Season 3 / Episode 143
The Wild West Hackin’ Fest is a unique security conference. Not only because it's held in South Dakota and not only because of the Wild West visual vibe - but also because of the emphasis it puts on diversity and lowering the entry barriers for people who wish to join the world of information security. Eliad Kimhy talks to John Strand, one of the conference's founders.
Hosted By
Ran Levi
Exec. Editor at PI Media
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
John Strand
Owner, Black Hills Information Security
John Strand has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much loved SANS teacher. John is a contributor to the industry-shaping Penetration Testing Execution Standard and 20 Critical Controls frameworks.
Episode Transcript:
Transcription edited by Kai Pelzel
[Ran] Hi and welcome to Cybereason’s Malicious Life B-Sides, I’m Ran Levi.
The Wild West Hackin’ Fest is a unique security conference, and not only because it is held in South Dakota and not only because of the Wild West visual vibe, but also because of the emphasis it puts on diversity and lowering the entry barriers for people who wish to join the world of information security.
In this episode, you’ll hear Eliad Kimhy’s conversation with John Strand, one of the conference’s founders, owner of Black Hills Information Security, a firm specializing in pen testing, co-host of the Security Weekly podcast, and a retired senior SANS instructor. John and Eliad spoke about the advantages of holding a conference in a relatively remote location, how such conferences can help to bring new faces to cybersecurity, and about the importance of diversity in cybersecurity in general. Enjoy the episode.
[Eliad] So today we have with us John Strand, one of the founders of the Wild West Hackin’ Fest conference in Deadwood, South Dakota, one of the most interesting and unique conferences I’ve had the privilege of going to. So thank you for joining us today, John.
[John] You bet. Happy to be here.
[Eliad] So we wanted to talk to John because we want to talk a little bit about the history of Wild West Hackin’ Fest and the other activities that he’s been doing all over the United States. And one of the craziest things about Wild West Hackin’ Fest right off the bat is that it’s happening in this small town called Deadwood in South Dakota, in the middle of nowhere. The first question I ask everybody on this segment is why start a conference, but I want to ask you specifically, why start a conference in South Dakota, Deadwood, South Dakota?
[John] So this was interesting. Most of the time, whenever I was presenting or teaching at conferences, I was always flying somewhere, right? I would fly to DC, I’d fly to Orlando, I’d fly to Chicago, and I would do a conference there. And my wife was always pushing the organization I was teaching with, she’s like, you should do one in South Dakota. And I’m like, well, no one’s going to show up in South Dakota to take a class from me. That’s just not going to happen.
But this was a conversation that we had for years. So then I got to the point where I was retiring from that particular organization and we’re still having the conversation. And I wanted to start a conference. And the reason why I wanted to start a conference was the demise of DerbyCon.
I think that the people that we hung out with at DerbyCon, the group that came out to DerbyCon, was a very cool group, and I didn’t want to just go take over DerbyCon or do another con in Louisville, Kentucky, because that’s weird, right? That would be just strange. And then I also wanted to basically create something that was unique, right? You have all these conferences in DC and in San Diego and all these places. And of course, Las Vegas.
And my wife won, right? So she said, let’s do it. Let’s give it a shot. And this will be an opportunity to get all the BHIS employees around the world to come to our location in Deadwood. And maybe we can make enough money to help cover or defray the costs of that. So we did it. And it did really, really well. So well, in fact, that we ran the entire Black Hills out of rental cars, which doesn’t sound like that big of a deal, except we’re a very major tourist destination with Mount Rushmore. You know, the presidents’ stone faces that you see in movies all the time. So it’s not like this is a place that people never go to, but we completely drained the airport of rental cars the first year. And we kind of ran the hotel out of all the room space that they had.
