Paranoid Penguin - DEFCON: One Penguin's Annual Odyssey

Thousands of hackers in the same Las Vegas hotel? Sounds like a party to Mick!
A Couple Dissonances

Maybe because DEFCON invites such high expectations, a few things bothered me. Some are peculiar to DEFCON; others probably are characteristic of hacker culture as a whole. Either way, these observations are offered in a wholly constructive spirit. Nothing worthwhile is worth being complacent about.

The thing that bothered me most consistently about DEFCON this year was the behavior and attitude of many (emphatically not all) of the “red shirt goons”. In case you're unfamiliar with them, all members of DEFCON's volunteer staff are called goons, whether they're serving as actual physical-security goons like the red shirts, manning the information desk or running the massive DEFCON LAN infrastructure. All goons have T-shirts proclaiming their DEFCON goon status, but only the physical security crew's shirts are red.

I'm privileged to call many of these goons friends. In fact, it was the “original goon”, Conal Garrity, who first urged me to give DEFCON a try many years ago. I've seen my goon friends work incredibly long hours with little sleep, irregular meals and little else in the way of extrinsic rewards for their efforts. They're an amazing group of people.

So maybe I was disproportionately bothered by seeing a small number of the red shirts being disrespectful to the point of being counterproductive, in their efforts to manage the large crowds that attended DEFCON 17. At various times I saw some of these guys yelling at attendees, calling them names, insulting their intelligence and making vague threats (though their preferred punishment seemed to be “more yelling”).

One prominent goon even interrupted a presentation I was enjoying to harangue the crowd because there had been an incident concerning one person trying to bungee jump off the hotel's roof and another involving someone with a concealed handgun on the casino floor. The only problem was I'm pretty sure none of the hundreds of people who had up until this point been respectfully listening to Sam Bowne's talk had even heard of these incidents, let alone contributed to them in any way. I understand the goon was frustrated and stressed, but he took it out on the wrong people.

The crowds I saw at DEFCON this year were certainly large, but not unruly nor even particularly uncooperative. Certain goon antics seemed disproportionate. When I described some of them to a nonhacker friend later, his reaction was “sounds like Barney Fife syndrome”. I had to reluctantly agree that yes, it did seem as though authority had gotten to some of these guys' heads just a tiny bit.

Another thing that occasionally struck me was the paradox of DEFCON elitism. On the one hand, in many ways DEFCON represents one of the most inclusive, accepting and open atmospheres I experience in any context. Everybody is welcome: hackers, cops, feds, nerds, script kiddies, lawyers, teachers, students, reporters—even vendors. Boundaries of race, nationality, socioeconomics, creed or sartorial style generally do not apply at DEFCON.

And yet, there's definitely an in-crowd. DEFCON parties abound, which are, as with parties the world over, frequently about who is not invited as much as who is. This shows up in all sorts of contexts, including the speaking schedule itself, but it's subtle, and over the years I've had trouble putting my finger on the real shape, extent and nature of DEFCON elitism. To talk of elitism at such an essentially inclusive event as DEFCON really is a bit of a paradox.

Obviously nepotism figures into practically any human endeavor, so maybe it's no big mystery. But I've observed that many if not most of those who seem to be in the DEFCON in-crowd are more oriented toward attacking things than defending them. I suppose this isn't very surprising, given the way DEFCON markets itself—one of the official DEFCON T-shirts this year featured the slogan “hack everything!”

Why wouldn't a hacker conference concern itself primarily with new attack techniques? After all, as I've just described, much of the content that made the biggest impression on me this year involved attacks. Exposure to new attacks and vulnerabilities provides valuable insights to those of us who defend networks and systems for a living.

So, I don't mean to suggest DEFCON should set some sort of quota on attack-oriented material. However, I do think it's a shame that there's less of a focus on defense at DEFCON nowadays than there used to be. For example, both times I presented at DEFCON (in 2002 and 2003), my talk was included in the “Defense” track—a track that was phased out years ago. Maybe it's time to bring it back. Maybe more people need to submit DEFCON proposals involving compelling, cutting-edge defensive techniques.

And maybe, if we hackers want the world to give us more credit for the constructive things we do, and if we want people ever to accept the broader definition of hacker as creative problem solver, we need to do a little more to avoid giving the impression that we're almost exclusively creative problem makers.

So perhaps I'm less worried about nepotism per se—which in one form or another is inevitable in anything that relies so heavily on volunteers—than I am about its particular effects and ramifications. DEFCON simply needs more defense-oriented people in its in-crowd. And I'm prepared to serve in that capacity myself, even if that means having to present at DEFCON year after year in multiple tracks, schmooze at all hours with prominent feds and attractive celebrity lawyers and accept one free beer after another at crowded, hot parties. You know where to find me, guys!
