The Magical Imploding Hacker Cons

June 17, 2019

A huge phenomenon in our industry was the emergence of the hacker conference. Just over a decade ago, small groups of self-identified hackers and vulnerability researchers pioneered an entirely new class of technology conference. I will simply refer to these as Hacker Cons. Alongside these geek showcase events with stunt hacking, lock picking, and alcohol-fueled parties grew the trend toward the anti-conference. These were groups of people who had their papers and talk proposals rejected by the big-name InfoSec conferences such as the RSA Conference. Ten years ago, these people advertised a meet-up that coincided in both time and location with the big event and charged little or nothing for those who felt they had worthy content but were blocked out of existing events by paid sponsors and deep-pocket vendors who could afford to push out individual researchers and start-ups.

These events were a novel way to feature new research and up-and-coming technologists who just needed a little exposure. Like a tropical forest where mature trees expand to monopolize the most sunlight and rain, these established conferences became unintended gatekeepers, stopping or slowing the development of creative and new research as they catered to well-funded sponsors. Old-school antivirus and firewall vendors could afford to drop millions in marketing capital, thus ensuring their messages were always dominant. They have been challenged by the hacker cons and local conferences burgeoning over the last decade.

These new conference formats also place a great deal of emphasis on having fun alongside the presentations. Some hacker cons became notorious for speakers who would take tequila shots on stage, cosplay, and marginally affiliated groups featuring lock picking classes and sex toy hacking. There were few limits placed on potential participants and speakers, so the actual value as a training venue for corporate security personnel was usually questioned. That was just fine with most of the organizers as they courted the rebellious and encouraged people to attend on weekends and on their own dime. They were as much social as technical.

But that early dynamism has been sorely tested. Some participants eventually interpreted the informality and fun times as a license to misbehave. Conference organizers were forced to become that which they organized against. They had to establish elaborate codes of conduct and start to strictly police both presenters and attendees alike as they sought to find the middle ground between stuffy, formalized conferences, and the free-wheeling, zany atmosphere that spawned licentiousness, abuse, and general tawdry behavior. They didn’t want the RSA Conference, but the Burning Man model wasn’t going to advance the profession either.

As this trend continues, it has come with mixed reviews. Several conferences have decided to call it quits as the organizers are being asked to navigate social and cultural minefields our country as a whole hasn’t even resolved. Others have simply morphed into the same pro forma pay-to-play format they used to reject. However, the best outcome has been a global network of loosely affiliated groups hosting everything from small, local meetups to full-blown regional conferences. We now have dozens more avenues to reach out to a much broader spectrum of our profession than the big, traditional conferences ever imagined, no matter how large they become. In the next few years, we should see the unnecessary tomfoolery and excesses be exposed and ultimately expunged. It’s a refreshing and much-needed change to drive innovation and bring the next generation of professionals into technology leadership roles.

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].