
The MLSecOps Podcast

Everything You Need to Know About Hacker Summer Camp 2023

Aug 03, 2023 36 min read

Speakers:

Diana Kelley, CISO - Protect AI

Chloé Messdaghi, Head of Threat Research - Protect AI

Dan McInerney, Lead Security Researcher - Protect AI

Chapter Markers:

(1:21) What is Hacker Summer Camp Week and what are the various events and Cons that take place during that time? 

(3:58) It’s my first time attending Black Hat, DEF CON, Hacker Summer Camp Week, etc.: where can I find groups to attend with or to help me navigate where to go and what events to attend? 

(9:53) Advice: if it’s my first time attending Black Hat, what other advice is there for me? What should I be thinking about? 

(13:25) If I attend Black Hat, does that mean I’m automatically able to attend DEF CON or how does that work? (TL;DR separate passes are needed for each event)

(14:14) Are certain personas more welcomed at specific conferences? 

(15:49) What are some interesting panel talks I should know about? 

(20:53) There are a couple of other conferences going on during “Summer Camp Week” - BSides Las Vegas, SquadCon, Diana Initiative. What are those? When are they taking place? Can I go to all of them? How does that work?

(23:26) What AI/ML security trends are happening? What should I be looking for at Black Hat and DEF CON this year in terms of talks and research?

(28:55) How can I determine if a particular talk is going to be worth my time? 

(32:54) Any other tips on how to stay healthy and safe (both physical and electronic safety) throughout the week?

 

Transcription

Charlie McCarthy 0:29 

Welcome back to The MLSecOps Podcast for this week's episode, “Everything You Need to Know About Hacker Summer Camp 2023.” 

This week, our show is hosted by Protect AI's Chief Information Security Officer, Diana Kelley, and Diana talks with two more longtime security experts, Chloé Messdaghi and Dan McInerney, about all things related to what the security research community fondly refers to as Hacker Summer Camp. 

The group discusses various events held throughout the course of this exciting week in Las Vegas, including what to expect at Black Hat [USA 2023] and DEF CON [31].

All of us [MLSecOps Podcast hosts] will be at summer camp during the second week of August this year and would love to see you there. 

In the meantime, sit back and relax while gleaning tips from this week's episode.

Chloé Messdaghi 1:21

So it's called Hacker Summer Camp Week. Also, it's called “LV” Week. It's also called Las Vegas Week. I don't know; there's so many names for it, but Hacker Summer Camp is the week and what we call it in the hacker space. 

But what it is, is one whole week where everyone is basically in Las Vegas that works in InfoSec, and they come together and there's different conferences that occur: BSides Las Vegas, there's Diana Initiative, there's Black Hat, and then there's DEF CON.

And now this year we have a new conference coming out which is called SquadCon.

Dan McInerney 2:04 

So I know that Dark Tangent started years and years ago as one of the first security conferences that really existed mostly at the start of, kind of, computer security as a goal. I've been [attending] since 2015. I've gone most years doing Black Hat and DEF CON, done trainings at Black Hat, things like that. They are super fun. 

And like Chloé said, there's five cons this year, but really, there's like 50 mini-cons going on at any given time. There's villages, there's meetups, there's groups, there's parties. It's just never ending. 

Diana Kelley 2:39 

Dan, 2015, that was your first time going. Did you go to all of the conferences, or how did you pick which ones to attend? 

Dan McInerney 2:47 

So it gets really confusing about what to do when you get there, if you're going alone. And so what I ended up doing was joining a group called DC801, which is a DEF CON group all around the country. There are these little DEF CON groups that are usually full of hacker spaces. It's not necessarily security related, it often is, but a lot of people there just end up being makers. They like building chips and they like hacking stuff together, software engineers, stuff like that. 

So I joined DC801 and went with that group, and they really held my hand through the whole process of where are we going, at what time, getting dinners organized, what talks are interesting, and all of the little parties and mini-cons that are going on. So I would suggest going with a group because it really makes the experience more interesting. 

It can get a little overwhelming when you go by yourself and you don't have - like Chloé said, she volunteered - it's a really great way to get involved and meet people that know what they're doing. So my advice on the first conference is definitely find a group to go with, and there's actually forums you can go to and be like, “Hey, it's my first conference. Does anybody want to show me around, tell me where to go, what I'm supposed to be doing?” Because there's not really a set calendar for all of it.  

