Tone DEF: A DEF CON Love Story


I never really cared for saunas, and the early-August Las Vegas atmosphere was far worse – 104 oppressive degrees with a thick, distasteful aroma of…some ungodly New York City subway-esque mixture best left unexamined. I tried not to breathe too deeply, as John and I exited the Flamingo and waited for the walk signal across Las Vegas Boulevard toward Caesar’s Palace. John looked down at me, a bit concerned.

“Max, you OK? You look kinda out of it”

“No, I’m good. Very excited to be attending DEF CON!”

John smiled as we walked across the street among a gathering crowd.

“It’s an awesome conference…just keep in mind all the guidelines we talked about”

“I know, I know” I replied, a touch impatiently. “Don’t use the Wi-Fi, turn off Bluetooth, and drink plenty of water”

“No. Well, yes, but more importantly…talk to people. Make new friends. Go outside your comfort zone”

I looked at him, paused, and dialed back my annoyance level. John was a friend. And a mentor. And a co-worker. And a cousin. My, there was a lot to unpack here. Too much to do so and still cross the street safely.

“I’m good, John. I promise, I’ll make some new friends while waiting in line.”

“Great”, he replied, “cause I’m not here to babysit you!”


After walking through the overpriced, underpopulated, and overwhelmingly bright Forum Shops, John and I wound our way through the labyrinthine hotel and casino, declining to engage with the mythical sirens personified as table games and slot machines. I’d been to Caesar’s several times to attend the Gartner Identity and Access Management conference – about as diametrically opposed to DEF CON as you could get and still be in the same infosec universe – so I was navigating somewhat familiar territory.

It was when we stepped onto the long bank of escalators leading up to the conference center that I first noticed how different the people were. A preponderance of t-shirts, a plethora of beards, a teeming mass of tattoos, and a veritable explosion of brightly colored hair. I suddenly felt very straightlaced in my sensible sandals, khaki shorts, and blue polo shirt. When did hacking get so edgy? Maybe it always was, and I was just boring?

I pushed that thought aside, wrestled it to the ground, and shot it through the head. I was happy with who I was. Nothing wrong with spending an evening reading a good book. Or doing a crossword puzzle. Or reading a good book about crossword puzzles.

“Careful, Max!”

John grabbed my arm and pulled me out of the way of an oncoming Goon parade. Mostly large men, the wave of red shirts was walking in loose formation and chanting something unintelligible. The crowd parted in front of them in a metaphorical, or perhaps allegorical, inversion of Moses parting the Red Sea.

I smiled back at John.

“This is gonna be fun!”

John nodded, and pointed over to a line of people snaking around one of the side hallways.

“Hey, I’m going to get some swag before they sell out”

“OK, cool. I’m going to the Skytalks room – they’re just starting now”

“Great, I’ll meet you there in a bit. Want me to get you a t-shirt?”

I nodded, handed over some cash to John, and waved goodbye.

“See you soon!”


In the Skytalk scrum I found myself next to a petite woman with a streak of bright blue in her otherwise dark black hair, framing an ear bar displaying a moving pattern of green LEDs.

“Hey”, I said, feeling outgoing and energized. She looked at me, paused as if she were thinking about something, and replied.


I held the door open for her (as well as for the person behind me), and the Skytalk Goon shepherded us into adjacent open seats.

“So, uh, have you been to DEF CON before? This is my first one! I’m Max, by the way”. Probably not the smoothest opening line, but I was just trying to make small talk.

She gave me a small smile before responding.

“No, this is my third con. It’s a blast! And I’m Grace.”

I nodded, pleased with myself for initiating a conversation, and replied.

“Yes, I’m really looking forward to this. I work in infosec, for, uh, a large financial services company on the east coast. I’m on the network security team.” Presenting my street creds, as it were, this felt a bit like a predetermined and well understood greeting ritual, like prairie dogs sniffing one another.

“Hey, I work in network security, too – for a large retailer on the west coast. And thank God you didn’t say ‘cybersecurity’. People at work use it all the time, and it drives me crazy! It’s just a stupid meaningless prefix!”

I nodded back, smiling. This conversation was going well!

“I agree, but it is useful as a mainstream shorthand for what we do. I mean, my grandmother doesn’t know what infosec is, but she’s proud to tell her friends that I work in cybersecurity!”

Her face darkened as she replied.

“That’s exactly the problem! People like you are perpetuating the misuse of a stupid phrase. At work we have an entire lame security education program called ‘We R Cyber Aware’ ” she continued, angrily punctuating the expression with air quotes. “It’s moronic and I have to use it constantly in training!”

I began to formulate a thoughtful and sensitive reply which would argue my point without further antagonizing Grace, but the session speaker interrupted my thoughts.

“OK, folks, we’re getting started. Welcome to DEF CON!!”

Everyone cheered happily, including myself and my new acquaintance.

“This is my fifth year emceeing the Skytalks track, and I couldn’t be more excited about it. Before we start our first talk, let’s do a quick poll….how many of you are here at DEF CON for your first time?”

I raised my hand, along with about 25 out of the 200 or so people present, as the speaker continued.

“OK, all the rest of you listen up. These folks are noobs. Be gentle with them, OK?”

