For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.
When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.
This will give everybody time to think about how we got here, and what comes next.
—Jeff Moss
Those are the 105 words that have polarized the hacker community.
DEF CON founder Jeff Moss turned the annual hacker conference on its ear Wednesday night when he asked federal government employees to stay away from this year’s show, which starts Aug.1 in Las Vegas. Strained by the revelations of surveillance by the National Security Agency and accusations of unwarranted access to Americans’ online activities, Moss decided to ask for a timeout.
The reaction since has been mixed, if not predictable. Some think events such as DEF CON should be open and collaborative, and that includes with the feds, while others find it counterintuitive to include the feds at an event that fosters technology and thinking that leads to secure and private communication and enterprise.
Moss, who is currently ICANN’s chief security officer, told Reuters that it was a tough call for him to make.
“The community is digesting things that the Feds have had a decade to understand and come to terms with,” Moss told the news agency. “A little bit of time and distance can be a healthy thing, especially when emotions are running high.”
Moss told Threatpost that he is in Durban, South Africa for the ICANN 45 meetings and was not available for comment at the time of publication.
The fallout has begun already, however, with two researchers pulling out of DEF CON after Moss’ decision. Kevin Johnson and James Jardine of Secure Ideas were scheduled to deliver a talk on SharePoint security, but instead decided against giving the talk at the show. Johnson saw the post on Wednesday night from Moss and slept on it a night before meeting with Jardine and other colleagues and making their final decision.
“It sat wrong with me,” Johnson said. “My immediate reaction was that I don’t want to be part of this.”
“I had the same reaction,” Jardine said. “I said I don’t want to be part of something disallowing or not bringing certain groups invited in.”
Jardine and Johnson explained their position in a blogpost, stating that DEF CON is a neutral ground that encourage open communication regardless of industry.
“We believe the exclusion of the “feds” this year does the exact opposite at a critical time. James and I do not feel that this should be about anti/pro government, but rather a continuation of openness that this event has always encouraged,” Johnson wrote. “We both have much respect for DEF CON and the entire organization and security community. It is with this respect that we are pulling our talk from the DEF CON 21 lineup. We understand that this may cause unfortunate change of plans for some, but feel we have to support our beliefs of cooperative collaboration to improve the state of information security technology.”
Robert Graham, CEO of Errata Security, steered the discussion away from politics and said Moss and DEF CON are simply heading off conflict.
“A highly visible fed presence is likely to trigger conflict with people upset over Snowden-gate. From shouting matches, to physical violence, to ‘hack the fed’, something bad might occur. Or, simply attendees will choose to stay away. Any reasonable conference organizer, be they pro-fed or anti-fed, would want to reduce the likelihood of this conflict,” Graham, a past DEF CON presenter, wrote on his company’s blog. “The easiest way to do this is by reducing the number of feds at DEF CON, by asking them not to come. This is horribly unfair to them, of course, since they aren’t the ones who would be starting these fights. But here’s the thing: it’s not a fed convention but a hacker party. The feds don’t have a right to be there — the hackers do. If bad behaving hackers are going to stir up trouble with innocent feds, it’s still the feds who have to go.”
Nick Selby, another security professional and frequent speaker at industry events, said Moss’ decision is self-defeating. He points out that most hackers understand full well the depths of surveillance by the signals intelligence community.
“The relationship between hackers and feds is symbiotic,” Selby wrote. “To deny this is shortsighted, wrong and panders to a constituency that is irrelevant to our shared goals. It also defies the concept that, ‘Our community operates in the spirit of openness, verified trust, and mutual respect.'”
Black Hat, which precedes DEF CON, features NSA director Gen. Keith B. Alexander as its keynote speaker and several sessions given by employees of government agencies. Black Hat general manager Trey Ford said he would not consider a similar decision to the one made by Moss.
“Black Hat strives to cultivate interaction, innovation, and partnership within the security ecosystem—offense and defense, public and private,” Ford said via email, adding that he hopes Black Hat will move the conversation forward regarding the revelations of NSA surveillance of Americans.
“I think the Prism announcement got more attention than prior leaks to the general population, but we in InfoSec have no excuse for acting like we didn’t know this was possible or happening. (it is done inside companies every day),” Ford said. “Privacy is a very real concern for both the security and intelligence communities and we look forward to encouraging conversations about this very topic onsite. Everyone that comes to Black Hat is serious about security, has a professional level of interest, and is here to engage and improve that conversation.”
Alexander, meanwhile, is still scheduled to deliver his keynote and Ford would not comment on a contingency plan should he pull out, nor did he have specifics on what the general will be speaking about.
“General Alexander faces hard decisions about where privacy and security cross, a way of thinking that the security community is also very familiar with,” Ford said. “I am hoping we get a glimpse into his world and thinking.”
Meanwhile, Johnson said he and Jardine did not make their decision to pull out of DEF CON lightly and their intention is not to have others follow suit.
“[Moss’] decision seems really opposite of what DEF CON stands for. From the reaction of some people, I find it hypocritical where some are saying that [the hacker community’s] idea of openness doesn’t involve the feds. I think that’s naïve,” Johnson said. “Openness has to involve everybody. People have been overwhelmed by political issues and the outing of spying and surveillance. They’re letting their feelings toward that overshadow what the DEF CON message has always been which is to get together, break stuff and learn together.”
Johnson and Jardine said they will still release a paper on their talk which covers an overarching plan for assessing SharePoint installations, including a tool they will release as open source, and guidelines for SharePoint assessments for pen-testers and internal teams to help them understand risks associated with the Microsoft collaboration platform.
*DEF CON image via leduardo‘s Flickr photostream, Creative Commons