Diana Kelley 3:58 

Where would I find those groups? Would I go into Discord or Reddit? Where would be a good place to find them? 

Dan McInerney 4:05 

Yeah, both of those are good options. The DEF CON forums are a good option. That's what my friend did. He just went to DEF CON forums and was like, hey, I have no idea what I'm doing. Anybody want to meet up? 

Chloé Messdaghi 4:16 

I would also recommend Diana Initiative. If you join their Discord, you can always find people in there so you can feel comfortable and safe for your first time, too. 

Diana Kelley 4:22

So these are safe places to find -  because a lot of people get very concerned - for anybody that hasn't been to Black Hat/DEF CON/Hacker Summer Camp before, there's active attempts to embarrass people by hacking them. [For example] Wall of Sheep, somebody got attacked. 

How could I know? What if I go into the wrong Discord group? And how did you know you could trust that organization, Dan?

Dan McInerney 4:54 

Well, they were my friends already. I joined a sort of maker space called The Transistor in Utah, and they introduced me to the DC801 crew. And a lot of the DC801 guys actually run the WiFi network at Black Hat. And so I knew that I have some level of safety with these people because they're all also trying to protect the conference itself. They're not out there actively trying to destroy things. 

But, I mean, it is a question. How do you know if you can trust the people who are talking to you? I don't know that I have a good answer for that. 

Diana Kelley 5:27 

Well, maybe I think you already answered it. It's that you had someone you trusted introduce you. So that was great, that seems like a really good way to go about it. 

How about, Chloé, how about if I do want to volunteer? You got connected with Diana Initiative. How would I find out the valid volunteer opportunities? 

Chloé Messdaghi 5:49 

Yeah, it's a great question. 

So when I was looking at how to volunteer that week, because for BSides Las Vegas, you can have a free hotel stay and meals if you volunteer a certain number of hours a day. And so I reached out to them and asked, hey, do you have any more volunteering positions available for BSides this year? And they're like, “Yes. Let me connect you with the following folks. What would you feel comfortable doing?” 

Diana Initiative also has the same thing, where you can go to their website, and you can find out, how do I get involved and volunteer? Every single conference is always looking for volunteers. It's a really good way to get in the door if you can't afford it, because some of them will provide you a hotel stay, but you get free passes to the conferences, because some of the conferences, you know, it's a lot of money to attend some of them. 

And so there are definitely ways to go about it and just volunteer your time, and a lot of doors open for you. And you find new people, new groups, people you can learn to trust, and that's how you start networking in the community. 

Diana Kelley 7:01 

Okay, that's some good advice. 

All right, so there's a lot of different conferences. Maybe it'll help for people to break down a little bit about what the differences are.

So, Dan. What is Black Hat? What's the niche that Black Hat is filling? 

Dan McInerney 7:16 

Black Hat fills sort of the corporate niche. It's a lot more suit and tie and a lot less t-shirt. DEF CON is like the t-shirt and shorts kind of place, it's where the community is sort of built. And Black Hat is where the sponsorships and the corporations come to sell their products and things like that. 

So the Black Hat Conference ends up having a very large hall of sponsors and booths for various people to sell their wares and everything. 

DEF CON, not so much. DEF CON, you'll find a lot more community involvement, and you'll see a lot more villages and stuff where it's a community and you're not there to sell your product or anything like that. 

That's the main difference between Black Hat and DEF CON. 

Diana Kelley 7:57 

Anything that you want to add about that, Chloé? When you think of Black Hat versus DEF CON? 

Chloé Messdaghi 8:04 

Yeah, I'll be honest, it's suit and tie, basically when you go to Black Hat, but you can also find some really cutting edge research in the field, like from academics. And that could be quite useful for folks if they're wanting to know the latest research out there. But if you're looking for something that's deep, technical, or how someone broke something, I tend to find those more at places like DEF CON or BSides Las Vegas.

Diana Kelley 8:34 

Yeah, I agree. I mean, Black Hat really was the more commercial, more corporate version of what was going on in DEF CON. If you're used to RSA, if you've been to RSA before, it's going to be more technical at Black Hat. You'll get some overlap of what you would hear at RSA, but it tends to skew a little bit more technical and you'll get proof of concepts, that kind of thing. 

