Black Hat/Def Con: The Magic is in the Mix
by Richard Thieme

How time flies. Eight years ago, one hundred computer hackers who had connected only in cyberspace, mostly through bulletin boards, decided to meet in Las Vegas, Nevada. Why Las Vegas? "It's the only city that builds hotels faster than we can use them up," said one. The con took root and began to grow. And grow. And grow.

This year, nearly six thousand "hackers" of multiple generations, corporate security gurus, intelligence officers, journalists, corporate recruiters, Feds, and scene junkies came to the Alexis Park Hotel, a non-gaming resort hotel, as well as to the more mainstream two-day security conference, the Black Hat Briefings, which precedes Def Con at Caesar's Palace. Founded and led by Jeff Moss, a.k.a. Dark Tangent, Def Con began sponsoring the Black Hat Briefings four years ago. Originally conceived as a forum in which elite hackers presented to security experts, Black Hat has grown from 350 attendees to more than 1500. Black Hat also offers annual conferences in Amsterdam and Hong Kong and is adding specialized seminars such as Security for Windows 2000. Moss recently left his job with Secure Computing to devote himself full time to growing Black Hat/Def Con.

Eight years after its modest beginnings, the magic of Black Hat/Def Con is in the mix. While some mourn the loss of the old days, when Def Con more closely resembled hacker-only cons like Pump Con, Summer Con and Cuervo Con, Moss always intended Def Con as a bridge world that would include many "straight" government and corporate computer security experts. He saw that real security was created through collaborative conversation. A Federal Panel including Art Money, Assistant Secretary of Defense, opened Def Con this year and testifies to the success of Moss' effort.

In contrast to H2K, a hacker gathering held earlier this summer in New York which seemed to many like a Woodstock reunion running on the fumes of an obsolete ideology, BH/DC has grown with the times. Moss now has multi-year contracts with hotels, and the "Def Con goons," volunteers who serve as support staff, while still in evidence, are now joined by professional convention organizers. Of course, other computer security conferences have evolved too, such as SANS, CSI, Usenix, and TIS. Thanks to the open borders of the Internet, computer security is big business.

So how well does Def Con/Black Hat stack up as a security conference? Why do so many people come to the burning desert in July when other conferences are available?

First, a disclaimer: I have spoken at Def Con for five years and at Black Hat for four years. BH/DC is a primary community for me, populated with friends and colleagues. So I asked others for evaluations. While Def Con/Black Hat does not get straight A's from everyone, all agreed that the unique flavor of the multi-ring circus, with its great diversity of resources and the good-to-high quality of its technical presentations, makes it a "must go" on many lists.

Vaughn Hendricks, Staff Systems Integrator of Lockheed Martin Mission Systems and SIPRNET Project Manager, NAVSEA OO1, has worked in computing for 35 years and computer security for 20. He limits the conferences he attends to Black Hat/Def Con and CSI. "In the military, I worried about our classified operations and still do, working for government sites since officially 'retiring.' Black Hat/Def Con offers a unique opportunity for collaboration between good guys and bad guys. I can listen to premier network security gurus and ex-hackers and discuss vulnerabilities in depth. I've been to both for two years - you get Def Con for free when you go to Black Hat - so it's at the top of my list for gathering information for protecting government resources."

Noid, a Sr. Security Engineer for SecurQuest, an Irvine, CA based security firm, believes that "BH/DC has a certain edge that no other mainstream security convention can compete with. When it comes to hacking systems or being on the cutting edge of protecting systems, there's a certain mindset one must possess, and all of the speakers at BH/DC have it. I've been to most mainstream conventions and they're good at teaching textbook methods of attacking/defending systems, but at BH/DC you get to talk face to face with the person who pioneered the particular attack/defense, which you can't get anywhere else. I went to SANS this spring, for example, and they taught us all about L0phtcrack and BO2k. It was informative and interesting, but at Def Con I can have a beer with Mudge (author of L0phtcrack) or DilDog (author of Back Orifice 2000) and have my questions answered directly by the authors."

Those unique resources were also emphasized by Drew Fahey, Computer Security & Investigative Specialist for e-fense, Inc. in Englewood, Colorado. "Black Hat and Def Con are invaluable," he said. "You don't go for hands-on training, you go to meet new people and see who is really ahead in Information Security. That is not to say you don't get good information at Usenix or SANS, but you don't get to meet members of the 'underground' or groups like CDC (Cult of the Dead Cow) at traditional security conferences. You really have to experience it to understand its value."

Charles Neal, Senior Director, Cyberterrorism Detection & Incident Response for Exodus Communications, Inc. and recently retired FBI Supervisory Special Agent of the LA regional computer crime squad, attended his first Black Hat and was impressed. "Black Hat brings people closer to the edge of the black and white side of the security knife than other security conferences normally do," he reflected. "There are thought-provoking topics, more than occasional good debates in and out of sessions, and opportunities for good personal contacts. That made it a valuable experience, in spite of a few speakers with good knowledge but underdeveloped presentation skills."

Other security conferences provide solid information in a traditional setting. Other hacker cons provide forums for gray hats and black hats. But Black Hat/Def Con provides a unique blend of white, gray, and black hats and the opportunity for real networking and dialogue among them.

Richard Thieme (rthieme@thiemeworks.com) is a contributing writer for Information Security. He writes, speaks, and consults on the human dimensions of technology and the workplace.