boy|girl) will come up and give them a bear hug and a high five and start fawning again, and neither of you will be any better off than when you started.

My point? I guess that we all need to forget the mythology. We need to forget the mythology we make around the supposed "stars" of our merry little band (ProTip: There's no such thing as a famous hacker -- Justin Bieber is famous, Johnny Long is a guy who was on CNN one time), and we need to forget the mythology we are all so desperately trying to make for ourselves. If you can get past all of that, past all the bullshit, simulacra, posturing, scenewhoring, smack-talking, and (nowadays) industry autofellatio, you will actually have a really good time at DEF CON, or at least I always do.

Here's how I go about doing that, what I finally figured out in my fourth year at con.

I talk to people. And I make other people talk to each other.

I'm not good at it, I'm really not. I forget names. I don't do small talk. I stutter sometimes and repeat myself. I interrupt a lot. I spit when I get excited. But for three days every year, at DEF CON, I do it anyway.

I grab random people who look like they're not interacting, and I make them interact, often against their will. If someone is a dick, I keep trying anyway. Alcohol seems to help.

I especially try to make people who look like they wouldn't do so under any reasonably sane set of circumstances get engaged in conversations. Feds and homeless people, blackhats and those Jesus Hacker guys, overdressed gothy glam-rockers and hyper-hetero Polish weightlifter types, those Korean CTF people with matching t-shirts and haircuts and well, whoever. I collect invites to SUPERELITEOMGPRIV8R00MPARTIES and give them to quiet kids who don't know anyone and would never get invited. I'm particularly proud of dragging Hovav Shacham's grad students to StripperCon two years ago. That was pretty epic.

In other words, I guess the way I keep sane and have fun at DEF CON is basically to spend every moment I can doing what no one (seriously, NO ONE) did for me those first three years: welcoming people to this thing we call "The Scene", and generally trying not to be a dick.

You should too. See you at con.

Trying to Be a Wise Man at DEF CON

"The smart man learns from his mistakes. The wise man learns from the mistakes of others.
- Anonymous"
I try very hard to share wisdom that I have learned from others but also I feel sometimes it is good to share my mistakes so others can be the wiser. With that in mind let me take you back to DEF CON 12 it was my first time at DEF CON thankfully even after my EPIC fail it was not my last. I went to my first DEF CON with all these notions on how it was supposed to be. The people were all hackers and uber leet you had to look weird to stand out (yes I spray painted my hair blue & yes to my chagrin there are pics online). All these people wanted to hang out with you and share what they knew and to hear what you had to say.

So in other words I went to DEF CON not really knowing what DEF CON was about. I did learn quite a lot my first time (most of it the hard way). I learned that DEF CON is what you make of it. If you want a place to just party with people who look and think like you then you will be happy. If you are looking for a place to learn hands on with some of the brightest people on the planet, good news, you will. If you go to DEF CON knowing what it will be and expecting it to conform to your ideals then you my friend will be sorely disappointed. DEF CON does not conform to ones ideals it is a place where we all learn to accept other points of references.

That was my Epic fail, I went thinking my way was how DEF CON was supposed to be not willing to open myself to all the other opportunities that the event had to offer. My first time there I met H D Moore, Tony Watson, Kevin Mitnick, Rain Forest Puppy, FX and the Woz. So what, I didn't stop to really learn from them I thrust my camera in their face to get a picture with some of my heroes. What I could have done was turn the dial down from 22 to maybe 6 then listen and converse with them. For you see, they would have talked with me stupid blue hair and all. Not because I was an author, or a DEF CON speaker for I was neither. No they would have spoken with me if I were willing to listen because they knew what DEF CON was really about, it is a place to share information and to learn from others.

I learned that lesson and I hope you learn it from me so you don't experience that first hand. Be yourself not what you think people are expecting. Feel free to go up to the speakers to ask them questions if they are not too busy or anxious getting ready for their talk they will most likely take time to talk to you. Do not waste that opportunity just for a picture. Talk to them as well as listen to what they have to say and start a friendship that will last longer than the picture taken.

Remember DEF CON at its core is a hacker conference sometimes though we forget the true meaning of that. Adam Laurie shared with me the DEF CON ethos. "If you know something, share it. If you learn something, learn more. When you really know your stuff, teach it." That is what a hacker conference should be all about.

This also brings to mind another question we tend to ask ourselves in the INFOSEC/Hacking community. Do you know what a hacker really is? The easy answers are not always the right answers. A hacker is more than the faceless nameless person behind that email you just opened (please don't click that link!).

A common quick (and lazy) definition has equal parts technology and malicious intent. But truth requires additional consideration. Hackers have been around far longer than John Draper (a.k.a. Captain Crunch – ask your favorite search engine for more on his exploits) or Matthew Broderick in War Games. Perhaps the better approach to a good definition is to look at some examples from history.

