THOTCON Hacking Conference [B-Side]

THOTCON is not your ordinary, run-of-the-mill security conference - and it's even obvious from the moment you browse their website. How did a local, small-scale event in Chicago, grow to become a major cybersecurity conference, and what is its connection to The Matrix movie? Producer Eliad Kimhy talks to Nick Percoco and Jonathan Tomek, two of THOTCON's founders.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Nick Percoco

Chief Security Officer at Kraken Digital Asset Exchange

With more than 23 years of information security experience, Nicholas was recently the Chief Security Officer at Uptake.
In 2011, SC Magazine named Percoco Security Researcher of the Year. In addition, he was inducted into the inaugural class of the Illinois State University College of Applied Science & Technology Academy of Achievement.
Percoco is the creator of THOTCON (a hacking conference held in Chicago each year), & co-founder of The Cavalry movement.

Jonathan Tomek

Founder @MadX

Researcher, Nerd, Marine. Cyber Threat Analyst.

Episode Transcript:

Transcription edited by SODA

[Ran] Hi, and welcome to Cybereason’s Malicious Life, I’m Ran Levy.
If you wish to get a sense of how unusual THOTCON is among the other cyber security conferences out there, you should probably start by visiting the website, It’s designed to look like a plain old terminal, black and white only, naturally. It’s partly written in Russian and Chinese, and under the heading of location it says Top Secret.
So yeah, THOTCON is pretty unusual. In a previous Malicious Life B-side episode we had Jack Daniel from the B-sides conference, and in this episode we’re continuing our tour of the most notable cyber security conferences with Chicago’s THOTCON, spelled T-H-O-T-C-O-N, which celebrates its 11th anniversary this year.
How did THOTCON come to be? What makes it unique among the other conferences? And what does it have to do with my favorite movie of all time, The Matrix? Eliad Kimchi, our producer, spoke with Nick Percoco and Jonathan Tomek, two of THOTCON’s founders.
Enjoy the episode.

[Eliad] All right, today we’re talking to Nick Percoco, aka C75, and Jonathan Tomek, aka Sakebomb. And we’re here to talk about THOTCON.
For those of you listening, living in the Chicago area, you probably recognize THOTCON as one of the biggest and oldest hacker cons in that area. It has a unique vibe and feel to it, and it draws thousands of people every year. So Nick, Jonathan, thank you so much for joining.

[Nick] Yeah, thanks for having us.

[Jonathan] Our pleasure.

[Eliad] Before we dive into THOTCON, can you guys tell us a little bit about yourself in a few words? Nick, you can go first.

[Nick] Sure, yeah.
Hi, I’m Nick Percoco. My day jobs have been in the security industry for coming up maybe on 25 years. Today I’m the chief security officer at a cryptocurrency exchange known as Kraken, and I run security and engineering there.

[Jonathan] And I’m Jonathan Tomek.
Probably I’m probably Nick’s like secondhand guy when it comes to a lot of random things when it comes to like swag and admission, the games, the CTF, things like that. So together we kind of make a pretty good team there. And my personal stuff, so I started my company called Maddox, and I’ve been doing a lot of cyber threat analysis and sci-fi, cyber to physical discovery of IoT devices.

[Eliad] Where did it all begin for you guys? Why even start a conference?

