(An Interview with Jayson E. Street – find Part II HERE)
SK: I’d like to start off by having you talk a bit about your experience with conferences in general – what are some general thoughts?
I have gone to conferences all over the world to speak (with no shame); I have spoken to every kind of crowd, from three to two thousand and everything in between. I’ve spoken to government officials and business people, from people who were just getting into the industry, to people who are not in InfoSec at all, and may have shown up to the conference because they were interested in it. I’ve spoken to people with every kind of opinion with every kind of person, because I love hearing from people with strong views.
I have seen a lot of different conferences, and I think there’s one unifying thing that people forget to observe when they think about conference culture. One observation that they forget about. The one simple truth that ties every conference I’ve seen together.
Someone is going there to learn.
Someone is going there because they need to know something; someone will find an answer when they go. They’re looking for help, they’re looking for knowledge, they’re looking for someone to help them with the issues that they face. That’s why they exist, why they’re needed, and why people go. That is why I gladly ignore the crazy number of cons. In my opinion, there aren’t too many cons as long as there’s someone there that wants to hear somebody speak.
SK: What about specialized talks within conferences?
I think some conferences are figuring out how to give people the talks they really want (which are often very specialized), and I do like conferences that are starting to have straight offensive tracks or straight defensive tracks. It’s a great way for people to hear someone speak on a topic they’re definitely interested in.
SK: While these conferences may be great places for veterans of the security industry to meet, talk, and learn, the industry is growing very quickly and there are lots of people who are now showing up but not industry veterans. Are these cons a place for beginners?
One of the things I like seeing (for example, at Bsides London and 44con) is a newbie track. Not just newer talks, or newer questions, but people who have never spoken before. Shmoocon does a great job of trying to get first-time speakers, and careers have been spawned there. DEF CON has DEF CON 101, which is specifically designed for this. DEF CON is great because it makes those talks approachable. Granted, I think every one of my talk is a 101 talk – but there’s a place for lots more of them!
SK: So while lots of cons are going out of there way to be a place for both experienced pros and beginners, we still hear those “con horror stories.” Do you think conference culture can be toxic?
I try not to talk about the conferences I don’t like, only about the conference culture I love. That being said, I do have a list of conferences I will never attend again. For example, I went to a conference this year that was one of the most inclusive, clique-ish, boutique conferences I have ever witnessed. I had a wow moment there: people talk about some of the bigger cons – DEF CON, or ShmooCon, or DerbyCon – and how they don’t feel included. My response to that now is that, having being on the outside of the “cool crowd” at a con – is “oh, no, trust me, you have not seen anything.” Some of the larger cons can seem exclusive at times, because they are so big and overwhelming, but there are conferences that actually pride themselves on excluding the “plebes”. I’ve never been looked so down on just because I’m not “one of the cool kids.”
SK: So then what do we do about the conferences that aren’t trying to be exclusive, but can end up seeming exclusive because of their overwhelming size?
I know it’s very hard for a lot of people in this industry: it’s very hard to talk to someone. The great thing about conference culture is that at most of the conferences I’ve attended – no matter how big or small – there was somebody you could meet and talk to. Go into a talk? The person sitting next to you is interested in that topic, just like you. That is your conversation starter. You share that interest – you are there for that interest.
I particularly like the cons that have embraced that kind of community bonding. For DEF CON, l0ST has created several badges that force you to socialize. One of the best badges that’s been out there was from DEF CON 19 or 20, with Egyptian symbols and a microcomputer. It was great because you had to socialize. You had to interact, you had to talk to other people. You had to go up to people to make sure you had to talk to people outside of your group to try and spark conversations.
SK: Do you think this can necessarily be applied by people besides you? You’re so incredibly social.
Conferences have tried to make it more social, but I’ve gotta say – at some point it’s still on the person. Stated without judgement and without condemnation, but it’s a fact. I wish people were as sociable as me, but not everyone is… which is probably a good thing.
But people should keep in mind that there’s a lot of incentive to be sociable. From starting at DEF CON 12, to Derby Con 1, to going to so many of these conferences when I was first starting out, I benefited from being social. When I was just a network security administrator at a financial organization in the midwest, never did I feel that I didn’t have an opportunity to meet someone, or bother someone, or interact with someone – even the important someones. DEF CON 12 was when I first met HD Moore, and so many other “big names”. They were accessible and willing to talk; they showed what this community was about. They were the examples that people should follow. Everything I do now is from the example that I learned from those people.
SK: Do you think that as the industry grows – and it’s clearly growing quickly – that this kind of camaraderie and accessibility will change?
There’s been a lot of talk about how big these conferences have gotten. I’ll be the first one to say that this past DEF CON that I was upset afterwards by looking at facebook posts – of friends of mine! – and realizing that there were people I knew at DEF CON and I never saw them. The biggest misconception of DEF CON now is that people still consider it a single conference. It is no longer just a conference. It’s not like a Derby, or a ShmooCon, or one of the many B-Sides. It’s really almost like a hacker burning man, with villages (they’re called villages!) catering to the various interests you may have.
There’s something so cool about the fact that you can spend your whole entire con at a “whole conference” dedicated to what you specialize in – the Hardware Village, Wireless Hacking, etc. When you do that, it’s a very small con for you. All the people you want to see, things you want to learn about, are there. But because of your one badge, you still have the opportunity to go to the others. An entire conference dedicated to every kind of specialty is at your fingertips.
Derby Con is currently dealing with the growing pains of getting bigger. From its very creation, it has always been an accessible “family vibe”. I’ve never seen an instance of a speaker not talking to a first timer. You see regulars just hanging out at the bar, buying drinks, or getting drinks, or just drinking and available to talk to (and for those who don’t drink, just hanging out and being available to talk to).
The front driveway is sometimes totally crowded with people just having great conversations. The lobby is full, and it is an equal opportunity place for everybody to mingle. That is not a size issue, not a clique- issue… it is a fact that is part of Derby Con. It’s just an accessible place to meet people. Dave always tries to make it feel like the family. Some people take that the wrong way, by thinking as though it’s “only” for the family, but no – he’s trying to suggest that there’s no exclusion to that family.