The crowd chuckled and hooted. Somehow, I wasn’t too optimistic that they’d follow through on the suggestion.

The speaker began the initial discussion, which was about diversity — lamenting the lack of women and minorities in security today, especially in the more technical roles. I was genuinely, and pleasantly, surprised at this topic.

“Bullshit! I call bullshit!” someone suddenly shouted from the front of the room.

“Well, that didn’t take long”, someone else quickly replied, spawning scattered laughter. So that’s how these talks go, I nodded to myself.

“How so?” replied the speaker, responding to the bullshit-caller in a surprisingly patient manner.

“Historically – and I’m talking about the 1970’s up to the early 80s – most programmers were women. I think we need to talk about why this shift happened in the first place before we can cover today’s gender imbalance”

“I don’t disagree, actually…let’s explore that for a few minutes …”


When that discussion wrapped up, after about fifteen minutes, I turned to Grace, hoping she’d forgotten our earlier disagreement.

“Wow, that was really interesting! A surprisingly thoughtful discussion. What do you think?”

“Yeah…” she replied, in a voice that exhibited at least a hint of warmth, something I considered a victory under the circumstances. “I didn’t know about the history of women in programming. That’s cool.”

I started to reply in agreement, but Grace continued.

“In any case, I don’t take people’s shit at work. I just find a way to get things done”

“What do you mean?” I replied, a bit puzzled.

“There’s just a lot of stupid at work…you know, stupid as a noun, not as an adjective.”

I nodded, expressing my familiarity with both the concept and the terminology.

“So sometimes I just have to work around it. Let me give you an example. Because we’re a retailer, we process a lot of credit card data. PCI, you know PCI?”

“Yes, I’m on our PCI compliance team for network”

“Well one of my tasks – because I’m the newest member of the team – is to capture log data from our PCI zone. To do this I literally need to use another computer to manually capture this, and copy files to my main computer.”

I nodded again – this was standard practice to keep the PCI zone as small as possible.

“This is stupid busy-work that takes me a half-hour every single day! So I just created a VM image of the PCI log collector that I run on my PC, and wrote a script to extract the data locally. Takes me 5 minutes, tops.” She smiled at me, proud of her technical accomplishment.

While what she’d done was technically clever, my reaction was actually one of near-horror.

“Uh, you can’t do that.”

“Uh, I did, and I’m a lot more efficient because of it!” Wow. She’d managed to subtly mock me, disagree with me, and confront me, all within a single short sentence.

“No, I mean of course technically you can do it, but PCI compliance rules require strict segmentation of the CDE and…”

“It’s segmented! And I’m not transmitting any data other than the aggregated and sanitized logs!” she replied, defending herself.

“I realize that, but what you’ve done makes your computer – and therefore the entire network – part of the PCI audit scope.”

“No, it doesn’t! I read the damn PCI DSS network segmentation guidelines, and this is OK!”

I shook my head. “Sorry, but that’s just not right.” I was trying not to be condescending, and probably failing.

She gave me an angry smile in response. “You’re wrong! I can show you the spec!”

“Hey, keep it down!” from a few rows away.

My voice had apparently gotten louder than I intended, and a cascade of people began shushing me, some using actual profanity. This vile (or at least viral) wave made its way across the room, as new shushers piled on and shushed the original shushers in a perfectly constructed positive feedback loop of negativity. At last the speaker chimed in, sounding aggressively resigned:

“Hey, you two bozos either need to have this debate publicly on stage, or shut the hell up”

Everyone in the room looked more or less at me. I looked at Grace. Grace looked at the ground.

I exhaled a deep breath, stepped outside my comfort zone, and stood up.

“Okay” I said, looking around. “Okay!” I repeated, glancing up to the speaker. I turned to Grace. “Let’s talk about this up there.”

Grace stared at me, her surprise quickly morphing to anger.

“You’re out of your mind! I’m not going to be forced into a public debate.” She stood up, and quickly stormed off. As she reached the exit and pivoted back to face me, the door swung open behind her, revealing John bearing an armful of swag.

Grace raised her voice above the crowd and delivered her parting words: “Max, you’re an asshole!”

As the room devolved, or perhaps exploded, into laughs, hoots, cheers, and boos, I felt compelled to defend myself.

“For the record…” I shouted, probably ineffectively, against the roar, “…I’m not an asshole!”

While the leader forcefully reasserted control over the room, John strode over to me, and sat down in Grace’s newly vacated seat. Eyebrows raised, he furiously whispered at me “What the hell? I leave you alone for 15 minutes at DEF CON, and this is what happens??”

I held up my palm to wave him off, whispering back. “I’ll tell you later. Believe it or not, we were arguing about PCI compliance”

John just looked at me, and slowly shook his head in surprise, wonder, or perhaps just disbelief.


Author’s notes: I love attending DEF CON, and I wrote this to try and capture one small slice of the experience. In this story Max is trying to be outgoing, and in some ways partially succeeds. Of course, he mishandles the interaction with Grace, which explodes in a dramatic and hopefully humorous way. Was Max right about PCI? Was Grace wrong? Possibly (probably)…but I wrote this to be deliberately ambiguous. I hope to have the chance to revisit Max, John, and Grace in future stories. Thanks for reading this, and I welcome your feedback.