[Nick] Yeah, I mean, I could talk a little bit about that.
I think going back, if you roll back the clock in like 13, 14 years ago, I personally was in a place where I was speaking at lots of hacker conferences and security conferences, like all over the place, not even only in the United States, but all over the world. And I think coming back from Defcon, I don’t even remember which Defcon this would have been, but it would have been a Defcon, I think in like 2009.
I remember I was on a plane and thought, why isn’t there, why is there not a hacker conference in Chicago? And there have been like some conferences that have started and stopped over the years. Like there were, I think there was one called like ChicagoCon possibly that existed for a little bit. And then there was just like small little pockets of things, but nothing at the scale or even just not even really scale, just nothing of sort of the spirit that I think we wanted. I wanted at the beginning, like thinking about what THOTCON could be or like a conference like THOTCON could be. And the whole idea was to be very non-commercial, not like this conference where there’s like this giant exhibit hall and there’s like 50 vendors and then there’s like one track of talks and you get six people in the room because everybody else is just hanging out, being smoothed by vendors. Like that’s not what it sort of wanted.
It was more akin to what I experienced down in Brazil and Sao Paulo is a conference called You Shot the Sheriff that’s down there and it was very casual, held at a bar, sort of a top secret location. So I sort of borrowed that from Luis, sort of like the template basically of what I thought a conference could be in Chicago. It sort of fit, similar city vibe or it’s Sao Paulo, Chicago is sort of similar in that regard.
So THOTCON it could work well here in Chicago as well and thought, okay, well, what should we do with? How would it be organized? You know, what should it be called and sort of just started going down that path. And then chatted with Saki and a handful of other folks in Chicago and said, hey, let’s do this. So yeah, so that’s where it sort of all started was back in 2009. And I don’t actually remember like, I know Jonathan and I got connected up through just sort of the local, you know, hacker scene in Chicago, I think at that point.

[Jonathan] Yeah, I mean, the scene in Chicago was just so ripe for, we were so itching for something. And yeah, once we got together, I mean, that’s why we even had at Joe’s bar. I mean, that was, yeah, it was so perfect because the venue was just, it was so raw. And I think that was why everybody really enjoyed it so much. I mean, it really kicked off and we had that we packed that place. That place loved us so much.

[Eliad] Did it meet your expectation or was it completely like shattered as soon as it started, things just kind of were fly by the seat of your pants?

[Nick] I would say we had something pretty special, you know, at that first one, it just like the venue, the lighting, the screens, you know, like all that sort of just sort of clicked with what we were going for from a theme perspective. And then the population of people that came were this were the same folks that attended like 2600 locally every month that attended like DC 312 every month that attended shot, you know, the shy sec conferences, you know, not conferences, but meetups. And so like just drawing from that, that group of people, we usually, I think we had like, you know, 130 people and it was almost like no advertising. I think I posted the only advertising I did, I think I posted it to full disclosure when like the call for papers, you might be able to find like in the archives of full disclosure, my first email out there. But that’s we did the sort of like this call for papers and then advertised it. And then we got some really awesome people to present talks and speak and, you know, and it was a good time. I think everybody had a really great time.
And then we just decided to do it and do it once more. And it grew just a little bit. And then I think that’s when it sort of started taking off, like the demand for like the space and the tickets and the people sort of, we were, we always capped it, but it was always sort of outpaced what we’re looking for. And today it’s even the same, right? We’ll sell tickets out.
I think we sold out tickets for this one that we’ve postponed for, it feels like forever. We sold out this one on October 1st, 2019 in like something like 12 hours or something like that. Like all the tickets were gone and we still haven’t had the event, right? It’s sort of, the event’s going to be in October of this year.
So it’s going to be almost two years, it’s going to be longer than two years after we sold the tickets is when we’re having the event this time, but they sold that the demand for it was crazy, sold out like almost immediately.

[Jonathan] Oh yeah. So many people still ask me like, Hey, do you have any more tickets? I’m like, Nope, sorry.

[Nick] What we learned is that at our events, things got a little raw and not as like buttoned up and professional as like most of the other conferences. I would say even like DEFCON, right, at that time, right, because DEFCON you’re on stage in front of like, you know, 3000 people, there’s cameras everywhere, there’s reporters.
Things are a little more reserved and we found our events, the speakers, even though these were the same speakers that were speaking at places like DEFCON and Black Hat and RSA and big conferences that were speaking at our events, they enjoyed, you know, letting loose a little bit and going a little deeper, telling backstories about certain things. And so we made a decision, I think after THOTCON 2, like no more recordings at all. And we haven’t, so there’s no, there is no like video record of like, you know, hundreds of talks, right? Like actually more than that, like maybe a thousand talks now, there’s no video record of them. They don’t exist. And the whole idea is you had to be there, you had to be at the event. And that was it.

[Eliad] Before we get to the visual elements that I do, I do want to talk about because they’re really cool.
We have to talk about the name, right? Because I think for those of you listening, for the listeners of the podcast, might think that THOTCON is spelled T-H-O-G-H-T, but actually it’s spelled T-H-O-T, which in popular vernacular, popular lingo might mean something else.

