Jeff Moss (a.k.a. “Dark Tangent”) made news on Wednesday by abruptly and formally disinviting government and law enforcement officers (“the FEDS”) from his annual hacker confab. The symbolism was powerful – coming after years during which the lines separating “hackers” and “the FEDS” got ever more blurry.
But I’m afraid that Moss’s gesture will have to go down as a “nice try.” Simply put: relations between the hacker community, the private sector and the federal government and law enforcement agencies have only grown more cozy with each passing year. DEF CON is no exception. Given the money at stake, hurt feelings and bruised ideals caused by the National Security Agency’s PRISM surveillance program aren’t likely to change that relationship in the slightest.
Of course, this goes against what we would all like to believe about DEF CON, which still goes to great lengths to maintain its counterculture air, even as its sister conference Black Hat (now owned by CMP) long ago donned lipstick and sensible shoes for a roomful of corporate suitors.
Part of the lore of the annual DEF CON is its anti-authoritarianism. For years, that was embodied not just in F-bombs from the podium, but in the annual “Spot the FED” contest, which enlisted show participants to out attendees they suspected of being federal agents or law enforcement. (Essentially: anyone wearing chinos and a collared shirt.) The prize (for both spotter and FED) was a t-shirt.
Back in the day, the concern was that the lawmen were there to keep tabs on black hats, gray hats and anyone else who knew their way around a Unix shell. And, indeed, there has been no shortage of DEF CON attendees (and even speakers) who have gone on to make a name for themselves as cyber criminals. (Credit card master-thief Albert Gonzalez’s right-hand man, Stephen Watt (a.k.a. “Jim Jones” a.k.a. “Unix Terrorist”), spoke at DEF CON 10 years before he was arrested and jailed for his role in hacks against TJX and other prominent firms.)
But that was a moment in time. With each passing year, more and more government and professional types filled the hallways of whatever down-on-its-luck ‘Vegas hotel the annual event calls home. (Lately, that would be the Rio Hotel and Casino.) They came not to keep tabs on hackers, but to keep tabs on hacking craft and the latest attacks and exploits. Even more important: they came with job offers in hand for the most talented and in-demand security folks.
In short order, “Spot the FED” (DEF CON 17) gave way to “Meet the FEDs” (DEF CON 18), a panel of federal agents who wondered – wait for it – “how do we conduct robust continuous monitoring across a large multi-organizational enterprise yet stay within the constitutional requirements for privacy, civil rights and civil liberties?” I guess we all know the answer to that question!
But now something has changed. A line has been crossed.
“When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship,” Moss wrote on the DEF CON web site. “Therefore, I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year.” The time off, he said, will “give everybody time to think about how we got here, and what comes next.”
While I can feel Moss’s outrage at PRISM and know it to be genuine, who among us can really say we’re surprised to learn about the extent to which the government is using its authority and the availability of “big data” to monitor citizens’ activities? Protest too much, and we sound like Inspector Renault in Casablanca peeling away from the roulette table at Rick’s Café to declaim that he’s “Shocked. Shocked! To find that there is gambling going on!”
As for “what comes next?” I think the answer is pretty clear: more of the same. Because, while everyone who has ever donned a DEF CON badge may, as Moss says, be “uncomfortable about the relationship” between the hacker community and the federal government, the amount of money and resources flowing into computer security is likely to remain an irresistible lure for any DEF CON attendee with even moderate skills. Indeed, in an era of government sequesters and forced austerity, cyber is one of the only areas of the Defense Department’s budget that is likely to see an increase in funding in the coming years. And, as the government’s appetite for computer security and hacking talent grows, shows like DEF CON – watering holes for hackers of all stripes – become must-attend events.
It’s not clear what the impact of Moss’s blog post will be. Maybe the Feds will just go back into disguise and “Spot the Fed” will find a new relevance in the post-PRISM world. But one thing is for sure: the Feds will surely keep coming, invite or no.