For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.

—Jeff Moss

Those are the 105 words that have polarized the hacker community.

DEF CON founder Jeff Moss turned the annual hacker conference on its ear Wednesday night when he asked federal government employees to stay away from this year’s show, which starts Aug. 1 in Las Vegas. Strained by the revelations of surveillance by the National Security Agency and accusations of unwarranted access to Americans’ online activities, Moss decided to ask for a timeout.

The reaction since has been mixed, if not predictable. Some think events such as DEF CON should be open and collaborative, and that includes with the feds, while others find it counterintuitive to include the feds at an event that fosters technology and thinking that leads to secure and private communication and enterprise.

Moss, who is currently ICANN’s chief security officer, told Reuters that it was a tough call for him to make.

“The community is digesting things that the Feds have had a decade to understand and come to terms with,” Moss told the news agency. “A little bit of time and distance can be a healthy thing, especially when emotions are running high.”

Moss told Threatpost that he is in Durban, South Africa for the ICANN 45 meetings and was not available for comment at the time of publication.

The fallout has begun already, however, with two researchers pulling out of DEF CON after Moss’ decision. Kevin Johnson and James Jardine of Secure Ideas were scheduled to deliver a talk on SharePoint security, but instead decided against giving the talk at the show. Johnson saw the post on Wednesday night from Moss and slept on it a night before meeting with Jardine and other colleagues and making their final decision.

“It sat wrong with me,” Johnson said. “My immediate reaction was that I don’t want to be part of this.”

“I had the same reaction,” Jardine said. “I said I don’t want to be part of something disallowing or not bringing certain groups invited in.”

Jardine and Johnson explained their position in a blog post, stating that DEF CON is a neutral ground that encourages open communication regardless of industry.

“We believe the exclusion of the “feds” this year does the exact opposite at a critical time. James and I do not feel that this should be about anti/pro government, but rather a continuation of openness that this event has always encouraged,” Johnson wrote. “We both have much respect for DEF CON and the entire organization and security community. It is with this respect that we are pulling our talk from the DEF CON 21 lineup. We understand that this may cause unfortunate change of plans for some, but feel we have to support our beliefs of cooperative collaboration to improve the state of information security technology.”

Robert Graham, CEO of Errata Security, steered the discussion away from politics and said Moss and DEF CON are simply heading off conflict.

“A highly visible fed presence is likely to trigger conflict with people upset over Snowden-gate. From shouting matches, to physical violence, to ‘hack the fed’, something bad might occur. Or, simply attendees will choose to stay away. Any reasonable conference organizer, be they pro-fed or anti-fed, would want to reduce the likelihood of this conflict,” Graham, a past DEF CON presenter, wrote on his company’s blog. “The easiest way to do this is by reducing the number of feds at DEF CON, by asking them not to come. This is horribly unfair to them, of course, since they aren’t the ones who would be starting these fights. But here’s the thing: it’s not a fed convention but a hacker party. The feds don’t have a right to be there — the hackers do. If bad behaving hackers are going to stir up trouble with innocent feds, it’s still the feds who have to go.”

Nick Selby, another security professional and frequent speaker at industry events, said Moss’ decision is self-defeating. He points out that most hackers understand full well the depths of surveillance by the signals intelligence community.

“The relationship between hackers and feds is symbiotic,” Selby wrote. “To deny this is shortsighted, wrong and panders to a constituency that is irrelevant to our shared goals. It also defies the concept that, ‘Our community operates in the spirit of openness, verified trust, and mutual respect.’”

Black Hat, which precedes DEF CON, features NSA director Gen. Keith B. Alexander as its keynote speaker and several sessions given by employees of government agencies. Black Hat general manager Trey Ford said he would not consider a similar decision to the one made by Moss.

“Black Hat strives to cultivate interaction, innovation, and partnership within the security ecosystem—offense and defense, public and private,” Ford said via email, adding that he hopes Black Hat will move the conversation forward regarding the revelations of NSA surveillance of Americans.

“I think the Prism announcement got more attention than prior leaks to the general population, but we in InfoSec have no excuse for acting like we didn’t know this was possible or happening. (it is done inside companies every day),” Ford said. “Privacy is a very real concern for both the security and intelligence communities and we look forward to encouraging conversations about this very topic onsite. Everyone that comes to Black Hat is serious about security, has a professional level of interest, and is here to engage and improve that conversation.”

