Jeff “The Dark Tangent” Moss is the founder of the Black Hat and Defcon security conferences which just concluded in Las Vegas. Moss ran an early social network for computer and phone hackers out of Canada and he founded Defcon (named after “defense condition 1” for imminent war in the hacker film “War Games”) as a gathering for hackers in 1993. He started Black Hat in 1997 as an education and research-oriented show for security professionals and law enforcement. Still a security consultant, Moss works in Seattle and tests computer systems for vulnerabilities. In 2005, he sold Black Hat to CMP Media for an estimated $14 million. But Defcon, the cash-only show for the masses of hackers now in its 16th year, is still Dark Tangent’s baby. I caught up with him while he was playing with a homemade toy gun made of PVC pipe that shoots marshmallows.
VB: How do you explain to outsiders what this conference is like? There are serious subjects here and goofy things too.
JM: There is the social side and the technical content. People come to learn and share knowledge. Then there is the need to make new friends. I try to grow both sides. If you grew up in the hacking scene in the early days, with no video cameras and web chat, you formed your opinion of them based on what they did. People accepted each other for what they did or what they knew. You see people here with blue hair, dreadlocks or business suits. They’ll be sitting around a table having a conversation because they have something in common and have moved past what you look like. That’s a big success.
VB: What’s the contrast between Defcon and Black Hat?
JM: Black Hat is like college and Defcon is the fraternity party. We also have really great content. At Defcon, it’s what I want to see. I want to learn about hacking Xboxes, satellite systems, and lockpicking. Weird conspiracies. That content doesn’t make sense at Black Hat where there is more of a corporate focus.
VB: How concerned are you about how the show looks to the rest of the world — about whether it’s on the right side of the law or responsible behavior?
JM: I don’t really care what the rest of the world thinks.
VB: How do you stay on the right side?
JM: You have to set an example and hope people follow it. I can’t control what they do. If they want to be criminals, they will be criminals. I try to show them there are alternatives. You shouldn’t be ordered what to do. If you find a new bug, there is a big debate about what you should do. Should you disclose it responsibly? Tell it to the whole world? Responsible disclosure, full disclosure, partial disclosure? I believe in the responsible disclosure model, where you tell the party about the bug and give them time to fix it before you disclose it to the world. I select speakers that I think are ethical and create contests that are legal and hope people will follow the lead.
VB: You have federal agents coming in to give their own talks.
JM: Since the very first Defcon. Well, we had a state prosecutor come in and talk. In the audience was someone who was being prosecuted by her. We’ve tried to have different viewpoints.
VB: So it’s almost like a neutral ground?
JM: That’s what I’ve created it to be. Originally, there was no Internet or Amazon.com. If you wanted information, you had to get it from the horse’s mouth. It was about getting the experts in the room to dispel myths that came from word of mouth. I knew federal agents would show up. I invited the FBI, Secret Service and others to come from the very beginning. Everyone thought I was absolutely insane because nobody had done that. I called the Secret Service about it. They said, “We are aware of your activities.”
VB: They haven’t arrested anyone here?
JM: The FBI arrested one speaker, Dmitri Sklyarov, in his hotel room after Defcon [in 2001]. That was because the Russian company Dmitri worked for was in a dispute with Adobe. Dmitri was kind of a hostage because they couldn’t go after the company in Russia.
VB: There are a lot of controversies every year. The Massachusetts Bay Transit Authority sued to stop three of your speakers from proceeding with a talk. How do you deal with that every year?
JM: It sucks. In certain circumstances, it might be the right thing to pull a talk. But it seems most of the time it’s overreactions by security vendors who don’t understand. It’s a disservice for the whole community. How can businesses make informed risk decisions if they never get to hear real-world information? They only get to read press announcements and product literature. There are bigger implications for every conference. If everyone is afraid to speak, who will do and talk about interesting research? We’ll just lose that edge.
VB: Have you had fun doing personal hacks?
JM: I have older hacks I’m really proud of but not lately. I manage the Defcon networks and configure them. I watch them withstand millions of attacks. I’m fairly proud that no one has broken into me yet. But I’m smart enough to know it can’t stay like that forever. That’s where I put my creative energy.
VB: Where did your handle, “The Dark Tangent” come from?
JM: There was a comic book produced by one of my favorite artists. It was D’Arc Tangent. It was about an intelligent robot that got infused with a personality. Only one issue was ever produced. It was about what it means to be human. I wrote for a magazine and used it as a pen name.
VB: One of the government panelists said that after he leaves this show, he never feels really good. It’s that scary feeling that security vulnerabilities are everywhere and you have a whole lot more work to do to improve security.
JM: It’s a common reaction. You see five or six talks and wonder how we function as a society. We’re so dependent on technology and it’s so half-assed and jury-rigged. You poke any bit and it comes tumbling down. Automobiles aren’t like that. We put engineering thought into buildings and airplanes. But technology is really shaky. It energizes people who see there is so much more work to do. It’s not an area where everything is sorted out. You can explore and experiment with new ideas. The creative high keeps me going for months.
VB: Where did traditions such as the “wall of sheep” come from? (That’s where you post the passwords and usernames of laptop users who aren’t careful on the wireless network.)
JM: It just started one year where people wrote them down on paper plates and put them up on the wall. The wireless network is like a free-for-all combat zone where you take your own risks. The No. 1 offender this year is the iPhone. The iPhone wants to auto-associate with any wireless network that it finds.
VB: Your badges are electronic gadgets. And there is the press badge and the “human” badge, as if the press were not human? And there are strict guidelines for the press.
JM: That’s right. The press behavior has been sporadic. The guidelines wouldn’t be there if they behaved. We had to kick out G4 this year for violating the rules. They panned through the room without getting permission from the people they shot, as the guidelines require. It’s always the TV cameras that violate the rules. They just want to get great shots. They want the green hair or the pierced faces for their 15-second sound bites. We get better stories from writers.
VB: Is there a connection between physical security and cyber security? You have lockpickers here.
JM: It’s more that physical and computer security are interesting to the type of people we draw. They are interested in how things work. They take things apart. It’s using a different part of your brain for hands-on work. They like to do the unconventional.
VB: How are security start-ups doing now?
JM: The VCs are smarter now. They ask better questions. From what I hear, they are interested in investing in sure things or things they can cash out in a few years. They aren’t interested in things that are harder to describe with longer time horizons.
VB: It seems like security as a career path is a good move still.
JM: There was a lot of excitement when there were movies about it. Fresh blood was coming into the scene. Now, it’s not as sexy. That has shifted to things like forensics because of Crime Scene Investigation. But the culture will have plenty of demand for people with knowledge of computer security.
VB: Some independent security researchers can make more money now because they can sell the bugs they find to companies that buy them.
JM: If you have the skills to find those kinds of bugs, then people will hire you. Some people work for security companies by day, and then at night they will find bugs to make extra income. If people stop talking about the bugs they find, and they sell them instead, and only the companies that buy them know about them, then you have a situation of the information haves and have-nots. Will we just get second-tier information at this conference because all of the valuable stuff has been sold? We have a good line-up this year and so it hasn’t happened yet.
VB: Do you worry that some of the sensational events here overshadow the real news on some kind of important crypto attack?
JM: Well, the crypto people would notice. Information finds its own place. I’ve long since given up on directing where the press should focus itself. Some of the sensational stories can be understood by larger audiences.