Hacker/Infosec Con Types & Getting More Out Of Hacker/Infosec Conferences
I was inspired to work on this post
again by InfoJanitor on Twitter. When I asked for blog post ideas, he suggested
"Through the Lens: Five Cons in Five Months", and I was like “five in five
months? Wish I had such a lax schedule”. In 2018 I attended 22 cons and recorded
19 of them. Arguably, I’ve been to more infosec/hacker conferences than most
people, some as a speaker, way more as a videographer. The only people I know
who have more con badges than I might be Jack Daniel or Jayson Street. I mention
this to establish that I have some claim to expertise when it comes to
infosec/hacker cons. In my view, there are maybe five types of hacker/infosec
conference:
Enthusiast Party Hacker Cons
Enthusiast/Professional Infosec/Hacker Cons
Commercial Infosec/Hacker Cons
Vendor Cons
Awareness/We Care Conferences
Now, to explain my views on this,
let’s look at my early “con history”. One of my first cons was an “Awareness/We
Care Conference” in the form of the conference at a university I was once
affiliated with. I spoke at the conference circa 2005 about password cracking
and such. My first real hacker con was PhreakNIC in 2005, where I got a taste
for con life. Many of us attending were younger, did not have a ton of money,
and slept five to a room to save on costs. Hell, it was not like you spent a lot
of time in the room anyway, unless you were working on some crypto or hardware
challenge. The next year, I gave a talk at Notacon in Cleveland where the
research almost got me fired, and then PhreakNIC on “Creating a Windows Live CD
for System Recovery and Pen-Testing”. For a couple of years, IU's CACR,
PhreakNIC & Notacon were about the only cons I went to, until I got
involved with my local ISSA. They had been running the Louisville Infosec for a
few years, and in, I believe, 2008 I asked if I could record the main track. I
got contacts & content for my site, they got promotion. Later I started giving
Skydog crap about how long it was taking to get the videos from Phreaknic up, so
they gave me the DVDs so I could rip them and post them myself. I had a
university job at the time, which meant I had less money but more time and
bandwidth than most people. This led to me coming to Outerz0ne and ripping DVDs
as they were recorded. For a later Outerz0ne I figured out how to do picture in
picture with AVISynth, and people began asking me to help record their
conferences. After the success of the Louisville ISSA Metasploit class, Martin,
Dave, Erin, Alex plus a few others and I put together Derbycon, where of course
I was tasked with recording. Since I was the person most likely to use it, I was
left with the video gear to record other multi track cons. After that, I’ve done
a bunch of cons. I’m recording more than 20 per year at this point. Let me
define the types listed above. Bear in mind that few conferences fall solely into
one of these categories, and the ones I really like have a lot of
crossover.
Enthusiast Party Hacker Cons
I get the impression this is what
DEFCON used to be, and still is to some degree, but my first DEFCON was 2009 so
my perspective is limited. This is definitely what I would call PhreakNIC, and
Skydogcon, maybe NolaCon to some extent. A bunch of people who love infosec/bypassing
limitations/etc, but also love damaging their liver a bit too much perhaps. Many
conferences have aspects of this.
One interesting thing about
enthusiast party hacker cons is that they sometimes draw people who are not so
much into hacking as into the scene itself. They may have a mild interest, but they
are mostly there to party, or just to be seen. You will wind up seeing more of
these people at DEFCON for example than at other cons because Vegas is a fun
place to go for many, even if hacking is not your interest. I don’t mean this to
be insulting to DEFCON, it’s just sort of the nature of being in Vegas. I’m sort
of surprised that NolaCon has not encountered more of this, as New Orleans is a
great town to have fun in. Then again, NolaCon being newer likely limits this as
people may not know about it (great conference, good content, & never had a bad
meal in New Orleans).
