[ISN] DEF CON 9 - Open Letter to the community

From: InfoSec News (isnat_private)
Date: Fri Aug 10 2001 - 01:23:31 PDT

  • Next message: InfoSec News: "[ISN] The Code Red hype Hall of Shame"

    First off let me thank everyone who made DC 9 a success. This includes
    not only the staff, but all of the speakers, A/V, Network, DJs, and
    attendees. Without everyone working together the convention could not
    function. Thank you all for making our largest convention also the
    smoothest convention in comparison to past years!
    Having just finished my 9th DEF CON, I have a few thoughts - I am
    looking for feedback from the community to help decide the next steps
    for the future of DEF CON.  First, let me give you a brief history so
    you can see where I am coming from and to allow you to decide where
    you think we should go in future shows.
    I have long thought that DEF CON cannot last forever in its current
    form due to several factors: Growth, Core Attendees, and the changing
    nature of the technology underground.
    Growth causes all kinds of problems. The incredible and exponential
    growth of DEF CON makes it more and more difficult to comprehend the
    ramifications of running such a large conference. It requires more
    people to be involved in organizing the show, more insurance to cover
    more damage, more planning, more Con events, and more volunteer staff
    to make things run more smoothly.
    Around DEF CON 5, I came up with two possible theories on how growth
    would play out for future shows. The first is that at a certain point,
    the number of people not returning to the Con would equal the number
    of new people attending, and there would be a zero growth rate. This
    would allow us to predict and plan around a set attendance amount,
    making it easier to plan the show.
    My second theory was that attendance would continue to grow until it
    reached a critical mass and everything melted down. Not enough space,
    not enough food, too many new people and not enough attendees from
    previous years to help run the show, etc. It is harder to tell when
    this scenario occurs because every year there are always problems and
    fires to put out since nothing ever goes the way you plan.
    In order to try and deal with the growth issue I decided before DEF
    CON 8 that I would stop advertising the convention except on the
    DC-STUFF mailing list. The idea was to only let the show grow by word
    of mouth. I hoped that this would slow the growth rate, and at the
    same time attract people that would be interested in the scene.
    Advertise to a generic forum like USENET and anyone might show up. Let
    it spread by word of mouth and you should get more people like the
    current attendees.
    As you know (if you attended DC 9) it hasn't happened that way in real
    life. Even though the only advertising for DC 8 was one mention in
    2600, and no advertising for DC 9 we still managed to grow by leaps
    and bounds. Things have not slowed down as initially predicted and we
    reached over 5,100 people at DC 9 - about 900 more than DC 8. Long ago
    we decided we would let anyone who wanted to attend show up.  We are
    not in the business of censorship or exclusivity. The only people not
    invited back have been people that pissed off the hotel enough to have
    them kicked off-property.
    My final thought for now on growth? The show has reached a point where
    it is too big for its own good and I am not sure what to do about
    this. As the show has grown, so has the amount of stress for all
    involved in both the planning and running of DEF CON. The Con is meant
    as a fun party of like-minded people, not a cause for ulcer-inducing
    stress. I designed the convention to withstand a certain amount of
    chaos and problems, but it was never designed to withstand people
    calling for violence to staff members and property damage to the
    The Core Attendees of DEF CON is the second reason related to why I
    don't think the show can last forever. What I mean by "core attendees"
    are the people who come to the show to pow wow about computer security
    and the lack thereof. The people who have attended DEF CON for 4 years
    or more - who won't view DEF CON solely as one giant rave for music,
    drugs and sex and know that the party atmosphere is simply a fringe
    benefit to the original intent of the show.
    As the show grows and changes, some of the core attendees that have
    been traveling to DEF CON for the last several years stop showing up.
    If the hard core coders, programmers, and hackers no longer attend
    leaving and only newbies, then the conference has completely lost its
    point.  Remember - I started DEF CON to be a party for myself,
    friends, and the technology underground. It is not meant to be an
    everlasting event or a summer camp for every kid who owns a computer.  
    If my friends stop attending because the show is too large or has an
    incredibly skewed signal-to-noise ratio (emphasis on the noise), then
    the point to DEF CON is gone.
    How do you measure core attendees?  It's difficult to explain but
    after being involved in the scene for so long, you learn to figure out
    who's an old school hacker and who's along for the ride.  Do things to
    alienate your friends and you can be sure that the show will be
    forever changed.  Some of the alienation occurs due to growth, and
    some occurs just because people grow up and move on to other things.  
    This feeds into my third point.
    The changing nature of the technology underground has caused DEF CON
    to change as well. When I started the show there were no real jobs for
    people our age in computer security. LD phone calls were expensive,
    UNIX was not free, the only people with good Internet access were
    Universities and businesses, and PCs still cost quite a bit of cash.  
    The Web was not sprouting up "Teach me how to hack" sites every other
    minute, and there was a considerable amount of misinformation
    surrounding hacking floating about.
