The Discontinuation Of DerbyCon, The State Of Infosec Social, And How We Get Our Chill Back

I don’t usually take to my blog to write out my feelings in long form on social issues related to infosec, but in light of the announcement that 2019 will be the final episode of DerbyCon, I decided that now is a good time to write some things out. My goal here is to highlight some of what I think contributes to our current landscape and maybe add some things to think about that might help bring everyone together.

Announcement: We write this with tears in our eyes, this year 2019 will be our last year having a DerbyCon.

Thank you all for the continued support, it was just time for us to end on a high-note.

Full message from the team below: https://t.co/Ld66DGxGVR #DerbyCon

— DerbyCon (@DerbyCon) January 14, 2019

I’ve been an infosec professional for almost 10 years, but I’ve only been an active participant in the social aspects of infosec over the last maybe 3 years. In the amount of time I’ve been involved socially, I’ve seen the infosec community go from a relatively carefree gathering of friends and soon-to-be-friends, to being just another battlefield in a culture war nobody asked for. The latest casualty in that war, apparently, is DerbyCon.

In some ways, this war was bound to be fought with the changing times. Hegemony as an institution favoring nearly exclusive leadership from one particular group of people who share a common race, religion, gender ID, and sexuality is being challenged, and infosec was destined to go through the same cycles we’ve seen in other industries. Some have chosen to look at this evolution as a tragedy, others look at it as an opportunity, and in a bi-polar setting like that, conflict is bound to arise.

Reactions to the news that 2019 will be the last year of DerbyCon have ranged from sadness to anger, all valid emotions. Some people feel like they’ve lost a friend; one of the only mid-range conferences in price that got you into a setting with a very cool group of people who are a good mix of hardcore technical, and just social enough to get a drink with. While the reasons for the cancellation were left intentionally vague, the one thing everyone can agree on is that it’s a tremendous loss and the grief is real.

The official announcement posted to the DerbyCon website reads:

Conferences in general have shifted focus to not upsetting individuals and having to police people’s beliefs, politics, and feelings. Instead of coming to a conference to learn and share, it’s about how loud of a message a person can make about a specific topic, regardless of who they tear down or attempt to destroy.

The loss of DerbyCon comes at an awkward time for infosec conferences in particular. It’s hard not to discuss the discontinuation of Derby without taking stock of the socio-political climate we’re in.

In case you haven’t noticed, the United States is having a bit of a moment right now. The backdrop of infosec conferences over the last few years is, of course, American politics, which has been poisoned by a number of different prevailing winds that have put everyone on edge. The most controversial president of the modern age has brought out a lot of emotion in Americans, giving some reason for fear and others ammunition to antagonize.

It hasn’t even been a year since a man walked into HOPE ’18 wearing a “MAGA” hat with the sole purpose of pissing people off, sparking an aggravating and entirely unnecessary side-conversation about what hats should be allowed into conferences, which is honestly too obnoxious to even go into detail on here. The response of the organizers was inadequate, disappointing, and predictable. Suffice it to say, it’s a hard time to run a conference and make everyone happy, and not every group of organizers knows how to navigate the changing times. In the context of our diminishing civility, some organizers are moving on…and frankly, I can’t blame them.

Politics is like glitter. It’s distracting and it finds its way into every orifice if you aren’t careful with it. It’s inevitable that even the purest things will be contaminated by it unless extreme measures are taken to insulate yourself. For most of us, conferences are a place to blow off steam in a particularly demanding profession, see friends, make new friends, sharpen our skills, and hopefully learn a thing or two if we aren’t too drunk. (Author’s Note: we’re usually too drunk.)

Friends at DerbyCon 2018

For most of us, the experience hasn’t ever been about “triggering,” either inflicting it or having it inflicted on us, but a growing number of people participating in the aforementioned culture war have been concerning themselves with one form or another of it, to the detriment of everyone’s experience. Despite all the effort the more positive influential members of our community have put into trying to get us all to treat each other better, we still can’t seem to back off the old bad habits. It’s worth remembering that this time last year, we weren’t mourning the loss of something as abstract as a conference, we were literally mourning the deaths of our friends after a wave of suicides hit our community.

The central tenet that may be the cause of all the trouble might be one of our most treasured community values. Trolling/griefing has always held a special place in the hearts of infosec dorks like us. It’s fun to get a rise out of people, and I myself have been a participant in this activity for years, so far be it from me to criticize others for the same behavior. The thing about trolling, though, is that it exists on a spectrum between gentle/fun and mean-spirited/inappropriate, and the lines between them can be difficult for some people to spot.

It’s easy for trolling to be taken too far and become harassment, and it has ultimately put people (particularly minorities coming into the infosec community) into a defensive mode. We notoriously play hard in infosec, and the way some people end up getting treated is less than acceptable. The truth is, nobody likes to feel like the ass-end of a joke, and when griefing becomes harassment, everyone involved starts to have a bad time.

So where does this leave organizers? Right in the middle, of course. Having to decide who is right and who is wrong in the midst of rapidly changing social constructs is not an easy task, but it has to be done. This need has forced a lot of longstanding cons to do some soul searching and crystallize their conclusions into reformed codes of conduct. Others have chosen to walk away from the people-management aspects of their events, leading to either the closure of the event or a list of very public and melodramatic controversies year over year.

Harassment is never cool, and while most cons nowadays have codes of conduct to prohibit it, not every con really knows how to spot it and to what extent their rules should be enforced. Once all sides have been heard, if someone has been abusive, they should be asked to leave. Period. Doesn’t matter who, doesn’t matter why.

At the same time, not every person who raises a complaint about something should be branded an agitator. Some people have legitimate concerns, and if we can all agree that more participants in infosec is better, not worse, we can all agree that people raising concerns should be heard.

We only have a few events that we can all attend and have fun at every year, and what’s in even less supply is the quality time we have with our friends. We all want to get through this hellscape of a political climate and get back to having fun at these conferences in a way that is (hopefully) more inclusive of everyone, and much less ambiguous and tense.

In the meantime, we really do have to get serious about treating each other with a little more kindness and respect. That doesn’t mean we can’t still have fun with each other, it just means that we have to be a bit more conscious of whose expense our fun comes at. Maybe trolling huge groups of random people needs to go out of fashion for a little while, at least until we can get our chill back…but that’s a decision we all have to come to collectively.

We can all afford to have rounder elbows going forward, but we have to do our best to squelch the efforts of those among us who feed on dramatics. Some of these people are our friends and colleagues. Most especially with these folks, we need to be willing to have these discussions with them for the greater health of everyone and everything around us. If we all don’t start taking it upon ourselves to promote positive experiences, DerbyCon will not be the last conference that gets shut down because of our inability to be polite when it matters most.

I know that personally, I’m going to miss DerbyCon. It was a fun event, and even though 2019 will be the last year, I know that Dave & co will make it outstanding.