(Continued from Part I: The Present)
SK: OK, so now we’ve done a lot of talking about the great improvements in some of the cons, and what you’ve seen a lot of improvement in this year. What do you think didn’t work this year? What is concerning to you?
I think this year one of the things I saw – and I think I may be a part of the problem – is the cosplay factor. I didn’t think about it until Russ Rogers brought it up, but I think a lot of people are going to “play hacker” instead of going to learn to be a hacker. It particularly came across at a couple of cons this year; it seemed that people weren’t really there to learn, they were there to be seen. They’re not really there to network, they’re there to play. I feel entitled to say that because I was one of the fakest and cosplay-iest attendees ever when I started attending ten years ago. I’m going to address it in my talk next year – I went to DEF CON 12 thinking about how a hacker was supposed to act, without actually learning… and it made me look like an idiot.
DEF CON, Derby Con, Shmoocon should never be equated with Comic Con.
SK: What about the beginners? The ones who don’t know any other way?
When I first went, I was already on the technical side. I had my CISSP in 2001, but didn’t go to my first con until 2004. I’ve been in InfoSec since 2000. I was four years in the industry before I got to go to a DEF CON. By then – seeing the stereotypes on the news, seeing them on the Internet – I got that romanticized version of “this is what it’s about”. I don’t want to say I was wrong, because people in those places aren’t necessarily wrong. I was simply ignorant, and there’s nothing wrong with being ignorant. I have a problem with being stupid. Being ignorant changes because you can learn. I showed up to DEF CON being very ignorant, but I learned. I get the sense that some people at these conferences are willfully ignorant. I don’t think they truly want to be a part of the community. They just wanna party (without giving anything back).
I can’t particularly talk about giving back anything from a technical standpoint; I’d like to think that I’ve helped the community in other ways. Communities are about contributions, not just “happy feelings” and cosplay.
SK: What are a few new conferences you’re excited about?
Conferences that I’m excited about – to hear about – are obviously skewed towards ones that I’m going to be a part of (which should be interesting). There’s going to be a BSides Tanzania; Jack Daniels has been reopening some BSides. There’s a conference I’m going to the Maldives. Think about that – the Maldives is concerned about InfoSec!
What I’m really excited about is that it is now a topic of conversation and something for people to meet and discuss all over the world. It is not an American problem, it is not a first-world problem…. it is a global issue. And the world is responding to it by getting together and forming conferences to discuss this. There are people waking up all over the world and realizing that their information has to be secured.
SK: So you would say that it’s important for the American security community to start paying attention to Global cons?
I think it all came to a head for me last year when I did my talk “Around the World in 80 Cons.” One of the reasons I’m working with DEF CON Groups is to make it a global action. Because of the way that we are connected and communicate today we can no longer have the audacity to think that any one country or group can solve these issues by themselves. We are all in this together and these are global problems that require global solutions and global action. It doesn’t take a tsunami or an earthquake or a hurricane to show that what happens in one region impacts the entirety of the world. I consider myself a citizen of the world, not just a citizen of the US. I love my country, but I love my planet just as much.
SK: Here’s a hard question, then: what do you think “The State of the Con” is today?
The state of most conferences today are – whether they realize it or not – uncertain. I think our community and industry as a whole is at a crossroads. Where is it going to go from here?
The conferences themselves are at a crossroads: as they grow, they eventually become the victim of their success. In some sense it’s a product of the way that society is evolving and becoming more tolerant of hackers, with TV shows, etc. demystifying what a hacker is and what InfoSec is. Learning about (though we hate the word cyber) cybersecurity, people are starting to understand how it’s used and why it’s used that way and what it actually means.
Because of this, I think we are becoming a better force for good to educate the general populace. The cons, though, are at a crossroads – there’s a chance that they may devolve into a place where people go because they saw it on TV and think it’s cool (they just want to “play” at the community). I think we’re at a point where things might also take a bad turn: people will be more afraid of “hacking”, and these conferences will become less acceptable, and it may reflect poorly on them or even be illegal to go to these conferences.
SK: Is there any way to answer or begin to solve these huge issues?
Of course I always like to make grandiose statements, but I generally also like to give a solution, or at least something positive to say. In this case I can admit: I’m not smart enough to have that answer. I don’t know. The people running these conferences are smarter than me, and have more experience than me, and I can’t presume to give them advice on these things. A lot of the people who criticize these conferences also don’t know. They don’t have any solutions. They just criticize.
I’ll just say that I don’t know what the solution is, but I have faith that the people working on it have a better grasp on it all.