Thoughts from Defcon 27 – This is why I do what I do

Defcon is the one of the oldest and largest continually running hacker conventions, started by The Dark Tangent. According to their own FAQ, Defcon started as a party for members of “Platinum Net,” a Fido protocol-based hacking network out of Canada. Fido was one of the protocols used to store and forward information before the Internet was pervasive and popular. People used it to create ad-hoc networks that stored and forwarded files and messages across the world.

Back in the late 1980s and early ’90s, the phone company did not offer unlimited service. They charged significant amounts of money to make long distance calls. Many of the kids who grew up on Commodores, Apples, Amigas, Spectrums and PCs traded cracked/pirated games (warez), traded demos, chatted, and wanted to explore.

A number of groups came together to find weaknesses in the phone system, Alliance Teleconferencing, payphones, the nascent wide-area networks such as TYMNET and PC Pursuit, and corporate phone systems so that they could avoid having to pay for these long-distance services. This was called phone phreaking and was part of the hacker scene.

Many of these networks and their brethren – especially the main one, FIDONet, before the Internet – relied on phreakers to help facilitate cheap or free communication. Maintaining store and forward networks to relay messages, warez and files cost a lot of money at slow baud rates.

This extended to hacking, where numerous people got a hold of accounts on university or corporate systems that had Internet, TYMNET, Telenet or PC Pursuit connections, and extended the scene to Internet Relay Chat (IRC), proprietary chat systems, File Transfer Protocol (FTP) sites and Internet or network BBSes. Outdials, which were connections from these systems to standard telephone modems to allow for free long-distance modem calls, were critical for college students that wanted to call BBS systems at home.

The scene members got together regularly at parties and meetings. Diversi-dial (DDial) had at least one national convention. There was HoHoCon in the Winter, PumpCon (which still exists) in the autumn in Philadelphia, and SummerCon in the summer. There were numerous others, including the 2600 meetings, which still occur the first Friday of every month. The demo scene groups still have meetings in the US and Europe. Even the people that met about their Commodores have their choice of multiple Vintage Computer Federation events.

Defcon was chosen as the name because of two factors, which were that The Dark Tangent didn’t want an association with a particular time of year, and because the convention was taking place in Vegas, which was the nuke target in the movie War Games. The name stuck, and so did the ethos.

It continues the tradition of the old computer and hacker conferences, such as the old Trenton Computer Festival (TCF), which have since either stopped operating or drastically changed. It is built around people who love to explore, share knowledge, and learn about security and computing. While the Internet has changed the world around us, it hasn’t altered inquiring minds or researchers. This is the closest you will get to the original conferences that we or our parents/relatives attended at the dawn of computing.

Long-time fan, first-time speaker

I had always been in awe of Defcon. Out of all of the conferences out there, this is the one that was always considered the biggest and best. I had never found the time to attend before and had always put it off “one more year” due to the amount of work I have. Additionally, I always felt like I wasn’t good enough to attend.

Until I spent several years in my role, I thought I was nothing more than someone who made a bad first impression and was lesser than my peers. I never thought that I was considered an equal in the security community. I started spending a lot of time documenting everything I did and presenting at local conferences. It took me a few years before I was presenting at larger ones like HIMSS. I put in a proposal to the Recon Village based on a tweet and didn’t expect a follow-up. The acceptance came as a complete surprise because of that, and especially after my Black Hat proposal was turned down.

I had less than a month to put together a good presentation on the use of Open Source Intelligence and Reconnaissance in Healthcare Information Security that would cover what security practitioners needed to know to implement it in their own programs. My goal when creating presentations is to give one that someone can print out and use in their daily work life, not just look at for 40 minutes and walk away with nothing. I wanted to give the audience a reflection of what I have learned in eleven years in this position. I took everything I learned about management behavior, risk, and management tendencies to not truly address it for fear of looking bad and created something useful out of it. There’s a lot that security professionals do not know, especially in healthcare, about how management and organizational structures can either help or harm security. It took me the better portion of a month working off and on to get this done right. Based on audience feedback, I think it went well.

Networking par excellence

The other great part of going to Defcon is the networking. People are incredibly friendly and willing to talk. I was able to meet a lot of great security researchers and discuss work that we were doing. I was also able to discuss some research I submitted to HIMSS and RSA as proposals. The true value in these conferences besides the educational programming is commiserating with your peers to learn and share more from them. You never know who is going to attend. Several of my peers and prior collaborators from other security events were there.

Why I do it

I present and give information out because very few others did this for me, or people like me. I experienced gatekeeping for years, especially in school and work. I hated being made to feel like complete garbage about myself so someone could feel better about themselves for doing so. I wanted to help others not have to deal with pretentious people or that level of arrogance. I prefer to share with my peers and with people who really want to learn.

I do this because there are a lot of security professionals who don’t get the information, they need to do their job that matters from their organization. Many didn’t take the normal career path to get where they are, as it’s a new profession. Very few programs teach what really goes on with organizations. It took 2 Master’s degree programs to cover structural theory, human resources, strategic management, ethics, and leadership in the way that I needed to deal with the demands of being in this position. It took me teaching to realize how little I knew after that. My goal is to empower and educate others to give back, and to blunt the effects of the so-called gatekeepers.

This is reminiscent of the original programmers back in the 1970’s. These people got together and taught each other, released information, and were sharing years before Richard Stallman and the GNU Manifesto. The most famous group was the Homebrew Computer Club, which counted Steve Jobs and Steve Wozniak (Woz) as members. When you bought an Apple (or Commodore 64), you could get the schematics and internals. The great programmers on these platforms came from all over the place. The great ones like Woz shared. This is how many of the people at the top of the industry learned. There weren’t Computer Science programs churning out ready-made app developers. You learned from others who shared. You went to large events like the Trenton Computer Festival, the Homebrew Computer Club, your local users’ group, or local meetups. This is how we started.

What I learned

I learned that the best conference is the one where people share the most and do so because they want to. I appreciate the effort that the Defcon team puts on quality and addressing security issues. I really like speaking at BSides, CircleCityCon, local ISSA chapters, and HIMSS because I get a chance to interact with the audience and my peers. Defcon had many of the same types of people. People who had knowledge there shared it. I had people encouraging their followers to see my presentation on Twitter (thanks Sherrod!). I was able to have conversations about security with numerous people who were willing to give their time.

Defcon gets a bad rap from some because of the bad actors, which unfortunately permeate both society and security conferences. However, the people that are there want to be there. The volunteers that put this together are also dedicated and should be appreciated more. The challenges are elaborate, thoughtful, and designed by people who want to one-up themselves every year to give an incredible experience.

This is what we need to see more of in the security industry. We need more sharing, and more of a community that follows in the footsteps of our forebears. While we do understand the need to market and sell products, we should be using conferences as an opportunity for great educational content and two-way dialogues with the speakers, audience, ad peers. Knowing risks and needs well is the best sales tool.

Defcon, while being very respectful of the past, has also inspired a number of other conferences. BSides, Diana Initiative, and the local Defcon groups all carry its message forth and are educating a new generation. I appreciate that they carry on the messages of the Homebrew Computer Club and the other events and groups that came before.

That being said, I’m going to try and work on a great presentation for the main stage next year. I’ve already asked two people about a panel discussion.

Thank you to all the volunteers, speakers and goons who took their time to put together a great conference!