So then we went to a bigger venue the second year. And once again, people had to go like two cities out to basically get hotel rooms so that they could come into the conference. And I think the max of this conference will probably be about a thousand people. And that’s cool, right? We’ll try to keep it small, because that was one of the downfalls of DerbyCon. And Dave will talk about this openly too, is DerbyCon got so large that it became not fun. You know, there’s a certain element of people that show up once something gets so big and they get weird and it gets strange and you keep it under about 1500 people. And we think that that’s the sweet spot, right? So that’s kind of why we set it up. It was basically a bet between my wife and I and my wife won.
[Eliad] Yeah, it’s funny that you did mention that it’s a bet between your wife and you and actually Deadwood is a kind of a gambling resort.
[John] It’s funny that you mentioned Deadwood and gambling. There was actually a fight inside of the hotel with hotel management, the people that were running the bar versus the people running the casino. So a lot of us that show up at these conferences, we’re good at math, right? And we don’t really get excited about going to a machine that we know is basically there and hard coded to screw us over, so we don’t do that. So we weren’t gambling all that much. The gambling floor was like dead, but the bar, the bar loved us. Like the bar ran out of alcohol. Like every year we’ve done this, we go and we talk to the bar and we’re like, look, you need to stock up on a lot of alcohol. They’re like, well, I’ll tell you what, son, we got the rally, we can handle it. And after the first night, they’re like, who are these people and why do they drink so much? But, you know, it’s kind of funny, there’s that little kind of debate within the hotel as to whether or not this conference is worth it to them. But I think we made up for it in liquor sales.
[Eliad] I mean, I think a lot of the conference organizers talk about the types of shenanigans that come around these types of events. And of course, bringing a thousand hackers down to South Dakota with kind of being isolated, nothing to do. Were there any kind of shenanigans, interesting things that were happening first year, second year that you kind of fondly remember?
[John] No, we don’t have any like overt shenanigans. Like you know, the ATM machine showing up mysteriously in the lobby at DEF CON at, I can’t remember what hotel it was. But no, we had nothing like that where people were taking over video screens. One of the things that’s nice about South Dakota is you have to want to be here and you have to be able to pay to get here. It’s not like you can just hop in your car and drive there, right?
[Eliad] I mean, how do people deal with this type of isolation? I was there the first year and we stayed in this cabin out in the woods. And this was one of the first times I’d lived in the States for a long time. And one of the first times that I just realized how isolating it can be living in some of the rural areas in the States. I was like, wow, this is like a bear could come and assault me at any moment. What have you noticed? Does it take people out of the sort of the experience? I mean, there’s no reception a lot of the time. Do you feel like that mood affects the way people are?
[John] By the way, if you stay in the hotels, there’s high speed internet. We have cell coverage. We have 5G. We have all of that. So people are like, wow, there’s no connectivity. There is, right? But like where you were staying, that’s a choice, right? And we do have those cabins where you literally show up and you’re like, wait, I don’t have any cell phone coverage. Like am I going to die now? Like is this it? Is this the end? And there’s some people that really, really, really kind of dig that kind of isolation because it’s interesting what that does to you psychologically.
So in the Black Hills, my house where I’m at now, I don’t have cell coverage at my house and I haven’t for 10 years. My internet is bouncing off of two ridges using microwave going to a ski area to get 10 megabits per second. That’s going to change here quickly with Starlink and everything. But there is something that’s very, very nice about being able to disconnect. And you see this a lot in people in our field where they get so excited. They’re dealing with hackers. They’re maybe breaking into organizations. They get so wrapped up into that that it becomes their job and it becomes their hobby. And after a while of doing that, there’s a burnout point that exists. So you see a lot of people in the industry.
Like you look at Dave Kennedy. He’s gotten into working out and weightlifting. You look at Mike Poor. He’s actually doing things like he’s got a forge and he’s making knives and swords and things like that. You’ve got a number of people in the industry. Kevin Johnson is big into Star Wars, dressing up like Star Wars characters like Chewbacca and Darth Vader. I think it’s important for people to have a point in this industry where you can detach and disconnect. And it actually makes you a better security professional because it resets your brain. You’re not constantly swimming in this ocean of new IT. So I do think it has helped me, even though it’s been absolutely infuriating at times, but it does help me quite a bit to kind of reset the palette and come back with a cleaner frame of reference.