But yeah, it's not a huge leap from RSA to Black Hat, but RSA to DEF CON, if you've never been, I think it's definitely a very different vibe. 

And my favorite, so it used to be for a couple of years, Black Hat was co-locating at the Mandalay Bay with this pet conference, and it was like “Zoocon” or something. And it was great because they had, if you were staying at one of the hotels attached to Mandalay Bay, they were asking when you checked in if you were okay with pets, or dogs and cats on your floor, and you'd see these really wonderfully groomed, dyed dogs and cats. It was actually a lot of fun. I don't think that they're doing that this year, but some of my favorite Black Hats were when you see hacker types walking down the hall and the dog going in the other direction and stuff, it was good. 

Okay, advice. If I'm a first timer going into Black Hat, is there any advice that you guys would give me? Dan, if you were talking to me, it's my first time at Black Hat, what should I be thinking about? 

Dan McInerney 10:10 

Yeah, so it's pretty easy to get kind of lost. 

It's a giant conference, like, area-wise, square footage-wise. So if you have no idea what to do, then it's usually good to go get (A) a schedule of talks. Just mark off the talks that you think are going to be interesting and go to those. And (B) get a schedule of where all the [DEF CON] villages are. And so go find a village that you think might interest you. 

For me personally, I thought the lock picking village was really fun. It's a good way of meeting other people, so you can just kind of do something with your hands as you chat with other people at the table. It's a good way to get introduced to other groups, and lock picking is just kind of fun and way easier than people think it is. 

So that was my first starting area when I was kind of like, well, it's 3 o’clock. What am I supposed to do? I go head over to one of the villages. Skytalks in previous years was a good place for that. Lockpick Village, Misinformation Village. I really like those villages because like I said, they're kind of like the mini cons. You don't get overwhelmed with 30,000 strangers around you. It's just people at your table. You can just chat with those people at your table. 

Diana Kelley 11:10 

Yeah. Make it a little bit more manageable.

Chloé, what would you give first timers? 

Chloé Messdaghi 11:17 

Okay. If you're going to Black Hat, I highly recommend networking. I know it can be very scary to network when you're on your own or something like that, but try to have a buddy. And the reason for the networking is because a lot of opportunities open the doors. 

Basically, when you're networking, that's what a lot of people are doing there. So almost every single conference you go to in InfoSec, there's always this thing called “LobbyCon,” which is basically the “conference” that's happening in the hallways and when you're going to events. So I highly recommend checking out the events and attending, honestly. 

That's how you really learn a lot more about what's happening in the industry by going to these events. So look at the networking events. If you're going to DEF CON, check out the villages, like Dan said. It's nice to have these little mini conferences in it because you can go to an area of focus that you're interested in. Highly recommend checking them out, too. 

Dan McInerney 12:19 

And so to add on to that, there's a lot of places that people just go sit down and hang out for more than three or four minutes, like the bar area or the restaurant area. There'll often be a lot of people just lined up sitting down and they're just going to have a drink or something for 15-20 minutes. You can just sit down next to somebody and just say, hello, what are you doing here? What do you do? And just make a friend that way. 

So anywhere where you can get that targeted audience that's just sitting around and they're not just going to leave in a minute or two is a great place to start networking, like Chloé said. 

Diana Kelley 12:47 

Yeah. So if you're going alone, it's true. Make friends. If you went with a group, make new friends, make additional friends. 

Dan McInerney 12:50 

Add people to your group. 

Diana Kelley 12:51 

Exactly. Yeah. It really is about meeting people; engaging. 

Two organizations I'm involved with are the Executive Women's Forum and the Women in Cybersecurity or WiCyS, and they tend to have meetups at these kinds of conferences at Black Hat. 

So that's another thing, is that if you're interested in a subgroup, see if they're doing a meetup and go and make friends. It really is about finding new people. 

So if I go to Black Hat, does that mean that I can also go to DEF CON? How does that work? 

Chloé Messdaghi 13:32 

Well, ahead of time you want to purchase, there's a bundle I believe that Black Hat has, where you can just get your DEF CON pass there. They'll put like a little marker on your badge saying DEF CON on there. So you could go there and then you can pick up your badge on certain dates and times. 

But some people, what they have done already is that they have just gone straight to DEF CON online and purchased their tickets there. Otherwise, [if] that's closed out, then you're going to have to go stand in line and pay cash in person at DEF CON. 

