Season 3 / Episode 122
Jeff Moss, founder of the DEF CON Hacker convention (and also the BlackHat convention), talks to Eliad about the origins of DEF CON, its "interesting" relationship with law enforcement agencies, and some of the notable shenanigans the conference attendees pulled off over the years...
Photo of Jeff Moss by By Jason Scott - Dark Tangent, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=38404280
- Episode 22
- Episode 23
- Episode 24
- Episode 25
- Episode 26
- Episode 27
- Episode 28
- Episode 29
- Episode 30
- Episode 31
- Episode 32
- Episode 33
- Episode 34
- Episode 35
- Episode 36
- Episode 37
- Episode 38
- Episode 40
- Episode 42
- Episode 43
- Episode 44
- Episode 45
- Episode 46
- Episode 47
- Episode 48
- Episode 49
- Episode 50
- Episode 51
- Episode 52
- Episode 53
- Episode 54
- Episode 55
- Episode 56
- Episode 57
- Episode 58
- Episode 59
- Episode 60
- Episode 62
- Episode 63
- Episode 64
- Episode 65
- Episode 66
- Episode 67
- Episode 68
- Episode 70
- Episode 71
- Episode 72
- Episode 73
- Episode 74
- Episode 75
- Episode 77
- Episode 78
- Episode 79
- Episode 80
- Episode 81
- Episode 82
- Episode 83
- Episode 84
- Episode 85
- Episode 86
- Episode 87
- Episode 88
- Episode 89
- Episode 90
- Episode 91
- Episode 92
- Episode 93
- Episode 94
- Episode 95
- Episode 96
- Episode 97
- Episode 98
- Episode 99
- Episode 100
- Episode 101
- Episode 102
- Episode 103
- Episode 104
- Episode 105
- Episode 106
- Episode 107
- Episode 108
- Episode 109
- Episode 110
- Episode 111
- Episode 112
- Episode 113
- Episode 114
- Episode 115
- Episode 116
- Episode 117
- Episode 118
- Episode 119
- Episode 120
- Episode 121
- Episode 122
- Episode 123
- Episode 124
- Episode 125
- Episode 126
- Episode 127
- Episode 128
- Episode 129
- Episode 130
- Episode 131
- Episode 132
- Episode 133
- Episode 134
- Episode 135
- Episode 136
- Episode 137
- Episode 138
- Episode 139
- Episode 140
- Episode 141
- Episode 142
- Episode 143
- Episode 144
- Episode 145
- Episode 146
- Episode 147
- Episode 148
- Episode 149
- Episode 150
- Episode 151
- Episode 152
- Episode 153
- Episode 154
- Episode 155
- Episode 156
- Episode 157
- Episode 158
- Episode 159
- Episode 160
- Episode 161
- Episode 162
- Episode 163
- Episode 164
- Episode 165
- Episode 166
- Episode 167
- Episode 168
- Episode 169
- Episode 170
- Episode 171
- Episode 172
- Episode 173
- Episode 174
- Episode 175
- Episode 176
- Episode 177
- Episode 178
- Episode 179
- Episode 180
- Episode 181
- Episode 182
- Episode 183
- Episode 184
- Episode 185
- Episode 186
- Episode 187
- Episode 188
- Episode 189
- Episode 190
- Episode 191
- Episode 192
- Episode 193
- Episode 194
- Episode 195
- Episode 196
- Episode 197
- Episode 198
- Episode 199
- Episode 200
- Episode 201
- Episode 202
- Episode 203
- Episode 204
- Episode 205
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
President of DEF CON Communications, Inc.
Moss is the founder and creator of both the Black Hat Briefings and DEF CON, two of the most influential information security conferences in the world. He is a internationally recognized expert in internet and information security.
Because of this background Jeff is uniquely qualified to bridge the gap between the information security researcher community and law enforcement, between the worlds of pure tech and the responsible application of policy. Mr. Moss speaks publicly on these issues and has an extensive global network.
Transcription edited by SODA
[Ran] Hi and welcome to CyberReason’s Malicious Life, I’m Ran Levy.
So far in our B-side episodes, we covered two major and well-known conferences, ThoughtCon and Security B-sides. Now I think it’s finally time to talk about the largest and most famous conference of them all, DEFCON.
So what is DEFCON?
DEFCON is a hacker’s convention established in 1993 by Jeff Moss. From a very modest beginning of just 100 participants, DEFCON route more than 30,000 attendees who gather each year in Las Vegas to hear talks by experts, see interesting demos and play games. A lot of games.
