A number of experts weighed in on this month's debate concerning a statement from DefCon founder Jeff Moss that feds should stay away from DefCon.
Robert Hansen, director of product management, WhiteHat Security
While, I can't speak for Jeff Moss on this issue, my gut tells me his heart is in the right place. His concern is likely that tensions are too high and an angry mob of hackers is not a place for people who may be associated with PRISM and other secret programs. Jeff can¹t control an angry mob directly, but he can give gentle guidance to federal agents that it may be risky to walk into the lion¹s den given the current state of affairs on the Internet. They can choose to ignore him if they wish.
Many hackers feel that the free-and-open Internet as we know it is in jeopardy by these secret programs. Hackers may lash out at people who may be involved by association or otherwise, and it¹s simply a matter of caution to warn the government that they may face resistance from some percentage of conference go-ers. This is proactive conflict control – not government hatred.
Jeffrey Carr, CEO, Taia Global
I'm in agreement with the proposition that DefCon organizers should not have discouraged feds from attending this year's event. Hackers and government agencies have a long history of positive interaction and DefCon has historically played a big part in that. Many hackers have either come out of government to start their own business or have contracted with the government to continue their work, including Jeff Moss, the founder of DefCon. Other high-profile examples include security researchers Charlie Miller, who worked for the NSA for five years; Dave Aitel, who worked for the NSA for six years; and Peiter “Mudge” Zaitko, who worked for DARPA for three years.
I could list another dozen hackers who've started cyber security businesses that include the intelligence community and Department of Defense as customers. While some antagonism certainly exists between hackers and feds, banning feds from DefCon seems to me like a knee-jerk reaction that wasn't well thought-out.
James Jardine, principal security consultant, Secure Ideas
One of the great things about DefCon is the convergence of all types of people interested in information security. DefCon provides one of the greatest environments for openness and sharing of information – as even Jeff Moss noted in his request. When the announcement was made, it created a divide between attendees. A group that aims to bring people together, consequently, broke them apart.
Instead of asking them not to attend, why not specifically invite them, like they did back at DefCon 1? We should be using this environment to be open about the concerns and have honest discussions in a friendly environment. Rather than ignoring the issues that attendees are concerned about, lets create a way for people to express their concerns and for the feds responsible to respond respectively.
Asking the feds, even the majority that have nothing to do with the concerns, not to come is not going to solve any issues, but more likely, just mask them or make them worse.
Ira Winkler, president, Secure Mentem
While I understand that Jeff Moss senses a distrust of the U.S. government, telling all “feds” to stay away from DefCon is inappropriate. DefCon fosters an environment to change the perception of hackers as criminals. It helped to legitimize the hacker community by bringing in government agencies and highlighting talks by government executives. Instead of trying to clear up misperceptions, Moss instead tells a complete group of people to stay away. He didn't tell the Chinese government to stay away given countless, ongoing hacking incidents of innocent U.S. citizens. He doesn't tell hackers who hack innocent people to stay away. It is not fair to tell people securing data at federal agencies to stay away, who have nothing to do with NSA. More ironic is that Moss, an adviser to the Department of Homeland Security, qualifies as a “fed.” Will he stay away?
Marcus Carey, principal developer and security researcher, ThreatAgent.com
Imagine a firearms trade show saying they don't like the Iraq War, so anyone affiliated with the government should stay away. Gun shows are for gun lovers. Hacking events are for hackers.
The hacker community should only worry about technical skills because motives and ethics are always a grey area. For instance communications interception has been common at hacker cons, even exposing individuals who use plaintext authentication by posting their credentials on wall of shames for everyone to see. If that's not an invasion of privacy I don't know what is.
In the past I served in the military and at NSA, during those times I would have been considered a Fed. Hackers associated with the government are just doing their job. Most of the people I know in the industry are either government contractors, in possession of a clearance, or sell products such as exploits to government. If we were to rule all of those people out DEF CON would be tiny.
If people are truly concerned about NSA hacking and privacy then they should take up the issue with their politicians. Hacking events aren't the place for politics although they are surely a place for drama.