Announcement

Collapse
No announcement yet.

is DEFCON beoming simply one more INFOSEC con?

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • is DEFCON beoming simply one more INFOSEC con?

    I realize that this thread's title is a bit of a loaded phrase, but there's something i'd like to point out here. I brought a number of new people to DEFCON this past summer. Friends, family of friends, and lots of new TOOOL faces were among those who had their DC cherry popped at the Rio hotel.

    When reflecting on whether they had fun or not (and, in this same vein, whether they will come to DC 20) a common theme kept arising in discussions... "it was really neat to see everything going on, but i'm not into INFOSEC at all and i felt there wasn't much there for me" was a common refrain.

    Naturally, i was as shocked and taken aback as many of you must be while you read that comment. I stood up (as many of you are wishing you could right now) and had to restrain myself from the "DEFCON is what you make of it!" and "you get as much out of DEFCON as you put in... anyone can find fascinating and wonderful activities and talks!" speeches.

    Then, one person and i actually sat down with the DC19 program and looked through it, talk for talk, and even read through the contests and events material, as well.

    I haven't sat down and attended more than one or two talks at DEFCON since perhaps DC9 or DC10 back at the Alexis Park. Aside from the times i'm on a stage, i'm rarely in the talk rooms. So naturally my view is a bit lacking in background. I suspect many of your opinions may be, too.

    Have a look at the DC19 talks. Imagine that you weren't a person who was in information security. What percentage of talks would you say apply to you or even remotely appeal to you?

    Well, just because i couldn't believe it myself, i decided to do the math (more or less, and i realize this is very subjective)

    Here's what we found...


    There were about 125 talks at DEFCON this year (unless i miscounted, and that's meaning actual briefing style talks taking place in the listed track rooms)

    If you weren't at all into INFOSEC, there were a little over a dozen that you might have thoroughly enjoyed. Almost half of these had to do with physical security, by the way.*

    In addition to those lockpicking and tamper evident seals talks, we see broad politically- and socially-aware topics like the Net Neutrality panel, prez talking about Privacy in the Digital Age, Hackerspaces, and the like.

    However, there were a few real gems (at least from the talk summary) that just feel more like "old DEFCON" to me. Top of this list for me was the "Build Your Own Radar" talk. (which i still have to download, so i don't know how it actually went)

    Staying Connected during a Disaster is a cool theme, along with some surveillance talks like the Aeral Hardware and Grenade-Launchable Camera and Airport Security that may have required a higher level of techy interest in the audience but also weren't fully INFOSEC talks.

    * i am absolutely not saying that i or TOOOL deserve any special praise or credit here, by the way. we love that people in this scene enjoy the lock stuff and whatnot, but we do this because we enjoy it. no special recognition is ever deserved, etc.


    There were also a half-dozen speakers who, in my opinion, always deliver solid material that is appealing to everyone. Johnny Long, Jason Scott, Jayson Street, Richard Thieme, and Moxie Marlinspike (with or without Diffie) are delights on stage and i would gladly recommend them to noobs or non-INFOSEC folk (even if that list gets increasingly harder to understand as you progress, if you don't have any background in computers) The EFF panel would likely fall into this category, too.


    Then there were about 15 more talks that, while they were distinctly focused on topics that are of primary relevance to security professionals or INFOSEC workers, they had a broad enough appeal to possibly keep non-computer people entertained for the hour...

    Big Brother Big Screen, Battery Hacking, the Fighting Monsters Panel, the Emergency Data Destruction panel, SpiderLabs Stories of Real Pen Tests, maybe the Trolling talk (whatever that was), BitCoin, the Comedy Jam, Getting Your Message Out (when the gov't shuts down the internet), Cyberpsychology, Security of Online Poker, Steg & Crypto, How to Do Research, Car Hacking, and Deceptive Hacking were probably all talks that i might have sent someone to and which they would have enjoyed with the right attitude if they were trying to enjoy DEFCON, even as a non-computer person.

    So that's less than one-fifth of the total talks at the "worlds largest hacker conference" having even tangential appeal to people outside of the rather specialized sector of the computer world known as INFOSEC.

    I'm not passing judgement here, nor am i saying that the folk who select these talks are doing a bad job. They wade through tons and tons of submissions and pick people who seem competent and interesting and try to balance it all out (and then, lest we forget, they actually cobble it all together into a schedule grid that takes into account all of the contests, games, events, etc!!)