Enthusiast/Professional Infosec/Hacker Cons
This is where cons like Derbycon,
Shmoocon, NolaCon and many BSides come in. The folks that show up are still
enthusiasts, but they also seem to have jobs in the field or are looking to get
into the field. There is a lot of partying, but also the people are legitimately
there to learn stuff for work. I would say Defcon almost falls into this
category, but Dark Tangent seems to have resisted the urge to have traditional
sponsors (vendors who sell hacker merchandise I put in a different category than
just a for-money sponsor). At the larger ones you can make good connections to
both find work or to hire someone. Cleared Jobs even distributes wrist bands to
some conferences to identify if you are looking to hire or get hired, which may
help while mixing with others. Smaller events like many of the BSides seem
better for acquiring talent than for drumming up business for a consulting company,
as most of the attendees seem to be enthusiasts/practitioners and not managers.
The same can be said for conferences that happen on weekends (more enthusiasts)
versus during weekdays (more managers).
Commercial Infosec/Hacker Cons
This would be things like BlackHat
and Hacker Halted. The promise is something like: We will show you what the
underground is doing, but we will provide you better food and it will be during
a weekday so you can take off work. Some conferences deliver on this promise
better than others. Truthfully, some cons ride between this and
“Enthusiast/Professional Infosec/Hacker Cons”. For example, ShowMeCon is often held
during weekdays, which appeals to the infosec professionals who want to
get out of the office, but it is run by a bunch of enthusiasts/practitioners who
really dig hacking and general geek culture. The upside is that food is provided; the
downside is that this can greatly increase the ticket price.
Vendor Cons
These are all about selling stuff.
People are there to hawk tools, appliances and services, plain and simple. Most
ISSA events are this to some degree, as is RSA, so I understand (never been
there, so I may be talking out my backside). I’ve heard RSA referred to as being a
conference about the business of infosec as opposed to being about infosec
itself. I’ve been told some BSides may fall into this area, but that is highly
dependent on who is running it. While the talks may lean towards vendor pitches,
these events can be good for making contacts to get hired or to drum up business.
Awareness/We Care Conferences
These are normally small affairs, for
limited audiences. I already gave the aforementioned example of the “Indiana
University Center for Applied Cybersecurity Research” conference. Mostly, these
are conferences held internally in organizations for people that may not be
directly involved with security. The core idea seems to be to “raise
awareness”/”show we take security seriously”, so many times the talks seem wide
in subject but not very deep technically. Maybe they help, maybe not?
So, what do I think of various cons
besides the bit of info I gave in the descriptions above?
DEFCON
Why not cover DEFCON? It is the 800-pound
gorilla of hacker conferences. Apparently it reached close to 25,000
attendees in 2017, and nothing else in the States matches it. I’ve only been
going since 2009, but I’d mostly put it in the “Enthusiast Party Hacker Cons”.
Having seen videos and heard stories of the shenanigans from years past, it
seems to have mellowed a lot, which is to be expected as 90’s kids grow up, get
mortgages and have kids. DEFCON has moved several times around the big conference
spaces in Vegas and keeps growing to fill whatever space it is held in. You
can pretty much expect to stand in line for big-name talks. It’s easy to miss
people you know are there in all the crowds. I kind of like Vegas, but after
about a week I’m ready to go home.
Blackhat
I’ve only been to Blackhat DC as a
speaker and Blackhat USA in Vegas as a training helper. Large price tags for
attendance keep many enthusiasts away, and truth be told, many of the talks seem
to get presented at the more affordable BSides events around the country. Trainings
are a major draw for going, in my opinion: you get some hands-on knowledge and
CPEs. If work will pay for it, I’d recommend it. If you are just someone getting
into the industry, you might be better off visiting cons within driving
distance.
Derbycon
Obviously the best conference because
of the stunning good looks of the videographer, Derbycon sprung up after the
Louisville ISSA Metasploit Class for Hackers For Charity was such a success. No
one was watching the signup form for the class, and all of a sudden we had way
more people signed up than expected, forcing us to change venues. Dave, Martin
and I thought “we got so many people here for just a one day class, why not put
on a conference”? We went with the name Derbycon because Louisville is only
known for about three things, horse racing, baseball bats and fried chicken.
