Jeff: That was one of twelve underground messaging networks, Fido network that I belong to. And they all used the Fido net method of straight forward messaging. It wasn’t the part of Fido net but it used the Fido net protocol to reach on private messaging networks. It was a pretty small network out of Canada and it dealt mostly with the hacking information, and how to modify your car engine and whole bunch of random hacking kind of related topics, that was the reason I start DefCon,15 years ago because I was a friend with a guy who ran Platinum Net there. He ran the US main node and redistribution in United States. He got a new job; his parents had to move, so he had to take down the network. He wanted to do a party for every body and he asked me for help. But then his parents left early and he had to go over night as well. I was just stuck there, holding my bag, thinking about how to deal with the situation. I turned off to the other networks I belong to and invited every body to DefCon.
Omer: Jeff Moss was already in place, why did the idea of black have evolved? pmon real
Jeff: When DefCon started it was all a passion. Nobody at our age could get jobs; there were no jobs in computer security. And there wasn’t really even a market. The only people who were doing security work were people working for government, banks or universities or maybe manufacturers. There was really no chance to get a job. But then the internet boom sort of changed all that and as the boom was beginning, people started looking for IT people for installment of networks and other infrastructures. All of a sudden everybody started getting jobs that we knew. And they were looking for jobs, they got it and then they tried convincing their bosses to pay for their trips to DefCon. DefCon was just a straight hacking convention, and not really something serious. The announcements made there were not really serious, so you show that to your boss and he is not going to pay your way to DefCon. So everybody suggested that there should be something more serious and conventional event similar to the nature of DefCon. So they can show it to their bosses and their trips can be paid. A friend of mine, Larry was his name, suggested to do a whole new convention which is more serious sounding and charge them a bunch of money for it, because when you charge money for something, you can sort of manage expectations. So by charging money we could fly in the best speakers, we can pay the flight rent, we can pay to spend some time to develop the content. So that’s what it sort of became. Black Hat was totally a spin off.
Omer: What do you think that how the whole idea of security has moved a step further, from PDP’s to the modern computers, how far has it come from the early days of personal firewalls to the unsupervised IDS algorithms?
Jeff: It is fantastically more complicated now. The market just for security skills is fantastic. Competition sort of breed specialization and so 15 years ago it used to be 4 people each with different knowledge and you can pretty much understand any problem, you know the telephone problems, the UNIX problems, it wasn’t that complicated back then. Now you can have hundred people in a room and still not understand all the implications of dynamic html and a virtualized system on the multi processor core and it goes on and on and it can be hideously complicated. So on one hand it has matured the security market and on the other hand, the problems it created for it self are more and more complicated and harder to understand specializations. So it isn’t about one technology anymore. For example, if someone is expert on “SQL Injection on Oracle”, they don’t know much about anything else, because they have specialized it so much and it has extremely vast scope. And I don’t know if that is the best for the market place because if that person is to go find a job again, there will not be many places out there, hiring people who know about SQL injection on Oracle. So after re-training, they can pick those skills and may be do SQL injections on Microsoft products. But even that is completely different from what it was probably 6 to 7 years ago. I think it has changed a lot to what it used to be 10 years ago.
Omer: How do you think that DefCon and Black Hat have helped the security industry?
Jeff: I think yes, it has helped a great deal. It has raised a level of awareness in masses. Just to read the articles written about security makes you understand about a lot of stuff that you never knew before. There are some people out there who really know the technology and its weaknesses, and they might use it for bad purposes. So it’s our responsibility to figure out weaknesses and make people aware about it. Back then it was just kids who were curious and not a lot of organized crimes were there. You had to find somebody to teach u. Now you can learn how to break into others computer and never have to meet another human. You can be just reading web pages online, buying books and practicing the hacking skills. So, now it’s easy for criminal groups. They can easily learn these things in the comfort of their sofas. And the motivation now is so much greater, I mean now there is enough money online, enough consumers online, and enough commerce floating around. Now there are actually big targets. 10 years ago my mom wasn’t online, just then there wasn’t so much money online to go after. But now everything is online. So of course that’s where the criminals are going.
Omer: Last year, there was a lot more nuisances, Michael Lynn’s controversy, about the black hat bug probably? How do you deal with all those political and social pressures? And how does it impact Black Hat content?
Jeff: Well that’s a really interesting problem there. First of all it was really stressful at that time, because we were actually at the same time trying to sell the business. We had 6 prospective companies, who were at the show, trying to decide that maybe there is something that they are interested in buying. So we are in the middle of trying to sell our business and getting sued by Cisco and ISS and trying to run a show at the same time. 3-4 prospective buyers were scared away thinking that security conference base is too much risk, too much chance of being sued. But the remaining people, 3 companies said “Wow you are getting fantastic press attention and this is really good because they are not going to be scared away”. And you’re really spaced with the dilemma that if you don’t try to defend your self, you can wreck the whole business, because the public will never gain the knowledge that these researchers have acquired because they will be shut down through these lawsuit and it will pretty much wreck my business. Its like I have to fight or I have to give up. So we had to save more money for possible law suits. The good thing with Cisco was that it ended up looking pretty bad that a lot of people have learnt the lesson. That it is probably better to contact the speaker and try to work it out behind the scene and not make it public on the front page of a news paper.