At the end of July, somewhere between 20,000 - 25,000 people will flock to Las Vegas for the 25th anniversary of DEF CON, the largest hacker conference on earth - AKA “hacker show & tell.”
As someone who has one foot in security and the other in data privacy, I am delightfully surprised to see a sharp increase in the number of this year’s privacy-related talks, workshops, and villages. It looks like I’ll be pretty busy. I cannot wait!
In the meantime, here are my top 10 DEF CON 25 sessions that discuss privacy issues, in chronological order.
1) RAGE AGAINST THE WEAPONIZED AI PROPAGANDA MACHINE
Friday, July 28 (11:00 - 11:45) in 101 Track
Psychographic targeting and the so-called "Weaponized AI Propaganda Machine" have been blamed for swaying public opinion in recent political campaigns. But how effective are they? Why are people so divided on certain topics? And what influences their views? This talk presents the results of five studies exploring each of these questions. The studies examined authoritarianism, threat perception, personality-targeted advertising and biases in relation to support for communication surveillance as a counter-terrorism strategy. We found that people with an authoritarian disposition were more likely to be supportive of surveillance, but that those who are less authoritarian became increasingly supportive of such surveillance the greater they perceived the threat of terrorism. Using psychographic targeting we reached Facebook audiences with significantly different views on surveillance and demonstrated how tailoring pro- and anti-surveillance ads based on authoritarianism affected return on marketing investment. Finally, we show how debunking propaganda faces big challenges as biases severely limit a person's ability to interpret evidence which runs contrary to their beliefs. The results illustrate the effectiveness of psychographic targeting and the ease with which individuals' inherent differences and biases can be exploited.
Suggy (AKA Chris Sumner), Researcher, The Online Privacy Foundation
2) CITL AND THE DIGITAL STANDARD - A YEAR LATER
Friday, July 28 (12:00 - 12:45) in 101 Track
A year ago, Mudge and I introduced the non-profit Cyber ITL at DEF CON and its approach to automated software safety analysis. Now, we'll be covering highlights from the past year's research findings, including our in-depth analysis of several different operating systems, browsers, and IoT products.
Parts of our methodologies have now been adopted by Consumer Reports and rolled into their Digital Standard for evaluating safety, security, and privacy, in a range of consumer devices. The standard defines important consumer values that must be addressed in product development, with the goal of enabling consumer organizations to test, evaluate, and report on whether new products protect consumer security, safety, and privacy.
Sarah Zatko, Chief Scientist, Cyber ITL
3) WORKSHOP: SUBVERTING PRIVACY EXPLOITATION USING HTTP
Friday, July 28 (14:30 - 18:30) in Octavius 5
The world has become an increasingly dangerous place. Governments and corporations spend hundreds of millions of dollars each year to create new and cutting-edge technology designed for one purpose: the exploitation of our private communications. How did we let this happen? And what are we going to do about it? Are we willing to stand idly by and live in a state of fear while our freedom of speech is silently revoked? Or is there something we can do to challenge the status quo and use our skills to protect our privacy and the privacy of others?
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol that's the foundation of the modern Internet. Initially created by Tim Berners-Lee in 1989, HTTP is still the most popular protocol in use today. One of the core strengths of HTTP is that it's flexible enough to transmit any type of data. HTTP is also everywhere - it's in use on desktops, mobile devices, and even IoT. Due to the ubiquitous nature of HTTP, firewalls and proxies are configured by default to allow this type of traffic through. Could HTTP be used to communicate securely while completely bypassing network management rules?
This workshop challenges the assumption that HTTP cannot guarantee confidentiality of data. It will introduce you to the HTTP protocol and demonstrate how it can be used to send data securely. We'll create command-line applications in C/C++ on Linux that will use HTTP to securely send messages across the Internet, while bypassing firewall and proxy rules. We'll use a variety of ciphers, hashes, and other cryptographic routines that are part of open-source libraries. Whether you're a professional programmer, find yourself a little rusty and want a refresher course, or even if you'd never created a secure application in C/C++ before; this workshop is for you.
Please note that this is a medium-level, technical workshop and requires that attendees have prior experience in at least one programming language, preferably C or C++. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.9.2 or msvc 2015).
Prerequisites: Previous experience in at least one programming language is required. Previous experience with C/C++ and cryptography is helpful, but not required.
Materials: Laptop with Windows, Linux, or OSX. USB flash drive for saving your progress.
Max students: 90 | Registration: https://dc25_eijah.eventbrite.com (Open July 5)
Eijah, Founder, Demonsaw
4) DARK DATA
Friday, July 28 (15:00 - 15:45) in Track 3
A judge with preferences for hard-core porn, a police officer investigating a cyber-crime, a politician ordering burnout medication - this kind of very personal and private information is on the market. It gets sold to whomever is willing to pay for it.
In a long-running experiment, with the help of some social engineering techniques, we were able to get our hands on the most private data you can find on the internet: clickstream data of three million German citizens. It contains every URL they have looked at, every second, every hour, every day for 31 days. In our talk we will not only show how we got that data, but how you can de-anonymize it with some simple techniques.
This data is collected worldwide by big companies, whose legal purpose is to sell analytics and insights for marketers and businesses. In the shadow of Google and Facebook, companies have evolved, their names unknown to a broader public but making billions of dollars with your data. The new oil of the 20th century.
Our experiment shows in a drastic way what the recent decision reversing the Broadband Privacy Rule means, what the consequences for everyday life could be when ISPs are allowed to sell your browsing data, and why that piece of regulation from the FCC was so important regarding privacy and constitutional rights.
Svea Eckert, NDR
Andreas Dewes, PhD
5) "TICK, TICK, TICK, BOOM! YOU’RE DEAD" — TECH & THE FTC
Friday, July 28 (16:00 - 16:45) in Track 4
The Federal Trade Commission is a law enforcement agency tasked with protecting consumers from unfair and deceptive practices. Protecting consumers on the Internet and from bad tech is nothing new for the FTC. We will take a look back at what the FTC was doing when DEF CON first began in 1993, and what we've been doing since. We will discuss enforcement actions involving modem hijacking, FUD advertising, identity theft, and even introduce you to Dewie the e-Turtle. Looking forward, we will talk about the FTC's future protecting consumers' privacy and data security and what you can do to help.
Whitney Merrill, Privacy, eCommerce & Consumer Protection Counsel, Electronic Arts
Terrell McSweeny, Commissioner, Federal Trade Commission
6) THE INTERNET ALREADY KNOWS I’M PREGNANT
Friday, July 28 (17:00 - 17:45) in Track 4
Women's health is big business. There are a staggering number of applications for Android to help people keep track of their monthly cycle, know when they may be fertile, or track the status of their pregnancy. These apps entice the user to input the most intimate details of their lives, such as their mood, sexual activity, physical activity, physical symptoms, height, weight, and more. But how private are these apps, and how secure are they really? After all, if an app has such intimate details about our private lives, it would make sense to ensure that it is not sharing those details with anyone such as another company or an abusive partner/parent. To this end EFF and journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications, as well as some notable security flaws and a couple of interesting security features.
Cooper Quintin, Staff Technologist, EFF
Kashmir Hill, Journalist, Gizmodo Media
7) PANEL - AN EVENING WITH THE EFF
Friday, July 28 (20:00 - 22:00) in Trevi Room | Evening Lounge | 0025
Relax and enjoy an evening lounge while you get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premier digital civil liberties group fighting for freedom and privacy in the computer age. This Evening Lounge discussion will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation; discussion of our technology project to protect privacy and speech online; updates on cases and legislation affecting security research; and much more.
Kurt Opsahl, Deputy Executive Director & General Counsel, Electronic Frontier Foundation
Nate Cardozo, EFF Senior Staff Attorney
Eva Galperin, EFF Director of Cybersecurity
Andrew Crocker, EFF Staff Attorney
Kit Walsh, EFF Staff Attorney
8) HACKING DEMOCRACY
Friday, July 28 (20:00 - 22:00) in Capri Room
Are you curious about the impact of fake news and influence operations on elections? Are you concerned about the vulnerability of democratic institutions, the media, and civil society? Then come engage with your peers and the first US National Intelligence Officer for Cyber Issues on ways to hack democracy. He will: (1) provide a low-tech, strategic analysis of recent events, foreign intelligence threats, and the future of information warfare; (2) lead a Socratic dialogue with attendees about the trade-offs between national security and core democratic values (such as freedom, equality, and privacy); and (3) open the floor to audience questions and/or a moderated group debate.
This session is intended to be informal and participatory. It will cover a range of issues, from supply chain attacks on voting machines to psychological operations, using an interdisciplinary approach that encompasses constitutional law, world history, game theory, social engineering, and international affairs. The discussion will occur against the backdrop of cyber security and critical infrastructure protection, but it will not examine any specific hardware or software systems; rather, it will concern the conceptual formulation and conduct of modern strategic influence campaigns. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must.
Mr. Sean Kanuck, Stanford University, Center for International Security and Cooperation
9) WHEN PRIVACY GOES POOF! WHY IT’S GONE AND NEVER COMING BACK
Saturday, July 29 (12:00 - 12:45) in Track 2
"Get over it!" as Scott McNealy said - unhelpfully. Only if we understand why it is gone and not coming back do we have a shot at rethinking what privacy means in a new context. Thieme goes deep and wide as he rethinks the place of privacy in the new social/cultural context and challenges contemporary discussions to stop using 20th century frames. Pictures don't fit those frames, including pictures of "ourselves."
We have always known we were cells in a body, but we emphasized "cell-ness". Now we have to emphasize "body-ness" and see ourselves differently. What we see depends on the level of abstraction at which we look. The boundaries we imagine around identities, psyches, "private internal spaces," are violated in both directions, going in and going out, by data that, when aggregated, constitutes "us". We are known by others more deeply in recombination from metadata than we know ourselves. We are not who we think we are.
To understand privacy - even what we mean by "individuals" who want it - requires a contrary opinion. Privacy is honored in lip service, but not in the marketplace, where it is violated every day. To confront the challenges of technological change, we have to know what is happening to "us" so we can re-imagine what we mean by privacy, security, and identity. We can't say what we can't think. We need new language to grasp our own new "human nature" that has been reconstituted from elements like orange juice.
The weakest link in discussions of privacy is the definition of privacy, and the definition of privacy is not what we think. Buddhists call enlightenment a "nightmare in daylight", yet it is enlightenment still, and that kind of clarity is the goal of this presentation.
Richard Thieme (a.k.a. neuralcowboy), Author & Speaker
10) DNS - DEVIOUS NAME SERVICES - DESTROYING PRIVACY & ANONYMITY WITHOUT YOUR CONSENT
Saturday, July 29 (12:00 - 12:45) in Track 3
You've planned this engagement for weeks. Everything's mapped out. You have tested all your proxy and VPN connections. You are confident your anonymity will be protected. You fire off the first round and begin attacking your target. Suddenly something goes south. Your access to the target site is completely blocked no matter what proxy or VPN you use. Soon, your ISP contacts you reminding you of their TOS while referencing complaints from the target of your engagement. You quickly switch MAC addresses and retry only to find that you are quickly blocked again!
What happened? How were you betrayed? The culprit? Your dastardly DNS resolvers and, more specifically, the use of certain EDNS0 options by those resolvers.
This presentation will cover the ways in which EDNS OPT code data can divulge details about your online activity, look at methods for discovering which options upstream DNS providers implement, and discuss ways in which malicious actors can abuse these features. We will also examine steps you can take to protect yourself from these invasive disclosures.
The details covered will be only moderately technical. Having a basic understanding of RFC 6891 and general DNS processes will help in understanding. We will discuss the use of basic tools including Wireshark, Packetbeat, Graylog and Dig.
Jim Nitterauer, Senior Security Specialist, AppRiver, LLC
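To make the disclosure the talk describes concrete, here is an added example (not from the talk or its speaker) in Python that walks the OPT pseudo-RR of a constructed DNS response and reports the EDNS Client Subnet it carries. The abstract does not name a particular option, so treating ECS (RFC 7871, option code 8) as the illustrative case is my assumption; the message bytes are constructed for the example. A defender can run the same parser over responses captured with dig or Wireshark to check whether a resolver is forwarding part of the client's address upstream.

```python
import struct
import ipaddress

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR, RFC 6891
ECS_OPTION_CODE = 8    # EDNS Client Subnet option, RFC 7871 (assumed illustrative case)

def skip_name(msg, off):
    # Return the offset just past a DNS name (label sequence or compression pointer).
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_options(msg):
    """Yield (option code, option data) for every option in the message's OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                      # questions: name + qtype + qclass
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # resource records, OPT lives in additional
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):         # option: code(2) length(2) data(length)
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            yield code, rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen

def client_subnet(msg):
    """Return the ECS subnet the message discloses, e.g. '203.0.113.0/24', or None."""
    for code, data in edns_options(msg):
        if code == ECS_OPTION_CODE:
            family, src_len, _scope = struct.unpack("!HBB", data[:4])
            addr = data[4:].ljust(4 if family == 1 else 16, b"\x00")  # pad truncated address
            return str(ipaddress.ip_network((addr, src_len), strict=False))
    return None

# Constructed sample: response for example.com A with an OPT RR carrying
# ECS family=1 (IPv4), source prefix 24, scope 24, address 203.0.113/24.
ECS_OPTION = b"\x00\x08\x00\x07" + b"\x00\x01\x18\x18" + b"\xcb\x00\x71"
SAMPLE_WITH_ECS = (
    b"\x12\x34\x81\x80\x00\x01\x00\x00\x00\x00\x00\x01"  # header: 1 question, 1 additional
    + b"\x07example\x03com\x00\x00\x01\x00\x01"          # question: example.com A IN
    + b"\x00\x00\x29\x10\x00\x00\x00\x00\x00" + struct.pack("!H", len(ECS_OPTION)) + ECS_OPTION)
SAMPLE_NO_ECS = SAMPLE_WITH_ECS[:-len(ECS_OPTION) - 2] + b"\x00\x00"  # same OPT RR, no options
```

`client_subnet(SAMPLE_WITH_ECS)` returns the /24 that the resolver would hand to the authoritative server, while `SAMPLE_NO_ECS` yields `None`.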
BONUS: CRYPTO & PRIVACY VILLAGE
Friday July 28 - Sunday, July 30 (all day)
Privacy is important to everyone, both in terms of the abstract legal right to secure our information and the concrete availability of tools and means to keep that data secure. In this age of near-ubiquitous surveillance, it's a good idea to keep your security knowledge sharp. To that end, the Crypto and Privacy Village is back with a full roster of presentations, contests and workshops to level up your privacy game.
More From Debra | The Privacy Pact
Listen to Debra talk about the intersection of privacy and security in her podcast series, #ThePrivacyPact.