Rethinking DEFCON

For nearly two decades, the DEFCON hacking conference has brought together people with an interest in investigating technology and cracking security. In recent years, however, DEFCON has suffered significant growing pains. Getting between sessions meant pushing through crowds reminiscent of major crossroads in Tokyo. Entering an almost-completed session to get a jump on the next was not allowed, so people lined up in the hallways, further clogging the byways. And, the smaller sessions — such as the lockpicking village — failed to offer a sanctuary from the crowds and were routinely packed as well. While attendees were always destined to miss the majority of the happenings at the conference, DEFCON increasingly seems to be more about moving from location to location, and less about all of the learning in between.

Rob LemosFor nearly two decades, the DEFCON hacking conference has brought together people with an interest in investigating technology and cracking security. In recent years, however, DEFCON has suffered significant growing pains. Getting between sessions meant pushing through crowds reminiscent of major crossroads in Tokyo. Entering an almost-completed session to get a jump on the next was not allowed, so people lined up in the hallways, further clogging the byways. And, the smaller sessions — such as the lockpicking village — failed to offer a sanctuary from the crowds and were routinely packed as well. While attendees were always destined to miss the majority of the happenings at the conference, DEFCON increasingly seems to be more about moving from location to location, and less about all of the learning in between.

Take, for example, this year’s popular talk by Moxie Marlinspike on the problems with the current secure-sockets-layer infrastructure. The red-shirted Goons — their official title — kept the line orderly, but it still took 25 minutes to get into the presentation’s venue, the Penn and Teller Theater, which seats 1,500. Between talks, the central hub and hallways were packed.

While attendance isn’t clear, the conference’s stock of 10,000 badges sold out early on Friday, according to DEFCON officials. The replacement badges, made of laminated paper, were readily evident, suggesting attendance numbers significantly higher than, and at least double, the 6,000 people that attended in 2003.

Founder Jeff Moss has tried various tactics over the years to mitigate the problems, but with little effect on the sheer number of people and the growth in attendance. Last year, the same problems existed, but the crowds and the bottlenecks at the Riveria could easily be blamed on the inability of the hotel’s layout to absorb the attendees.

The shift to the Rio Casino and Hotel solved many of the bottlenecks in the hallways, but underscored that the ultimate problem is not with the venue, but with the success of the show. This year, the hotel handled the crowds fairly well, but there were still problems: Watching back-to-back sessions at different venues was nearly impossible, and the size of the show meant that networking with others happened away from the Rio.

The future of an overtaxed DEFCON may reflect the failure of another show: Comdex, a Las Vegas conference that symbolized the era of the personal computer. While DEFCON has avoided many of the issues that plagued that show, they both have been troubled by their own success.

In the late 90s, massive growth hit Comdex. Originally, a meetup between vendors and manufacturers started in 1979, Comdex grew quickly as the dot-com boom took off. While the conference was considered a must-attend event for computer technology companies, the inflated prices for floor space and hotel rooms left executives disliking the necessary pilgrimage to technology’s Mecca.

In 2000, IBM canceled it’s booth at the show, others followed in a steady decline for the conference. In 2004, the conference took a hiatus, which became permanent. Today, more specialized conferences have taken the place of Comdex: the Consumer Electronics Show (CES), for example, has become the place to announce new consumer products.

DEFCON does not seem to have the organizational problems of Comdex, but success can cause its own issues. Like Comdex, DEFCON may have grown too big to serve hackers and tinkerers like it once did. Instead, for the attendees, the regional hacker conferences — such as CanSecWest, ToorCon, and ShmooCon, with attendance of high hundreds and low thousands — are a much better way to exchange information.

Will DEFCON go the way of Comdex? Not likely, and in any event, not immediately. Comdex’s fall came a few years after the burst of the dot-com bubble. The security industry and the hacker scene that fuels it is undergoing a boom, even amidst an economic downturn.

Yet, for all its promise, rethinking DEFCON may be necessary.

Suggested articles