Two premiere
security conferences -- Black Hat and DefCon -- run back-to-back in Las Vegas this week, each with their own distinct flavor. But even these events don't meet the needs of all computer security pros, setting the stage for a widening set of satellite events.
Some of these alternatives are corporate sponsored and some are grassroots, but all contribute to making Las Vegas the place to be this week for anyone hoping to raise their security know-how.
Black Hat's most notorious incidents: a quiz Jack Daniel, who is community development manager for German firewall maker Astaro GmbH & Co. KG, says he's getting to town a day early specifically for a four-and-a-half hour conference run by security vendor Codenomicon, then sitting on a panel at Security B-Sides -- which directly competes with Black Hat -- then speaking at DefCon. That wealth of content in one city at one time is a big draw. "It's a reason to get to Vegas this week if you can afford it," Daniel says.
See Network World Canada’s coverage of Black Hat 2009
More holes found in Web's SSL security protocol
Black Hat bloggers tackle SMS, SSL exploits
Conficker talk sanitized at Black Hat to protect investigation
DefCon (the oldest of the bunch) and Black Hat were both founded by security consultant Jeff Moss and each have their own appeal. "It's the dark side of the force and the light side of the force," says Josh Corman, an analyst with The 451 Group. DefCon is "a visceral, personal confrontation with what the adversarial community really is. It's more raw, more intense," whereas Black Hat is the more corporate side of the coin with briefings by white-hat researchers.
Check out IT World Canada's security blog
Inevitably some quality talks proposed for these conferences get rejected, which led to the formation last year of Security B-Sides, a much smaller but more populist conference where attendees can directly engage speakers rather than being talked to from the lectern. Talks aimed at niche sections of the security community can find a home here, Daniel says. The largest talk last year was attended by 60 people; Black Hat and DefCon meeting rooms can hold hundreds.
Ten thousand security maniacs
And the larger shows drift toward presentations by big names that don't necessarily have pure security credentials. For example, last year Adam Savage, the host of the TV show "MythBusters," spoke about carrying on through failure, not a security talk but nevertheless popular. "You couldn't get down that hall to the room," says Daniel. It's difficult, he notes, to maintain the feel of an elite hacker conference when it has more than 10,000 attendees.
Hence the rise of the anti-conference, Security B-Sides, Corman says. "It's almost parasitic; ideally it would be symbiotic," he says. B-Sides -- young, healthy and vibrant -- could actually help keep the larger conferences more focused and relevant.
Last year B-Sides was held in a rented home that had a large meeting room often used as a wedding chapel. This year the group has rented a larger mansion with more and larger rooms and has hired shuttle buses to run continuously between it and Caesar's Palace, where Black Hat is held.
Despite B-Sides running the same days as Black Hat, Daniel says he sees the two as complementary. "Black Hat is a very corporate feel. Vendors are vendors at Black Hat," he says. "At B-Sides our sponsors are not acting like vendors. It's not about lead generation."
That corporate tone at Black Hat is reflected by vendor booths that line the corridors, product announcements released there and even corporate launches. This year, for instance, start-up SlimWare is coming out of stealth mode and announcing availability of its PC-optimizing software that relies on crowdsourcing to direct product development. Black Hat offers a knowledgeable body of technology users as part of the community SlimWAre taps to help guide its product roadmaps, says Chris Cope, CEO and founder of the company. He sought out Black Hat because he sees it as being attended by security enthusiasts who don't necessarily work for vendors. "That's just what we really want to populate our community," he says.
Black Hat's corporate feel also stems from a set of special events ranging from an awards show (the Pwnies) to a demo area (Black Hat Arsenal) to the Cloud Security Alliance Summit, each of which has its own set of vendor sponsors whose names are affiliated with the events. Those not sponsoring official events often host parties instead, with more than 25 after-conference affairs, most corporate-backed, being scheduled. Some, such as the DefCon-related Toxic BBQ, rely on food contributions from those who attend.
By contrast, B-Sides has more of a frat house feel, Daniel says, with attendees able to collar speakers and sit down in a living room setting or by the pool to talk over a beer. "There's spaces for side conversations without having to stand in the hall," he says. "You can sit in an air-conditioned room and have a burger or some chicken. The spirit of B-Sides is engagement."
Another upside for B-Sides is it's free, which makes it fit better into a lot of training budgets, Daniel says.
Corman sees B-Sides as a place where the security digerati -- analysts and influential bloggers -- can float ideas and get immediate and knowledgeable feedback, which serves to hasten the development of their ideas about where threats lie and what to do about them.
Success could lead to yet another conference, he says. "When an anti-conference gets big enough, it necessitates its own anti-conference," he says.
