Ever wondered what it’s like to venture into the fascinating world of hackers, where cybersecurity professionals and hobbyists engage in the most impressive knowledge-sharing event?
Picture this: a sunny August morning in Las Vegas, the neon lights of the Strip illuminating the city that never sleeps. Amidst the glitz and fascination, a different kind of spectacle unfolds—DEFCON, the world’s most renowned hacking conference, where digital crusaders gather to sharpen their skills, get initiated to new practices, or showcase their expertise by explaining their bleeding edge research.
We asked Maxime Clementz, Cybersecurity Senior Manager at PwC Luxembourg, to take us with him on a rollercoaster ride through his journey to DEFCON, where he had the one-of-a-kind opportunity to be a speaker.
Buckle up as in this blog we navigate the highs and lows of delving into cybersecurity research and earning a coveted spot on the DEFCON stage. You will dive into a world where bits and bytes matter just as much as the air we breathe, and where the whole event is a pretext to meet technical heroes, underground innovators, and to simply enjoy a place full of like-minded, but unique individuals.
The genesis of curiosity
It all started with a mission for a client where Maxime encountered for the first time what would become his favourite research subject: the VPN “Always-On” feature that forces your corporate laptop to securely connect to your organisation and benefit from all the protection you need.
We know you love to hate this network jail, but its promise is welcomed in our current cybersecurity landscape. As a result of COVID-19’s significant role in the spread of teleworking, organisations were forced to deploy more controls to the remote workforce endpoints.
But since Maxime, as he told us, is paid to break things, he eventually broke the “Always-On” feature—just once. And then twice, for another client, another setup, another product.
As a cybersecurity consultant, Maxime’s days were filled with advising clients on fortifying their defences. Yet, in the recesses of his mind, he craved to contribute more and, if possible, by diving deeply into a precise topic. Thanks to the energy and emulation within the PwC Luxembourg Cybersecurity team, Maxime felt encouraged to pursue his interest.
Coming up against a feature that uses both system and network concepts was a challenging exercise, as it required a mysterious blend of logic, creativity, and a hint of rebellious curiosity.
Maxime’s experiments allowed him to discover several ways to circumvent the “Always-On” feature, which would expose the user device to attackers on untrusted networks or enable a malicious insider (for instance, a corrupted or disgruntled employee) to stealthily exfiltrate data.
In sum, his findings are all about the weaknesses that make these scenarios possible. By reviewing a few commercial products amongst the most popular that feature Always-On settings, he demonstrated that they can all be defeated in one way or another. In other words, Maxime realised that even the most secure systems had their Achilles’ heels waiting to be discovered.
Hacking for good
Popular belief has evolved in the past years and most people started to understand that not all hackers wear black hats and lurk in the shadows. And sometimes—well, most of the time—wearing the bad guy’s shoes (or hat?) is a necessity to better understand the risks and protect oneself.
As an advocate of ethical hacking, Maxime sought to uncover vulnerabilities, not to exploit them, but to inform about them. His research was an attempt to hone his own technical skills, shed light on overlooked vulnerabilities and ultimately give back to the community by sharing his results and insight.
In addition, for Maxime, it’s always a very rewarding feeling to understand the intricate mechanisms of a highly engineered product. As he put it, “Dissecting systems to comprehend their inner workings is like a mind trip—it has a starting point, but since it’s through knowledge, it never ends.”
The DEFCON seal of approval
Thanks to his research, Maxime gained the kind of insight that is worth sharing so that his peers can also address it. The organisations that benefit from such protection don’t always have the time to analyse exactly how it works to find the eventual shortcomings.
While he was pretty confident of its pertinence, he still wondered: “Is my research relevant? Is it interesting enough to share it publicly?” Eventually, after numerous nights of experiments, he felt he had enough findings to publish his research.
Maxime would never have imagined that his “humble results”, as he calls them, would qualify for an official, main track talk of the most renowned and prestigious hacking conference.
At that time, he read that the Call for Paper (CFP) review committee was always giving detailed feedback on all propositions they received, and that was the only thing he was looking—and hoping—for: to get the opinion of cybersecurity experts to know if it was worth continuing digging into the subject.
Needless to say, Maxime was ecstatic when he received the invitation to present at DEFCON. The feeling was akin to receiving a golden ticket to the craziest Hacker Summer Camp.
Suddenly, the city of Las Vegas transformed from a tourist destination into the arena where Maxime’s hard work would take centre stage. What’s more, being a main track speaker allowed him to invite three guests. Any adventure is better when shared, and that’s how a cohort of PwC Luxembourg Cybersecurity specialists ended up in Sin City. Our small delegation joined the vast DEFCON attendance, which usually goes above 25,000 people.
Finally, beyond the opportunity to give a talk in front of such a big audience, Maxime received this invitation as proof of the power of passion and perseverance.
In the end, this journey to DEFCON wasn’t just about the technicalities. The digital landscape is an intricate web of challenges and opportunities, waiting for those brave enough to explore its depths.
Maxime told us that a common saying in the hacking community is that you can always find someone willing to spend an unreasonable amount of time on a specific topic. This will often result in demonstrating risks that need to be considered to better protect oneself.
Undoubtedly, Maxime’s willingness to dig into a topic that had perhaps been overlooked thus far allowed him to shed some light on its current situation, giving everyone the opportunity to improve their security posture.
More importantly, it also proved that cybersecurity recognition isn’t exclusive to full-time researchers, and that despite Maxime’s own belief, the path from a consultant’s desk to the illustrious DEFCON was possible.
The applause that followed his talk wasn’t just for him; it was for all those who strive to push boundaries, regardless of their professional titles. In that electrifying moment, Maxime realised that DEFCON was about the spirit of exploration and the relentless pursuit of knowledge.
As he flew away from Las Vegas, he carried, not just memories of neon lights and tech talks, but a profound sense of accomplishment and excitement about what was still there for him to explore.
What we think
In cybersecurity, it’s not just about breaking codes; it’s about breaking barriers – the barriers of convention, expectations, and perceived limitations. So, embrace your curiosity, join the community, and let your journey unfold in this realm where passion and innovation intertwine. After all, in cybersecurity, each byte of knowledge we gain is a step towards a safer tomorrow.Maxime Clementz, Cybersecurity Consultant and Speaker at PwC Luxembourg