    (Speaking of contests, the official site listed 37 entries under "contests and events" but only about 20 of them were actual competitions where people would actively participate in the hopes of being ranked or winning something. i'd say 10 or so of these were contests where people without computer or crypto skills could play. that's not so bad, in my view, and rather on the money)


    I guess i was just surprised, that's all. When i first started coming to DEFCON i wasn't a security professional. Many of us weren't. A lot of us have taken jobs in this industry and lived it for so long that we no longer even realize the shift that has taken place in the overall theme of the conference. How many of us would have been as able to feel "at home" at DEFCON today if we were our 17-year-old selves showing up for the first time?


    I'm not passing judgement here. And i'm not saying that DEFCON should make a hard turn and try to steer for HOPE or NotACon territory... but you can bet that i absolutely love the off-the-wall "omg i can't believe i built it" nature of many of the speakers at those events. If a few more DEFCON talks came with warnings about causing things to explode or cautioning people to not burn their houses down, would that be a bad thing? If kids today -- who don't get to grow up with the likes of Mr. Wizard -- could witness more inspired DIY tech talks, would that deserve some more support?


    Where do you all come down on this topic? Am i just a grumpy old fart bucking a tide of change that should not (and will not) be stopped? Am i seeing history through some odd-colored glasses and comparing current DEFCONs unfairly to a past which doesn't exist?

    What talks do you get excited about at DEFCON and how should this conference continue into the future without becoming just three more days of Black Hat?
    Last edited by Deviant Ollam; December 2, 2011, 21:32.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor

  • #2
    Re: is DEFCON beoming simply one more INFOSEC con?

    Originally posted by Deviant Ollam View Post
    I realize that this thread's title is a bit of a loaded phrase, but there's something i'd like to point out here.

    I brought a number of new people to DEFCON this past summer. Friends, family of friends, and lots of new TOOOL faces were among those who had their DC cherry popped at the Rio hotel.

    When reflecting on whether they had fun or not (and, in this same vein, whether they will come to DC 20) a common theme kept arising in discussions... "it was really neat to see everything going on, but i'm not into INFOSEC at all and i felt there wasn't much there for me" was a common refrain.

    What was it that they went to DefCon looking for that they didn't find? Did they have unrealistic expectations about what DefCon was and is?

    Naturally, i was as shocked and taken aback as many of you must be while you read that comment. I stood up (as many of you are wishing you could right now) and had to restrain myself from the "DEFCON is what you make of it!" and "you get as much out of DEFCON as you put in...

    anyone can find fascinating and wonderful activities and talks!" speeches.
    You touched on a great point - so did they "put themselves into DefCon" or did they expect DefCon to "come to them"? Below you said "one person and I actually sat down", well what about the rest? I'd like to hear the reaction of the others...


    Then, one person and i actually sat down with the DC19 program and looked through it, talk for talk, and even read through the contests and events material, as well.

    I haven't sat down and attended more than one or two talks at DEFCON since perhaps DC9 or DC10 back at the Alexis Park. Aside from the times i'm on a stage, i'm rarely in the talk rooms. So naturally my view is a bit lacking in background. I suspect many of your opinions may be, too.

    Have a look at the DC19 talks. Imagine that you weren't a person who was in information security. What percentage of talks would you say apply to you or even remotely appeal to you?
    Well, you also need to look at the SkyTalks (which aren't listed on that page).

    Well, just because i couldn't believe it myself, i decided to do the math (more or less, and i realize this is very subjective)

    <Snip that deals with specific talks and subject matters or lack there of>

    So that's less than one-fifth of the total talks at the "worlds largest hacker conference" having even tangential appeal to people outside of the rather specialized sector of the computer world known as INFOSEC.

    I'm not passing judgement here, nor am i saying that the folk who select these talks are doing a bad job. They wade through tons and tons of submissions and pick people who seem competent and interesting and try to balance it all out (and then, lest we forget, they actually cobble it all together into a schedule grid that takes into account all of the contests, games, events, etc!!)

    (Speaking of contests, the official site listed 37 entries under "contests and events" but only about 20 of them were actual competitions where people would actively participate in the hopes of being ranked or winning something. i'd say 10 or so of these were contests where people without computer or crypto skills could play. that's not so bad, in my view, and rather on the money)
    I still think that the Scavenger Hunt is one of the best competitions for a n00b to do at DefCon... Yes, it does take up a significant amount of time, but in as far as getting them involved with DefCon, I think it's tops.

