DEFCON33
Posted on 07 August 2025
Talk Submission
My DEFCON journey starts at DC4420 where I was lucky enough to meet up with Lena Yu who runs the Malware Village! She encouraged me to write a talk submission which I stayed up to 02:00 to get it submitted before the deadline.
I ended up submitting two talks, one for the main DEFCON conference and one the Malware Village inside DEFCON. I had been watching DEFCON talks for years on YouTube, but the conference and how the villages and badges work was still a bit of a mystery to me.
My DEFCON proposal was on I2P (The Invisible Internet Project) because at the time I was investigating alterative C2 methods and the project was a growing interest for me. I wanted to use the talk as a way to keep that mental research train going and to get some more experience with the project. However, the talk did not get accepted for the main DEFCON conference.
My Malware Village proposal was a talk building upon the 2024 research paper Discovering and Measuring CDNs Prone to Domain Fronting (Git Project) by Karthika Subramani. The idea was to re-perform the same research for 2025 and then perform a “Retrospective” between the two years to see if there was an industry trend either for or against Domain Fronting via mainstream CDN providers.
After a very late tea and chocolate-powered evening, submission was completed! T hen a week later I found that my talk has been accepted!
I was very honoured to have my talk accepted. However, then it quickly dawned on me that I’d basically committed to re-performing Karthika Subramani research, which I’m sure she had many months of dedicated time to perform, into what was basically a few evenings and one weekend. Not my best example of project planning. Plus, I had to write the presentation too.
What followed was an extremely frantic series of late evenings debugging Karthika Subramani code and trying to build workarounds for not having access to the same datasets in the original report. I ended up writing some small tools to scrape the data sets for me and reduced the number of sites to be tested since I just don’t have the patience to debug all the issues I had with Chrome, JavaScript, and puppeteer-based web scrapping. Both my Linux Kernel and I needed a cup of tea after some of these evenings.
The other issue I had during putting the presentation together is just how nebulous the term “Domain Fronting” is; depending on how you count it, I researched six different methods! This included standing up an instance of PoshC2 to reverse engineer their method. I wasn’t going to be breaking any new ground with this presentation. However, I wanted it to be a one-stop shop of everything domain Fronting related, so I made sure to make a detailed slide for every method and include a comparison chart.
The Flight
Control Plane was very gracious in allowing me to use some of my R&D days to work on the presentation and also pay for both the flight and the hotel out there!
The flight and hotel were fairly ordinary affairs, I didn’t fly business class or anything, but I did take some time to rehearse the presentation on the flight and found it quite funny that Virgin Atlantic gave us all mini ice-cream!
Las Vegas
The main takeaway for me is Las Vegas is not really “my thing”. I don’t gamble, I miss public transport, and it’s a bit too over the top for my taste. Not to mention ridiculously expensive! A fruit pot was $10, and just to get around for the week, I ended up spending $300 in Taxies.
I do see, however, why people come here, it’s an engineering marvel the place even exists. Caesars palace is frantically mind-blowing, and I’m sure the stage performances are once in a lifetime. I did end up having a go on a roulette table and Slot machine, losing $20 but winning $10 yay? Only to spend it on a $25 cocktail.
I also attended a few pool parties which was a highlight for me. Plus amazing people from all walks of life, I had great chats with basically every taxi driver.
On a final point, Las Vegas is hot! Like 45°C HOT, I was prepared for it, but my word! Suncream! Lots of it! Drink lots of water! Try to avoid the sun the best you can! The sun is angry, and you’ll definitely know about it!
The Conference
The one thing I underestimated about the Conference is just the sheer size of it. At any one time there must be thirty different talks going on across all the different villages and main tracks, it can be quite overwhelming! I’m glad the hacker tracker app exists to help you keep track, but planning the talks I wanted to go too basically took half a day. I completely understand why there are two different kinds of people, the ones who plan and the ones who just go with the flow.
Through the wonders of Line Con and my best attempts at small talk, I managed to make quite a few new friends, which was really nice, and fun exchanging stories and tips for how to survive the con. The Lonely Hackers Club was one I read about before visiting and was a great way to meet other first timers to the con.
The villages themselves are extensive, it was very cool to see so many little niches represented. Below are my favourites:
- Lock picking village – I’m still a terrible picker, but it’s always good fun to give it a try and see all the different new tools which people have developed
- Physical Access – So many fun practical demos showing off how to bypass different doors.
- Embedded Systems – I got to meet LiveOverflow! That was surreal! they had a demo with some old routers which you could connect to a JTAG debugger too and attempt to reverse engineer the firmware which was something I’ve read about for a long time and was very exciting to try first hand.
- Red Team Village – This one definitely lived up to the hype of massive queues. they had three different tracks right next to each other and personally I was surprised by how bad the audio setup was. I thought it was going to be a silent disco style setup where everyone gets headsets and then you can listen to the presenter that you are connected to. Every time I visited InfoSec that’s been a very common setup, however here it was just all three presenters trying to talk the loudest. Did watch a very interesting presentation about kubernetes hacking and also overheard the presentation next to it about open source intelligence gathering.
I’m not going to give a full write up of every talk I went to; since this was my first time visiting DEFCON, much of my time was getting lost in the “energy” of the conference, which I think is a great way to experience it.
The Talk
The talk itself went very well, about 40 attendees turned up to watch. It was very satisfying watching so many people in the audience nod along in agreement when I hit specific points. A huge shoutout to the Malware Village for hosting me and the other speakers!
Slides
GitHub Research Repo
https://github.com/copethomas/defcon-33-domain-fronting
Talk Photos
