DEF CON 9 - Open Letter to the community First off let me thank everyone who made DC 9 a success. This includes not only the staff, but all of the speakers, A/V, Network, DJs, and attendees. Without everyone working together the convention could not function. Thank you all for making our largest convention also the smoothest convention in comparison to past years! Having just finished my 9th DEF CON, I have a few thoughts - I am looking for feedback from the community to help decide the next steps for the future of DEF CON. First, let me give you a brief history so you can see where I am coming from and to allow you to decide where you think we should go in future shows. I have long thought that DEF CON cannot last forever in its current form due to several factors: Growth, Core Attendees, and the changing nature of the technology underground. GROWTH Growth causes all kinds of problems. The incredible and exponential growth of DEF CON makes it more and more difficult to comprehend the ramifications of running such a large conference. It requires more people to be involved in organizing the show, more insurance to cover more damage, more planning, more Con events, and more volunteer staff to make things run more smoothly. Around DEF CON 5, I came up with two possible theories on how growth would play out for future shows. The first is that at a certain point, the number of people not returning to the Con would equal the number of new people attending, and there would be a zero growth rate. This would allow us to predict and plan around a set attendance amount, making it easier to plan the show. My second theory was that attendance would continue to grow until it reached a critical mass and everything melted down. Not enough space, not enough food, too many new people and not enough attendees from previous years to help run the show, etc. It is harder to tell when this scenario occurs because every year there are always problems and fires to put out since nothing ever goes the way you plan. In order to try and deal with the growth issue I decided before DEF CON 8 that I would stop advertising the convention except on the DC-STUFF mailing list. The idea was to only let the show grow by word of mouth. I hoped that this would slow the growth rate, and at the same time attract people that would be interested in the scene. Advertise to a generic forum like USENET and anyone might show up. Let it spread by word of mouth and you should get more people like the current attendees. As you know (if you attended DC 9) it hasn't happened that way in real life. Even though the only advertising for DC 8 was one mention in 2600, and no advertising for DC 9 we still managed to grow by leaps and bounds. Things have not slowed down as initially predicted and we reached over 5,100 people at DC 9 - about 900 more than DC 8. Long ago we decided we would let anyone who wanted to attend show up. We are not in the business of censorship or exclusivity. The only people not invited back have been people that pissed off the hotel enough to have them kicked off-property. My final thought for now on growth? The show has reached a point where it is too big for its own good and I am not sure what to do about this. As the show has grown, so has the amount of stress for all involved in both the planning and running of DEF CON. The Con is meant as a fun party of like-minded people, not a cause for ulcer-inducing stress. I designed the convention to withstand a certain amount of chaos and problems, but it was never designed to withstand people calling for violence to staff members and property damage to the hotel. CORE ATTENDEES The Core Attendees of DEF CON is the second reason related to why I don't think the show can last forever. What I mean by "core attendees" are the people who come to the show to pow wow about computer security and the lack thereof. The people who have attended DEF CON for 4 years or more - who won't view DEF CON solely as one giant rave for music, drugs and sex and know that the party atmosphere is simply a fringe benefit to the original intent of the show. As the show grows and changes, some of the core attendees that have been traveling to DEF CON for the last several years stop showing up. If the hard core coders, programmers, and hackers no longer attend leaving and only newbies, then the conference has completely lost its point. Remember - I started DEF CON to be a party for myself, friends, and the technology underground. It is not meant to be an everlasting event or a summer camp for every kid who owns a computer. If my friends stop attending because the show is too large or has an incredibly skewed signal-to-noise ratio (emphasis on the noise), then the point to DEF CON is gone. How do you measure core attendees? It's difficult to explain but after being involved in the scene for so long, you learn to figure out who's an old school hacker and who's along for the ride. Do things to alienate your friends and you can be sure that the show will be forever changed. Some of the alienation occurs due to growth, and some occurs just because people grow up and move on to other things. This feeds into my third point. EVOLUTION OF THE TECHNOLOGY UNDERGROUND The changing nature of the technology underground has caused DEF CON to change as well. When I started the show there were no real jobs for people our age in computer security. LD phone calls were expensive, UNIX was not free, the only people with good Internet access were Universities and businesses, and PCs still cost quite a bit of cash. The Web was not sprouting up "Teach me how to hack" sites every other minute, and there was a considerable amount of misinformation surrounding hacking floating about. Now things are exactly the