Many examples of a good definition can be found in the work of Sun Tzu. He brought a depth of thought to the strategy of war that had not been seen before his time. He realized success in war was not solely a function of physical power. Instead, victory in war was (and remains) dependent on variables both complex and subtle.

Sun Tzu would win battles with smaller forces. For example, he would use terrain and mental attacks to amplify the power of his army. He controlled his enemy's movements with false retreats. He drove them to choke points and applied force at the precise point of weakness (sounds a lot like a buffer overflow attack today).

Sun Tzu would send an assassin to the enemy's camp and kill the opposing general right before the battle (in technology that is called a zero-day attack). The ensuing chaos made victory nearly certain.

Sun Tzu would probably agree with a certain modern "warrior" – "knowing is half the battle". He would use any sources available to learn all he could about himself, his environment, and his enemy. Today a penetration tester might call that "building a profile" on a target. A politician might call that "opposition research".

Leonardo da Vinci is usually credited as a painter, sculptor, architect, polymath, and inventor. Hacker is an appropriate designation to add to the list. The techniques he used were so far ahead of his time that we still marvel at his insight. For example, his art was shaped by his study of optics, perspective, anatomy, and even psychology. He solved problems by adding knowledge from unexpected places. One fine example of a Leonardo hack is his journals. Most of them are written in mirror image cursive. This has often been credited as a type of "security by obscurity" since it would be difficult for a casual glance from an apprentice to reveal the master's secrets. However, a hacker would look at this result and see a great example of mental and physical dexterity. Someone who is left-handed knows the problem of writing left-to-right. The result is generally smudged script and ink-stained hands. So why not change the rules and write right-to-left? The key to the solution is to ignore the rules.

In 1608 Hans Lippershey of Holland asked for a patent for a device he had invented "for seeing far". The label of a hacker could be applied to the Italian Galileo Galilei who took the idea further and eventually built about one hundred different telescopes. He combined mathematics, optics, and good craftsmanship to build a better tool. However, the real "hacking" occurred when he pointed the device at Jupiter and saw a cluster of three "stars" that behaved strangely. When one of them disappeared, he deduced it had gone behind Jupiter. He went on to observe four satellites of Jupiter and even predicted their motions.

In 1932 a twenty-six year-old mathematician named Marian Rejewski joined two others in a secret attempt to deduce the internal workings of an early version of a German encryption machine called Enigma. He had a sudden insight that he tested on some encrypted text. He later described "From my pencil, as by magic, began to issue numbers designating the connections…" Rejewski brought a methodical, mathematical mind to his problem. Perhaps the best part of his "hack" was the confirmation of his solution. Rejewski tested his results with a copy of the Enigma manual that Hans Thilo Schmidt had managed to smuggle out of Germany. The whole story of how that happened is full of what is today called a "Social Engineering" attack. And even better – inside that manual was a sample message and the corresponding cipher text. To someone trying to break a cipher, this was gold. Today this is an example of taking advantage of unnecessary code left by a sloppy programmer.

Albert Einstein looked at the puzzle of gravity and realized for the previous 250 years we should have been thinking about the curvature of space and not a mysterious force. Thomas Edison tested 1,600 different materials, including a hair from a friend's beard, before he found the right filament for an electric light. Igor Sikorsky was only 19 when he designed and built his first attempt at a helicopter. Problems will yield to the right combination of will, creativity, and intelligence.

In 2009 the Iranian government held elections many of their citizens believed were fraudulent. Protesters spread evidence of government abuse 140 characters at a time on Twitter. Twitter icons from users all over the world turned green in support. "#iranelection" became one of many popular ways to spread news globally faster than the Iranian government could respond. Perhaps we will see a government yield to the power of a social network. That would be a hack worth watching.

The Urban Dictionary has a good definition of a hacker:
An individual capable of solving complex non-intuitive problems in a seemingly intuitive manner. The processes and techniques used are not necessarily methodical to the observer, but yet achieve results significantly and consistently faster than known experience would predict. A hacker is not defined in terms of intention or purpose, but rather by the talented single-mindedness of method. A hacker is not a hack. Today we label Steve Wozniak and Charlie Miller and HD Moore and Jeff Moss as modern "hackers". But the hack is only part of their stories. Their creativity and character, when applied to the puzzles they tackle produce what history will measure.

If you are a CEO with hackers among your employees, or a parent with a hacker for a daughter or son, be thankful for their vision. They see the world differently. They have the potential to advance human history. Nurture their character and give them room to explore. We can only imagine what they will try, discover, tear down, build up, and create.