With a vast array of tech conferences available, it can be a challenge as an IT manager to figure out which are the best ones to attend or to send your employees to. Some of the more “head-scratching” tech conferences around are those that cater to computer, physical security and social hacking. Among the biggest of those are Black Hat and DEF CON.
Some IT managers are dead set against their security teams attending these types of conferences. After all, these are the people you hire to prevent hacking, not to learn the trade themselves. Because of this thinking, I’ve known many employee requests to attend DEF CON to be denied. Yet, most former DEF CON attendees insist that hacker conferences are far more than hacking -- and can be highly educational for corporate IT security staff.
Given this wide contrast in opinion, I took it upon myself to attend DEF CON 27 in Las Vegas. My goal was to see if the content presented could translate into value from a corporate IT security perspective. Here’s what I learned.
To give you a sense of how different DEF CON is from most any other IT conference, I'll offer a few observations of my first day in attendance. First, you can't pre-register for DEF CON online. Instead, you simply show up in Vegas and pay the $300 fee -- cash only. Cash because, you know, these are a bunch of hackers. Second, I was quick to observe that the corporate or business casual attire that is common with other IT conferences was virtually non-existent here. Instead, you’ll find lots of cargo shorts, t-shirts and crazy hairstyles. Lastly, if you take a cursory glance at the titles of many DEF CON sessions and specialization villages, it’s easy to understand why some IT managers might be quick to dismiss DEF CON altogether. Session titles such as "How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market" -- or the "Lock Bypass Village" -- may make it seem as if this hacking conference is geared more toward black hats than white.
But here's the thing: once you push past the thin counter-culture veneer that the conference promoters wrap themselves in, you find the information and skills that can be gleaned are easily transferable to the corporate security world. Despite the likelihood of a few “bad actors” in attendance, I found far more white hats representing both the private and public sectors. Additionally, many of the speakers and conference staff (known as "goons") are well known, well respected and work or consult in corporate IT as their day job. Even a US Senator was part of the conference this year.
It’s the non-corporate vibe that I think makes DEF CON so successful. Attendees see it as a way to embrace a unique computing culture while learning useful security skills that can help them understand what they’re up against back home. If you get the chance to go, you’ll find a wealth of security information being taught by some of the greatest security minds in the world. You’ll also find that attendees are truly interested in learning hacking skills, methods and tactics that they wouldn’t find at any other conference. It gives both IT security novices and experienced pros the chance to step into the shoes of a modern black hat to see how they approach a target. Doing so allows the white hats to stay one step ahead.
I believe that my attendance at DEF CON 27 was time and money well spent. My hope is that this article will convince IT managers once and for all that hacker conferences can be highly educational and beneficial from a corporate IT perspective. Plus, for only $300 to get in the door, it’s one of the best deals going. The bottom line is, if you can trust your security staff to protect your corporate enterprise infrastructure, you can undoubtedly trust them to learn something of value at a hacker conference like DEF CON.