DEF CON Academy looks to serve, build community



Illustration by Andy Keena


Every year, a legion of hackers, programmers, cybersecurity professionals and researchers descends on Las Vegas for the most storied convention in the hacker community: DEF CON.

Since 1993, the event has provided a weekendlong haven for anyone interested in computer architecture, software, hardware and more. It hosts panels covering novel exploitation techniques and featuring big names in cybersecurity. There are hacking competitions and entire “villages” devoted to compromising automobiles, satellites or analog technologies like locks. In short, if it can be hacked, DEF CON attendees want to learn about it.

Beginning next year at DEF CON 33, cybersecurity enthusiasts of all levels will have a new mechanism to hone their cybersecurity skills: DEF CON Academy.

Organized by faculty and staff from Arizona State University’s Global Security Initiative, DEF CON Academy is a skill-based learning network. DEF CON Academy is supported by GSI’s American Cybersecurity Education Institute, an effort to provide practical cybersecurity education nationwide and bolster the U.S. cybersecurity workforce.

Serving the needs of DEF CON

While the American Cybersecurity Education Institute has a broad goal of developing a nationwide cybersecurity workforce, DEF CON Academy has a narrower focus.

“DEF CON is a community, not a country, not an industry segment,” says Yan Shoshitaishvili, associate director of workforce development at GSI’s Center for Cybersecurity and Trusted Foundations, or CTF. “Our explicit goal is to support that community by pulling in some of the 30,000 hackers wandering the halls of DEF CON and skilling them up.”

Initially, pwn.college will underpin DEF CON Academy’s educational offerings. Created by Shoshitaishvili, pwn.college is a blend of educational modules, competitive practice environments and communication channels to help students learn collaboratively. Shoshitaishvili is exploring adding more educational resources to the system before its launch at DEF CON 33.

DEF CON Academy will also have a physical presence at the next conference, joining the dozens of existing villages that focus on areas ranging from car hacking to HAM radio, aerospace to AI, social engineering to bug bounties and more.

“Just like the Lock Pick Village might have 10 tables with people learning how to pick locks, we’ll have laptops set up and teaching how to do a simple buffer overflow, for example,” says Connor Nelson, a staff software engineer at CTF.

Shoshitaishvili and Nelson aim to structure DEF CON Academy so enthusiasts can jump into training at various levels, as well.

“Oftentimes, people have 90% of the fundamentals — there’s just small gaps in knowledge,” says Shoshitaishvili, also an assistant professor in the School of Computing and Augmented Intelligence, one of the Ira A. Fulton Schools of Engineering. “So we’ll have people there to help. We have a community that has already gone through pwn.college, many of whom will be volunteering to help out at DEF CON Academy, so they'll be able to pull people up that are missing that 10%.”

ASU at DEF CON

DEF CON Academy builds on ASU’s longstanding ties with the conference. From 2018 to 2021, Shoshitaishvili — along with CTF Director Adam Doupé and Tiffany Bao, CTF’s associate director of research acceleration — hosted DEF CON’s Capture the Flag competition. Fish Wang, CTF’s associate director of impact, continued the tradition in 2021 and is now entering his fourth year contributing to planning the competition.

ASU hackers win big at DEF CON

In August, the Shellphish hacking team — which includes hackers from ASU — won $2 million in the DARPA AI Cyber Challenge, also known as AIxCC.

Widely considered to be the “world championship of hacking,” DEF CON’s Capture the Flag challenge pits hacking teams against one another to steal digital information — the flag — from software custom-built by organizers.

“ASU has been a staple at DEF CON for a long time, and people now trust that we know what we're doing and we understand how the community works, and that we have the community's best interests at heart,” Shoshitaishvili says.

To get DEF CON Academy off the ground, Shoshitaishvili reached out to Jeff Moss, DEF CON’s founder, who greenlit the project.

When the learning curve is a wall

After stepping down from hosting DEF CON’s Capture the Flag event, Shoshitaishvili wanted to continue contributing to the community. Shoshitaishvili and Nelson began working on pwn.college in 2018 to meet the growing need for qualified cybersecurity professionals and rectify the dearth of formalized, practical cybersecurity education.

Shoshitaishvili believes there is a huge chasm between practical and theoretical cybersecurity education. Most people know to regularly change their passwords, and can recognize phishing attempts, but they don’t understand the practical nuts and bolts of cybersecurity.

“It is similar to the difference between locking your door when you leave the house versus knowing how that lock actually works and how it can be compromised,” Shoshitaishvili says. “We don’t necessarily lack people who can tell you to lock your door — we lack people who understand locks on a deep, technical level.”

But in bridging the gap between theory and practice, Shoshitaishvili encountered a problem.

“The difficulty curve was basically vertical,” he says.

Nelson, who started working with Shoshitaishvili on pwn.college from the outset, thought the problem stemmed from how cybersecurity was taught.

“In the past, cybersecurity in academia often focused more on conceptual discussions, with few opportunities to apply the skills in practice,” Nelson says. “The counterbalance to that is Capture the Flag, but that scene isn’t built with an education mindset — it’s a competition mindset.”

Capture the Flag can provide competitors with a wealth of skills and experience if they stick with it, but getting started in the scene is a bit like getting thrown in the deep end, Nelson says. His work and research on pwn.college eventually became the foundation for his dissertation, which he successfully defended in February.

“These challenges will just be scattered all about random little topics over here,” Nelson says. “So you might even be getting a little bit proficient in one or another, but then the next Capture the Flag is just a completely different topic. It wasn't built to be a cohesive curriculum.”

So Shoshitaishvili and Nelson blended the hands-on, practical application of Capture the Flag with a self-led, structured, concept-by-concept approach — and pwn.college was born.

“Before ASU, my philosophy was that you couldn't teach cybersecurity,” Shoshitaishvili says. “That it had to be learned instead. DEF CON Academy is an attempt to challenge that.”

Extending DEF CON outside the convention center

Shoshitaishvili affectionately describes DEF CON as a “supercollider of hacking.” The intense, weekendlong event packs an incredible amount of learning and practical application into just a few days.

For instance, the Capture the Flag competition scene — while instructive — isn’t a sustainable way to learn, Nelson says.

“It’s not necessarily the healthiest thing in the world to cram learning into 48 hours straight every weekend,” he adds.

Through incorporating the hands-on elements of hacking competitions into DEF CON Academy, the team hopes to impart practical skills without the burnout. In addition, they look to bolster the strong hacker community present at DEF CON.

“It’s not completely fair to say that there’s no DEF CON community throughout the year, but being able to show up to a village and just get started learning something — that really just exists during the DEF CON convention, which is just a few days,” Nelson says.

With DEF CON Academy, Shoshitaishvili and Nelson hope to expand that learning experience all year long. By connecting hackers on pwn.college and other resources, they’re aiming to build a community and learning environment that extends beyond the convention halls. 