Each year the best hackers from all over the world compete against each other in contests like scavenger hunts, tech trivia, beard contest and, of course, the now iconic capture the flag competitions, car hacking, AI challenges, digital forensics and many, many more such events. There are also villages, which are spaces dedicated to specific topics, such as the blockchain village, biohacking village, ethics village and more.
Just to give you a sense of the significance of what’s going on in DEFCON, the voting machine village, which was established in 2015 and allowed hackers to test the security of electronic voting machines, ended up publishing an award-winning report and actually managed to raise national awareness to the vulnerabilities of these devices.
Jeff Moss, our guest in this episode, is an extraordinary person.
He is not only the founder of DEFCON, but he also founded Black Hat, another very well-known conference. He’s also an established security expert and a member of the U.S. Department of Homeland Security Advisory Council. Our producer Eliad Kimchi spoke with Jeff about the origins of DEFCON, its interesting relationship with law enforcement and some of the notable shenanigans the conference attendees pulled off over the years.
I’ll pop up during the interview here and there to expand on some of the topics mentioned.
By the way, we’ll also post a longer, unedited version of the interview on our YouTube channel, so if you wish to hear the entire conversation between Jeff and Eliad, head on to our Malicious Life channel on YouTube.
Thank you for tuning in.
[Eliad] So today we have with us Jeff Moss, also known as the Dark Tangent.
Jeff is, of course, the legendary founder of the DEFCON conferences and Black Hat conferences. And Jeff is here today because we want to talk a little bit about the history of DEFCON.
So Jeff, thank you for coming. And for those of us who don’t know you, could you tell us a little bit about who you are?
[Jeff] Yeah, so I’m Jeff Moss.
I’m known as the Dark Tangent. And I’ve had that handle for probably 35 years or 40 for a long time. And I’m probably best known for starting DEFCON and the Black Hat security conferences.
So it’s something I fell into doing. You know, I was a professional penetration tester before that term was invented and it was something I was kind of doing on the side, throwing the DEFCON party, and it just grew. And same thing, Black Hat was the spin out of DEFCON.
And so that was not my master plan. It was not my goal in life, but that’s where I ended up. So I ended up doing what I love.
[Eliad] So you said that DEFCON was never your ultimate goal.
How did it all start then? Where did it all come from?
I’ll tell you the story as best I can remember it. Remember, it’s been a while, but back in the day before the internet was popular, it was X25 network and it was dial-up Bolton boards. Fido networking was the dominant species in that world. And I had a Bolton board called a Dark Tangent system. And I was the Dark Tangent.
Now, that’s a name that you don’t hear much these days, but it played an important part in the evolution of our modern technological world. It began with bulletin board systems, or BBSs, which were servers that users could connect to, usually using modems over phone lines, and browse for software and data using a terminal interface.
According to Wikipedia, in the early 90s there were about 60,000 such BBSs serving 17 million users, not an insignificant number. Now, each BBS was a standalone machine, but many of them were interconnected, in a sort of internet-before-the-internet kind of way, by messaging networks that relayed information between BBSs worldwide. FidoNet was one such network and the most popular. At its peak, in 1996, it connected around 39,000 BBSs.
[Jeff] This Bulletin board system ran, I think it was a teleguard BBS, and I was networking with about 11 or 12 different networks. Some were phone-freaking, some were piracy, some were hacking, some were whatever it was. I had had enough jobs, temporary jobs, whatever, that I could pay for my long-distance bill, which was rare back then, because remember, you had to pay long-distance, and that was expensive. Networking was expensive.
Since I paid for my dial-outs to all these FidoNetworking hubs, I could be a reliable place to drop off and pick up message bundles. My Bolton board quickly became a hub for North America, for all these networks. Because of that, I was highly connected and talking to a lot of really interesting people.
One of the networks I was connected to was this network called PlatinumNet. It was out of Canada, the guy who organized it, but since I was a North American hub and most of the users were in America, I was the biggest, most important hub, and so I got to know the guy who started it in Canada.
A couple years went by, and I was now probably ending college, leaving college, and the internet had started, and you could get onto it, but it was kind of difficult.