Alexander, meanwhile, is still scheduled to deliver his keynote and Ford would not comment on a contingency plan should he pull out, nor did he have specifics on what the general will be speaking about.

“General Alexander faces hard decisions about where privacy and security cross, a way of thinking that the security community is also very familiar with,” Ford said. “I am hoping we get a glimpse into his world and thinking.”

Meanwhile, Johnson said he and Jardine did not make their decision to pull out of DEF CON lightly and their intention is not to have others follow suit.

“[Moss’] decision seems really opposite of what DEF CON stands for. From the reaction of some people, I find it hypocritical where some are saying that [the hacker community’s] idea of openness doesn’t involve the feds. I think that’s naïve,” Johnson said. “Openness has to involve everybody. People have been overwhelmed by political issues and the outing of spying and surveillance. They’re letting their feelings toward that overshadow what the DEF CON message has always been which is to get together, break stuff and learn together.”

Johnson and Jardine said they will still release a paper on their talk which covers an overarching plan for assessing SharePoint installations, including a tool they will release as open source, and guidelines for SharePoint assessments for pen-testers and internal teams to help them understand risks associated with the Microsoft collaboration platform.

*DEF CON image via leduardo‘s Flickr photostream, Creative Commons


Comments (12)

  1. Dee
    1

    Actually, I think that the Dark Tangent made the best call he could, in light of the recent revelations regarding the endeavors of the US/UK government to snoop on all their citizens and those of many other nations.
    It saddens me that Johnson and Jardine have taken the stance that they have, however, guys? You won’t be missed at DefCon.
    My experience of my community is such that at the core, we are fiercely supportive of each other. We love to share our gifts with each other, and with others who may be like minded. However, at the moment, it’s as if the hunch we had that our spouse has been cheating on us has been validated with video and audio. Many of us are hurt, many of us are angry. As DT stated in his post, we need time to process these revelations, the better to be able to address them appropriately moving forward.
    So, Mr. Johnson and Mr. Jardine? Have a great time NOT being in Vegas for DefCon 21.

    • Anonymouse
      2

      Well said. It does not change a thing.
      The feds will show up anyhow. They always do.

  2. Nope
    4

    If I had been inviting someone over to my house for decades, and then found out that they’d spent the past ten years going through my drawers and copying all my documents, I’d not invite them back.

    Of course, with the NSA, they’ll still come anyway, which just makes them look even creepier.

    • Herb
      5

      And despite all the news reports over the past 10 years that they were going through your drawers and copying all your documents, it took Snowden’s leak for you to realize it?

  3. PrintedMoney
    6

    “neutral ground that encourage open communication regardless of industry”

    The problem with this statement is that the government is not an industry…they are anti-industry and anti-freedom. We should be excluding this government from everything since it has become an empire fueled by debt and printed money with its tentacles wrapped around nearly everything. We are being strangled in nearly every way possible and it keeps growing like a cancer.

  4. Bob
    7

    Why is there so much concern over NSA activities of late? They have been doing almost all of those things for years and years and years. Big deal.

  5. John
    8

    The participants at this conference are some of the smartest people in the world. To think any one of them is surprised or mad about these revelations is ludicrous. The feds should and will be there. It’s a shame they can’t be there openly.

  6. Ben Dover
    9

    What’s the difference? If the feds want to attend, they will. They can just put on those fake eyeglasses, nose and mustache disguise.

  7. MannyC
    10

    I’m not a “hacker” and just enjoyed the conversation on these posts-to now. It appears to me everyone is just acting like whiney pre-teens that have been having sleep-overs and pajama parties for years and now hurt because one of your BFF’s was found to be filtering information from all sources in order to catch the bads from the other side of the tracks, so to speak. Hilarious!

  8. sowhat
    11

    not to worry, with the sequester most folks are not allowed to spend money on conferences anyway.

  9. Mark Edgar
    12

    If everyone encrypts as standard default using high end AES then they will not be able to spy.
    They will not as they profit from this information you have and own.
    Simple ban Google!
    DuckDuckGo.com might be an idea!
