Hacker summer camp: What to expect from BSides, Black Hat, and DEF CON

Accepted submission by Anonymous Coward at 2025-08-06 04:19:57
News

These are the conference events to keep an eye on. You can even stream a few

https://www.theregister.com/2025/08/05/bsides_blackhat_defcon_preview/ [theregister.com]

The security industry is hitting Vegas hard this week with three conferences in Sin City that bring the world's largest collection of security pros together for the annual summer camp.

The week kicks off with BSides Las Vegas, which runs from Monday to Wednesday. Of the over 200 BSides security conventions held around the world every year, this one is the biggest and is being held at the Tuscany Hotel, although tickets are sold out.

BSides started as a conference for rejected Black Hat speakers, but those days are long gone. Now it has a range of talk tracks showcasing new research, and this year, passwords are a key theme, with a specific three-day schedule devoted to finding solutions to one of computing's oldest security challenges.

There is a series of live feeds on the conference's YouTube channel and, if you miss seeing the talks in real time, the videos should remain archived. At the password track on Monday at 1700 PT, there's a disturbing-sounding presentation on a custom rig used to crack 936 million passwords with 92 percent accuracy that should be worth tuning into.

Also on Tuesday at 1130 PT, there's an informative talk by Stacey Schreft, the former deputy director for research and analysis at the US Treasury Department's Office of Financial Research, about the possibilities of security problems triggering the next big financial crisis. She warns that a major outage could cause massive damage to the increasingly digitized financial system.

With the collapse in security hiring, particularly for entry-level positions, BSides has a jobs track as well. For those seeking advice about getting started in the industry, or advancing further, four security execs will be giving advice on how to get into the recruitment cycle on Tuesday at 1600 PT.

For anyone considering adding BSides to their schedule, it's worth a visit. While the smallest of the conventions, it's also one of the most offbeat and there are presentations on everything from building hacking hardware to commercial licensing problems in the industry. And, as is traditional, there's a Capture the Flag competition running and festivities in the evening.

Black Hat – the biggie

Located in Mandalay Bay, Black Hat's main conference days are August 6 and 7. There are also training sessions in IT skills that start on August 2, and the talks begin on Wednesday. You'll need to pay and register to see them, but we'll be onsite bringing in regular reports.

The opening keynote will be a farewell (sort of) address from Mikko Hyppönen, who, after a 34-year tenure at F-Secure hunting malware, is quitting the industry to work on drones. As he told The Register in June, the Ukraine war has spurred him into working on the technology, particularly since his home country, newly minted NATO member Finland, has a massive border with Russia.

The core of the talks is about unpleasant new hacks and vulnerabilities in hardware and software. It was at Black Hat in 2008 that the late Dan Kaminsky revealed a fundamental flaw in DNS that could have run riot through the internet's backbone. While there's nothing on that scale this year, there are sessions scheduled on an Apple zero-day, ways to bypass Windows Hello's authentication systems, and even a talk on satellite vulnerabilities and how to exploit them.

Elsewhere in the talk tracks, there is a key focus on AI, as with everything in the security business these days, but this isn't a cheerleading event and there are some skeptical sessions planned, as well as deep dives into flaws. Several speakers are giving talks on how to fool AIs into breaking safety guardrails or leaking information, and bots – their use and misuse – are a particular focus.

Given Black Hat's status, senior government officials, past and present, are giving multiple talks on policy and practice in the field. Bailey Bickley, the NSA's head of Defense Industrial Base protection, will be sharing lessons learned in staving off large-scale system attacks. The acting director of CISA, Madhu Gottumukkala, was due to be on stage introducing himself after two months on the job and laying out his priorities, but has pulled out for a personal matter, so executive assistant director for cybersecurity Chris Butera and CIO Bob Costello will replace him. Former National Cyber Director Chris Inglis will also share his experiences in government.

