"You don't want to end up on the Wall of Sheep." That's the last thing my editor told me before I flew to Las Vegas to hang out at the infamous hacker convention DEF CON. A week later, I found myself standing in front of the wall, looking frantically for my name and password. Despite my obsessive caution, I knew I'd been hacked.
One morning my phone didn't work the way it used to, and then that afternoon, the TV in my hotel room was acting strange. I heard robotic voices barking into my wireless headphones, at one point. People waved antennas in my face, and I spotted Stingrays lurking under tables. I broke out into a cold sweat at one talk, suddenly and destructively anxious that I'd left my laptop open and connected to the hotel wifi. If I had, there was a good chance that my login credentials would end up on the Wall of Sheep, where DEF CON hackers proudly displayed the personal details of people who'd been pwned at the conference (a.k.a. sheep).
DEF CON is often regarded as the zany younger sibling of the Black Hat Briefings, an annual gathering of information security professionals. If Black Hat is the Super Bowl of hacker meetups, however, DEF CON would be the scrappy, anything-goes tackle game without pads for the people who don't want to buy the expensive tickets. Black Hat reminds you that hackers are out there; DEF CON insists that they're coming to get you.
But by the time it was all over, I realised there was nothing to fear — at least, as long as I configured my machines correctly. The bright, nefarious minds that flock to Las Vegas at the end of summer are our guardians. Scary as they may seem, hackers are hellbent on helping everyone enjoy a safe and open internet. Security isn't always easy, though.
Hack Number 1: Laptop
Anybody who's ever been to a hacker conference will tell you never, ever use wifi, no matter what. The reasoning is simple. At a hacker conference, hackers want to hack, and creating fake wifi networks is an easy way to do it. Compromising an existing wifi network is another option, albeit slightly more involved. Inevitably, you're safest if you simply stay offline at events like DEF CON.
This wasn't really an option for me. I'm a blogger, and much as it pains me to admit it, I need the internet to do my job. Before going to DEF CON, I'd been using a secure network for journalists at Black Hat. At DEF CON, I was told to trust not a single network. I installed a VPN service on my laptop before going, just to be safe, but I was sure it wouldn't do much good.
So what did I do? Naturally, I went to a neighbouring hotel to find an open wifi network — not that any hacker would ever be there first. I saw some obvious fakes, like "DIY Phone Gadgets Community." But the official hotel wifi, "MGMGrandWiFi," looked real enough.
I joined the network and immediately regretted it. Maybe I was being paranoid, but everything looked slightly off. The landing page for the MGM Grand network could've been slapped together by anyone with a basic understanding of HTML. I checked the vendor for the network and found that it was sending me to a .net version of a .com domain. I slammed my computer closed and cursed myself for being such a chump.
This was my first run-in with a DEF CON hacker — or at least I think it was — and the conference hadn't even started yet. The fun was only just beginning.
Hack Number 2: Phone
The laptop was off limits for the rest of my trip, but I'd prepared for such a fate. Armed with a notebook and an iPhone, I approached the registration desk with confidence. I'd pulled up my confirmation email and felt excited to get one of the quirky DEF CON badges. This year, they were actual multi-coloured vinyl records, laden with some sort of secret code pressed into the grooves, I imagined.
"We're going to need the press person to come down and confirm that," a surly-looking gentleman told me. His red T-shirt said "GOON" in all caps. I asked why, and his response was blunt, "Anybody can fake an email. She needs to make sure it's really you, in person."
The Goon left me standing there for 45 minutes, while we waited for the press person to appear. She did, and I hurried off to my first session. Somewhere along the way, I realised that I'd failed to switch my phone into aeroplane mode. This was the plan since it could easily connect to a fake cell phone access point set up by some identity-stealing hacker. Already nervous, I paused in the hallway of the conference center to make the switch. My phone wouldn't unlock.
"Touch ID does not recognise your fingerprint," said the lock screen, over and over again. That didn't seem right. This had never happened before. I tried again.
"Your passcode is required to enable Touch ID," said a new message. That really didn't seem right. Why was my phone telling me to enable Touch ID when I'd just used it? Did I fiddle with it in my pocket while I was waiting? Was I locked out of my own phone?
I convinced myself that I'd been hacked, again. I walked out of the hotel, activated aeroplane mode, and unlocked my phone with a passcode that I was sure a hacker could read. I adjusted my security settings and picked a new, ultra-secure passcode with a dozen characters. This would keep me safe.
Hack Number 3: TV
It was towards the end of my first day at DEF CON that I felt my paranoia peaking. I retreated to my hotel room before dinner so that I could get some rest and catch my breath. Outside, the Las Vegas strip was starting to light up. There was a massive ferris wheel towering over a cheap casino right outside my window, and I wondered what the view looked like from the top.
Too frightened to try the hotel wifi, I decided to watch TV. It felt so old-fashioned! I pulled up the channel guide thinking of hot summer nights in high school, when I was stuck out in the country with nothing but cable to entertain me. An uncanny sense of dread snapped me out of my nostalgia. The channels weren't right. Everything was in Chinese.