[Eliad] Kind of like a Faraday cage for kind of like…
[John] South Dakota is like a reverse Faraday cage.
[Eliad] That sometimes feel like when you take away one of these things, we’re so connected in general. When you take it, you elevate other things within ourselves that we just kind of start to pay attention to.
[John] Well, you know, I like that thought because it’s interesting because if you basically give someone like all the candy that they can possibly have after a while, that means nothing to them, right? And if you have absolutely every video game that you have ever wanted in your life after a while, that means nothing. So I think that by having that separation, I think it allows these things to have deeper meaning for us. Well, this got philosophical quickly. I wasn’t expecting this, but…
[Eliad] I was about to bring it back. So South Dakota conference, let’s stop with that. No, but I feel like that’s maybe part of the uniqueness. I mean, there’s a lot to be said about the vibe of going out to South Dakota. It’s like you said, you still have 5G and you still have high speed internet, but you’re out there. And I feel like even subconsciously, you kind of feel it.
[John] Yeah.
[Eliad] It’s kind of like the opposite effect of being in the middle of Vegas or a big city like Vegas.
[John] I think it’s so easy to get distracted. Like there’s a bunch of people I know that show up to these conferences in Vegas and they get sidetracked by the other things that Vegas has to offer. And then they don’t even go to the con. And I think that that’s sad, right? Vegas is always there. If you want to do that, don’t treat it like a boondoggle because there’s something deep in being able to like hang out with a bunch of IT professionals, learning a new skill, going to a talk. That’s important to us. We thrive on that.
[Eliad] When we talk about how conferences evolved, when you were talking about how conferences grow and they become too big, a lot of that ends up being to some degree, people not being able to socialize anymore and not being able to connect anymore. Do you find that maybe that being in South Dakota helps people connect is kind of like how you were?
[John] I think it does. So let’s talk about DEF CON, right? So DEF CON got into a problem where they were so big, it was overwhelming. And their solution to that problem was to basically move. So DEF CON had multiple stages and multiple villages and multiple different hotels, which on the face of it sounds like you’re exacerbating the problem. And I don’t think that’s true. One of the things that’s really cool is if you go to the hardware hacking village at DEF CON, you have couches, you have like people around the periphery setting up all these cool labs for you to do. It’s very intimate, right? It’s a room. It’s a good sized room, but it’s set up in such a way that it just has a super cool low key vibe. If you want to go to the red team village, same thing. Blue team village, same thing. Even the CTF now, you don’t necessarily, it’s not set up where you feel like you’re under a microscope.
So by breaking that con up into multiple different hotels, it really created these kind of enclaves where you could feel like you were connecting to people again. And that’s awesome. Hats off to Jeff for pulling that off, a way of making a conference bigger, but making it feel smaller. And when we were setting up Wild West Hackin’ Fest, of course, DerbyCon was always foremost on our minds because the way everything was set up in the old hotel brought everyone together. You had the vendors around the periphery, you had the rooms opening up into it. And then the other one that I loved was BruCON. And BruCON had like a ton of nonsense, right? They had a room that was set up with a bunch of video games. They had all these different villages, but it all kind of came back to one centralized area when it was in Ghent. And it had this awesome vibe.
So what we really wanted to do was basically take our two favorite conferences, taking DerbyCon and taking BruCON, and set up that same vibe here in Deadwood, South Dakota. So you have all of these hands-on labs. There’s more hands-on labs than you can get through in two days at this con. And that’s by design. We want people to just have this ocean of things that they can do and they can jump in anywhere and we have people helping them out constantly. We have the workshops, we have the training, but we’re constantly trying to create that vibe where everyone kind of comes back to a communal area. And as you know, the first year that we did it, we provided dinner to everybody. So we had a steak dinner. Actually, I think you were there with tacos, but we’ve kind of gone down into a steak dinner, chuckwagon dinner. Cowboy comes out with his family, cooks it all out behind the conference and they get beans and hot dogs and chicken and biscuits and everybody eats together. And it’s not just like a crap like box meal. It’s like, this is a really good meal that we’re putting on because our goal isn’t to make money.