Elsewhere, the Expo Business Hall is a good place to network and meet people, and the FBI, NSA, and other government agencies have recruiting booths on site. However, if you're there, avoid it on Wednesday between 1600 and 1700 PT as it's the so-called Booth Crawl, where the show has free food and drink and turns into a morass of attendees swarming booths picking up free squeezy balls, T-shirts, and other paraphernalia.

Attendees also get a hidden bonus – their security is being remotely checked by the conference's network operations center (NOC), which is staffed by volunteers scanning the networks for suspicious activity using state-of-the-art hardware, and The Register will report from inside the NOC. As the operators explained, if someone's egregiously slack on security or has malware on their system already, they'll have a private word about fixing the problem.

The original – DEF CON

Located at the Las Vegas Convention Center, DEF CON has its own NOC folks, but they don't take the discreet approach; instead, broadcasting, safely, the details of people who are showing poor security practices on the infamous Wall of Sheep, displayed to all attendees.

DEF CON is the original hacker summer camp, started in 1993 in a few hotel rooms by an 18-year-old Jeff Moss with around 100 people. It now hosts tens of thousands of visitors paying more than $500 a head to listen to talks, take part in hacking and gaming competitions, and visit over 30 "villages" dedicated to everything from ham radio to military hacking demonstrations. Its talks are not live-streamed, but most get posted to YouTube eventually.

Once again, AI will feature heavily and the convention is host to the annual AI Cyber Challenge run by DARPA, a competition using the latest LLMs to find vulnerabilities, install fixes that don't break the system, and generate reports while under time pressure. Teams have been competing for months and the final event will see a winner, who will presumably be barraged with lucrative job offers.

DEF CON used to be renowned for its Spot the Fed competition, trying to find government infiltrators (and the occasional undercover journalist) who had come in on the quiet. But it's a lot more Fed-friendly these days, and Moss will be on stage with former NSA boss Paul Nakasone for a fireside chat.

The bulk of the talks are pure hacking – vulnerabilities, interesting ways to crack systems, and war stories that advise on what not to do. With the exception of DARPA's competition, this is possibly the least AI-focused conference of the three and is much more about hacking existing systems with current technology.

Most of the villages have their own talks scheduled on everything from policy to privacy and industry-specific topics. There's a car hacking center that Tesla is fond of, the social engineering village is fascinating but also terrifying in showing how easy it is to play people, and the lock picking village is well worth a visit to meet some of the best in the business and get a tutorial.

DEF CON is a lot less buttoned-down than Black Hat and you don't see a lot of people wearing suits. Instead, it's a chance for security folks and those interested to let their hair down and mingle with people they usually only see online. While it's very useful for networking and learning new techniques, there's also a substantial party scene.

Red-clad "goons," volunteers who help people find their way around the show, will not hesitate to stop any bad behavior. DEF CON is one of the most inclusive conferences out there, with a strict code of conduct, and is a very safe environment, and even has kids-only sections for fledgling hackers.

DEF CON is the fun convention for hackers, while Black Hat is becoming more of a sales and networking-led event, but still has very high-quality security talks and training, and BSides is useful to see what's up and coming in the security industry. The Reg will report on news as it happens, but if you've got any recommendations, feel free to add them to the comments section.

= Links in article:

https://www.youtube.com/@BsideslvOrg/streams [youtube.com]
https://bsideslv.org/talks#7PHURF [bsideslv.org]
https://bsideslv.org/talks#9FF3LX [bsideslv.org]
https://www.theregister.com/2025/03/03/cybersecurity_jobs_market/ [theregister.com]
https://bsideslv.org/talks#UYXVAU [bsideslv.org]
https://www.theregister.com/2025/06/04/mikko_hypponen_drone/ [theregister.com]
https://www.theregister.com/2023/08/12/black_hat_network/ [theregister.com]
https://aicyberchallenge.com/ [aicyberchallenge.com]
https://www.youtube.com/watch?v=3n2cBSBIAP0 [youtube.com]