The Magic is in the Mix

by rthieme on September 1, 2000

SEPTEMBER 2000/NEWS&VIEWS

Information Security Magazine

BY RICHARD THIEME

NEWS

Nearly 6,000 multi-generational hackers, crackers, corporate security gurus, intelligence officers, journalists, corporate recruiters, federal officials and scene junkies flocked to Las Vegas in late July for two security conferences: the 8th Annual Def Con, held at the Alexis Park Hotel, and the Black Hat Briefings, a more mainstream security conference held two days before Def Con at Caesars Palace.

VIEWS

My, how time flies.

Eight years ago, 100 computer hackers who had previously connected only in cyberspace–mostly through bulletin boards–decided to meet in Las Vegas. Why Las Vegas? “It’s the only city that builds hotels faster than we can use them up,” said one.

The con took root and began to grow. And grow. And grow. Founded and led by Jeff Moss (a.k.a. Dark Tangent), Def Con then began sponsoring the Black Hat Briefings, now in its fourth year. Originally conceived as a forum for security experts presented by elite hackers, Black Hat has grown from 350 to more than 1,500 attendees. Black Hat also offers annual conferences in Amsterdam and Hong Kong and is adding specialized seminars like Security for Windows 2000. Moss recently left his job at Secure Computing’s consulting division to devote himself full time to growing Black Hat/Def Con (BH/DC).

Eight years after its modest beginnings, the magic of BH/DC is in the mix. While some mourn the loss of the old days–when Def Con more closely resembled hacker-only cons like Pump Con, Summer Con and Cuervo Con–Moss always intended Def Con as a bridge that would include many “straight” government and corporate computer security types. He saw that real security was created through collaborative conversation. Def Con’s opening session, a “Federal Panel” that included such speakers as Art Money, Asst. Secretary of Defense, testifies to the success of Moss’s effort to transform the con. Still, it’s not by chance that Moss added Black Hat to the mix four years ago. It is much more profitable than Def Con, whose dirt-cheap admission prices attract a lot of Gen-Xers who couldn’t afford the pricier Black Hat.

In contrast to H2K, a hacker gathering held earlier this summer in New York, which seemed to many like a cyberWoodstock reunion, BH/DC has grown with the times. Moss now has multiyear contracts with hotels, and the “Def Con goons”–volunteers who serve as support staff–are now joined by professional convention organizers.

Of course, other computer security conferences have also evolved, including SANS, CSI, Usenix, TISC, MIS’s Infosec World and various vendor-sponsored conventions, such as the RSA Data Security Conference. Thanks to the open borders of the Internet, computer security is big business. So how well does Def Con/Black Hat stack up to its more mainstream competitors? Why do so many people come to the burning desert in July when other conferences are available?

Multi-Ring Circus

First, a disclaimer: I have spoken at Def Con for five years and Black Hat for four years. For me, BH/DC is a primary community populated with friends and colleagues. So rather than give my own (admittedly biased) opinion here, I asked others for their evaluations while I was there.

While the sister cons do not get straight A’s from everyone, all agreed that the unique flavor of the multi-ring circus, with its great diversity of resources, and the good-to-high quality of technical presentations make it a “must go” for many.

Vaughn Hendricks, a staff systems integrator at Lockheed Martin Mission Systems, has worked in computing for 35 years and computer security for 20. He limits the conferences he attends to Black Hat/Def Con and CSI.

“Black Hat/Def Con offers a unique opportunity for collaboration between good guys and bad guys,” Hendricks said. “I can listen to premier network security gurus and ex-hackers and discuss vulnerabilities in depth. I’ve been to both for two years, so it’s at the top of my list for gathering information for protecting government resources.”

A senior security engineer who goes by the handle “Noid” seconded Hendricks’s sentiments. “BH/DC has a certain edge that no other mainstream security convention can compete with. When it comes to hacking systems or being on the cutting edge of protecting systems, there’s a certain mindset one must possess, and all of the speakers at BH/DC have it,” said Noid, who works for SecurQuest, an Irvine, Calif.-based security firm. “I’ve been to most mainstream conventions and they’re good at teaching textbook methods of attacking/defending systems, but at BH/DC you get to talk face to face with the person who pioneered the particular attack/defense, which you can’t get anywhere else. I went to SANS this spring, for example, and they taught us all about L0phtcrack and BO2k. It was informative and interesting, but at Def Con I can have a beer with Mudge (author of L0phtcrack) or DilDog (author of Back Orifice 2000) and have my questions answered directly by the authors.”

Drew Fahey, a computer security and investigative specialist for e-fense Inc., added that the BH/DC cons aren’t for everyone, however. “You don’t go for hands-on training,” he said. “You go to meet new people and see who is really ahead in information security. That is not to say you don’t get good information at Usenix or SANS, but you don’t get to meet members of the underground or groups like CDC [Cult of the Dead Cow] at traditional security conferences. You really have to experience it to understand its value.”

Veterans of traditional security conferences may also be uncomfortable, at first, with the nonconformist environment at BH/DC. Though its rebel image has softened over the years, Def Con, in particular, still attracts a large contingent of tattooed, blue-haired teens decked out in black from head to toe. And while the rabble-rousing was kept to a minimum this summer, Def Con still attracts a contingent of attendees who insist on hacking into the PA system, pouring cement into their room toilets and dumping bubble-bath into the Jacuzzi. You’re certain to get none of that at CSI or RSA.

However, most of the attendees I spoke to chalked these incidents up as minor annoyances, preferring to emphasize the other unique aspects of BH/DC. Charles Neal, senior director of cyberterrorism detection and incident response for Exodus Communications, said that “Black Hat brings people closer to the edge of the black and white side of the security knife than other security conferences.” That made it a “valuable experience” for Neal–who is also a recently retired FBI special agent of the L.A. computer crime squad–“in spite of a few speakers with good knowledge but underdeveloped presentation skills.”

Originally appeared in the September 2000 issue of Information Security Magazine (infosecurity.mag.com). Copyright (c) 2000. All rights reserved.
