Defcon is no longer a counterculture conference, and arguably hasn't been for a while. It's a place for security professionals to go to hang out in Vegas for a few days on their company's dime, or to extend their stay after Black Hat.
The conference has gotten too big for its own good. It now inhabits the Las Vegas Convention Center, which is less convenient than when it was in one of the hotels (or multiple hotels clustered together). The one positive of the LVCC is that it has a ton of room but there are still issues with things like sound equipment that plague the villages and their talks/workshops.
This was my 23rd DEFCON, and was just as counterculture as it was decades ago if you know where to go, and don't get distracted by the big pretty signs. DEFCON has always been about feds, policymakers, corpos, kids, and straight up black hat criminals partying together and shaping the future of infosec.
The author of the article decided to wander down the Military Industrial Complex track, and seems to be complaining that it had too much Army stuff. I didn't see any of that this year, because that's not what interests me. I met up with a large number of cipherpunks and activists that I don't get to see very often, and had some extremely productive conversations regarding various projects we're working on for the next year.
I'd love to go to defcon, but I fear it'll end up like every other conference I go to: wandering around, watching a few talks, ending up at a few semi-boring cocktail hours, etc. Maybe I'm that anti-cool enough to get auto-filtered?
I joined a local discord / defcon chapter, and it was mostly reminiscing about the good old days and most people saying they weren't going this year.
As a longtime attendee myself, this is absolutely true.
Also, DEFCON and DT specifically have not shifted anywhere. A large demographic of attendees shifted hard to the left, mirroring our culture in general. They are also not "counterculture" as these are mainstream/televised points of view.
I had to stop dealing with certain parts/people of DEFCON and infosec in general because of this intense noise. That's not pegging myself as being on the right, it's just that my DEFCON experience has always been about expanding my worldview and fun... this very loud and influential group isn't about either of those things.
Once they scared off the people running the Sky Talks, which were always awesome, and messed with groups like the lockpicking folks' ability to fundraise, I think the idea of it being a hacker con really died and it turned into just another corporate convention.
Skytalks happened this year and was better attended than ever. Getting a seat was extremely competitive, people lined up for several hours for a single talk token. I would have loved to go to some, but unfortunately there was a ton of other stuff I wanted to see so I didn't have time to stand in line.
They were a side conference to a side conference, but the structure let them run things the way they wanted, which is important.
Scared them off? Is there any documentation of that? My understanding is that the split was amicable. SkyTalks has immunocompromised people on staff and they chose to voluntarily leave defcon because they wanted to continue masking mandates while Defcon did not. Bsides welcomed them with support in their conference (helping with Token Drops and scheduling) and Skytalks occupies a space that is physically separated from Bsides (as in a different hotel on its top floor).
SkyTalks are as awesome as they always were, I'd argue it's even better since now you don't have to sacrifice other things at defcon to see skytalks. You can now have dedicated time for skytalks.
That Skytalks still requires masking is absurd. I saw the organizers at DEFCON walking around with no masks. The last skytalks at DEFCON a couple of years ago was pretty bad anyways, really disappointing.
Would CCC and Recon be better? TBH I never understand why people (not companies) need to go to Vegas. It's expensive, corrupting and hot during the summers. Montreal is a much more affordable place.
Vegas (and Orlando) are probably the two cheapest places to travel to in North America. Hotels and flights are both plentiful and cheap. Before Covid you could get like $60 a night hotels on the strip and $150 flights.
Congress may be considered "better" in the sense that the MIC would not find a forum there (and would be relentlessly made fun of). More importantly and as to your point about the expensiveness: The Club and all the volunteers put an inordinate amount of work in making Congress as accessible as possible on many levels.
I go to CCC and Defcon every year and they are night and day.
CCC actively discourages companies from advertising unless they are fully open source community driven orgs. Governments are even less welcome.
While even the Privacy Village at Defcon asks you to agree to the terms of service of Discord, Slack, Youtube, and other corpos... CCC self hosts everything including Voip, IRC, Matrix, 3G, 4G, and DECT, all linked together in various ways.
While Defcon has strictly controlled talks approved by sponsors and appointees of the Defcon corporation that themselves work for mostly proprietary corporations, CCC is an entirely volunteer driven organization from top to bottom and you can give a talk anywhere you want about anything 24 hours a day as long as someone else has not already reserved that spot.
While Defcon has villages reserved and approved by committee and corporate sponsors, at CCC any community can apply for a table or an area and almost all are granted as space relative to the size of the community. You can do basically anything you want with your space. You can also access the event and your space 24/7 so the hacking and party never fully stops.
I go to Defcon because it is the corporate paid excuse a handful of actually capable hackers I like to hang out with have to hang out. And maybe two or three talks worth seeing.
I go to CCC because it is the nearest place I can go experience thousands of actual hackers that believe in making the world better through open source, right to repair, music, art, and maximizing sharing and collaboration. Almost every person I talk to is an instant friend. People who largely agree technical talents are meant for more than raising shareholder value.
I love CCC and I keep going in hopes I can bring some of that back with me to silicon valley.
If anyone goes to CCC be sure to visit the Church of Cryptography which I am usually around.
Felt like counter culture to me when I went to my first one (DC11). I remember punk kids selling manuals and lineman sets they stole out of the back of telco trucks outside the entrance of Alexis Park.
>Defcon is no longer a counterculture conference, and arguably hasn't been for a while.
This happens to literally every convention ever, not surprising at all. The broader question is: is something like the original spirit of DefCon even still possible? The industry (and the stakes) are so much higher now that it seems impossible.