Diana Kelley 14:06 

Cash only? 

Chloé Messdaghi 14:07 

Cash only, I believe still. But I could be wrong, but I think it's still cash only. 

Dan McInerney 14:12 

I think you're right. 

[Per the DEF CON 31 website, the cost this year is $440 USD cash onsite]

Diana Kelley 14:14 

It has been in the past, yeah. So, if I'm more of a suit or I'm more of a hacker, am I not welcome at Black Hat or DEF CON or is it more the merrier? 

Chloé Messdaghi 14:28 

I mean, honestly, last year I saw a lot more security researchers attending Black Hat than I have previously. And at DEF CON, it's really nice if you are one of those people who would consider yourself a suit and tie, it's good to go check out DEF CON because they are the major players in this industry, too. 

So it's good to build these bridges and attend both of them. And yes, there are CISOs that do go to DEF CON and they speak at DEF CON because they're still curious and learning how things are still being hacked to this day. So, you know, build those bridges and walk on those bridges.

Dan McInerney 15:07 

That wall between DEF CON and Black Hat sometimes I think gets a little overblown. It's not like you have to be this grungy hacker to only go to DEF CON and you're going to stick out like a sore thumb at Black Hat. It's a lot of overlap. It's a very porous wall between those two conferences. 

Diana Kelley 15:21 

I love that. That's a great way to say it. Yeah, it is. It's a very porous wall. 

And back when I used to go to both conferences - I go mostly to Black Hat now - but when I went to most conferences yeah, it just starts to feel like it's a different location, but you kind of feel like it's just an extension, one to the other, so I completely agree with that. 

So at DEF CON, I think that we've got some panels going on. Is that right? Chloé, can you tell us a little bit about what you're doing there?

Chloé Messdaghi 15:49 

Yeah, so we have a panel at the AI Village, and this panel dives into how to get into AI/ML bug bounty. 

So, for example, if you're a bug bounty hunter and you're like, well, how do I even start going into AI and ML security? Well, it'll be a good talk for you to learn about: what are the things you need to know ahead of time? What are the education parts that you're going to need to learn as well? But also, the panelists on there will also share what they have experienced, and that's always good. I always love taking advice from other people and their experiences. So that's happening there. 

And then we have another panel, which is at the Misinformation Village, which talks about the misinformation around AI and ML security and what are things that we actually need to focus on as an industry as a whole. But especially in the hacker space. How do security researchers get involved to make sure that we are actually really solving the massive gaps that are existing when it comes to AI and ML security? 

Diana Kelley 16:51

Yeah. Love it. 

Okay, Dan, what was your most amazing memory of any moment at the “Summer Camp?”

Dan McInerney 17:07 

Let's see. 

Man, I love the DC801 parties because they're always really fun, and it's such a good group of guys. 

But one of those crazy experiences that stood out to me was there was this guy that was writing similar tools as me over in Italy. And I emailed him and I was like, well, why are we working on the same stuff? Like, what's your background? You know, do you ever want to meet up or something? And he's like “Yeah, yeah, sure. I actually got sponsored to come over to DEF CON this year, so I'm going to fly over from Italy. Just wanted to see if you wanted to meet up.” 

And so I introduced him over to the group I was with at DEF CON, and that ended up being one of my coworkers and the best man at my wedding, years on. 

Diana Kelley 17:43

Wow!

Dan McInerney 17:47 

So, yeah. In terms of networking opportunities, it's a great place to hang out with people and really get to know them. 

Diana Kelley 17:56 

Oh, what a wonderful story. And speaking of, yeah, the power of networking. All right, that's great. Chloé, how about you? What stands out for you? 

Chloé Messdaghi 17:59

I would say it would be the first time that I went to DEF CON. I basically wanted to learn about Bugcrowd because I wanted to get into the Bug Bounty space more. And I socially engineered my way to get into one of their exclusive events. And when I got in, I knew exactly who I needed to talk to, and I ended up starting to work at Bugcrowd because I attended this event and met with the founder, Casey. And so my whole life changed from there. I would have never got into hacker rights. I would have never got into bug bounty if it wasn't for that evening and attending that event. 

Dan McInerney 18:38

How'd you get in? 