    Now things are exactly the opposite. Money entered the underground
    scene around DC 4, and since then, things have changed rapidly. There
    are plenty of good and bad books teaching computer security, and there
    are thousands Web sites dedicated to hacking. If you don't have a
    felony and are dependable you can get a job in computer security.  LD
    calls are cheap, all the Internet you can eat is about $20, UNIX-style
    operating systems are free, and computer prices are so cheap that you
    can build and attack your own network for very little money.  The
    mentoring process of the "old school" underground is mostly gone now.
    The original motivations of breaking into a university to get Internet
    access have changed and with each new age group of kids, using a
    computer becomes more of a key role of the educational process.
    Hackers and computer geeks are no longer a small niche in society but
    now the norm, resulting in an even more fragmented community,
    generating an entirely new set of definitions for "hard core" and
    Each of these three changes are reflected in the attendees at DEF CON
    with every new show. As more people were exposed to computers and
    hacking, more people attended in exponential amounts and as the
    reasons for why people hacked changed, so did the mentality of the new
    generations attending the show.
    In planning DEF CON 9, I made some decisions to reduce the stress on
    the volunteer staff.  Instead of having 8 volunteers registering
    people all Friday long, I decided to hire some outside people to
    handle this chore for Thursday, Friday and Saturday.  Instead of
    having these same volunteers check badges of people, I hired more
    hotel security to do this.  Why have your staff stand in the 110
    degree heat if you can pay someone else to?
    There have been some comments about how DC 9 seemed to be under
    "tighter" control because of the additional security guards as opposed
    to past years.  The problem is that the hotel does not allow us to
    hire outside rent-a-cops.  We have to hire their security staff and
    when you hire said staff a certain amount comes with guns. So it was a
    trade off - pay more to get hotel security to save my hard-working
    volunteers from boring, repetitive work.  DEF CON volunteers work very
    hard, so we tried experimenting with the hotel guards and the outside
    registration people. The idea is to reduce the workload of your peers
    who come to DEF CON to help out in anyway they can to make sure you
    have a good time. With a bigger show this year we spent more on
    outside help.  I like this model of relieving stress on the staff, and
    will try it again, with some tweaks, at future shows.
    Because the hotel is providing the security, they are not under DEF
    CON direct control.  Sure we can ask them to go easy on people, but if
    they catch people messing with the hotel we can't control them.  For
    example, if someone is caught damaging the hotel and hotel security
    finds out, things get out of our control pretty fast.  Their concern
    is their hotel, not the happiness of our attendees at that point.  At
    DC 9 we actually had to talk the hotel out of calling Las Vegas Metro
    Police and getting two people arrested.  We don't need more hackers
    with criminal records, and if we can help it we will.  In one instance
    two people did get in trouble with the police, but they had previously
    gotten in trouble with the hotel at DC 8 for stealing, and were not
    supposed to be back on hotel property.
    Remember, DEF CON is a self-organizing group of people, largely with
    out any oversight or control.  Everyone is operating under their own
    responsibility with the staff there to help people out who need it.  
    If the community can't keep themselves in check, we won't do it for
    you, and the Con will go away.  I don't want, nor can afford, to have
    staff and guards to take care of every little problem.  That's not the
    point of the Con.  They are there for bigger problems than traffic
    guard duty.  For example, there were some medical emergencies this
    year, and the staff most likely saved a life.
    I decided to close the vendor area at 7pm this year so the people with
    tables could get some actual sleep with out having to worrying about
    their stuff.  I decided to pay more to allow for greater wireless
    network access coverage so attendees didn't have to be concentrated
    and crowded in the immediate conference area to have net access.  We
    even rented an additional tent for the hotel roof to hold more people.  
    Finally, we managed to talk the hotel into reducing its costs on food
    and drink.
    While I don't think DEF CON is quite dead, I do think it is time for
    even more changes to stave off a quick and painful death - "Evolve or
    die" comes to mind. We spend a lot of time deciding on what changes to
    make each year to help things go smoother for everyone.  In light of
    this year's show, I have decided to ask the community for their input.
    If you have suggestions on what changes or additions you'd like to see
    at DEF CON for next year, please email suggestionsat_private
    We are looking for your opinion on how to manage growth, speaking
    topics, events, and ideas to keep the con from getting out of control
    due to its size, etc.  Heck, all suggestions are welcome.
    Suggestions already being discussed include:
    - There will be no overlap of other groups with DEF CON. From Thursday
      evening to Monday Afternoon only DEF CON attendees wil be able to
      check in.  This will hopefully prevent the types of problems we had
      Sunday night when there were other groups on-site.
    - A different way of dealing with hotel and con security.
    - Speaker selection (Filter out poor speakers and bad talks)
    - How to deal with rapid network growth
    We're looking forward to you comments, and thank you for taking the
    time to send them in.
    The Dark Tangent (aka Jeff Moss)
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 06:52:14 PDT