    I guess i was just surprised, that's all. When i first started coming to DEFCON i wasn't a security professional. Many of us weren't. A lot of us have taken jobs in this industry and lived it for so long that we no longer even realize the shift that has taken place in the overall theme of the conference. How many of us would have been as able to feel "at home" at DEFCON today if we were our 17-year-old selves showing up for the first time?
    You probably also started attending DefCon when it was much "younger". DefCon is turning 20 this year, and I really think the types of talks have changed over time in reflection to the age/place in life of many of the core attendees (but I'll talk about this more at the bottom).

    I'm not passing judgement here. And i'm not saying that DEFCON should make a hard turn and try to steer for HOPE or NotACon territory... but you can bet that i absolutely love the off-the-wall "omg i can't believe i built it" nature of many of the speakers at those events.
    One of the things I'm glad that DefCon has primarily stayed away from, (that you can find a lot more of at HOPE) is the Targeted Politics.

    DefCon seems (at least to me) to be a lot more about the "tech" than the whole politic scene (which is a good thing).

    If a few more DEFCON talks came with warnings about causing things to explode or cautioning people to not burn their houses down, would that be a bad thing? If kids today -- who don't get to grow up with the likes of Mr. Wizard -- could witness more inspired DIY tech talks, would that deserve some more support?
    You're right, now they don't grow up with Mr. Wizard or Dr. Fad or any of that type of thing. Now they have the internet. Now they have a plethora of websites and youtube videos/channels that specifically focus on those topics.

    Where do you all come down on this topic? Am i just a grumpy old fart bucking a tide of change that should not (and will not) be stopped? Am i seeing history through some odd-colored glasses and comparing current DEFCONs unfairly to a past which doesn't exist?
    No, but in certain regards, you are comparing two different events. DefCon IX in many aspects was an entirely different event than DefCon XIX.

    What talks do you get excited about at DEFCON and how should this conference continue into the future without becoming just three four more days of Black Hat?
    Some people do view DefCon as Blackhat on the cheap. Good or bad, I have heard that phrase thrown around a few times.

    In certain regards, I think DefCon was definitely ahead of it's time. One of those area's was the "n00b" track, a number of years ago. People didn't want to go to the newbie track back then, because they were worried about being labeled a "n00b". It's a shame, because I think there is an actual need for it. Whether people would still be afraid of being called a n00b or not, I don't know... I tend to think it doesn't have as great of a stigma as it did at early DefCon's, but I have been wrong before. There's a lot of things you could do with a n00b track/events, but that would probably take this conversation off on an entirely different tangent. If this thread starts heading in that direction, I'll share my thoughts then, but I'm not going to "derail the thread" in the second post.

    But I digress...

    What a lot of this all boils down to is: DefCon can/will never be everything to everyone unless those people who want something different step up to make it happen.
    And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.

    Comment


    • #3
      Re: is DEFCON beoming simply one more INFOSEC con?

      Dev's post reminded me to post my own post-con essay about the problems with Defcon.

      The thread and essay are up at https://forum.defcon.org/showthread....696#post123696

      Short version: I agree with Deviant.
      Never drink anything larger than your head!





      Comment


      • #4
        Re: is DEFCON beoming simply one more INFOSEC con?

        This is all good feedback, all i have to say is "we're working on it". This year we plan to revamp our CFP Review process and bring in new names and faces to the people who review our submissions, and we plan to make those names a matter of public record as well. We hope to add a diverse group of people/experiences and many names will be WELL Recognized on these forums. Thank you

        Funny, last year people were yelling at me that things weren't tech enough and they were tired of seeing ____X____Hacking talks. You'd think I threw a live grenade in the room mentioning food hacking or booby traps.
        "Haters, gonna hate"

        Comment


        • #5
          Re: is DEFCON beoming simply one more INFOSEC con?

          What makes Defcon great to me: I saw Dan Kaminsky, Kevin Mitnick, and Jeff Moss, all off stage and out of their known roles, and they were learning things from others -- listening, conversing, and loving it.

          Try that with some of the holier than thou types. Defcon is an experience that cannot be put into words.

          Comment


          • #6
            Re: is DEFCON beoming simply one more INFOSEC con?

            Originally posted by Deviant Ollam View Post
            "it was really neat to see everything going on, but i'm not into INFOSEC at all and i felt there wasn't much there for me" was a common refrain.

            Where do you all come down on this topic? Am i just a grumpy old fart bucking a tide of change that should not (and will not) be stopped? Am i seeing history through some odd-colored glasses and comparing current DEFCONs unfairly to a past which doesn't exist?