Chloé Messdaghi 18:43 

Well, I kept an eye out. You know, when I was saying, like, sometimes there's a “Lobby Con” happening, and you also mentioned that sometimes people just sit outside kind of doing their own thing -

Well, I was sitting outside of - not an alleyway - but in the Lobby Con area. And when I was there, I saw a group of people wearing orange shirts, and I knew right away they worked for Bugcrowd. So I approached them saying, hey, I have this 3D printed bracelet for an event that's supposed to happen later today. Do you know how to find out the information? Because I have to hack into it to know the details of attending this event. And they're like, oh, I don't know. I don't have my kits on me or anything like that. I'm like, oh, darn, I don't really know what to do tonight then. And then they're like, “Hey, you should come to our event.” 

And I already knew they had an event planned and everything. I just need to get an invite in. And so they invited me to go there. And when I talked to someone there staying at the bar, I knew that this person is this role. So I started talking to him about the areas that he's focused on. And then I got him to introduce me to Casey Ellis. 

And then Casey and I, we talked about the things that I knew that he cared about and he was passionate about. And we sat by a pool just talking for quite some time about hacker rights and what we see with the bug bounty industry, and that is how everything unfolded. 

Social engineer, people! [jokes] Just do it! 

Diana Kelley 20:19

There you go. 

Dan McInerney 20:23 

We're always trying to do sneaky stuff like that at DEF CON. There's some of the parties, like Rapid7 throws a big party every year, and they've got a little VIP section. Nothing malicious - we just want to go get in there and just say we did. So we do things like send ourselves fake emails from some corporate executive at Rapid7 and say, hey, we lost our badge, but this guy says that we're allowed in here. All right, just come on in here. 

Chloé Messdaghi 20:48 

It’s never for a malicious intent. It's literally to open doors and for people to have a conversation with you sometimes, as needed. 

Diana Kelley 20:53 

It’s for good. It’s for good. There are a couple of other conferences going on: BSides Las Vegas, SquadCon, Diana Initiative. 

What are those? When are they taking place? Can I go to all of them? How's that work?

Chloé Messdaghi 21:11 

Yes! You can go to all of them. 

So Diana Initiative is happening on that first Monday of that week, and it's an all day. It's a great conference. It's probably one of the top conferences I've been to where I feel included. And I think that's a really important thing. Especially, I remember the first time I went to Black Hat and I felt very much alone and intimidated and very nervous and scared because I didn't see anyone who looked like me there. 

And so Diana Initiative actually helped because I walked into the room and I felt like I belonged there because I saw other people, representation. So I really like that about Diana Initiative and SquadCon is doing that as well. SquadCon is happening on the Thursday and the Friday, I think Saturday as well, but they're doing a phenomenal job trying to bring inclusivity during DEF CON time to make sure that even people that are attending DEF CON also feel like they are welcome and they deserve to be there in the hacker community. 

It's so important to have representation right now with everything going on in the world. 

Diana Kelley 22:28 

It's true. Anything to add on BSides or the other cons? Dan, is it possible to do it all? 

Dan McInerney 22:36 

I haven't been to BSides because there was just so much to do for me personally and the group I was with at DEF CON and Black Hat, so I actually don't know what BSides looks like, unfortunately. 

I might have to go check that out next time because that's what I keep hearing. I keep hearing fantastic things about BSides. It's like just very casual.

Chloé Messdaghi 22:56 

It’s like all the conferences. If they all came together and made a baby, it would be BSides Las Vegas. People are welcome. They feel cared for. It's such a safe environment. You have your hacker community there, but you also have your suits and ties there. 

It's like the conference that bridges every single person during that week to feel included in. So I really like their conference. 

Diana Kelley 23:26 

All right. 

Okay. So, looking at us, we all work for Protect AI. It's an AI/ML security company. How are you seeing trends? 

And Dan, let's start with you. How are you seeing the trends? What are you going to be looking for at Black Hat and DEF CON this year? What kinds of talks are you interested in? What research? 

Dan McInerney 23:51 

Well, obviously I am most interested in AI research and - I'm actually going to miss DEF CON this year because I have to go travel with my wife during the same time, which I’m very, very upset about. 

But that being said, because ChatGPT came out this year, and that's just been the talk of the town for the whole industry pretty much since it came out, I know that there's going to be some amazing AI talks. I know the AI Village is going to be packed. 