I kept cycling through the channels. Some were filled with static; others appeared to be game shows from Beijing. Then I landed on the DEF CON channels, a handful of them. This was unusual, because the channels only displayed garbled versions of the DEF CON logo. The whole scene seemed post-apocalyptic, like a space bomb had leveled all of the American satellites, leaving only signals from the hackers and the other side of the planet visible.
I convinced myself that it was a prank. Some cheeky DEF CON Goon had spliced his way into the hotel's TV system and broadcast Chinese game shows along with foreboding messages from hackers. A bead of cold sweat dripped down my temple. There was nowhere to hide.
Hack Number 4: Elevator
I had to get out. When I opened the door to the hallway, a scream ripped through the hallways. I looked both ways but didn't see a soul. So naturally, I started running.
A small crowd had gathered by the elevators, each with a white record dangling around his neck. White meant they were regular DEF CON attendees (categorized as "human" by the DEF CON organizational scheme), and I was thrilled to be in the presence of hackers I could actually see. We waited in silence, only interrupted by the occasional slurping of a Mike's Hard Lemonade. The elevator made a ding and swoosh sound as it opened. I zipped on and punched the button for the casino.
"That button look weird to anybody else?" asked one of the spiked lemonade connoisseurs. He pointed to floor 22. Though we were moving down, away from the 22nd floor, the button flickered on and off in an obvious rhythm.
"That bother anybody else that they're fucking with the elevators?" said his friend, chuckling. He pointed out that the display above the door had also been taken over. Instead of displaying whichever floor we were on, it just said "CE" and flickered, like the button for the 22nd floor.
It bothered me. The hacked elevator bothered me quite a bit actually, since it was a necessary piece of physical infrastructure that could ostensibly malfunction and cause a terrible accident. I could get over not being able to use my phone or laptop. But I couldn't fathom the thought of fearing for my life every time I went up to my hotel room.
My paranoia was evolving into panic when the elevator opened out into the casino. There was a small scrum of people, some unwelcome commotion. I saw a security guard tugging on a young woman with an expensive-looking camera. I looked around, confused, and saw why. John McAfee, the infamous anti-virus software magnate, was strolling through the lobby clutching a tall boy and smirking like a smug rock star. He must've just gotten out of jail.
Hack Number 5: Bluetooth
I couldn't take it any more. I had to call home and speak to a familiar voice, so I ventured up the strip, this time several hotels away from Bally's. This was far enough away that I'd be safe from the reach of any data-munching antennas or signal jammers. This was safe.
Like any frightened 31-year-old man in an unfamiliar town, my first thought was to call my mother. I dug my wireless headphones out of my bag and hit the speed dial. I heard "Hello" on the other end of the line, and then a screeching noise, one I'd never heard before. That was it. I was fully compromised. Even my phone's Bluetooth had been hacked, and I had no way to contact my loved ones. I might as well just give in. I might as well let myself become part of DEF CON if DEF CON was going to take me over. I might as well let the fear surround me and devour me, like Batman does.
I turned off my phone, turned back to Bally's, and towards my terror.
The Hackers' Ball
Inside was a giant party. The casino had filled up with record-toting computer nerds, each exhibiting his or her own variation of cyberpunk extravagance. Some held displays high up above the crowd, shouting inaudible chants. One group dressed in lab coats with the phrase "DEF CON LABS" printed on the back. Another wore backpacks filled with pulsating LED lights and glowing goggles. One pack was passing a handle of vodka around a circle and drinking straight from the bottle.
I floated through the crowd with a distant sense of wonderment. This was a young and rowdy group, but they weren't out to get anyone. They were fucking with me because I let them, and I let them because I, like much of the world, am often oblivious to how much I'm exposing myself on the internet and on computers in general.
The rest of that night in Las Vegas is a bit of a blur. I slammed some Mike's Hard Lemonade with some hackers and played some video games. I talked to security experts who'd travelled from all corners of the globe, from Idaho to China. Everyone seemed thrilled to be there, and the more I thought about it, the weird glitches that had defined my day at DEF CON — the fake wifi network, the iPhone error, the weird TV channels, the scary elevator, the garbled headphones — weren't as bizarre and terrifying as they'd seemed.
In fact, on any other day and in any other place, I'd take the glitches in stride. I've joined fake wifi networks before. My iPhone does weird stuff pretty often. Hotel TV is weird in general. All elevators are scary. And Bluetooth sucks on most headphones.
A realisation flooded over me in the hot Las Vegas night. Despite my mounting paranoia and in spite of my own faults, I probably hadn't been hacked at all. If anything I was a little bit safer at DEF CON, because I was paying closer attention to my security. Much more so than in my daily life in New York City, I was aware that I could be hacked at any moment at DEF CON. At that moment I saw these wily hackers as optimists, knights in nerd armour who believe that we can be safer — if only we truly understand the dangers out there, inside our machines. They're the ones paying attention when you're not.
At the end of the night, I gazed up at the Wall of Sheep. Even if I had been hacked, I didn't care any more. I almost wanted to see my name pop up. I was going to change all my passwords regardless. At least this way I'd get a little bit of recognition for being a part of the process.
Illustration by Jim Cooke / Photos by Adam Clark Estes