            What talks do you get excited about at DEFCON and how should this conference continue into the future without becoming just three more days of Black Hat?
            I hear the words and understand where they are coming from, I cannot argue with people's feelings or perspective, Each person perceives and believes things from their own point of view. However;

            I just want to give a perspective from a non Techie non sophisticated un-educated average Joe's eyes. I have attended Defcon for the past 4 or 5 years, I started attending as a chaperon with No expectations. I felt isolated and a bit on the outside my first year, however the more I spoke to people and the more I put myself out there the more I learned and the more I enjoyed it.

            The talks I have seen have nothing to do with what I do as a Job or hobby, however I have taken away valuable and meaningful knowledge from almost every talk I have attended. As people we do not live in a vacuum, Information that infosec or netsec people use often translates into the rest of the world also (especially in today's computer driven world) as an example, I went to a talk on HTML5 given by Ming Chow last year, since then I have read and seen many articles about HTML5 in the newspaper or in blogs and because of that talk I have a much better understanding of it and can see how it may affect (effect?) my future as a regular computer user not a power user.

            What I am trying to say is Defcon should just do the stuff that comes along that the people involved feel is good and fits their needs, the rest of us can choose to take part or not, there is no way to make it fit everyone, but anyone can choose to get something valuable from it.

            As long as you keep offering things that allow newbie's an opportunity to understand that Defcon is open to anyone who commits effort to it, Defcon will be great. I am a huge believer in Defcon 101 because it makes it clear to everyone it is their responsibility to make Defcon Great not the other way around.

            Comment


            • #7
              Re: is DEFCON beoming simply one more INFOSEC con?

              Originally posted by astcell View Post
              What makes Defcon great to me: I saw Dan Kaminsky, Kevin Mitnick, and Jeff Moss, all off stage and out of their known roles, and they were learning things from others -- listening, conversing, and loving it.

              Try that with some of the holier than thou types. Defcon is an experience that cannot be put into words.
              Exactly; couldn't agree more. Meritocracy at its best; no one is above learning. It was somehow heartwarming to see.

              So my 3.14 cents:

              DC19 was my second, and already I am starting to feel the call of DC20 (four month recovery). I know shockingly little about InfoSec; I am merely a tech who has a desire to know - to gain knowledge about almost everything. The tech draws me to DC, but honestly, there is a greater (if less worthy) draw: I enjoy the occasional snifter of brandy (read: getting shitfaced), and when I did so locally, we sat around & talked about nothing. At DefCon I get to imbibe whilst learning about some of the coolest cutting edge information on Earth.

              I have never attended a talk at DC; too busy with the contest. Yet I have listened in on some breathtakingly informative conversations, many of which were well over my head; yet not one where I walked away having learned nothing. I will likely never even win my particular contest; but I shall be there next July, trying to do just that.

              No doubt DefCon is aging, and everything changes as it ages. But there are many younger, smaller hacker cons out there to fulfill that original feeling, so DefCon fills a different role as it ages; like, hopefully, most of us do (or not - hardly appropriate for me to exhort the benefits of maturity when I look so forward to getting blitzed like a frat boy again).
              The f*ck? Have you ever BEEN to Defcon? - chs

              Comment


              • #8
                Re: is DEFCON beoming simply one more INFOSEC con?

                I think you're asking some of the right questions, Deviant. My personal take is that the answers you'll get are largely related to how catholic someone's opinion is as to what "hacking" means.

                I've been lucky enough to work in some ridiculously interdisciplinary places and it's pretty much an article of faith of mine that the answers very often (if not quite "usually") come from the places you least expect.

                What does that mean in the real world? I think we would do well to seriously think about attracting folks on some of the other "edges" out there, whether it's biohacking, 3d printing, or materials science fun. Anyone with half an imagination can see that any one of those has the potential to completely disrupt, confuse, enrich, or victimize people, depending on how savvy they are and whether they're in the right/wrong place at the right/wrong time.

                I, like most other people, came from the networking and information security side of the house, but I really appreciate it when someone with experience in another discipline can help me see how things I already know in my space can help them with theirs and vice versa. I also think that the maker culture is so giddy from finally connecting a bunch of people who used to do things alone in their garages that they're not particularly spending a lot of time thinking about things like the security risks and societal implications of some of the technologies with which they're tinkering. That's the area where DEFCON is perhaps uniquely suited to having an impact.

                Comment


                • #9
                  Re: is DEFCON beoming simply one more INFOSEC con?

                  I am closing this thread in "Post DC19" and copying it to a new thread in the DC20 planning forum for continued discussion. This forum (Post Defcon 19) is due to be closed for new threads and any replies by non-mods. This will happen next week.

                  Thanks!

                  (Any other threads in Post DC19 forum that should be copied?)

                  Comment

                  Working...
                  X