[Nick] Yeah.

[Eliad] What’s the origin? Of course, this predates any of that. What’s the origin of the name THOTCON?

[Nick] Yeah. Well, it means that hacker over there. No, I’m just kidding. Yeah. So, yeah, we predate any of that vernacular that exists today. It basically was me with a United Airlines napkin, just like jotting down names of a potential conference. And I sort of, you know, I knew ChicagoCon had sort of existed, you know, sort of wanted to get away from that.
I think I had like ChiCon or something like that was with some ideas, but there was ChiSac and I didn’t want to like conflict with that. And then my original idea was just the numbers, 312Con. And I thought, you know, that’s sort of generic too. Like I don’t know. It doesn’t have like a, it doesn’t feel like a brand. It doesn’t feel like something you’d want to, you know, continue to go to for years. And so I was writing down like the words 312 on a piece of paper and then underlined the T-H and then the O from one and then the T from the two. And I got Thought and I put THOTCON together.
And Thought, it’s in thought that it sounded great, right? Because it’s sort of, you could say THOTCON and it sounds like thinking and ideas and a conference, but then it’s not spelled that way, right? It’s spelled different and that’s where it really came from.
And the first thing I did when I got off that flight back from DefCon is I was in the back of the cab, like on network solutions, like trying to see if that domain was available and sure enough, .org .com and .net were all available. So I just bought all three right there. Which is kind of odd, right? Like for that time period for, you know, a seven character domain name, like you’d think someone would have, you know, randomly sucked that one up and been squatting on it by then, but they weren’t. So miraculously, we grabbed it and we were able to start building a website around it and doing all these things.

[Jonathan] So something funny about all of that is I think it was really like THOTCON 4 it had to be because that’s, it was like right after we moved to the new venue, we had the after party at this venue and we had a couple of couples show up really, really dressed up that were obviously not part of the THOTCON crowd and we’re like, hey, what’s going on? What are you here for? They’re like, we’re here for the THOTCON party, like, oh, well, you’re welcome to stay today. But they looked around and they saw all these people and thought they were

[Nick] dressed to the nines, like dresses and like very flashy tuxedos, right? It was like this whole like get up. It was like pretty incredible. I was like, that was the first time I actually thought that there was anything else that was named that. And I still didn’t really quite get it.
Even after that time, it was like, I think it was THOTCON 4, right? It was like THOTCON 4 and like that was it. And then like it never crossed my radar after that, probably until like maybe four years ago.

[Jonathan] Yeah, six or seven.

[Eliad] So when I think of THOTCON, I mean, sort of shifting gears, but also still in line with the whole abandoned warehouse. When I think of THOTCON, I think about the style, the experience, the visual style. When you go to sign up for THOTCON, it’s all text-based. It’s ASCII. There’s no visual. There’s no GIFs, if I remember correctly.

[Nick] Yeah, that still is.

[Eliad] And the whole feel of it is very, very underground to the point where you would not reveal the location. Even if it was the same location, you wouldn’t reveal it.

[Nick] Yeah, we don’t.
We never published the location. It’s never been published by us online. It’s never on the ticketing site, never on the website. Yeah, that was part of the idea.

[Eliad] So there’s a real like HackerCon vibe to use the term liberally.
Where did it all come from and what’s it like to keep this going, to keep it up?

[Nick] The idea that I had even early on, if you look back, you can look at our archives and you can see what the first THOTCON website looked like, and it looked very similar to what it looks like today. We’ve expanded the view, right, I think it was like 40 column, like commoner 64, 40 column, kind of like just fit into a screen kind of thing, as with the first website.
But the idea was really just bare bones, kind of look and feel. We wove in, even from the first one, it was very like, we also wove in Chinese and Russian,
even into the first one. There was always Chinese or Russian tax. And the whole idea was like this backstory, putting this backstory around the conference that really never existed was like, the backstory I sort of mentally wrote was, this is some underground hacker conference, international, where people from all over the world show up.
And it’s like, there’s Russian hackers that come possibly, there’s Chinese hackers that come possibly, and there’s folks in the US that are there as well. That was sort of the implied backstory to it, and sort of put that into the look and feel into design, even to the point where like, when you first came to the conference, the idea was that everybody got the same things, right? So it was like, when you go to a conference, you’re like, oh, I get this, I get a badge and that’s it. Like what we did is, the first conference, you got a bag that had a t-shirt in it with your size, it had a program, it had one sticker, it had one pencil, it had a pencil sharpener in there. And then all of this was packaged in this black envelope that had a sticker on it that was randomly in, it was like printed in Chinese or Russian or English, sort of overlaid over it. And so that was the sort of like unboxing feel that the first one had.
But the whole idea is just like, and it’s the same, we haven’t changed that since… Since forever. That’s the same sort of thing that we carry over and the same components are in there. And I think people really look forward to that.

