
Access Everywhere: The best of DEF CON 33

cover-best-of-def-con (https://unsplash.com/photos/an-abstract-image-of-lines-and-shapes-in-pink-blue-and-purple-K3Sn3FtkCUA)
Simon Correa, Head of Research

Updated Dec 15, 2025

6 min

Picture that energy when you're deep into coding or hacking in the small hours, a melancholic melody playing alongside ethereal synths like digital fog. That same energy you feel on the last night of DEF CON, after days of total immersion in hacker culture… That's the feeling captured by Love Me Better (Liquid Edit), part of the official DEF CON 33 soundtrack by Skittish & Bus, who were the con's official DJs. That feeling marks the end. This year's time has passed, but the experience and the feeling remain.

Let's look back at the best moments from a few days ago: the best of DEF CON 33, the latest edition of the world's most important hacking conference!

What's Access Everywhere?

As Jeff Moss (The Dark Tangent), founder of DEF CON, puts it, the conference is all about the joy of discovery, breaking things, fixing things, and understanding what technology can really do.

Edition 33 drew over 26,000 attendees, with 107 speakers on the Main Track and 220 across the villages. It all centered on one theme: Access Everywhere.

This theme was reflected in every physical and digital space of the conference, a motto conveying that knowledge is open to everyone. Open in three ways: usable, accessible, and private/secure. Various efforts were made to deliver knowledge across these three dimensions: accessibility options were enabled both on the web and in talks through screen readers, talks were streamed on YouTube, conference materials were provided in four different languages across various spaces, and of course, with privacy and security in mind, all sites were enabled with technologies like Tor and Veilid.

A quick note on pricing

The cost of this experience varied based on ticket type and time of purchase. For those who value privacy, DEF CON kept its cash-only option at $500, paid at LineCon (the registration line) with no personal information required. There was also online pre-registration for those who wanted to secure their badge in advance, with prices varying based on how close the event was: Early Bird ran until May 23 at $540, Regular until July 18 at $560, and Late Pricing from July 19 until pre-registration closed at $580.

Unlocking the hidden: This year's badge

This year's badge was analog, designed by Mar Williams (spuxo), featuring three colored lenses that revealed hidden content in 3D images scattered throughout the venue. Designed with an accessible color palette, the badge had a Victorian style with global and indigenous influences. Similarly, the black badge — awarded to contest winners and granting lifetime access to DEF CON — was handcrafted one by one in the creator's backyard, cast in bronze.

The villages: 35 worlds to explore

With your badge as entry, you get access to everything at DEF CON: talks, villages, communities, competitions, and more. Villages are immersive learning spaces focused on specific areas of technology and hacking. This year there were 35 villages, with 220 village speakers and 159 talks total. Village topics ranged from game hacking to payment system hacking, from red teaming to voting machines, from quantum to embedded systems. There was so much to learn and experience, but these top three villages stood out above the rest:

Social Engineering Community Village

This one had a line just to get in, but it was definitely worth the wait. The village was an enclosed space where recording and photos weren't allowed. Everything there, of course, revolved around social engineering, taught through talks and hands-on activities. One of this year's activities was the SECVC (Social Engineering Community Vishing Competition), a vishing (voice phishing) competition where pre-qualified contestants, with months of preparation and target research under their belts, made live calls to extract specific information from real corporations, with audience members throwing in completely random questions the contestants had to work in, like "If you were a piece of cutlery, which would you be?"

Bug Bounty Village

This one surprised me in the best way. Due to high demand, it also required waiting in line, but once inside you got (a) their electronic badge, which you could interact with as you solved challenges, (b) challenge coins with encoded or hidden messages to solve, and (c) stickers and village swag. Inside, there were talks on web and mobile hacking, research, and bug bounty, plus several challenges to work on between talks and a live CTF to participate in.

Physical Security Village

This village was absolutely essential to visit and one of the most eye-catching. It could only be described as insane. There were mini doors, safes, all kinds of locks, padlocks, alarm systems, and surveillance systems — and they taught you how to hack all of it. Why? Because these systems need to be made more secure, and awareness must be raised through the open sharing of knowledge.

The talks that defined DEF CON 33

Those were some of the must-visit villages, but what about the talks?

Of the 683 talks submitted to the Main Track, 107 were accepted and 71 were from first-time DEF CON speakers. After all were rated, 72.2% of talks were rated as high-quality in content, 53.7% were recognized as excellent in terms of the speaker's presentation skills, and 56% were marked as exceptional.

The quality of the talks is undeniably excellent, and DEF CON has become the state of the art in hacking and cybersecurity. That said, taking the liberty, here are what I consider the three best talks at DEF CON 33.

HTTP/1.1 Must Die! The Desync Endgame

This was the heavyweight of the talks. Given by James Kettle (albinowax), Director of Research at PortSwigger, it starts from the premise that HTTP/1.1 has no reliable method to isolate requests when multiple are sent in a single TCP packet. From there, he presents two new techniques to exploit desynchronization: Zero-CL and the Expect header.

Zero-CL, or Zero Content-Length, is a technique previously thought impossible to exploit because of an inherent problem: the frontend server doesn't recognize the Content-Length header while the backend does, so the frontend never forwards the request body and the backend keeps waiting for it. James bypassed this on IIS servers by requesting paths containing reserved words, which returned immediate responses and so sidestepped the block. He was able to exploit this behavior with a double desync: an attack composed of two requests from the attacker and a third from the victim.

On the other hand, the Expect header, or Expect: 100-continue, also introduces a series of new flaws. By adding state to the protocol and splitting a request into a two-part exchange, where the headers are sent first and the body afterwards, two response header blocks are created and a desync with the frontend can be triggered.

With these techniques, James earned $350,000 in bounties and closed the talk with the conclusion that the fix is to use either HTTP/2 or HTTP/3—which is why HTTP/1.1 must die.
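The defensive takeaway from both techniques is that a hop speaking HTTP/1.1 must never guess at a request boundary it cannot verify. The following Python is an added example written for this post; it is not code from James Kettle's talk or from PortSwigger, and it assumes only the RFC 9112 framing rules (nothing about any particular server). It frames a pipelined HTTP/1.1 buffer the way a strict proxy hop should, rejecting any request whose length is ambiguous (Content-Length together with Transfer-Encoding, duplicate or non-decimal Content-Length, header names with stray whitespace) instead of forwarding it for the next hop to read differently. The sample traffic in the `__main__` block is constructed for the demonstration.

```python
"""Strict HTTP/1.1 request framing for a proxy hop (added example; not code
from James Kettle's talk or PortSwigger). Assumes only RFC 9112 framing
rules. Requests whose length is ambiguous are rejected, never guessed."""
import re

CRLF = b"\r\n"
# RFC 9110 token bytes: "Content-Length : 5" is rejected, not silently repaired.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
HEXNUM = re.compile(rb"[0-9A-Fa-f]+")


class FramingError(ValueError):
    """The request cannot be framed without guessing."""


def _read_chunked(buf):
    """Decode a chunked body at the start of buf; return (body, remainder)."""
    body = b""
    while True:
        nl = buf.find(CRLF)
        if nl < 0:
            raise FramingError("incomplete chunk-size line")
        size_field = buf[:nl].split(b";")[0].strip()  # drop chunk extensions
        if not HEXNUM.fullmatch(size_field):
            raise FramingError("chunk size is not hexadecimal")
        size = int(size_field, 16)
        buf = buf[nl + 2:]
        if size == 0:
            if not buf.startswith(CRLF):  # only an empty trailer section
                raise FramingError("trailer section not accepted")
            return body, buf[2:]
        if len(buf) < size + 2 or buf[size:size + 2] != CRLF:
            raise FramingError("chunk data incomplete or not CRLF-terminated")
        body += buf[:size]
        buf = buf[size + 2:]


def split_requests(buf):
    """Split a pipelined HTTP/1.1 buffer into dicts (method, target, headers
    with lower-cased names, body). Any ambiguity raises FramingError."""
    requests = []
    while buf:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            raise FramingError("incomplete request head")
        head, buf = buf[:end], buf[end + 4:]
        lines = head.split(CRLF)
        parts = lines[0].split(b" ")
        if len(parts) != 3 or parts[2] != b"HTTP/1.1":
            raise FramingError("malformed request line")
        headers = []
        for line in lines[1:]:
            if line[:1] in (b" ", b"\t"):
                raise FramingError("obsolete line folding")
            name, sep, value = line.partition(b":")
            if not sep or not TOKEN.fullmatch(name):
                raise FramingError("malformed header name: %r" % name)
            headers.append((name.lower(), value.strip()))
        cl = [v for n, v in headers if n == b"content-length"]
        te = [v for n, v in headers if n == b"transfer-encoding"]
        # Never forward both framing mechanisms: the next hop may pick the other.
        if cl and te:
            raise FramingError("both Content-Length and Transfer-Encoding")
        if len(cl) > 1 or len(te) > 1:
            raise FramingError("duplicate framing header")
        if cl:
            if not cl[0].isdigit():
                raise FramingError("Content-Length is not a plain decimal")
            n = int(cl[0])
            if len(buf) < n:
                raise FramingError("incomplete body")
            body, buf = buf[:n], buf[n:]
        elif te:
            if te[0].lower() != b"chunked":
                raise FramingError("unsupported Transfer-Encoding")
            body, buf = _read_chunked(buf)
        else:
            body = b""
        requests.append({"method": parts[0], "target": parts[1],
                         "headers": headers, "body": body})
    return requests


def framing_problem(buf):
    """Return why a buffer was rejected, or None if it framed cleanly."""
    try:
        split_requests(buf)
    except FramingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":  # constructed sample traffic
    clean = (b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
             b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n")
    print([r["target"] for r in split_requests(clean)])
    print(framing_problem(b"POST /d HTTP/1.1\r\nHost: x\r\nContent-Length: 3\r\n"
                          b"Transfer-Encoding: chunked\r\n\r\nabc"))
```

The design choice is to fail closed: a request that this hop cannot frame unambiguously is dropped with a reason rather than passed on, because the whole desync class depends on two hops reading one byte stream differently. In production the same rules belong in the front-end's own parser, with the rejected cases logged as a signal worth alerting on.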

Kill List: Hacking an Assassination Site on the Dark Web

This talk grabbed the audience's attention from the first moment and never let go. It's the story of how Chris Monteiro, a Dark Web researcher, stumbled upon a hitman-for-hire site and took complete control of it. He and journalist Carl Miller created a global network to warn potential victims directly, after initial failed attempts to cooperate with UK authorities and Interpol. The whole operation resulted in unmasking 175 assassination orders, leading to 32 arrests, 28 convictions, and 180 years of prison time. However, Carl's call to the community is a call for help to finish unmasking the remaining cases still pending investigation, as over 2,000 messages or orders were recovered before authorities took the site down.

Stories from a Tor Dev

Finally, there was a talk about Tor, a tool closely related to the Dark Web — more specifically, to online privacy and anonymity. The talk was given by Roger 'arma' Dingledine, co-founder of the Tor Project, and focused on three main themes through a series of stories from his time with the project: (a) relationships with government and government entities to build internal allies and expand the importance of privacy and anonymity, (b) defending the Tor network against sophisticated attacks, and (c) ways to help users in authoritarian regimes circumvent censorship. Roger delivered his message through a series of interesting and sometimes ironic or funny stories, highlighting the importance of having a global community where a diverse range of actors — even opposing ones — can help keep privacy and the network working properly.

Why we keep coming back to the desert

With all the talks, villages, communities, and more, DEF CON also becomes an almost surreal experience where at any moment you might find yourself face to face with a hacking legend and simply have a conversation or take a photo with them. That's how I personally got to meet great figures like the already mentioned James Kettle, Jack Rhysider, creator of the Darknet Diaries podcast, and Fabian Faessler, security researcher better known as LiveOverflow.

Everyone who goes to DEF CON lives a unique experience, and edition 33 reminded us why we keep coming back to the desert every year, why the Goons in red shirts keep watching over us without asking for anything in return, and why there's always joy in those endless lines. The reason is simple: DEF CON is the heart of hacker culture. The moment and space where knowledge flows free, like an intense and fleeting, yet transformative, chaos. And when it's all over and the Las Vegas Convention Center falls silent, we take something with us that no talk can describe: the certainty that we belong to something bigger than ourselves — a tribe scattered across the world that, for a few days each year, comes back home.

Tags: cybersecurity, hacking, training

© 2025 Fluid Attacks. We hack your software.