Paranoid Penguin - DEFCON: One Penguin's Annual Odyssey

Thousands of hackers in the same Las Vegas hotel? Sounds like a party to Mick!
A Couple Dissonances

Maybe because DEFCON invites such high expectations, a few things bothered me. Some are peculiar to DEFCON; others probably are characteristic of hacker culture as a whole. Either way, these observations are offered in a wholly constructive spirit. Nothing worthwhile is worth being complacent about.

The thing that bothered me most consistently about DEFCON this year was the behavior and attitude of many (emphatically not all) of the “red shirt goons”. In case you're unfamiliar with them, all members of DEFCON's volunteer staff are called goons, whether they're serving as actual physical-security goons like the red shirts, manning the information desk or running the massive DEFCON LAN infrastructure. All goons have T-shirts proclaiming their DEFCON goon status, but only the physical security crew's shirts are red.

I'm privileged to call many of these goons friends. In fact, it was the “original goon”, Conal Garrity, who first urged me to give DEFCON a try many years ago. I've seen my goon friends work incredibly long hours with little sleep, irregular meals and little else in the way of extrinsic rewards for their efforts. They're an amazing group of people.

So maybe I was disproportionately bothered by seeing a small number of the red shirts being disrespectful to the point of being counterproductive, in their efforts to manage the large crowds that attended DEFCON 17. At various times I saw some of these guys yelling at attendees, calling them names, insulting their intelligence and making vague threats (though their preferred punishment seemed to be “more yelling”).

One prominent goon even interrupted a presentation I was enjoying to harangue the crowd because there had been an incident concerning one person trying to bungee jump off the hotel's roof and another involving someone with a concealed handgun on the casino floor. The only problem was I'm pretty sure none of the hundreds of people who had up until this point been respectfully listening to Sam Bowne's talk had even heard of these incidents, let alone contributed to them in any way. I understand the goon was frustrated and stressed, but he took it out on the wrong people.

The crowds I saw at DEFCON this year were certainly large, but not unruly nor even particularly uncooperative. Certain goon antics seemed disproportionate. When I described some of them to a nonhacker friend later, his reaction was “sounds like Barney Fife syndrome”. I had to reluctantly agree that yes, it did seem as though authority had gotten to some of these guys' heads just a tiny bit.

Another thing that occasionally struck me was the paradox of DEFCON elitism. On the one hand, in many ways DEFCON represents one of the most inclusive, accepting and open atmospheres I experience in any context. Everybody is welcome: hackers, cops, feds, nerds, script kiddies, lawyers, teachers, students, reporters—even vendors. Boundaries of race, nationality, socioeconomics, creed or sartorial style generally do not apply at DEFCON.

And yet, there's definitely an in-crowd. DEFCON parties abound, which are, as with parties the world over, frequently about who is not invited as much as who is. This shows up in all sorts of contexts, including the speaking schedule itself, but it's subtle, and over the years I've had trouble putting my finger on the real shape, extent and nature of DEFCON elitism. To talk of elitism at such an essentially inclusive event as DEFCON really is a bit of a paradox.

Obviously nepotism figures into practically any human endeavor, so maybe it's no big mystery. But I've observed that many if not most of those who seem to be in the DEFCON in-crowd are more oriented toward attacking things than defending them. I suppose this isn't very surprising, given the way DEFCON markets itself—one of the official DEFCON T-shirts this year featured the slogan “hack everything!”

Why wouldn't a hacker conference concern itself primarily with new attack techniques? After all, as I've just described, much of the content that made the biggest impression on me this year involved attacks. Exposure to new attacks and vulnerabilities provides valuable insights to those of us who defend networks and systems for a living.

So, I don't mean to suggest DEFCON should set some sort of quota on attack-oriented material. However, I do think it's a shame that there's less of a focus on defense at DEFCON nowadays than there used to be. For example, both times I presented at DEFCON (in 2002 and 2003), my talk was included in the “Defense” track—a track that was phased out years ago. Maybe it's time to bring it back. Maybe more people need to submit DEFCON proposals involving compelling, cutting-edge defensive techniques.

And maybe, if we hackers want the world to give us more credit for the constructive things we do, and if we want people ever to accept the broader definition of hacker as creative problem solver, we need to do a little more to avoid giving the impression that we're almost exclusively creative problem makers.

So perhaps I'm less worried about nepotism per se—which in one form or another is inevitable in anything that relies so heavily on volunteers—than I am about its particular effects and ramifications. DEFCON simply needs more defense-oriented people it its in crowd. And I'm prepared to serve in that capacity myself, even if that means having to present at DEFCON year after year in multiple tracks, schmooze at all hours with prominent feds and attractive celebrity lawyers and accept one free beer after another at crowded, hot parties. You know where to find me, guys!

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix