A few years ago, I was allowed to attend one of the most impressive and most influential events of my career to date. In 2007 I was at the Chaos Communication Camp 2007 in Finowfurt. The reasons for my being there are many and not quite that easy to remember. Most likely I went there because – among other reasons – the convention was held in an old airport that was converted to a museum where world-renowned researchers held talks in repurposed bunkers. At the same time, there were thousands of tinkerers who let their LED-studded Quadcopters fly, presented their RFID-Gadgets as well as other technological tools that seemed way more futuristic in 2007 than they do now, more than half a dozen years later.

The Chaos Communication Camp wasn’t the first conference that I attended. Even as a teenager, many years ago, events like the annual congress of the Chaos Computer Club fascinated me. The biggest event, the DEFCON were still unreachably far for me, but it had its allure. I went to many a local event, most of them organized by Linux User Groups (LUGs). They were welcome events to share knowledge and have a chat, to learn new skills and they even offered something like camaraderie. And then there was a series of invite-only events that a friend of mine organized. They helped me find my place in the industry and in the general area of security. Later, after I’ve started working at scip AG, a lot of conventions followed: DEFCON, its commercial sibling BlackHat, various SOURCE-conferences – I was allowed to visit many and I could hold talks at some. That was something I always saw as a privilege.

Events like conventions were and partially still are the only real possibility to effectively get new information in our industry, which is notorious for its fast-paced development. They also helped me to get new inspiration. A few years ago, I found myself in the position of being one of the organizers of a convention. The convention which would become known as hashdays quickly rose to national as well as international fame. Today, in 2014, the event-series has a new name: Area41. It follows the footsteps of hashdays and its still just as successful.

I am part of the team that makes Area41 happen. The time this takes – and every minutes is subtracted from time spent with hobbies or family – is enormous. Just the choosing, coordinating and taking care of speakers that hail from all corners of the world takes dozens of working hours. Then there’s the finding of sponsors and the negotiation of contracts with them, which is probably the hardest part of any non-profit project. Not to mention the minute details such as creating a nice logo, putting information online, paying of small bills… they all add up too, but they’ve always been worth it considering the outcome. Despite all this, I am more critical of conventions than I was seven years ago. This might surprise some, given my position and experience.

But ask yourself this: What are conventions good for? This might sound like a polemic trick question, but is more relevant than ever. The motivation that leads to visiting a conference is something highly individual. Some come for the content: The presentations, the workshops, the little things you can learn from other people at the convention. For others, it’s the business aspect: A new job, the presenting of themselves as a business or a service to potential customers. And others value the social aspect more than anything. Their goal is it to have a cold beer or an equivalent of the non-alcoholic variety with people cut from the same cloth and talking about technology as well as private matters. In addition to that there are those who come because their motivation is a combination of the three factors as well as others that I am going to neglect in this article.

Today, in 2014, we are living in a world where information is as available as it has never been in the recorded history of man. The presentations held at the BSides in the United States are available as FullHD-videos not a day later. The slides, maybe even whitepapers with background information are quite probably online even before the speaker gets up on stage. If you’re just after the information, then there’s little reason to actually show up at a convention.

Even the business-aspect as well as the social component aren’t as motivating as they used to be. Today, there are so many recruiters and HR people are trying to find good workers, Job offers on Twitter have become an accepted standard. Customers are a rare find at conventions anyway seeing as the industry has come with less freaky sales events for people who can decide but are not as tech-savvy. Those events somehow manage to exist without 0-Days but they sport an impressive amount of suits and expensive finger food. The purely social aspect is also somewhat inconsequential seeing as the InfoSec-Community has reacted surprisingly well to Twitter and is represented there.

So the question stands: What use are conventions? I, as an organizer, had to ask myself this question often. The answer is something that came to me in form of comments on the feedback forms and the sign-ups for this year: The enthusiasm to be part of an experience. Not on-demand as an mkv-file or on YouTube, but live and on location. As an active participant with all the possibilities that come with it – to ask questions or to talk to people or have influence. The potential of security conferences lies in their inherently collaborative nature. It is not about any one aspect, but about the whole, which ultimately ends up being bigger than the sum of all parts. And that is the true and persisting value of conventions.

About the Author

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

• http://www.ccc.de
• http://www.defcon.org