Now in its 21st year, DEF CON is America's flagship hacker conference - a place where hackers, security researchers, corporate recruiters, digital frontier legal eagles and law enforcement have mingled and boozed it up on noncombatant territory.
But this year DEF CON is sending a serious message: organizers posted on the official blog that Federal agents are not welcome in any form at this year's conference.
The short post "Feds, We Need Some Time Apart" went live tonight on the DEF CON blog, just three weeks before the enormous hacker conference is set to kick off in Las Vegas:
For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.
When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year.
This will give everybody time to think about how we got here, and what comes next.
Last year NSA Director Keith Alexander keynoted - amidst controversy - and the NSA had an information and recruitment table on the vendor floor. As we reported from DEF CON last year, the NSA table was placed next to the Electronic Frontier Foundation's table in whimsically trollish style for the duration of the four-day conference (the EFF filed suit against the NSA in 2008 to end the NSA's dragnet surveillance on American citizens).
Tellingly, this year the NSA will not have a table in DEF CON 21's vendor area.
As the conference nears opening day on August 1st, this move by DEF CON organizers eliminates any speculation about the possibility of the NSA participating in the hacker conference, and raises questions about what feds might encounter should they decide to attend DEF CON anyway.
The no-feds-allowed caution is ominous in light of recent world events.
As hackers and feds alike prep for Vegas, the world still reels from recent NSA/Prism revelations of extensive digital mass-surveillance on citizens worldwide, from information leaked to UK press by former fed Edward Snowden.
Just last week, a Federal judge gave the EFF a crucial winning point in its lawsuit against the government's illegal dragnet surveillance programs when the judge rejected the U.S. government's invocation of the state secrets privilege to have the EFF's case dismissed.
With this new development, this will certainly be one of the most interesting DEF CONs to date.
DEF CON occurs every year in Las Vegas just after the massive professional security conference Black Hat (at Caesars Palace, a short cab ride from DEF CON's Rio). The two conferences typically blend attendees.
Black Hat will also prove to be quite interesting this year. With the timing of current events, the conference is embracing controversy: This year, NSA's Keith Alexander will be keynoting Black Hat on July 31 at 9:00 am (the conference runs from July 27 to August 1).
Black Hat is the "work" conference for security researchers and professionals, and DEF CON is where a significant number of Black Hat attendees go afterward to get out of their suits and attend a less formal, hacker's security conference.
This year Black Hat also has a number of into-the-fire briefings on its schedule, and expects to see around 35 zero-day vulnerabilities released in the sessions.
The sessions include a presentation by security researchers Angelo Prado and Neal Harris called "SSL, Gone in 30 Seconds - A Breach Beyond Crime." The talk introduces techniques that allow attackers to obtain encrypted session identifiers, CSRF (cross-site request forgery) tokens, OAuth tokens and more - plus the researchers plan a proof-of-concept, 'gone in 30 seconds' attack against a "major enterprise product".
Law enforcement of all stripes typically attend larger hacker conferences, but DEF CON is a prime example of what happens when these strange bedfellows cross paths in a designated grey area.
Feds who are now unable to attend DEF CON are welcome to watch the @defcondoc so they can feel like they're there. — DEFCON Documentary (@defcondoc) July 11, 2013
Security writer Brian Krebs points out that in the past, feds trying to attend undercover have been playfully, openly poked at by DEF CON attendees in a game called “Spot-the-Fed.” In light of DEF CON's 'no feds' statement this year, Krebs soberly wonders, "if 'Spot-the-Fed' could well turn into a hack-the-fed competition."
DEF CON's organizers framed the "no feds" statement as a sort of cooling-off period, but the decision was likely made to head off any potential conflict, confrontations or attacks between attendees fueled by anger over the Prism leaks - which would end well for no one.
We will be attending both conferences, reporting all developments and news as they happen from Las Vegas.
UPDATE Thursday July 11, 2:15 am: Reaction to DEF CON's decision is strong and hackers are voicing both anger and support - fights are breaking out on Twitter and other social media. Hacker News doesn't fail to extrapolate that DEF CON's founder (and author of the organization's statement) The Dark Tangent - aka Jeff Moss - is a member of the Homeland Security Advisory Council for ICANN. However, this is not a secret, and if there is a connection it is not apparent; organizers are making no comment either way.
Big news from DEF CON. DT tells Feds to take a time out this year. Bravo. https://t.co/B84FdA7tyK — Bill Pollock (@billpollock) July 11, 2013
But not everyone agrees.
@Beaker The only dumb thing is assuming for 21 years that feds showing up at DefCon was a good thing. — Robert David Graham (@ErrataRob) July 11, 2013
OpenStack developer and DEF CON speaker Matt Joyce wrote and published a lengthy opinion piece that echoes sentiments on Twitter and Hacker News, positioned in opposition to DEF CON.
Joyce sums it up in A Note of Dissent, Regarding DEF CON:
(...) Which brings me to my second point of contention. This is a moment in our nation’s history when a great deal is at stake. The last thing our community needs at this moment is balkanization, and bridge burning. If we really want to change the way our government approaches security, and intelligence gathering, no group is better positioned to open a truly positive and beneficial dialogue than the Def Con community. This is an opportunity for us to converse, and debate as a civilized people. And instead we have the organizer of the conference publicly burning bridges, and stating his hope that, that simply does not happen. That’s tragic.
We’re hackers. All of us. Fed, State, Non-profit, Money loving entrepreneurs, we’re all hackers. That has always been one great defining aspect of our community. Def Con has been one of the most successful commons of the people who wear the moniker of ‘hacker’ proudly. It truly is a place where people of every background can meet, exchange ideas, and grow as hackers, and as people. And suggestions that some part of that greater community should simply excise itself is a betrayal of everything that Def Con has become over its 20 plus years. And I figured it warranted a public note of dissent.
Joyce then openly invites government employees to "Fed Con."
Perhaps the best summary came to me via email after the news hit - regardless of what side you take, it's safe to say that DEF CON has been snowed in.