[Eliad] Just to put things in perspective, by the way, how many people are attending this next one?

[Nick] Looks like about 1,800.

[Jonathan] 1,800.

[Nick] Yeah. Yeah. I think we, yeah, I think we sold like about 1,700 tickets or total tickets were issued. And then you include the speakers and you include the operas. And so I mentioned operas earlier, so operas are volunteers at the event.

[AD] If you’re a defender fighting to protect your organization from cyber attackers, you must be successful ending attacks every single time. They only need to be successful once. Cybereason reverses the attacker’s advantage. Our future ready attack platform gives defenders the wisdom to uncover, understand, and piece together multiple threats and the precision focus to end cyber attacks instantly. Cybereason ends cyber attacks from endpoints to everywhere.

[Eliad] One thing I think is really front and center is the puzzles. Are the puzzles, you guys mentioned that, but as soon as you open the program, there’s
puzzles, there’s always strings, what, how, how did that come about? And you know, there’s, they are some serious puzzles.
How do you guys do that? How do you develop that?

[Jonathan] Being curious, you know, everybody always wants to, to learn. So you got to hide stuff and gives people something to look at, gives you the ability to start hacking away. I mean, whether it’s hiding some ciphers in there or just, Hey, I want to go connect to this server and see what’s on. And that’s been the whole intent of literally all the puzzles is let’s, let’s hide it in the program. That’s always the way to start and learn something.
I mean, at least from my perspective, I want you to come out of there with something to say, Hey, I, I’ve gotten better in some way, or there’s something I didn’t even know about. And the, the grading of how difficult the puzzles are is just based upon us. How far you want to go. So you kind of have to work together with some people that might not know it.
I mean, I remember one of, one of like just the cipher puzzles. It was like, it was like a 10 phase step that was literally in the badge. It was just on the top row. And I forget, that was probably one of the first years you attended there. And that basically went through every different language and you finally got to the final answer and it was like, Hey, let’s, Hey, just try it, you know, something to do.

[Eliad] How many of these things?
I mean, it’s, is this a kind of a rabbit hole for you? Do you brush up on your crypto like cryptology every, every THOTCON, trying to find new ways of…

[Jonathan] You better believe that I think the one thing you can say, and I think this will go the same thing for Nick is it’s incredibly more difficult to be a teacher or that leader because you have to be able to broaden your mindset over everything that’s going on. So you have to know a lot in order to teach people, but you also have to know how to be within your theme of the year too. So you don’t want to stray.
You want to kind of keep people on a path, but yeah, I’m, I’m constantly coming up with puzzle concepts or different crypto puzzles that one are solvable and not like crazy obscure, but two can somehow make somebody go, okay, I see the rational. I see the plan and how this is going to like unfold itself.

[Eliad] So I’m switching gears again, going back in time to the first, first couple of first few THOTCON were there any memorable moments in those few THOTCON, memorable talks or experiences that you guys remember?

[Nick] Yeah, I don’t. There’s probably a few we shouldn’t talk about maybe?

[Jonathan] We, we, we got to talk about one. That’s just at least really hysterical about the, the boxing match after the, the UFC fights.

[Nick] Oh yeah! Yeah, Yeah.

[Jonathan] So that’s a good first one. That’s PG ish.

[Nick] Yeah, definitely.
So I’ll tell a little bit about it and then maybe Jonathan, you might have more, more details in it, but I think it happened. Did it happen? It was only the second, if there’s, it was after con two, right?