Our goal is to get as close as possible to breaking even and putting everything back into the conference. And that’s something I’ve learned from Kennedy and the crew at TrustedSec, what they did at DerbyCon. And the reason why it rocked is they just kept on putting the money back into the conference.
[Eliad] What kind of after parties? Other than the food, was there any other notable aspect of sort of the after party?
[John] So we brought out Dual Core, or one half of Dual Core. Hopefully this year we get both members of Dual Core. Then he brought a whole bunch of friends and they set up this kind of nerdcore rap thing. We’ve also done open mic nights and every once in a while Bullock, or DaftHack, and I will put on a metal show. Last year we did a whole bunch of Metallica covers and some original things, and it’s just that people get sloppy drunk and then they start rapping to Slim Shady and singing I Will Survive. I mean, and it feels like that scene in Gremlins where they’re all watching, I think it’s like Snow White and the Seven Dwarves or something. And all of these gremlins are hanging from the chandelier and they’re all partying and they’re all singing and they’re all doing all this stuff. That’s what it feels like. That’s the vibe we’re going for where it’s just chaos and insanity and just fun.
[AD] Malicious life is sponsored by Cybereason. There is nothing better than a live simulation, especially when you’re fighting cyber attacks that are becoming more and more complex. Defenders are always looking for the critical edge to reverse the attacker’s advantage and it’s only through live attack simulations that you can truly see what might provide you that winning edge. Join Cybereason’s global attack simulations to watch firsthand how attackers use the latest infiltration methods and execute on sophisticated malicious operations and more importantly how to end these operations before they happen. Reserve your spot today at cybereason.com/attacksim.
[Eliad] Was there any thought given to sort of the visual vibe of the con?
[John] So, the visual vibe of the con, the first one that you were at, it was just let’s get this stupid thing going, right? And I think they went with like a Howdy Doody theme. So that was the first year and I hated it. Everyone on the team voted for it and they liked that and the current director that we had that was running it loved it and that’s great. I’m not a fan of that kind of goofy 50s, 60s cowboy stuff, but it worked well.
[Eliad] That’s the real bombshell from this interview.
[John] Yeah, that’s the bombshell, right? But you know, that was kind of their thing. I don’t want to come in and be like my thumbprints on absolutely everything, but that was their thing and the attendees loved it. What we’re kind of moving towards now is this kind of like a steampunk Westworld kind of theme, right? So you have this wild, wild West kind of motif, but underneath it, you know, it’s all technology, right? And I think that that’s kind of, when we’re talking about the archetype that we’re trying to get across, is we’re still in the Wild West, right?
We’re still in the Wild West of IT, cloud computing, and I think the ransomware attacks that we’ve been seeing really highlight and articulate that, but underneath it all is still like the same stupid gears and pneumatic drives that we’ve been dealing with. It’s all TCP/IP, right? You’re dealing with various forms of XML and JSON. You’re dealing with all of these different technologies that are really built on a technology base that is still fundamental, and it’s still a lot of the same technologies that existed 20 years ago.
So it’s kind of this weird dichotomy in security where it’s like super glossed over and everything looks really, really basic, with complexities of basic components underneath that working together. I mean, I think that that’s kind of the motif that we’re going with right now for the period moving forward.
[Eliad] It’s a really cool and apt metaphor, I think, because people who are listening to this podcast might find some connection to it because of course, we talk about the history of cybersecurity and as you look back, you find that a lot of things stay the same, a lot of the motivations of people, a lot of the things that are being done behind the scenes are sort of similar, even as the technology moves forward.
