Infosec community laments loss of ‘career-defining’ event

The next edition of DerbyCon will be its last, conference organizers announced this week.

DerbyCon organizers blamed a “small, yet vocal group of people creating negativity, polarization, and disruption” for the hacker conference’s demise.

Managing a minority of disruptive attendees has seemingly turned what had started out as a labor of love into somewhat of a chore.

A flash point that flared up during last year’s edition of the annual Kentucky-based event related to a poster board at the conference where people were invited to comment on “what helps you relax”.

One delegate wrote “boobies” while another added “#metoo”, provoking complaints about trivializing sexual assault.

The offending comments were covered up, provoking complaints of censorship and kowtowing to “social justice warriors” from some quarters, as the dispute exploded onto social media.

The decision to bring the shutters down on DerbyCon wasn’t taken lightly, according to a lengthy post by conference founder Dave Kennedy.

The post cites an incident where an unnamed individual “was verbally and mentally abusive to a number of our volunteer staff and security to the point where they were in tears”.

It read: “2019 will be our last year of DerbyCon. Please know that this decision was not done in haste, and it was one of the most difficult decisions we have ever had to make in our lives.

“We looked at hiring third-party crisis management companies to deal with people directly, we looked at having entire companies run the conference where we would become more of the direction and vision, but at the end of the day, that is not why we started DerbyCon.

“It’s taken a personal toll on our lives, our businesses, and our friends, and it has gotten to the point where we don’t want to manage it anymore.”

Time’s up

DerbyCon – which started in 2011 and has since grown steadily in size and importance – will therefore end with its ninth and final edition this September.

The blog post continued: “The conference scene in general changed drastically and small pocket groups focus on outrage and disruption where there is no right answer (regardless of how you respond, it’s wrong), instead of coming together, or making the industry better.

“There is a small, yet vocal group of people creating negativity, polarization, and disruption, with the primary intent of self-promotion to advance a career, for personal gain, or for more social media followers. Individuals that would have us be judge, jury, and executioner for people they have had issues with outside of the conference that has nothing to do with the conference itself.

“Instead of working hard in research, being a positive force in the industry, or sharing their own unique experiences (which makes us better as a whole), they tear others down in order to promote themselves. This isn’t just about DerbyCon, it is present at other conferences as well and it’s getting worse each year.”

Kennedy qualified this on social media by explaining that the decision to bring down the shutters on DerbyCon was due to “culmination of things we’ve had to deal with over the years not just one thing” or one individual.

Leaving a void

The end of DerbyCon is being lamented as the loss of a quality, grassroots, community-focused conference for the US infosec calendar.

Lesley Carhart of industrial cybersecurity firm Dragos commented: “What DerbyCon gave us that will leave a big void to fill: a medium-size, multitrack con which attracted a large swathe of OG [original gangster] and newer infosec folks, had a good lineup of speakers, but was not overrun by booth sales and marketing. It also encouraged chilling out and networking.”

“I’ve spoken at Derby three times and been four times,” said Nick Cano in a post on Reddit. “Was my first con and my first time speaking, both in the same go. The most career-defining networking I’ve done has been at Derby.”

Amanda Berlin expressed a similar positive sentiment on Twitter. “@derbycon is the reason I got into security,” she wrote.

Casey Ellis, founder of Bugcrowd, was even more fulsome in his praise. “#derbycon 2013 was pivotal in my infosec career - first @bugcrowd sponsorship, @jcran joined the company, and the ~1M cyber > irl connections showed me that i was part of a much bigger & more awesome tribe than i'd realized before.”

Jeff Moss, a US hacker and founder of the Black Hat and DEF CON conferences, commented: “The last year for #derbycon, this has got to have been an incredibly hard decision for @HackingDave and the whole crew. I have a lot of respect for Dave and the thought he puts into attendee experience.”

Kennedy expressed the hope that the industry will grow out of the behaviors by some that led to the decision to close DerbyCon.

“It’s easier to put others down than to take risk at the benefit of others to make the world better,” he said. “#DerbyCon did more for others than individuals who complain and put others down. My hope is that someday we can be civilized and communicate out of respect for each other.”

The published version of events, however, was disputed by some. “I see derbycon decided to die like it lived: complaining that holding predators to account was ‘drama’ and ‘attacking the community’,” said one critic.

DerbyCon isn’t the only infosec conference to have weathered controversy in recent years.

A right winger wearing a “Make America Great Again” hat disrupted last year’s Hackers On Planet Earth (HOPE) conference, which led to an outcry when he wasn’t immediately ejected.

Organizers of the Chaos Communication Congress were faulted for poor handling of a sexual assault allegation in 2015.

And hotel security staff in Las Vegas were criticized for invading the privacy of female delegates at last year’s DEF CON conference with a strong-armed approach to random room searches, a policy tightened up in the aftermath of a mass shooting in Las Vegas.