If you work in IT, you’ve heard of hacker cons — the conventions where computer security professionals and hobbyists get together to develop their skills. DEF CON, held every summer in Las Vegas, is arguably the best known. But there are plenty of other gatherings, ranging from large events overseas to local meet-ups.
The major hacker cons often make news because presenters reveal major security vulnerabilities. But these disclosures also represent valuable intel for IT professionals in the private and public sector. In some cases, hackers using pseudonyms bring oversights to light out of a sense of altruism, giving organizations a chance to fix them rather than selling the information on the black market.
Attendees are the first to admit that hacker cons can be a gray area. Many of the participants are passionate about issues such as net neutrality and free access to information, and they are not always friendly to corporations or the government. But while the heart might quail at workshops on key impressioning and phreaking, the amount of actual criminal activity is negligible.
Then there’s the fact that federal agents attend hacker cons in droves. That alone reveals a truth: The people whose job it is to protect the country from cybercrime are there to learn. Wouldn’t it make sense for IT pros to give their organization the same advantage?
At business-oriented computer security conventions such as Black Hat, which runs back-to-back with DEF CON, you can pre-register with your corporate account. But at others, there’s no pre-registration and payment is cash only. It’s not because there’s anything shady about attending, just that attendees feel strongly about electronic privacy. In fact, if you don’t guard yourself as closely as they do, they’ll make an example of you. At DEF CON, if you log into your mail or IM over an unencrypted, sniffable connection, your login (with the password obscured) is projected on the “wall of sheep” for everyone to mock. The idea is that public humiliation breaks people of bad security habits.
“At DEF CON, I always turn off the data on my phone,” said a network administrator at a social media company who only wanted to be identified as Allison. “I only use SMS. You also don’t want to go to an ATM because, in past years, the ATMs have been compromised. It’s usually not in the spirit of maliciousness. It’s more like, ‘Let’s see if there’s a chink in the armor.’”
These unique social conditions might seem intimidating, but it’s that very spirit that makes these conventions useful. Observing a hacker break into a commonly used piece of software offers lessons on how to protect organizations against similar attacks. The sheer volume of knowledge shared at hacker cons means that even seasoned computer-security specialists pick up tidbits that will make them better at their jobs. Recent hacker cons have covered how to block older, less-secure types of password encryption and how to use SSH port forwarding for additional privacy.
Allison adds that the software and tools developed by attendees are usually open source and designed so that others can download and contribute add-ons.
“It’s a very free community,” she said. “There’s a belief that you share the software and everybody benefits from learning about other people’s experiences with it.”
Finally, there’s the networking. Hacker cons attract a mix of industry experts and up-and-comers who could become valuable resources and informal consultants on security matters.
Having friends on the cutting edge? That alone might be worth the price of admission.