[John] Yeah, exactly. Absolutely true. And that lurching forward, I don’t know if it’s necessarily good, right? I mean, if we’re looking at what’s going on with like the ransomware attacks that have been popping up all over the place, I don’t think that, as an industry, we’re improving or getting worse. I just think that we’re kind of separating into kind of first-world computer-like networks and organizations, and people that are still running Windows Server 2003 in the closet. You know, you kind of got this first world / third world split that’s starting to exist. And it’s getting more and more separated as time goes on. We have organizations that are trying to do the right thing. And then you have organizations that don’t even know how their paychecks show up. It’s just by this magic box in the sky that sends them checks. And the attackers will find out for us, they’re going to show us the error of our ways one way or the other.
[Eliad] Going back to the conference, you’re one of the only people I’ve talked to that have started two conferences. So you have Wild West Hackin’ Fest and that’s about four years ago or three years ago.
[John] I think about four, yeah.
[Eliad] And now you’ve started another one that you just come back from.
[John] Yep, that’s Way West Hackin’ Fest.
[Eliad] Way West Hackin’ Fest. So tell me about that. How did that come about?
[John] So we have this team and like Velda is our director. She’s the COO of the group that we call Antisyphon and runs Wild West Hackin’ Fest and our training offerings as well. And Velda is used to pulling these things off once per month. And then we’ve got a video editing team and Ryan and we have Jason and Deb and Shelby and Megan. So we have like these people that are just amazing at what they do and they’re used to doing it at a clip of like one to two per month. So if we’re doing one per year, all of a sudden they’re sitting around and they’re like, what do we do now?
So we started doing online training, a lot of pay what you can training, which is just awesome and then started up another con and eventually we’d like to bring our next one to like DC or Florida, one of those two, but we want to keep kind of taking this template that we have. And I wish I could show you in the room next door, we just got all of our crates and we have video kits, we have audio recording, we have engineering equipment and we’re ready to go at the drop of a hat and spin up another conference that can be virtual and ground based at the same time. So it’s just a matter of having the team that knows how to do this and them being bored is dangerous. So we’re going to keep spinning up new conferences until, you know, they basically tell me they’re no longer bored.
[Eliad] Why do you want to create all these conferences? What’s at the center of this desire?
[John] I think that it’s because a lot of conferences suck. So if you look at a lot of the corporate level conferences, and I’m just going to rip on RSA, right, RSA is miserable. I know that there’s lots of people that love RSA, they love going there and they love doing photo ops across the street or they love going to the bars in downtown San Francisco. But I feel like there’s this huge disconnect that you have RSA, which is like run by massive corporations in computer security. And they’re loud and it’s obnoxious and their booths are millions of dollars. And that doesn’t seem fun to me.
And even Black Hat with their floor is very much like another RSA. And then you have DEF CON, which is just absolute total chaos and insanity in a fun way, right? And then you have all these BSides events, and BSides are all over the place, right? You can go to some BSides events like BSides Cleveland and BSides, I would say Orlando as well, just two that jump out at me. They’re amazing. They’re incredibly well done BSides events where there’s this massive like local culture and this flair that shows up that’s just top notch. So like those are two examples, but I’ve been to a lot of BSides events that are really weak and they just aren’t that good.
So basically why we wanted to start this up is we wanted to create kind of that feeling that we had, like I said, at DerbyCon and BruCON, and continue furthering a conference that’s very focused on education and making sure that people can take something away from it and do better at their jobs, progress their career as much as they can. Because you have total blowout party on one end and total corporate America on the other end, and I feel like there’s this unserved market that’s like, come to our conference and we’ll make you better security professionals, period. And that’s something that we don’t see a lot of people doing in the conference space and we just wanted to carry that forward as much as we could.
[Eliad] Well, you mentioned the pay as much as you can training. I mean, Wild West Hackin’ Fest, I mean, originally you guys started out by doing these trainings and then came Wild West Hackin’ Fest. What is the importance of that to sort of Black Hills InfoSec and to you?