All of a sudden, he says, hey, my dad’s taking a new job, and we’re moving from Canada, and I’ve got to take down PlatinumNet. We should throw a going-away party, and I said, okay, great, where? He said, well, nobody’s going to want to go to Canada. Most of the users are in the United States. We should organize it in the United States, and I said, okay, that sounds like a great idea, and that was it.
I never heard from him again.
The conversation ended mid-sentence, and that was it. If he’s tried to reach out to me over the years, I’ve never gotten a connection. I have no idea what happened to the guy, but it had planted the seed in my head to throw a party, and so then I said, well, if I was already going to do a party, I may as well try to organize and invite everybody from my other networks, and at about that time, I torched my hard drive for my Volcom board.
I had saved up forever, and I bought this $2,000 hard drive.
It was one gig. It’s like five and a quarter full height. I mean, it’s a huge thing, Mac store, and I smoked it, and I was like, not to worry. I have tape backups.
Have you ever tried to restore from a quick 40 tape backup? I mean, no. I was totally let down. My backups failed me. The tape backup thing was…
So basically, this bulletin board I’d put years and six years into my life in the building was mostly just gone. I had some floppy drive backups of some config files. So I’m like, well, that’s the end of my bulletin board and the thing I’ve poured my life into for years all through high school and college, but I was still planning this party.
So now I started promoting the party on IRC for Pound Hack and Pound Freak and Usenet, and it just forced me to transition to the internet faster, and so then I just started inviting everybody because now it was my party. It wasn’t a platinum met party or the other party. It was whatever I wanted to make it, and also you have to remember at that time, there’s some other hacking parties. There was SummerCon, which was the first one I’d heard of. That was in Atlanta on the East Coast, and that was invite only, and I wasn’t elite enough back then to get an invite, but one of my friends was. He went in and he had a blast, told me all these crazy stories and all these hackers you read about in Frac and all these underground zines were there doing crazy stuff, and that kind of bothered me that I couldn’t go, so I was like, you know what?
Anybody can come to mine. Anybody that can come to Vegas will come to mine. So it’s going to be not invite only, very intentionally, and also there was also another hacking conference down in Texas run by Drunkbox called Hococon, and I went to that.
So I was planning DefCon.
I don’t think DefCon had happened yet, but it was about to happen. I went there at Christmas, and then my con was coming up in July, and that was also crazy, and I learned a lot from that, and the number one thing I learned was don’t ever throw a convention in a city that closes at five o’clock, because by 5.30, the hackers were going crazy, like lighting garbage cans on fire in the hotel, pulling the fire alarms.
Like they were going crazy, you know, lots of drinking, all of that, and so again, I was like, aha, Las Vegas is a good location, 24-hour city, lots of things to do if you don’t like the convention, and back then, I didn’t know how many people were going to attend, so I was thinking if it all else fails, I’ll be in Vegas, I’ll be broke, but I’ll be in Vegas. I’ve never been to Vegas before, and it’ll be a big story, a big adventure, you know, and I’ll figure it out, because it wasn’t that much money, even if it crashed and burned, it was like I was out $1,000 or $2,000, it wasn’t too bad in the scheme of things.
[Eliad] Well, it’s good to know that not a lot has changed.
These conferences still get pretty rowdy, but of course, I’m sure a lot has changed as well. For those of us who haven’t been to any of the early ones, what was it like? What was the atmosphere like in one of the earlier DEF CONs?
[Jeff] That first one was we didn’t know what to expect, didn’t know a thing about running a convention, and I didn’t really know how to invite anybody, so what I did is I sent out a ton of emails. I had a call for papers, I believe, but it was really a lot of word of mouth, and so if you look at that first DEF CON list of speakers, it was pretty awesome.
We had Dan Farmer, who was like the Unix god. Everybody wanted to be Dan Farmer, everybody wanted Dan Farmer’s job. He was essentially the security guy at Sun Microsystems, and he gave a talk, and he was saying, you know how they have more and more systems at Sun, and it’s too time-consuming to try to secure them all, so he’s thinking about writing essentially scripts and ways of scanning his network to find problems, to find vulnerabilities that he can use, like a security analysis network attack thing. Maybe I’ll call it Satan, and what do you know, six, seven months later, he releases his tool, Satan, gets him on the cover of Time Magazine, and that starts the whole automated scanning for vulnerabilities thing.
We had Gail Thackeray, who was famous back then, she participated in this Operation Sun Devil, which was the first big sort of federal organized push against software pirates from Maricopa County in Arizona. So we figured, well, there’s so much bullshit in the underground back then, because there wasn’t Google, there wasn’t Amazon, there weren’t a lot of sources of truth. So everything spread by word of mouth, and it always got embellished, and pretty soon, all the things you heard were nonsense.