[Jonathan] It was after two.

[Nick] Yeah. So we had at this bar called Joe’s bar in Chicago that is still around that had sort of evolved. I think it used to be like a sports bar, but then it sort of evolved into like a country bar and then also would have like these obscure, like other kinds of events that they would host in there.
Cause it was a unique space, it was literally like a large room, lots of televisions all over the place, floor painted black ceiling painted black, you know, it was like, you know, it was like almost like this sort of like a theater kind of feel to it, but it was a bar as well. Like it was this, you know, it was a bar, like a sports bar kind of feel.
And they told us going into it that we needed to be done by like a certain time. It might’ve been like six o’clock. Like we only had it for one day. This is when the event was only one day. It was on a Friday, just once one day and that’s it. It was not two days.
And they told us we needed to be done because they needed to set up for an event that evening. And I don’t think they told us what the event was. I’m pretty sure. And so like right at like, cause we had to be done at six, but like right at like 540 or maybe 530, these people started bringing in like, like, like chain link fences, right? And like, and like stage material, like, like debt, like sort of like risers and like all this kind of stuff.
He started bringing it in, like, just sort of like putting it in like the doorway, like getting into like where we are, and it was just sort of, okay, we’re closing up or talking about stuff. And then we had this VIP area that we had that was upstairs that overlooked the stage area and people were up there finishing up their drinks. And all of a sudden, like all of these girls in like, like different costumes started showing up. Like, wasn’t it like Snow White? There was like all these different costumes and they started showing up. And, and basically this was like, this like women’s wrestling cage match kind of thing that was going to happen at the venue after we were done.
I think there might’ve been like guys as well that were going to fight, but it was this whole like real crazy thing. It was like amateur cage match fighting. And while we were cleaning up, they were like just pushing the chairs away and like setting up these like caged walls for like the stage that was going to go in the middle of the room. It was pretty crazy.

[Jonathan] Oh yeah. Everybody was asking us like, is this what happens after dog hunt every year? Is this the next part? Is this the after party? Is this the after after party? Yeah. Nobody knew. Oh man.
[Nick] It was pretty, it was like, we had no idea what was going on. People were asking us and we have like really confused about like why there was like this cage match that was forming.
And they’re like, oh yeah, that’s what we scheduled after your event. And so then we’re, I think after that we were like the next year we moved venues, but we were like, there cannot be an event after our event. Like we need to be able to book the whole venue from the, for the whole day, no events afterwards.
And so what we ended up doing, I think in THOTCON three, it was in THOTCON three, maybe even THOTCON four, maybe five as well. I don’t know. We, we had like our after party at the venue. The venue was big enough that we were able to convert the whole venue into an after party. So we didn’t run into that situation.

[Jonathan] We at our very first year, we even had some guy starting to DDoS, it wasn’t even DDoS network. He was just trying to hack the whole network and we’re like, we’re looking around trying to find this dude.
Like everybody’s complaining like what’s going on? Why, why is the internet down? And we, we barely had like internet at that, that first conference anyway, that was, that was a hard pull. And we ended up looking around with security guys like, where is this dude? Where’s this dude trying to figure out what’s going on? And he’s sitting at the table with this, the, I don’t even know, it was like the high boy by the bar. And we’re like, that was like the first major security event we had at THOTCON one. We’re like, what the heck? Why is this one guy doing this?

[Nick] Like the guy, he had like no good reason to, he was like, what the, I thought this was a hacker card. I thought this was all cool. Oh man, those are ridiculous. But that also, after that whole day, that’s what ended up starting the after-after party when we were going to Neo.

[Nick] Maybe for, maybe for some of the people who are listening, maybe you could explain what Neo is.