And so if I was going this year, which I can't go, sadly, I would definitely be looking at and checking off all the AI talks; as many as I can. Because this is the ground floor of the industry. I mean, this year is going to be the coming out party for AI security, essentially. 

Diana Kelley 24:38 

Yeah. 

Any specific research? Are you looking at people doing adversarial AI? Prompt injection attacks? Any specific area that you think is holding the most promise, research-wise right now? 

Dan McInerney 24:53 

Research-wise, the prompt injection attacks are getting a lot of the media attention, and they seem like a very practical way of making waves. So I'm kind of expecting to see some new research around that. That is going to be really interesting. 

But I'm also interested to see how the holistic view of the AI landscape that's not just adversarial ML – adversarial AI attacks – How like the pieces that go into an AI, can you attack those? Like, do you have to attack the prompt alone? I don't think you do. I think there's a lot underneath the surface of the prompt that's also very attackable that we haven't really probed that much. 

Diana Kelley 25:35 

I agree. All right, so, yeah, hopefully we'll have some good advances at the conference this year on that. 

How about you, Chloé? What are you focusing on? Which parts of the research and the talks? 

Chloé Messdaghi 25:45 

I honestly am focused on the misinformation around AI/ML security. That's a huge concern for me and I think for a lot of folks out there because there's people that'll say like, “Oh, you need to focus on this and only this.” And these are people that don't know how ML is designed. And that's really deeply concerning right now. 

And I think the thing is that in our industry, we're still having these debates. Is it okay to use AI as a term right now? What is an LLM? Some people don't know what that abbreviation stands for. So it's a lot of catch up from the developer side for security folks. They're going to have to play catch up and then for us to try to get them to learn a lot faster. 

So I'm looking forward to hearing conversations of everyday folks that are attending these conferences to hear their thoughts when it comes to AI/ML security, and then from there learning about where we actually are and where we're standing in this misinformation situation. 

Dan McInerney 26:47

Yeah, there's a lot of talk around the misinformation of AI, and I feel like a lot of people just kind of form an opinion really quickly without necessarily understanding the technical details behind it. 

For instance, there's a lot of problems with hallucinations right now in some of the big LLMs. And so there's a lot of people who are shouting from the rooftops that the sky is falling and that this is going to usher in an age of misinformation because the AIs themselves can be tricked. 

And I'm not certain that's true. I think it's definitely a valid concern, but I think that hallucinations will slowly start going away as we advance the technology. So I don't necessarily think that AI regurgitating hallucinations is a huge sky's falling issue, but, I mean, I don't even know yet because we're still talking about the future, so I’m just speculating. 

Diana Kelley 27:40 

It’s also part of the use case too. I mean, if it's generative AI, if you're saying I want something that's going to make new stuff up, then the use case of it being a search engine is kind of a little bit different. Yeah, you want it to generate a response, but if it's trying to generate something new I have asked it numerous times what books I've written, and – this is ChatGPT specifically – and it tells me five books that I've never written. 

But statistically, the probability of my having written those books was really spot on. So it generated something statistically probable, which is great, that's what it was designed for, but it isn't. So I think with this hallucination, sometimes I feel like people may misunderstand yet the use cases for the system as we're using them. 

Dan McInerney 28:25 

Right. You can get it to misinform you on simple math questions. You can ask it, count this list, it'll give you the wrong list. 

Is that like a terrible thing? Not really. You just kind of have to understand that's a weakness and it will be fixed eventually. 

Chloé Messdaghi 28:39 

Yeah, I think that it has a lot to do with intent, too. It's not like maliciously telling you false information. It's like, oh, this is what it's like. It's more like it just doesn't know better. It's not like it can ever say, like, I don't know that, Paul. 

Dan McInerney 28:53 

It's a very confident toddler. 

Chloé Messdaghi 28:54

It’s so confident!

Diana Kelley 28:55 

It's not socially engineering you; it’s trying! 

So, as we're getting ready to wrap, Chloé, I was wondering if you could share: there's a lot of talks at these conferences. There's a whole lot. Do you have any tips on how you figure out if a talk is going to be worth your time? 

Chloé Messdaghi 29:16 

Oh, yeah. Oh, geez. Yeah. I have to admit, when you're like, okay, I really only have this amount of time during this time period, what can I do? 