And so the whole point of that first one is like, let’s hear it from the horse’s mouth, let’s hear it from Dan Farmer, let’s hear it from the prosecutor, let’s hear about it from a lawyer, Curtis Carnell, let’s hear about it from an EFF attorney. And you quickly find out that reality is different when you hear it from the people who do it for a living, right?
It was funny, one of the speakers was supposed to speak, but he was busy being prosecuted by Gail Thackeray, the other speaker, so now they’re in a different state and everything, but that made him so intimidated that he decided not to speak.
[Eliad] Are there any crazy stories that you can share from those early days?
[Jeff] I remember DEFCON, DEFCON 1 was pretty smooth because it was just one room, and the people who showed up the first DEFCON were pretty, you know, they were into it, whatever the announcement said, they were going to go there and experience that.
The second con, word of mouth, it spread, and we went from like 100 people to maybe 300 people or so, but by the third con, that one made me think maybe this isn’t such a good idea, because by the third con, there was enough people that were just along for the ride to cause chaos.
[AD] If you’re a defender fighting cyber attackers, you must be successful every time, they only
need to be successful once.
Cybereason reverses the attacker’s advantage, and cyber attacks from endpoints to everywhere.
[Jeff] They were breaking shit, they were, I mean, they’re definitely some troublemakers. And more than just normal shenanigans, right, they were like, doing stuff that could potentially have the hotel arrest them and stealing microphones and breaking into the bars and pouring themselves drinks and, you know, stuff that’s kind of shenanigans, but like I said, but then there was one, this guy, you know, you have those PA systems where they page people over the thing. And they would also have these bingo rooms, I guess, where you have these stamps and you stamp out your numbers, they’d call up these numbers over this PA system.
Well, it’s one phone freaker guy goes in and total like, knows no fear, just goes in, walks into the staff only door, opens up the next door he sees, goes down some steps, he’s in the basement, he’s wandering around some basement, he opens a door, he’s in the IT center, it’s at night, nobody’s there, he sits down, he gets on the console, and he just starts hacking the phone system. And he prints out a list of every extension in the whole hotel, prints it out, grabs it, leaves. And so he gives me a copy, or he gives me the extension after they’ve gone through it, they’ve already had fun with it for a day or so, and it’s toward the end of the con, he gives me this list, I’m like, Oh, it was you.
And what they were doing is they would know, like, if I call this one extension, I’m in the PA system in the room where they’re doing the bingo thing. So they just call it extension, and be like, b 32, c seven, and just random stuff, paging IP spoofer, Mr. IP spoofer, you know, and they would just take over the intercom system for the hotel and just do all kinds of pranks. But as you stack up enough of those things in the hotel starts to get a little nervous.
Those stories like there was one year, about around that time, Defcon three, Defcon four, definitely by five, the conference had gotten big enough that I couldn’t know everything that was happening anymore. It was bigger than me.
And I remember that had a big emotional impact on me, because it’s sort of like, Hey, this is my party. These are all my friends helping me run it, but I’m not experiencing it all anymore, because too many things happening in too many places that I have to hear the stories from people. And I’m okay with that now.
But at that point, it was something to get over, like you had to be okay with that. Just like you have to be okay, knowing that you’re always going to allow people in, or you’re always going to grow or, you know, it’s a fork in the road, but if you’re not okay with not knowing everything that’s going on, you’re going to have to cap attendance.
So there was one year, it’s particularly destructive year, and, but I want to tell you the story, just because visually I find it, it’s the best story visually for me to tell. So I can’t remember the name of the hotel and people, if you went into the elevator and you, they didn’t screw in their elevator panel, I don’t know why, but they didn’t use any screws. So if you pressed up against the elevator panel and slid it up, you could pull the whole elevator panel off, spin it around. And then people would just cross-connect all the buttons and then put the panel back.
So you had no idea where you were going, right?
And I remember there was also the scavenger hunt was going on. And one of the scavenger hunt items was a door from a telco van, didn’t matter if it was GTE or AT&T, it was just a telco van. And so I remember I’m sitting there in the lobby, it’s late, it’s like probably one in the morning and I’m talking to someone and I’m waiting for the elevator and the elevator door opens and there is a GTE door just in the elevator by itself, right? That’s the door prize for the scavenger hunt, like not getting in there, ding, closes, ding, next door opens. It’s the satellite dish from the roof of the hotel, right? The hotel next door couldn’t process any credit cards apparently because their satellite system was down. Okay, door closes.