[John] The whole concept of our training and kind of where that actually came from was actually COVID. So like the actual training that we kicked in, that was after Wild West Hackin’ Fest, even though the first one we had training from like Egypt and Mubix and Lanmaster53 and Deviant came out. So we had the training at Wild West Hackin’ Fest, but then COVID hit. And with COVID, whenever it first happened, as a business owner, I’m looking at a company where you have like 65 full-time employees, we have 1099 contractors and interns, and we push that number up to about 100 whenever you add in everybody that we send checks to. And I’m looking at the end of the world, right? We’re looking at this is it, we’re shutting down entire economies, this is bad. We don’t know how long it’s going to be bad, what are we going to do?
So we immediately started throwing poop at the wall just to see what would actually stick. So we moved Way West Hackin’ Fest the first year from San Diego to virtual, and we did it in the space of five days and it worked. And then we helped out PancakesCon and KernelCon and a bunch of other cons lift and move their conferences virtual with our Discord servers and our GoToWebinar licenses and everything. And that was one thing that was hugely successful because it allowed us to do content and community at a level with a large number of people and still keep that con vibe, but doing it virtually seemed to be a lifeline for a lot of people in the industry. And then the other problem that I ran into was the idea of marketing and outreach was an issue. But then the other problem was how am I going to keep all of my employees happily fed and moving through this COVID nightmare that we were all staring down in February and March last year?
So then we started throwing together online training because we had all of the infrastructure for doing an online con, and it’s basically like we’re going to do online training, we’re going to give you the split that I wish I would have always had, which is a 50-40-10 split. 50% goes to the instructor author, 40% goes back to the group that puts it on and 10% goes back to the open source community. And this is one of those things that kind of makes me mad. There’s tons of training out there and they’re using all of these open source tools that are written by people who put their blood, sweat and tears into this product and release it for free. Training organization makes tons of money. The organization that uses the tool saves tons of money, and yet you meet these people that are putting out these tools and they don’t get a dime.
So we wanted to be able to give this back to the community. So we figured it would be good. It’s a win for us. It’s a win for our testers and our employees that want to do training and it’s a win because we can give back to the open source community that’s kind of like underpinning everything we do in this industry. And that’s poop that we threw at the wall. So like the online cons, stuck; the training, stuck. We had training classes that were putting 200 people in and that was amazing. But then the conversation started of how do we get more people in underrepresented communities into security? And the first thing that a lot of people reach for, and their heart’s in the right place, but I think it’s stupid, is they go for scholarships, right? We’re going to go get a scholarship for African Americans, women, Native Americans, Pacific Islanders, like whatever group that you can think of, and we’re going to do a scholarship for those groups.
And I hate that for a couple of reasons. One, I know it’s really life-changing to some people that get those scholarships and that’s great and I know the organizations have their heart in the right place to do that. What really frustrates me is it doesn’t change the game, right? It doesn’t fundamentally change it in such a way to start increasing the diversity that we need in this industry. And I do believe that too. People talk about diversity and sometimes guys will get around and be like, why do we need diversity? And I look at it like music. Music is beautiful whenever it’s diverse. You have punk rock, you have rap that came out at the same time in New York City, and you have these two genres that just exploded and do amazing things. Diversity is amazing for creativity and in security, we need creativity. So that’s easy to put those two things together. But if you’re just giving scholarships, that doesn’t solve the underlying issue at all. It’s basically an organization saying, look, we gave a scholarship. We’re not racist or sexist or whatever.