First, find out which ones are being recorded. That's the first one I would recommend. First go through, try to figure out which ones are recorded, which ones aren't. Then the ones that aren't being recorded, then to go through those ones, whatever you're passionate about. But also not just passionate about, but also what are the things that aren't really being talked about? 

So any talk that stands out where it's like, I don't think I've ever seen or heard of any talk like this topic before. Go and attend those because that means that person might be that cutting edge person. That person, before the big wave hits, they're already starting to see something that we need to acknowledge, so I recommend doing that. And then the ones that are recorded, make sure you make notes and put some time on your calendar, like one-hour holds for the next few weeks saying, make sure to watch this one, make sure to watch that, so you don't forget that you want to watch those in the first place. 

Diana Kelley 30:22

That’s great advice. How do you figure out what to go to, Dan? 

Dan McInerney 30:26 

I have very specific interests, so I end up just checking off all the lists of the things I'm super interested in, which is (A) highly technical web attacks. I like the really highly technical ones where they go through, line by line of code, and they're like, okay, you see the pointer right here? It's pointing to the wrong register somewhere else. And I like being able to kind of follow along with them as they're doing it and then learn new tips and techniques and try and think about how I can apply this to other areas of security. 

So I'm going to be just going down the list and checking out the, well, checking the recordings of the talks. They're going to be highly technical on web applications, AI security, Windows hacking, and Python development in general. 

So I'm going to be pretty hyper-focused on those myself. 

Diana Kelley 31:15 

Okay. Yeah. So since you've got such a narrow space, it's pretty easy to figure out what's really worth your time.

Dan McInerney 31:21 

Yeah. 

And so because it's so limited time when you do go. If you do have a very narrow interest, it may be worth it just to explore that interest. But like Chloé said, you can find some talks that are exactly the beginning of the wave. That you're like, okay, I don't know anything about that, but it sounds like something that might be important in a few years or even next year or even right after the talk drops. 

Those are also really fun. And also check out who the speakers are, because if you are an executive and you want to learn more about the executive security and stuff, then you probably want to go to talks by executives. If you're a hacker, you probably want to go to talks by a hacker. So the speaker is going to be really important. 

Diana Kelley 32:05 

I agree. Or even if you're an executive that wants to know more about hacking, wants to get a little more technical, which is very cool. But yeah, I will sometimes if I don't know who the speaker is or I haven't heard or read, if they've got research out there, I haven't seen them speak before, I'll check out LinkedIn to try and get a feel, because sometimes you see somebody who's doing a talk that sounds really interesting, but you read on LinkedIn their background and what they've done and what they're saying about the topic, and maybe it feels a little less interesting after you've done a little bit of digging. So that's another thing that you can do. 

So, any tips about people being able to – other than hydrate, which I think we have to keep doing because it's the desert – any tips, Dan, for people getting through this week and staying healthy? 

Dan McInerney 32:54

Staying healthy. That's going to be a tough one. Pretty sure I've had a cold from DEF CON multiple times. Yeah, get the hand sanitizers out. That's going to be pretty important. 

Yeah, hydration. Making sure you're getting enough sleep. I mean, I know that the 3-2-1 rule says three hours of rest, two meals a day, one shower a day. If you're going outside, you may want to take more than one shower. I can say that much. And 3 hours of sleep. That's rough. That's going to be rough to do. But also I'm 35 years old, so I think back a couple of years ago I might have been able to pull that off. 

Diana Kelley 33:34 

Anything else? Chloé, I know you're a fan of the 3-2-1 rule. 

Chloé Messdaghi 33:36 

Three, two, one is the thing that I try my best to live by. I think in the previous ones, but I think last year I did like 5-2-1 instead. So I would get at least 5 hours of sleep a night. But I've realized I need my sleep and it's all about balancing health. 

You don't want to get sick. I do recommend, if you want to wear a mask and you're worried how people are going to see you wearing a mask, just wear the mask. Honestly, who cares at the end of the day what people say? But if you want to protect yourself and make sure you don't get sick, feel free to wear a mask. No one's going to judge you on that. If they do, so be it. 

I'm going to be wearing a mask at times when I want to be safe and protected. So I would say go for that. And then also make sure you eat well, don't drink too much, keep an eye on your drink at all times and, you know, make sure your Bluetooth is off and your WiFi is off at all times on your devices, and keep an eye on your credit cards.

