DEF CON 9 - Open Letter to the community

[InfoSec News <isn () c4i org>]

http://www.defcon.org/TEXT/9/open-letter-dc9.txt

First off let me thank everyone who made DC 9 a success. This includes
not only the staff, but all of the speakers, A/V, Network, DJs, and
attendees. Without everyone working together the convention could not
function. Thank you all for making our largest convention also the
smoothest convention in comparison to past years!

Having just finished my 9th DEF CON, I have a few thoughts - I am
looking for feedback from the community to help decide the next steps
for the future of DEF CON.  First, let me give you a brief history so
you can see where I am coming from and to allow you to decide where
you think we should go in future shows.

I have long thought that DEF CON cannot last forever in its current
form due to several factors: Growth, Core Attendees, and the changing
nature of the technology underground.

GROWTH

Growth causes all kinds of problems. The incredible and exponential
growth of DEF CON makes it more and more difficult to comprehend the
ramifications of running such a large conference. It requires more
people to be involved in organizing the show, more insurance to cover
more damage, more planning, more Con events, and more volunteer staff
to make things run more smoothly.

Around DEF CON 5, I came up with two possible theories on how growth
would play out for future shows. The first is that at a certain point,
the number of people not returning to the Con would equal the number
of new people attending, and there would be a zero growth rate. This
would allow us to predict and plan around a set attendance amount,
making it easier to plan the show.

My second theory was that attendance would continue to grow until it
reached a critical mass and everything melted down. Not enough space,
not enough food, too many new people and not enough attendees from
previous years to help run the show, etc. It is harder to tell when
this scenario occurs because every year there are always problems and
fires to put out since nothing ever goes the way you plan.

In order to try and deal with the growth issue I decided before DEF
CON 8 that I would stop advertising the convention except on the
DC-STUFF mailing list. The idea was to only let the show grow by word
of mouth. I hoped that this would slow the growth rate, and at the
same time attract people that would be interested in the scene.
Advertise to a generic forum like USENET and anyone might show up. Let
it spread by word of mouth and you should get more people like the
current attendees.

As you know (if you attended DC 9) it hasn't happened that way in real
life. Even though the only advertising for DC 8 was one mention in
2600, and no advertising for DC 9 we still managed to grow by leaps
and bounds. Things have not slowed down as initially predicted and we
reached over 5,100 people at DC 9 - about 900 more than DC 8. Long ago
we decided we would let anyone who wanted to attend show up.  We are
not in the business of censorship or exclusivity. The only people not
invited back have been people that pissed off the hotel enough to have
them kicked off-property.

My final thought for now on growth? The show has reached a point where
it is too big for its own good and I am not sure what to do about
this. As the show has grown, so has the amount of stress for all
involved in both the planning and running of DEF CON. The Con is meant
as a fun party of like-minded people, not a cause for ulcer-inducing
stress. I designed the convention to withstand a certain amount of
chaos and problems, but it was never designed to withstand people
calling for violence to staff members and property damage to the
hotel.

CORE ATTENDEES


The Core Attendees of DEF CON is the second reason related to why I
don't think the show can last forever. What I mean by "core attendees"
are the people who come to the show to pow wow about computer security
and the lack thereof. The people who have attended DEF CON for 4 years
or more - who won't view DEF CON solely as one giant rave for music,
drugs and sex and know that the party atmosphere is simply a fringe
benefit to the original intent of the show.

As the show grows and changes, some of the core attendees that have
been traveling to DEF CON for the last several years stop showing up.
If the hard core coders, programmers, and hackers no longer attend
leaving and only newbies, then the conference has completely lost its
point.  Remember - I started DEF CON to be a party for myself,
friends, and the technology underground. It is not meant to be an
everlasting event or a summer camp for every kid who owns a computer.  
If my friends stop attending because the show is too large or has an
incredibly skewed signal-to-noise ratio (emphasis on the noise), then
the point to DEF CON is gone.

How do you measure core attendees?  It's difficult to explain but
after being involved in the scene for so long, you learn to figure out
who's an old school hacker and who's along for the ride.  Do things to
alienate your friends and you can be sure that the show will be
forever changed.  Some of the alienation occurs due to growth, and
some occurs just because people grow up and move on to other things.  
This feeds into my third point.

EVOLUTION OF THE TECHNOLOGY UNDERGROUND

The changing nature of the technology underground has caused DEF CON
to change as well. When I started the show there were no real jobs for
people our age in computer security. LD phone calls were expensive,
UNIX was not free, the only people with good Internet access were
Universities and businesses, and PCs still cost quite a bit of cash.  
The Web was not sprouting up "Teach me how to hack" sites every other
minute, and there was a considerable amount of misinformation
surrounding hacking floating about.