[Jonathan] Oh man, you’re right. This is a fun one.
So if anybody, well, everybody should be familiar with The Matrix, the Wachowski sisters attended the Neo nightclub for years. I mean, it was a staple of Chicago scene. And the club, if you really want to get a feel for it is when you first watch The Matrix, when he says follow the, or when they say follow the white rabbit and you go into that club, that feeling right there is literally what Neo, that club was. It was underground down a back alley.You would not have known it was there. It’s in like middle of the street that you’re just like, oh, hey, it’s all nice retail stuff. But you go down this alley and you walk in there and you’re like, wait, this is where we are. What’s going on?
And it’s the, if anything could be more like industrial cyberpunk feeling, this is exactly what it was. This was, it goes back to all of our youth and which is why we were so excited about it. But the, it just became like this after-after party where everybody could just be completely free and enjoy industrial music, enjoy like EBM, EDM. And that’s actually the same feeling that we’ve been going for, for THOTCON.
I mean, I kind of weave some of that into like the programs and stuff, but that is, I mean, that’s always been us. So if you haven’t attended, definitely recommend it, but it’s also kind of, it might not be for everybody, but who cares? I mean, it’s something that’s a lot of fun, but we still, since Neo has closed, which is now, I think it’s like children’s daycare.

[Nick] It was just pretty crazy, taking your kids to their, I’m sure they had to really clean that place up. But I imagine like people unknowingly in Lincoln Park in Chicago, like, hey, there’s this new great daycare. They have no idea that they’re taking their kids to what used to be Neo.

[Jonathan] Oh yeah. So what we ended up doing now is every year now, we find a venue and we remake a Neo night even with the same old DJs and everything and have a lot of the same old attendees that come. And this includes like the scene formerly from Chicago that used to attend Neo too. So it becomes like all around a really, really great night.

[Eliad] I kind of wanted to end on a future looking, you know, I was thinking about asking you guys, what do you think is the impact that you’ve made on the community around you? And what are you looking forward to?

[Nick] The one thing that I get the most out of THOTCON are the people that I’ve met and then reconnected with over the course of the year, many years that we’ve been running it. So there’s, there’s countless numbers of people that I’ve met or seen at like one of the early THOTCONs or even just different THOTCON over the years who have, who have like met up with me or like, you know, walked up to me at other events who have said things like, hey, my first hacker conference ever was THOTCON. And you know, the first time I ever went to a hacker conference and now I’m speaking at
DEFCON this week, right?
Or they’ve said things like, you know, I was a, you know, a Windows administrator at a bank in Chicago and, you know, was really interested in security, but really couldn’t get into security in my bank. Like, you know, it was sort of like this, this wall that I couldn’t get past. So I decided to take it upon myself and I bought tickets to THOTCON, I attended a bunch of, you know, talks, I met a bunch of people and now I’m, you know, now I’m in security at this other organization because of the things that I learned or the people I connected with.
And so that’s, that’s where I think the biggest impact that’s really given people opportunities or created opportunities for people in the Chicago community, but also in the global community who have come and attended, you know, when you just run a conference for like maybe one or two years and ended, you don’t really get to see that impact.
But since this has been around for a decade, there are people who started coming to THOTCON when they were like 17 years old, who are now almost 30, right? So they’re now getting into like the mid-career and they can tell us like how they got into the, get into the community, got into the industry and are now doing great things, which is really, really exciting and awesome to see.

[Jonathan] What’s so cool about THOTCON, which I never really would have thought possible, but other than it just being like a localized Chicago conference, which was originally our core goal, it kind of became international that like I’ve, I’ve been to Taiwan and I’ve been to HitCon and they’re like, oh yeah, you, you, you’re, you work at THOTCON.
I’m like, yeah. I’m like, how do you know who I am? I’m in, I’m in Taiwan. They’re like, oh, I’ve been, I’ve been there. I know people that went there. I’m like, do you want me to have a side of the world? How do you even know about this?
But it’s, it’s, it’s really wild to just see how the influence spreads about the community and just seeing people grow and keeping that cultivate because I’ve met many, many people now that are just so excited about just not only growing and learning something new, but bringing others into the community. And this is why we keep it as raw, why we keep it as like old school as possible is because everybody really resonates with that. That is in the hacker community and with that, like keeping that community going is probably the most, is probably my favorite thing about it because it’s something that I, I love the nostalgia of it, but so does everybody else. So it kind of keeps us all really tied together.

[Eliad] Really appreciate you guys. This was a really fun conversation. I hope you enjoyed it as well.

[Nick, Jonathan] Thank you too.