So they’re having a lot of fun with the elevator as well.
On one of the floors, they were wiring in new smoke detectors. And so when you got off the elevator and you look down those big long hallways you’d have
in Vegas, you’d look straight down this hallway, they had all the smoke detectors like half hanging out, like the electrician had strung them in, but they’re hanging a foot or two from the ceiling waiting to be found in the ceiling and it’s late and it’s party time and somebody comes skipping down the hallway and he jumps up in the air, grabs the smoke detector closest to the elevator, throws in the elevator and presses the down button. Doors close on the smoke detector with the cable and goes down and it starts pulling out all the smoke detectors like a chain, like it smashed one into the ceiling and popped and the smoke detector would fall on the street and then the next one popped and it just ripped out the smoke detectors down the whole hallway.
I mean, that seems like something from a movie, but like I said, some of the stuff was pretty destructive and I never got a bill for it. The hotel never brought it up, it was never mentioned and that’s when I realized they must be making so much money that they don’t care or to us that seems really destructive but maybe that’s kind of normal in Vegas as far as I know.
So I asked them, I asked them one year and I said, hey, where do we rate in the destructiveness scale and they said, you’re not as bad as the American Heart Association. Like I said, wait a minute, the American Heart Association, oh yeah, yeah, they would get drunk and they would in the cafeteria, they would stand on the back of the chairs, they’d jump up and they’d swing on the chandelier and rip the chandelier out of the ceiling. Okay, you know, maybe we’re not, that’s when I realized that Vegas has seen a little bit of everything and we might like to think we have a bad boy image, but maybe, maybe not so much bad boy.
[Eliad] So compared to today, what did it take in the early days to produce something like Defcon?
[Jeff] Back then I was really inspired by these magazines, Mondo 2000, there’s 2600, I believe there was maybe even, I wasn’t sure if Blacklisted 411 was out then or they came out later and then there was another magazine I think came out a little bit later, Adbusters, anyway there’s a slew of this sort of e-zine world was exploding, right, desktop publishing, a lot of zines were coming out, a lot of alternative voices and different perspectives and it was
really inspiring. So when we made that first program for Defcon, it was made with like a Logitech handheld scanner and a laser printer, which was all new stuff and that allowed us or allowed me to produce materials that looked a little bit more professional, that whole desktop publishing thing.
And luckily I had a friend, as I started to play in this, I had a friend from my Bolton board days, a dead addict, and he was living with some people who had a laser printer and so I’d go to his place and use his printer and we’d hang out and I’d bounce some ideas off of him and so it’s good at the very beginning to have someone else to get their feedback. I had a whole pool of people from the bulletin board days, but he was local, he was close to me, so it was one of the only people from the bulletin board days that was there.
[Eliad] You invited the, or you sent faxes to the FBI and the CIA, you thought they might as well, they’ll find out.
[Jeff] Right, so yeah, right, the faxes, everything was a lot of it was faxes back then, like we would get the fax numbers to every publication, every magazine we could find, new media magazine, I was writing little stories for our little pieces for a new media magazine, so anywhere we could we tried to get an advertisement placed or get them to mention us as an upcoming event.
And I was like, well, you know, the feds are going to come, I may as well just invite them, right, I already invited a prosecutor.
[Ran] Let’s pause for a moment to talk about DEFCON’s relationship with law enforcement agencies such as the FBI and the NSA, which has known ups and downs over the years. It’s easy to understand why intelligence and law enforcement agencies, both US and foreign, were always interested in what’s going on in DEFCON and the hackers attending it.
At least two participants in the conference were arrested over the years, one Russian hacker in 2001 and, more famously, Marcus Hutchins, the British researcher who stopped WannaCry, was arrested in 2017. As Jeff will elaborate in a moment, DEFCON has always welcomed law enforcement officials.
However, in 2013, Jeff posted a notice on the conference’s website asking the feds to not attend that year’s DEFCON. This came following Edward Snowden’s exposure of the NSA’s surveillance programs and the staggering amount of information gathered on US citizens.
Just a year earlier, in 2012, the NSA’s director, Keith B. Alexander, gave a keynote talk at the conference and, in response to a direct question from Jeff Moss, denied that the NSA was keeping dossiers on millions of citizens.