Since a derby is also a type of hat, and the black/grey/white hat hacker meme
exists, Derbycon seemed like the name to go with. We aim to have good technical
content but stay affordable. Louisville also has the advantage of being within a
5 hour drive of many large cities in the midwest and south. Things generally
don’t get as wild as at some large conferences, but you will see people calmly
sipping bourbon and showing off projects in the lobby while commiserating with
friends. Sadly, Derbycon 9 is planned to be the last because of people’s drama
(yes, it was drama; if you don’t understand that, maybe you should not believe
everything you read on Twitter. Twitter is like the “telephone game”, where
people spread misheard misinformation, and it has taught me that many infosec people are
terrible at attribution). Plans are in the works for another midwest/southern
border replacement conference.
Shmoocon
One of my favorites, and the “Own the
Con” talks Bruce and Heidi do each year were useful when we were planning
Derbycon. I was at every Shmoocon from 2010 to 2016. While there is much
partying, I’d say this con is firmly in the “Enthusiast/Professional Infosec/Hacker
Con” arena. Have some fun, see some friends, learn some stuff and talk to some
recruiters. Getting chosen to speak is a pretty big honor, and not easy. Since
they limit attendance to a little under 2000 people, and the con is so popular,
to get a ticket you might have to play the F5 olympics. I think one of the
reasons it is so popular is that it is held in Washington DC, so lots of infosec
folks from the federal government come out. People complain every year about how
hard it is to get a ticket, but people also don’t want the con to grow larger
and you can’t have it both ways. Apparently the logistics of getting a bigger
hotel in DC is difficult.
BSides Events
Every one of these varies depending on
location and who is running the event. They can fall into any of the loose
categories I gave above. Because they are affordable, usually costing no more
than $20 or even free, they are a good choice for a first conference for people
trying to get into the field. Definitely submit to the CFPs to get your name out
there and get some experience speaking. Personal favorites of mine happen in
Nashville, Cleveland, Detroit, Columbus, Philadelphia, Baltimore and Tampa but
there are many that have popped up around the world.
What To Do At Con?
Talks: Yes, that is one of the major
announced features. People come to see, listen to and meet certain well-known
speakers. You can get a lot of good information this way, but since so many
talks are recorded these days, people spend time on “hallway/lobby con” instead. It is always
good to ask ahead if there are any talks that will not be recorded so you can
attend those. Also look for talks where you would want to be in the audience to
ask questions.
Contests: Some cons have contests
like capture the flags, lock pick competitions and crypto challenges. Probably
not the best for meeting people if your face is buried in a screen all con, but
good for bragging rights and demonstrating skills.
Hallway/Lobby Con: People call it
different things. With most talks being recorded, you can watch them later, but
hallway con is harder to substitute. Nothing like getting to talk to people in
small groups to make connections and learn things, learn who specializes in
what, and track down potential job leads. Making that personal connection. I’ve
heard some people complain about cliques but I’ve found people to be friendly if
you are friendly. If you, like many in tech, are introverted you may want to
contact a few people on social media that you know will be there to help get you
introduced to others.
Speak: Speaking at conferences is a
great way to get your name out there. I know a lot of people have a fear of
public speaking, but having a bunch of presentations under your belt can be good
for a resume/CV. Also, if you are not good at striking up conversations, people
will come up to you to ask questions after your talk.
Volunteer: Consider volunteering at
conferences. It’s a great way to meet people and let people know you are
reliable while getting a free ticket at the same time. Conference organizers who
also have management positions or companies of their own notice reliable
volunteers and have been known to hire them. Older, established conferences may
have their volunteer spots filled up by old timers, so get to know some old
timers and worm your way into volunteering.
Finally, remember Trevor Hearn’s
saying: at least three hours of sleep, two meals, and one shower per day.
Thanks to @InfoJanitor, @vajkat, @jack_daniel, @thesl3ep and @InfoSecSherpa for
some input on things to add.