You do 10 things at a small conference, everyone says "we need more of X{0}..X{9}", you have more things next year, more people, everyone wants more of whatever, more people, more problems with more people (security, cost, sponsors,..), more attention of mainstream media, more people next year, more push for politics, more people, more issues with more people, etc., and in the end, you get a boring business conference like many others.
I'm pretty sure that each of the niches could make their own conference now, at some small venue where a 100, 200, 500 people would come... SNES hacking and development? Sure, a small, really nice conference... but then someone would want NES too, and N64, and sega, and PS1, and corporate sponsors, and you end up with E3 instead of 50 retro developers and 150 curious people doing interesting stuff.
It is but you have to intentionally keep it small and limit tickets. I think one of the issues that Defcon has is that they just don't cap tickets; historically they could not, because you could only buy a badge with cash so there was no way of predicting how many people would show up.
> This happens to literally every convention ever, not surprising at all.
The CCC would never.
Europe, for all its authoritarianism and infringements of human rights (even in relatively liberal places like Germany) still seems to be trying to not backslide into full-on military-industrial complex like the US is/has.
Defcon went fed when Jeff Moss went fed. But the crowd size has done way more to change the vibe. The 30% crowd post-covid year was a short return to old defcon.
This implies that you believed Moss was somehow a black hat before he got involved with Homeland Security Advisory Council, which is pretty funny. People just make these things up and state them confidently.
I went, while I enjoyed myself this year I feel it's gotten too big and too disorganized. Also I went to a couple of talks that would seemingly have been bread and butter talks for defcon that were very sparsely attended and I just wondered where everybody was.
This might just be FOMO with the organizers. It's probably time for DefCon to drop in person registrations, get smaller, and return to a hotel. Villages and village talks need to be better curated and basically the focus needs to be tightened up.
DEFCON talks are for watching on Youtube when they get uploaded weeks/months from now. It's always been about contests/challenges and partying. It's a con of cons.
For the $500 entry fee you would think they could provide earphones and someone would hack together an app that would let you listen through those earphones based on some sort of proximity detection. No doubt the first year someone would find a vulnerability in it and would need parallel deployment to the existing infrastructure, but still.
Would be a great idea, except they couldn't even operate WiFi with any stability (to which I heard was a LVCC problem, but I don't know that for sure).
>> It's a place for security professionals to go to hang out in Vegas for a few days on their company's dime, or to extend their stay after Black Hat.
That is me! :) I do not know where the counterculture hangs out at DC, because I have never been a cool kid, just a brainy weird kid among the brainy weird kids, even as an adult! But there are often quite a few insightful papers at DEF CON. I didn’t go this year, I think my managers are on to me. :)
if you s/counterculture/maker/g , so less about anti and more about doing, i'm with the others -- it's just bigger, with some individual subcommunities having ossified while new topics have opened their own new shiny & vibrant communities
ex: ai village was a new weird thing just a small number of years ago, but now that ai is the #1 topic at blackhat (commercial side), it even has its own big event that overshadows blackhat proper. imo that's a success story for defcon fostering doers.
Doesn't everything counterculture end up absorbed by the capitalist system eventually? I think I learned that from Tamala 2010: A Punk Cat in Space, or maybe from a youtube video about it.
It's not exactly new. Mudge is the current CIO of DARPA, and other people around the L0pht went on similar trajectories. Feds openly participating in DEFCON is itself a rather old flashpoint.
Way back in the times of hippies and yippies many were subsequently recruited by the empire. While he was troubled in other ways Abbie Hoffmann was, as far as I know, a notable exception.
In 2022, Google TAG were awarded a "lamest vendor" award at defcon for fixing a Chrome vulnerability they discovered was being exploited in the wild... without asking for permission from the NSA first. That was the turning point for me.
Ok that's weird indeed. Here at European hacker events this action would be applauded. Getting permission from spy agencies before fixing something would be a surefire way to get lamest vendor, lol.
Most there don't trust government. And besides security holes can be used by all sides so it's imperative to fix them asap.
The top two winning teams of that xTech AI pitch competition were not even AI solutions. It just seemed like a vehicle for the Army to now be able to award those companies non competitive contracts.
Not a new topic - few years ago, the Jen Easterly-era CISA made a hard recruiting pitch at defcon. Patriotism and service-messaging one might recognize from their own time in the military.
What was surprising was the intense applause from a hacker con to this pitch.
Given what was to come, also notably absent discussion from the audience or speaker about how working for CISA did or did not mean working for DHS. Assurances of firm segmentation on this aspect from speakers after the formal talk ended were similarly a bit weak.
Not that anything was inherently bad about her recruiting pitch, but for a hackercon, it was a bit close to the flagpole. And notably that CISA crew is “no longer at CISA” and under prosecution, or intense social pressure, or otherwise.
Spooks have been doing keynotes for a few years now. The so-called hackers are on toes, because deep down they wish to be daddy'd up to get to do some silly, secret-type shit. Contrary to the past, when spooks despised computer people (that's how cypherpunk came about.) On the other hand, Clearances are not what they used to be, too; every fart having to do with computers, analysis, collection is classed TS by default.
Being in tech and partnering with the US Army in 2025 is counterculture.
"When I first started coming to Defcon, it was full of hackers and we played spot-the-fed. Now you're all feds and we play spot-the-hacker."
Feels worth evaluating!
Most cybersecurity work in the US, by volume, rolls up to one of about five organizations - all of whom are US government entities.
Most cybersecurity work has nothing to do with keeping Russian bot farms out of outdated WordPress installs.
And he seems really well loved, as evidenced by https://www.reddit.com/r/Defcon/comments/1mlaw4s/comment/n7p...