opposite. Money entered the underground scene around DC 4, and since then, things have changed rapidly. There are plenty of good and bad books teaching computer security, and there are thousands Web sites dedicated to hacking. If you don't have a felony and are dependable you can get a job in computer security. LD calls are cheap, all the Internet you can eat is about $20, UNIX-style operating systems are free, and computer prices are so cheap that you can build and attack your own network for very little money. The mentoring process of the "old school" underground is mostly gone now. The original motivations of breaking into a university to get Internet access have changed and with each new age group of kids, using a computer becomes more of a key role of the educational process. Hackers and computer geeks are no longer a small niche in society but now the norm, resulting in an even more fragmented community, generating an entirely new set of definitions for "hard core" and "mainstream". Each of these three changes are reflected in the attendees at DEF CON with every new show. As more people were exposed to computers and hacking, more people attended in exponential amounts and as the reasons for why people hacked changed, so did the mentality of the new generations attending the show. NEW ITEMS In planning DEF CON 9, I made some decisions to reduce the stress on the volunteer staff. Instead of having 8 volunteers registering people all Friday long, I decided to hire some outside people to handle this chore for Thursday, Friday and Saturday. Instead of having these same volunteers check badges of people, I hired more hotel security to do this. Why have your staff stand in the 110 degree heat if you can pay someone else to? There have been some comments about how DC 9 seemed to be under "tighter" control because of the additional security guards as opposed to past years. The problem is that the hotel does not allow us to hire outside rent-a-cops. We have to hire their security staff and when you hire said staff a certain amount comes with guns. So it was a trade off - pay more to get hotel security to save my hard-working volunteers from boring, repetitive work. DEF CON volunteers work very hard, so we tried experimenting with the hotel guards and the outside registration people. The idea is to reduce the workload of your peers who come to DEF CON to help out in anyway they can to make sure you have a good time. With a bigger show this year we spent more on outside help. I like this model of relieving stress on the staff, and will try it again, with some tweaks, at future shows. Because the hotel is providing the security, they are not under DEF CON direct control. Sure we can ask them to go easy on people, but if they catch people messing with the hotel we can't control them. For example, if someone is caught damaging the hotel and hotel security finds out, things get out of our control pretty fast. Their concern is their hotel, not the happiness of our attendees at that point. At DC 9 we actually had to talk the hotel out of calling Las Vegas Metro Police and getting two people arrested. We don't need more hackers with criminal records, and if we can help it we will. In one instance two people did get in trouble with the police, but they had previously gotten in trouble with the hotel at DC 8 for stealing, and were not supposed to be back on hotel property. Remember, DEF CON is a self-organizing group of people, largely with out any oversight or control. Everyone is operating under their own responsibility with the staff there to help people out who need it. If the community can't keep themselves in check, we won't do it for you, and the Con will go away. I don't want, nor can afford, to have staff and guards to take care of every little problem. That's not the point of the Con. They are there for bigger problems than traffic guard duty. For example, there were some medical emergencies this year, and the staff most likely saved a life. CHANGES WITH DEF CON I decided to close the vendor area at 7pm this year so the people with tables could get some actual sleep with out having to worrying about their stuff. I decided to pay more to allow for greater wireless network access coverage so attendees didn't have to be concentrated and crowded in the immediate conference area to have net access. We even rented an additional tent for the hotel roof to hold more people. Finally, we managed to talk the hotel into reducing its costs on food and drink. While I don't think DEF CON is quite dead, I do think it is time for even more changes to stave off a quick and painful death - "Evolve or die" comes to mind. We spend a lot of time deciding on what changes to make each year to help things go smoother for everyone. In light of this year's show, I have decided to ask the community for their input. If you have suggestions on what changes or additions you'd like to see at DEF CON for next year, please email suggestions@defcon.org. We are looking for your opinion on how to manage growth, speaking topics, events, and ideas to keep the con from getting out of control due to its size, etc. Heck, all suggestions are welcome. Suggestions already being discussed include: - There will be no overlap of other groups with DEF CON. From Thursday evening to Monday Afternoon only DEF CON attendees wil be able to check in. This will hopefully prevent the types of problems we had Sunday night when there were other groups on-site. - A different way of dealing with hotel and con security. - Speaker selection (Filter out poor speakers and bad talks) - How to deal with rapid network growth We're looking forward to you comments, and thank you for taking the time to send them in. The Dark Tangent (aka Jeff Moss)