[Jeff] How do you invite the feds?
So I wrote a fax, basically just saying, hey, this is my name, Jeff Moss, I’m throwing this party, DEFCON, it’s gonna be for a bunch of hackers, it’s gonna be in Las Vegas, love to have you come and speak. Come on down.
Send off the fax to whatever I found for the Las Vegas FBI agency, whatever. Now, about a month goes by, it’s getting a little bit closer, and so I call him up and I get the receptionist and I say who I am, I’m doing this party, I sent this fax, I’m trying to find out if, you know, then I go, okay, let’s transfer you to the agent, you know, special agent in charge of the office, whatever the guy’s name is. So he transfers me in, ring, ring, phone picks up. This is a special agent, so-and-so, like, hi, yes, I’m Jeff Moss, and I sent you this thing and blah, blah, blah, blah, blah, hacker conference, I love to have you. And there’s this big, long, pregnant pause, I still remember this day, it’s a big, long pause.
We are aware of your activities.
I’m like, oh, good, okay, yeah, so you’re coming, right? And then that kind of broke him down, he’s like, no, I’d love to come, sounds fun, but you’re asking for somebody to talk about policy, and we’re enforcement, and we can’t talk about policy. He was really nice, and forwarded us off to DC, nothing ever happened. But at the end of the first DEFCON, when it was all over, and we’re cleaning up, I mean, the whole con happened in like one room, and it was all cleaning up, and it was kind of over, a guy came up to me and said, hey, I’m special agent, blah, blah, blah, and he shows me his, he lifts up his shirt, shows me his badge. And I’m with the FBI.
He’s like, hey, I thought you guys said you weren’t going to come. He’s like, oh, well, we couldn’t speak, but we were interested in what was happening. And I’m convinced to this day that that kind of friendly beginning banter, whatever, breaking of the ice, showing that they were welcome, because they’re going to show up anyway, really set the tone, that it was sort of non-confrontational, it was more cat and mouse, maybe, but it wasn’t aggressive. You know, it grew from there, and then other agencies and other departments and other countries, other people from other nations sending their secret spy people, but it was all going to happen anyway. And so we just tried to gamify it, and we turned it into that Spot the Fed game.
[Ran] Ah, Spot the Fed, DEFCON’s all-time favorite game and pastime. I think I’ll let Jeff himself explain the rules. The following is taken from a post Jeff wrote for DEFCON 15.
Quote, Basically, the contest goes like this.
If you see some shady men in black lurking about, point him out.
Just get my attention and claim out loud you think you have spotted a Fed.
The people around at the time will then, I bet, start to discuss the possibility of whether or not a real Fed has been spotted.
Once enough people have decided that a Fed has been spotted, and the identified Fed has had a say, an informal vote takes place, and if enough people think it’s a true Fed, you win I spotted a Fed shirt, and the Fed gets an I am the Fed shirt.
Note to the Feds, this is all in good fun. Just think of all the looks of awe you’ll generate at work wearing this shirt while you file away all the paperwork you’ll have to produce over this convention.
[Jeff] Try to lower the tension over it and also sort of say like, hey, you’re not fooling anybody, we know you’re going to be here, it’s not like you’re going to sneak up on us, and oh my, we didn’t realize it, there could be undercover agents.
[Eliad] I still hear about spot the Fed today, a lot of people still play it, I assume this is another thing that has changed, was it different in the old days, I mean, the guy didn’t tell you that he is a Fed until after the event, what was it like to spot the Feds back in the day?
[Jeff] Back then, Feds were wearing, you know, nicer shoes, and they always kind of had, you know, the haircut, they wasn’t very crazy. And then once the word was out on that, any all the Fed sent people to look normal after that, you know, within a couple of years, you couldn’t tell all the tells went away, the penny loafers. And then for a while, it was that they wore the little, what’s it like the butt sack, the little thing you’d clip around your waist, waist fanny pack. And because in the fanny pack, they’d have their badge and their gun, if they were law enforcement. So you just look for people that had fanny packs, and then you eyeball the fanny pack really closely and see if it held a gun, because you could tell that make and model. And so then, of course, they caught on to that.
But yeah, it’s been a it’s been a fun adventure there.
[Eliad] So are there still tells or how do you spot Feds today, or are they just not trying not bothering to hide it?