So the problem with getting into security is gates and the gates associated with security regardless of your socioeconomic status, your class, your religion, your ethnicity is always money, right? That’s always the gate. So instead of trying to do scholarships, what we did is just blew the gates open. We basically said, look, you want to take training that’s at the highest quality training that you can get in the industry at that level. And you want to take that training and you don’t have any money or you have 20 bucks, 50 bucks, 100 bucks, 200, $500, pay us what you can. And we don’t judge on that, right? We don’t basically, well, you’re poor, therefore you suck. But we wanted to make sure that those gates were systematically broken down across the entire industry, regardless of where you were coming from. Because you mentioned South Dakota, dude, you were here. There’s poverty in South Dakota. It’s absolute, like in some of the places, people live in really horrible conditions and they don’t have a way out. And they may be white guys that are living that way or white women that are living that way, but they still have this poverty hurdle that they have to get over. This allows them to get into this industry. And we started up that pay what you can training and it just exploded.
The first time it was like 5,000 people and then it started coming down. We’re sitting at about 2,000 to 2,500 every time we do a pay what you can training class. And the weird thing about it, there’s two strange things. The first strange thing is we’re actually making money. So we would expect to make nothing. And just by people paying 20 bucks, we’re doing fine. I’m actually making more teaching in four days than I used to make teaching in an entire year.
So that’s kind of weird. And then the other thing about it is it’s actually making an impact. So like at the last Way West Hackin’ Fest, we had about 200 people live that were attendees and I had four of them come up to me and they’re like, look, I got started in security and I got a job because I put on my resume that I took your pay what you can three sets of classes and I literally got a job on that.
Before that, I was washing dishes. I was waiting tables. I was working construction.
And that was a huge shock that it happened to that quickly. But I fundamentally believe if you give people a chance, they’ll take it. And if people do get a chance and they don’t take it, they just kind of go back off the ether, that’s fine. But I at least opened that door for them. And I think that that’s important that we kind of break these doors down systematically across the industry because we’re outgunned, horribly outgunned.
[Eliad] Well, yeah, I think that makes a lot of sense. And even if you want to offer scholarships, which a lot of organizations do, not everybody has the means to offer it and sort of you’re taking some alternate approach.
But I guess since you touched on diversity, do you have any stats or do you have any idea of how your courses are, if there has any impact in the sense of sort of?
[John] So I don’t have any statistics because we don’t ask those questions. But whenever we get to the beginning of the conference, we have people type in just a simple thing, where are you from? And it’s amazing because we have people from India, we have people from Singapore, we have people from Africa, we have lots of people from Europe, Norway, Sweden, Netherlands. It’s basically very much global.
So that’s probably the single biggest stat that means something to me. But if we’re going to look at stats, one of the stats that always gets to me constantly is if you look at BHIS diversity, I once had somebody ask a question, well, what’s the percentage of underrepresented people in your company?
And I said, I don’t know that exact number, but I’ll tell you, it’s not enough. And this is one of those ways to address that. And we’re already seeing candidates that are coming up from diverse backgrounds that are just badass BHIS employees that we’ve picked up over the past few months that have come up through that program.
So yeah, as far as collecting those stats, we don’t get it. But I do know it’s very much international. And I do know just looking at LinkedIn and things like that, we do see a much more diverse array of people coming back and saying, thank you for putting this class on.
[Eliad] You talk about taking down gates, you talk about taking down the sort of the education is something that is part of seems like almost part of your mission.
[John] Yeah. Well, and it always was like whatever I was teaching before, I love to teach. And whenever I retired from that organization, I wasn’t going to stop teaching. It’s absolutely built into me. I’m not that good of a pen tester. I’m not that good, I think, at doing a lot of scripting and coding and things like that. But I am very, very good at teaching computer security to people and getting very complicated concepts and breaking those concepts down. And that education is like very much core into who I am. It’s core into who Jof is, it’s core into who Bo is.
And with the conference for Wild West and Way West, that carries forth. Like, you knew the labs around the perimeter where you came in and you saw Wild West Hackin’ Fest. Those labs have expanded. Like we’ve got a hall of doors where you get to learn how to pick doors and do forced entry, do RFID cloning. And it’s all step by step. And you have professionals there that have that focus on education. I’m sick and tired of wizards trying to impress other wizards in this industry where they’re like, look at the zero day I wrote. I once wrote a zero day that was this big. I’m sick of that. I’m sick of it being an elite kind of group where people look at other people as noobs.
