Defcon founder's message to feds fair to some, hypocritical to others

Dis-invitation is interesting because last year Defcon opened with General Keith Alexander, director of the National Security Agency

Defcon founder Jeff Moss' request to government agencies asking them not to attend next month's annual Defcon hacker conference has evoked a mixed response from the security community.

Many see it as little more than a symbolic gesture meant to convey the hacker community's discomfort over recent revelations of government surveillance activities by fugitive document-leaker Edward Snowden.

Others, though, see it as a somewhat hypocritical move by an organization that has long prided itself on giving all members of the security community a platform to exchange ideas and share information freely.

Two researchers from the network security-consulting firm Secure Ideas on Thursday announced that they would not present at Defcon as scheduled, to protest Moss' actions.

Moss launched Defcon 21 years ago and has overseen its growth into one of the industry's largest hacker conferences. On Wednesday, he published a blog post in which he asked government agencies to "call a time-out" from the conference.

"For over two decades Defcon has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect," he wrote.

"When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship," he said in asking them not to attend Defcon this year.

The dis-invitation is interesting because it was only last year that Defcon had opened with a keynote from General Keith Alexander, director of the National Security Agency, the entity at the center of the surveillance controversy.

"Jeff Moss's post was a statement, not an order, but it was an important one," said Michael Sutton, a vice president of security research with Zscaler.

Moss is well respected within both the black hat and white hat communities and has strong government connections in his role as an advisor to the U.S. Department of Homeland Security (DHS), Sutton noted.

"His statement illustrates the deep disappointment of the Defcon community, who feel that they were blatantly lied to in light of the PRISM scandal," he said, referring to Alexander's denials last year when asked at the conference if the NSA was spying on U.S. citizens.

"Jeff is standing up for the community by saying 'you disrespected us in our own house -- we'd prefer you not visit this year'," Sutton said.

For many at Defcon, Edward Snowden's recent revelations of widespread NSA surveillance activities are likely to have only reinforced their suspicion of all things government, said Richard Stiennon, principal at IT-Harvest.

With Defcon, there's always been a bit of the "young generation versus the Man," Stiennon noted. In recent years, NSA and other three-letter government agencies have been recruiting from Defcon ranks, leading to a gradual thawing in relations between the two communities, he said. Even so, members of the Defcon community have only shown a "wary willingness" to interact with government types at best.

That willingness likely has been tested by the Snowden affair, Stiennon noted. "A group of security professionals who are aligned to doing things and creating things that are protective of security and privacy are going to find themselves at odds with the NSA. So it may be best for both sides to cool off a bit," Stiennon said.

Lawrence Pingree, an analyst at Gartner, cautioned against making too much of Moss' statement. From a publicity standpoint, it makes a certain amount of sense to ask federal agencies not to attend Defcon, considering the sentiments that have been aroused by Snowden's revelations, he said.

In reality, it is unlikely that Moss will want to, or will even be able to, stop government security types from attending the event if they really want to, he said.

In the end, Moss is just sending a gentle reminder to the government that they are likely to be less than welcome among those at Defcon considering recent revelations about PRISM, said Robert Hansen, a white hat hacker and director of product management at WhiteHat Security.

"I don't believe that anyone who works directly with the staff at Defcon really hates feds," Hansen said. "What they hate is that the free and open Internet has been taken from them in some sense and that theft is embodied in some sense by the people who are tasked with fulfilling often secret laws."

"The only issue I see with Jeff's announcement is that a lot of the most important, die-hard, freedom advocates work in or work directly with the military industrial complex, and it's unfair to paint them as the enemy of hackers," Hansen noted. "Though Jeff has never said that directly, and I don't believe he feels that way, I worry that people less familiar with the situation would mis-represent his words."

Others, though, see Moss' stance as needlessly politicizing the annual hacker fest.

In a blog post, James Jardine and Kevin Johnson, two researchers from Secure Ideas, announced they would not present at Defcon this year, citing Moss' statement about not wanting the government at the show as the reason.

"The basis of our decision is that we feel strongly that Defcon has always presented a neutral ground that encouraged open communication among the community, despite the industry background and diversity of motives to attend," the blog noted. "We believe the exclusion of the 'fed' this year does the exact opposite at a critical time."

Ira Winkler, president of the Information Systems Security Association and a Computerworld columnist, said that Moss was being unfair in asking the federal government not to attend Defcon.

Much of Defcon's popularity has stemmed from the effort put into making it a completely neutral venue for the information security community. By asking the government to stay away, Defcon has lost some of that neutrality, he said.

The surveillance activities revealed by Snowden, and that Moss alluded to in his statement, have all been found to be completely legitimate and vetted by all three branches of the government. So rather than try and exclude government agencies, it would have been better to use Defcon as an opportunity to get more answers on the surveillance practices, he said.

"It would be better to have a legitimate discussion on the issue," Winkler said. "Why is it legal, why is it constitutional. Stopping a group of people from attending goes against the spirit of what Defcon is supposed to be," he said.

Defcon has always thrived on presenting controversial security topics and has gone out of its way to make it possible for people to do so, Winkler noted.

"Why is the government being singled out when no group has been singled out and prevented from speaking?" he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