[Jeff] Yeah, let’s bet feds now that that we do spot for a while there, it was the feds were outing each other because they wanted to get they wanted to get the swag. So one fed from one agency would try to out, you know, a friend or whatever competitor from another agency.
But then it’s kind of turned into this bigger, more nation state thing. And a few years ago, we were at one of my friends works with DEF CON. We’re at Bally’s, or maybe it’s Paris, one of the two, and he’s looking around, okay, is everybody having a good time? Is there a problem? Is it bottlenecks in the hallway? And he sees this guy, he’s kind of got this like serious look on his face. And my friend’s like, hmm, that guy’s not having a good time, something must be wrong. Like, what if you lose something, is he trying to find what’s going on?
And then he’s looking at him a little bit, he’s like, Oh, no, he’s working. He’s, he’s doing something. This is work for him. And so he starts eyeballing the guy as this Chinese looking guy, and he has a backpack on with a pouch on the pouch for like a phone or something, but the pouch has a hole in it. And it’s got a camera in it. And the guy’s standing in the middle of the hallway. And he’s just recording everybody coming and going up down the hallway. He’s like, okay, that’s not cool. I’m going to go get somebody and as he goes to get some guns to try to kick the guys out, he notices another one of them. Another guy dressed the same way, same backpack, same everything recording another area.
So it turned out that we heard from some law enforcement that there are some foreign nationals trying to record everybody that looks like they’re anybody in information security.
[Eliad] Next year is going to be DEF CON 30, which is the humongous milestone for any type of event. And my question to you is, what do you think is the future? What do you think is the legacy of DEF CON? And what would you want the legacy to be in five years, 10 years, 20 years, 30 years, and so on?
[Jeff] I know the next thing we’re going to be working on, I alluded to it earlier, which is we’ve got this idea of DEF CON labs or some sort of DEF CON working with villages or policy folks to try to make all the things that hackers are doing more accessible to policy people so we can have an impact.
Ten years ago, 15 years ago, we could have tried, but the policy makers weren’t ready. You could show up with all the reports in the world and nobody got it. But recently, in the last four or five years, policy makers are really starting to get it and you’re really starting to see legislatures around the world making moves in technology. With AI policy and everything is going in the right direction.
So here’s our chance to be useful and show that hackers can make an impact, right? Right to repair, election security, all these areas, automotive. So we’re going to probably do something with that. So over the next bunch of years, you’ll see maybe DEF CON working with like the AI village to write a report or the car hacking village or whatever it is. Try to duplicate what we’ve done with the vote hacking village.
And then the second thing, though, is I’d really like to over the next five or ten years really figure out what sort of the end game, I mean, not end game in that ending DEF CON, but an end game of what should it end up looking like? Should it be a foundation? Should we have scholarships?
Like you said, the legacy, what is the enduring impact? If I get hit by a bus, I’d love for it to continue in one form or another, but it has to have the structure to do that and there has to be an overall plan.
And one of the things we’re thinking about is we’re bringing back the DEF CON awards. We did one last year, but it was we did it in a kind of a rushed, you know, way. And we’re really thinking, you know what, the DEF CON awards could work really well with Hacker versus InfoSec, really thinking about what makes a hacker in the sense of what are the characteristics? It doesn’t have to be a hacker in computer security. It could be somebody making the Mars lander work. It could be, you know, a new technology and computer vision. The mentality of a hacker, not bounded by just computer security, and really try to call that out and grow that and sort of an award for our series of awards for that kind of lateral thinking because I think there’s a lot of awards for best podcaster and most bug finder and most interesting bug, worst security response, but I’d love to focus a little bit more with our awards on the human and on the traits and characteristics of good hacking, not just who earned the most money on a bug bounty this year.
You know, I’d love to create another documentary for DEF CON 30. I was hoping to do it, find somebody who could do the documentary, a crew this year that would come out and look at DEF CON 29 and then shoot at DEF CON 30, but COVID is just making it a nightmare. But we had such fun with Jason Scott’s DEF CON documentary from DEF CON 20. I’d love to do one again for DEF CON 30 and see really how much has changed in the last 10 years.
So, an open call to if there’s any filmmakers out there who would like to produce this, they can reach out to us or they can reach out to DEF CON directly.
But on that note, it was a pleasure talking to you. Thank you so, so much for spending so much time with this podcast. I’m glad we had a chance to do this.
Thank you so much, Jeff.
[Jeff] Yeah, you’re welcome.