And I think that we’re changing that. I mean, royal we, like everyone in the industry, not just BHIS, where we’re kind of sick of that crap where somebody is talking themselves up and putting other people down because we’re not going to be better if we’re constantly trying to create strata and levels within the industry as a whole. So by doing this, inviting more people, making it more accessible, getting more people into the community, and when they show up to a con, they can break into a garage door opener through a software defined radio for the first time. And that lights that fire. And the next thing you know, they’re like doing RFID and SDR all over the place. That’s magic.
To see someone who ends up in their career far exceeding anything that you have ever done from a technical perspective, and you were there at the beginning, right?
You were the one that planted that seed that got them hooked on that. And then they just took off. There’s absolutely nothing better in my career than that.
[Eliad] Well, speaking of sort of the future, where do you want to see, I mean, I think you touched on this a little bit, but where do you see the, let’s call them West Hacking Fests, where do you see that series of conferences going and the training that goes along with them?
[John] So we now have two, right? San Diego, we’re going back to next year. And then Deadwood is coming up here in just a couple of months in October. And that’s going to continue.
Next year, we want to have a conversation about where we go next. And I think we’re going to try to add one per year and grow into it, grow into it slowly. So right now we’re debating between like Baltimore, Virginia Beach area and Orlando. The issue with Orlando, there’s already a really kick-ass conference there. We might just go and support them because they do such an absolute bang-up job. But like Virginia Beach and Baltimore area, maybe even DC, who knows?
But we want to bring one out there just because there’s so many people out there. So we want to keep with San Diego, Deadwood, and then one out on the East coast. And then maybe, who knows, like I said, Florida or Atlanta, maybe where we’re going to go. We’re going to basically kind of plan on that.
My wife is also very keen on getting international. We got invited to do Wild West Hacking Fest down in New Zealand, and we couldn’t make that work because of COVID, but that’s going to happen just because New Zealand is awesome. But basically, you know, we want to continue to do this and maybe we’ll continue supporting BrewCon and finding other cons around the world that we want to support and kind of work with.
But no, we’re definitely going to expand. It’s just we want to be very conscious about how we expand.
We don’t want to all of a sudden blow up in every single city in the United States and start hitting Europe with dozens of them. I like having a small team and I absolutely thoroughly enjoy being conscious about what we’re doing. And every time we grow in little increments is an achievement.
[Eliad] What are you going to call it when you do it in Florida, since it’s going to be a little bit to the east?
[John] I don’t know. We might call it like, you know, East West Hacking Fest. That’s really whenever we’re starting to get to the tagline of everywhere is west of somewhere. It’s going to get weird at some point. Maybe we have to come up with a different naming convention. But I also think that that makes it strange and that’ll make it stick out. So like we did a Wild West Hacking Fest Singapore, people would be like, Singapore is west? Yeah, everywhere is west of somewhere.
And it’s also Wild West, right? And that goes back to the IT analogy that I was talking about at the beginning. It’s the Wild West and IT security right now. And that’s not a geographic location in one specific part of the globe.
[Eliad] Yeah, I feel like as a maybe a last shout out, where can people find the resources that you’re offering?
[John] Right now, I announced it on Twitter, of course, @StrandJS on Twitter, because everyone gets their personal affirmation by how many followers they have on Twitter, right? So they’re there, but also the Wild West Hacking Fest website. And you can kind of track our events there.
And then, of course, we’re on LinkedIn, Black Hills Information Security, Wild West Hacking Fest are out on LinkedIn. There’s plenty of places to get plugged in so you know what’s actually coming up.
[Eliad] All right. Well, thank you so much, John. Thank you for this conversation.
[John] You bet. All right. Have a great one, everybody.
[Ran] Thank you so much for joining us, and we’ll see you next time.