Dan McInerney 34:40 

I was about to say this isn't just health and safety. This is also electronic safety. Bluetooth off. If you're super paranoid, then yeah, bring a burner phone and a burner laptop and that way you can just toss them out or do whatever you need with them afterwards. And you can be guaranteed that you're not going to bring an electronic virus back home with you. 

But in general, I find it's just safer to just use a VPN. Bring, bring a laptop you don't care about. Turn your phone off when you're not using it. Avoid the cellular networks, use encrypted messaging. Those are all going to [help] keep you safe. 

And I also don't recommend using the ATMs at the conference. Those can get a little hairy. There's been a lot of history with messing with them. So bring cash from somewhere else. 

Diana Kelley 35:22 

Yeah. A lot of active skimming. Especially ATMs outside of the casinos, because in the casinos, the security of casinos is amazing. I got to work on a project when I was at KPMG for Valley Gaming in the 90’s and I was just blown away already at how advanced casino security is. 

But yeah, any time you're outside of the casinos, be pretty wary of those sketchy looking cash machines. They've probably got skimmers on them. 

All right, so as we're wrapping up, both of you could tell me a little bit more about why Protect AI is going? And maybe, Chloé, you could start us. 

Why are we going to Black Hat, and how are we showing up? How can people engage with us, speaking of making new friends? 

Chloé Messdaghi 36:09 

Right. Well, I think the importance of us being there is because we're a company that's also wanting to plug into the communities, not just the hacker community, but also the corporate communities for all of us to be aligned when it comes to AI and ML security. And so our presence at Black Hat is we're trying to be there to answer any questions that people may have about AI and ML security, to cut through that misinformation and the noise around it; everything that we're hearing and seeing.

But also to really show that we're here. And we want to work with you on making sure that we're building these bridges across all the different communities that exist in InfoSec. 

And at DEF CON, we're still going to be doing that, but also sharing a lot more that we have: educational content as well. So for people that are trying to learn how to get started hacking in the space, we have content for you so you can learn and also attend the panels to learn a little bit about how you get into the bug bounty world when it comes to AI and ML, which has incredibly high payouts, by the way. Just putting it out there for everyone. 

And also to help answer any questions that hackers have about how to get into this space in the first place. 

Dan McInerney 37:30 

So, Black Hat, we have the booth. You can come talk to us. We'll be at AI Village, pretty much all weekend. And so if you want to know anything more about how to break into careers or industry, how you can get started hacking AI using our bug bounty program and get paid for it too, it's great on your resume. 

You can come visit us in the AI Village and we'd be more than happy to help you. We'll have the Protect AI t-shirts on. You can see, right, here. That’s what it looks like.

Yeah, that's our presence. 

Diana Kelley 38:00 

Well, I am excited to be in Las Vegas with both of you in a couple of weeks. And I am excited to meet all of our new friends from the MLSecOps Community who stop by our booth, stop by the village, introduce yourselves. If you're looking to make friends, we're looking to make friends, too, and to help make the world a safer, AI-powered world. So thank you both, Chloé and Dan, and we'll see you and everyone else in Vegas.

Chloé Messdaghi 38:26 

See you soon. 

Dan McInerney 38:27

All right, bye bye. 

Diana Kelley 38:29 

Hi, I'm Diana Kelley. I'm the CISO at Protect AI, and I attended the first Black Hat.

Chloé Messdaghi 38:34 

Hi, everyone. My name is Chloé Messdaghi, and I'm the Head of Threat Research. And I'm excited to see you all at Black Hat, DEF CON, Diana Initiative, Squadcon and all the other villages within DEF CON. I think I got them all. 

Dan McInerney 38:48 

Hi, I'm Dan McInerney. I'm the Lead Security Researcher at Protect AI. If you want to get involved in AI security research, we're going to be having a bug bounty program. And you can learn from all of the CVEs that we found on our blog at protectai.com

[Closing]

Additional tools and resources to check out:

Protect AI Radar

Protect AI’s ML Security-Focused Open Source Tools

LLM Guard - The Security Toolkit for LLM Interactions

Huntr - The World's First AI/Machine Learning Bug Bounty Platform

Thanks for listening! Find more episodes and transcripts at https://mlsecops.com/podcast.

Supported by Protect AI, and leading the way to MLSecOps and greater AI security.