Researchers decide ‘Hacker Summer Camp’ is too risky as Covid-19 cases spike
Every summer for decades, thousands of hackers have made the pilgrimage to Las Vegas for Black Hat and DEF CON—back-to-back security conferences affectionately known by attendees as “Hacker Summer Camp.”
Well, almost every summer.
The Covid-19 pandemic pushed both conferences online last year. This year, the conferences bet on the virus being contained enough to allow for safe in-person events while also planning for virtual versions. But the gamble on live events is now too much risk for many individual security researchers and some large vendors, who have pulled out of in-person attendance as Vegas became a hotspot of the highly transmissible Delta variant of the virus.
Both conferences have contingency plans for cancelling in-person events. As of Monday night, DEF CON press lead Melanie Ensign told The Record that the plan remains to move ahead, but that organizers are monitoring the situation “day-to-day.”
Jeff Moss, the founder of both conferences, also known by his handle Dark Tangent or DT, has also posted publicly about the difficulty of planning for the in-person events amidst the ongoing crisis.
“I can’t remember any year as complex and stressful as this one,” he tweeted in late July. Days later he tweeted again—this time flagging that many logistics were still up in the air, even as the conferences are set to happen this week.
Normally I’d be really chatty right before #DEFCON and Black Hat but this year is, well, different. So many things behind the scenes happening that would normally have been sorted out weeks ago.
— Jeff Moss (@thedarktangent) August 1, 2021
Some companies have radically simplified their approach in light of the evolving situation: Trend Micro pulled out of in-person Black Hat, specifically citing the Delta variant and sharing the decision on July 28 along with a video from COO Kevin Simzer on Twitter.
We're constantly assessing risk for our employees, customers, partners and the industry.
We're the first security vendor to withdraw our in-person presence at Black Hat in light of rising COVID-19 cases in Las Vegas and it being a hot spot for the COVID-19 Delta variant. #BHUSA pic.twitter.com/hQZcWQeCwu
— Trend Micro (@TrendMicro) July 28, 2021
Altitude Networks followed suit on July 30.
We've made the decision @Altitude to pull out of #BlackHatUSA in-person events. The risks have changed dramatically over the past weeks. We'd love to see everyone in person, but it's an easy decision to prioritize the health and well-being of our employees and community. Be safe.
— Michael Coates (@_mwc) July 30, 2021
And at least one security consultancy, Atredis Partners, made the call to stay away all the way back in March.
We were the first to say this in 2020, and we're sad to say it again, but the Atredis team won't be at BlackHat and DefCon this year.
Our policy here is no travel until there are no cases (or at least herd immunity), and it's just too soon.
We miss y'all! ♡ #BHUSA #DEFCON pic.twitter.com/v4WmSr2Q8N
— Atredis Partners (@Atredis) March 30, 2021
(Disclosure: Recorded Future, which owns The Record, is planning a limited in-person presence and an event that adheres to local restrictions in conjunction with Black Hat.)
Black Hat is among the biggest deal-making conferences of the year for the cybersecurity industry—a place where business agreements are often forged through in-person networking in hallways or over drinks at the conference’s many, many afterparties.
By pulling out of attending in-person, vendors are making a few different calculations. One is that the potential risk to human health is not worth more than the dollar amount they might lose out on from that in-person networking. But another is that potential customers will recognize their decision as a sign of responsible risk-management behavior that could win over others similarly wary of the situation on the ground in Las Vegas.
And the risks in Las Vegas are significant: cases are skyrocketing around the city, where masks are now required for indoor public places regardless of vaccination status—a change that followed recently updated Centers for Disease Control and Prevention guidance. When this reporter traveled on Monday, social distancing and the masking requirements were poorly enforced at McCarran International Airport, which many attendees will travel through before even making it to the conference sites: trams in the airport and shuttles to rental car sites were packed full, with some travelers hostile to or seemingly unaware of the current masking rules.
Trend Micro’s Simzer is feeling good about his bet.
"We are hearing from customers that they appreciate and respect our people-first approach,” Simzer told The Record in an emailed statement. Although he believes Black Hat will be “as safe as possible” the company “wanted to remove the risk on behalf of” employees, he added.
Plus, he wrote, the pandemic had taught the company it could meet customers’ needs from almost anywhere in the world.
Several individual prominent researchers have also pulled out of planned trips to Las Vegas, including Tarah Wheeler, a fellow at Harvard's Belfer Center and the New American Foundation, as well as Matt Blaze, the longtime cryptography specialist and Georgetown Professor.
“Although I'm fully vaccinated, I've decided to participate online this year,” Blaze told The Record. The layout of the venues will make it “effectively impossible to avoid crowds of random tourists” he said, adding that the “risk of picking up a breakthrough infection” he might unwittingly pass on to others “just seems too great to ignore right now.”
Both conferences have taken steps to address the health situation.
After the local masking mandate was announced, Black Hat messaged attendees about the requirement at the event and said it would provide masks. When asked if the conference was considering additional safety measures such as requiring vaccination or canceling the event, the Black Hat media team declined to comment other than to refer The Record to the conference's website FAQ. The FAQ outlines a number of additional steps, such as enhancing cleaning procedures—and notes that the conference resort is offering in-room Covid testing for $140 to $230.
The site also says that if the live event is cancelled, in-person badges will be converted to virtual-only access with the remainder being applied as a credit for the in-person 2022 conference, or full or partial refunds can be requested instead.
The conference also declined to comment on the number of talks originally scheduled to be in-person that are now being held exclusively online.
Kendra Albert, a clinical instructor at Harvard Berkman Klein Center's Cyberlaw Clinic whose Black Hat panel on the legal risks of research on public-facing machine learning systems was originally scheduled to be in-person and will now only be virtual, is among the speakers to change travel plans based on the health and safety concerns.
“Although I would love to attend in person, the City of Las Vegas's belated adoption of an indoor mask mandate, as well as the recent news about Delta variant's infection of vaccinated people make it untenable to travel and be near that many people,” they told The Record. “It's also upsetting that Blackhat is not requiring proof of vaccination or a medical excuse,” Albert added.
DEF CON took the risks more seriously, requiring masks as well as original proof of vaccination for in-person attendance from the start—and organizers told The Record that the conference, which is largely volunteer organized, is trying to remain flexible.
“The uncertainty of the situation means it’s always an option to cancel & DT has stressed the need to be flexible & prepare contingency plans to all our teams, including issuing refunds for folks who no longer plan to attend in person,” Ensign, the DEF CON press lead, told The Record in an emailed statement.
Ensign also said that she personally was surprised by how many people remained eager to attend, given the situation.
“It’s a lot more than I expected & for those who are making the trip, I’m glad vaccines & masks will be mandatory, even for the hotel & union staff working in the conference area,” she wrote.
Correction: A p
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.