On Social Hacking Groups, Meetings, and AHA!

Since the early ’90s, when I first really started getting into information security and the hacking scene, I’ve always found immense value in social hacker meetings. Back then all I had was my local 2600 meeting; however, today, depending on your place of residence, there may be many different types of meetings available to you, ranging from black to white-hat orientations, such as 2600, local-area DefCon groups, the regional *Sec groups like NoVASec and SeaSec, various security user groups like NTSUG, and independent groups like AHA!

The groups that I’ve participated in over the years, which include both Dallas and Ft. Worth 2600 meetings, dc214, and AHA!, have vastly contributed to my personal experience and continued success in my career and have definitely helped to get me to where I am today. Nowadays I simply won’t do without them.

When I moved to the Austin area from Dallas about a year ago, other than the local 2600 meeting, which I still haven’t attended due to usually being in Dallas on the first Friday of the month and attending 2600 there, there didn’t seem to be any other security or hacking groups actively meeting in the area; at least not that I could dig up. In an attempt to fill the void left in my social activities that leaving Dallas had left me with, I began to scheme on creating a DefCon group for the area, dc512. When I asked some colleagues around the office if they would be interested in attending, a few of them suggested that I wait a few months because HD Moore had something similar up his sleeve. So I waited, and sure enough HD shortly announced the creation of the AHA! group and set up a mailing list. Unfortunately all that came from that for the next 4 months or so were Sushi lunches and poker games, which wasn’t exactly what I was looking for. Finally, fed up with the lack of technical discussion in AHA!’s diet, I organized a meeting location, briefly discussed with HD and decided on a meeting format, and prompted the mailing list to come to AHA!’s first technical meeting. I’m happy to say that we’ve been going strong every month since that first meeting, 8 months ago, and it’s honestly the most valuable and most productive social hacker meeting that I’ve ever had the honor of being a part of. The signal-to-noise ratio at AHA! meetings is simply off the chart.

The format of the AHA! meeting is also vastly different than any other meeting I’ve ever attended. Unlike 2600, which is extremely informal, through DefCon groups which vary in format but usually contain both some informal chat time as well as a speaker for an hour or so, through the *Sec meetings and user groups which may go so far as to have parliamentary structure with official opening and closing, minutes, and whatnot, our decided upon structure was directly resultant of what we wanted our meetings to provide, which was a forum for members to talk about what they’ve been up to for the last month or so and solicit feedback from everyone else. As such, we decided to provide anyone that attended with five to fifteen minutes within which to speak, a short Q&A afterward as the projector, if slides were used, changed hands, and continuing with the next speaker until we either ran out of speakers or ran out of time.

Unfortunately this format has created some issues with various people that attend, or people that have subscribed to the email list but haven’t yet attended due to the format. We place a large emphasis on presenting something if you attend the meetings, and if you don’t attend the meetings or attend but don’t participate you will eventually be unsubscribed from the email list due to non-participation. Thus, if you don’t intend to come to the meetings and speak, you may feel unwelcome. Concern for this has recently been voiced on the mailing list, suggesting that it promotes an elitist or discriminatory feeling towards those less experienced who may feel that what they have to talk about isn’t valuable or worthy of presenting. That may seem to be the case, if you don’t really understand the entire point of AHA! meetings.

For me, all of these types of meetings have been more about learning something new and/or getting feedback on my own work than “strutting your stuff” or trying to prove something, regardless of what the meeting organizers actually state that the meeting’s purpose is. With AHA!, we’ve stated repeatedly that speaking about what you’re currently working on, getting feedback, and learning from it all is the entire point; to get feedback from other people about what you’re missing or what you haven’t thought of due to your own inexperience with the subject or your experience with it being in a completely different area of expertise. At AHA!, you’re not trying to tell everyone else how to do something, or necessarily educate them, you’re describing your approach to a problem and seeing if anyone else has anything to contribute that might help you, and thus improving your own work or research via more sets of eyes, ears, and brains.

Fortunately for AHA!, some of the people that attend and speak about what they’re up to really are at the top of their game and everyone else there may not actually have any useful feedback for them. Unfortunately I can see how this fact may have perpetuated the misconception noted above that people attending for the first time or just subscribing to the email list may get about the purpose of the meetings. However, with the number of extremely intelligent, experienced, and talented security people that attend and participate in the meetings, it would seem to me the ideal place for someone new to the InfoSec game to come and speak about what they’re doing and solicit feedback.

Regardless of the stated purpose of any given meeting, what it really comes down to is this: Everyone has their own agenda, and the only one that should really matter to you is yours. The question is, what do you want to get out of these types of meetings, and is it worth attending for?