Now things are exactly the opposite. Money entered the underground
scene around DC 4, and since then, things have changed rapidly. There
are plenty of good and bad books teaching computer security, and there
are thousands Web sites dedicated to hacking. If you don't have a
felony and are dependable you can get a job in computer security.  LD
calls are cheap, all the Internet you can eat is about $20, UNIX-style
operating systems are free, and computer prices are so cheap that you
can build and attack your own network for very little money.  The
mentoring process of the "old school" underground is mostly gone now.
The original motivations of breaking into a university to get Internet
access have changed and with each new age group of kids, using a
computer becomes more of a key role of the educational process.
Hackers and computer geeks are no longer a small niche in society but
now the norm, resulting in an even more fragmented community,
generating an entirely new set of definitions for "hard core" and
"mainstream".

Each of these three changes are reflected in the attendees at DEF CON
with every new show. As more people were exposed to computers and
hacking, more people attended in exponential amounts and as the
reasons for why people hacked changed, so did the mentality of the new
generations attending the show.

NEW ITEMS

In planning DEF CON 9, I made some decisions to reduce the stress on
the volunteer staff.  Instead of having 8 volunteers registering
people all Friday long, I decided to hire some outside people to
handle this chore for Thursday, Friday and Saturday.  Instead of
having these same volunteers check badges of people, I hired more
hotel security to do this.  Why have your staff stand in the 110
degree heat if you can pay someone else to?

There have been some comments about how DC 9 seemed to be under
"tighter" control because of the additional security guards as opposed
to past years.  The problem is that the hotel does not allow us to
hire outside rent-a-cops.  We have to hire their security staff and
when you hire said staff a certain amount comes with guns. So it was a
trade off - pay more to get hotel security to save my hard-working
volunteers from boring, repetitive work.  DEF CON volunteers work very
hard, so we tried experimenting with the hotel guards and the outside
registration people. The idea is to reduce the workload of your peers
who come to DEF CON to help out in anyway they can to make sure you
have a good time. With a bigger show this year we spent more on
outside help.  I like this model of relieving stress on the staff, and
will try it again, with some tweaks, at future shows.

Because the hotel is providing the security, they are not under DEF
CON direct control.  Sure we can ask them to go easy on people, but if
they catch people messing with the hotel we can't control them.  For
example, if someone is caught damaging the hotel and hotel security
finds out, things get out of our control pretty fast.  Their concern
is their hotel, not the happiness of our attendees at that point.  At
DC 9 we actually had to talk the hotel out of calling Las Vegas Metro
Police and getting two people arrested.  We don't need more hackers
with criminal records, and if we can help it we will.  In one instance
two people did get in trouble with the police, but they had previously
gotten in trouble with the hotel at DC 8 for stealing, and were not
supposed to be back on hotel property.

Remember, DEF CON is a self-organizing group of people, largely with
out any oversight or control.  Everyone is operating under their own
responsibility with the staff there to help people out who need it.  
If the community can't keep themselves in check, we won't do it for
you, and the Con will go away.  I don't want, nor can afford, to have
staff and guards to take care of every little problem.  That's not the
point of the Con.  They are there for bigger problems than traffic
guard duty.  For example, there were some medical emergencies this
year, and the staff most likely saved a life.
 
CHANGES WITH DEF CON

I decided to close the vendor area at 7pm this year so the people with
tables could get some actual sleep with out having to worrying about
their stuff.  I decided to pay more to allow for greater wireless
network access coverage so attendees didn't have to be concentrated
and crowded in the immediate conference area to have net access.  We
even rented an additional tent for the hotel roof to hold more people.  
Finally, we managed to talk the hotel into reducing its costs on food
and drink.

While I don't think DEF CON is quite dead, I do think it is time for
even more changes to stave off a quick and painful death - "Evolve or
die" comes to mind. We spend a lot of time deciding on what changes to
make each year to help things go smoother for everyone.  In light of
this year's show, I have decided to ask the community for their input.

If you have suggestions on what changes or additions you'd like to see
at DEF CON for next year, please email suggestions () defcon org.

We are looking for your opinion on how to manage growth, speaking
topics, events, and ideas to keep the con from getting out of control
due to its size, etc.  Heck, all suggestions are welcome.

Suggestions already being discussed include:

- There will be no overlap of other groups with DEF CON. From Thursday
  evening to Monday Afternoon only DEF CON attendees wil be able to
  check in.  This will hopefully prevent the types of problems we had
  Sunday night when there were other groups on-site.

- A different way of dealing with hotel and con security.

- Speaker selection (Filter out poor speakers and bad talks)

- How to deal with rapid network growth


We're looking forward to you comments, and thank you for taking the
time to send them in.

The Dark Tangent (aka Jeff Moss)





-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.