We Asked Def Con Attendees Why People Are Still Getting Hacked

The cybersecurity industry is worth billions of dollars, and tens of thousands of people attend Black Hat and Def Con every year. So, are we getting any safer?

by Samantha Cole, Lorenzo Franceschi-Bicchierai, Joseph Cox, and Ben Makuch
19 August 2019, 8:40am

Image via pinguino k on Flickr

This article originally appeared on VICE US.

This year's Def Con—the world's biggest hacking conference—was more sprawling than ever. Held annually in Las Vegas, the conference has grown over the last 27 years from a small gathering of hackers huddled into the Alexis Park hotel to a nearly 30,000-person swarm spread across multiple hotels on the Strip.

At Def Con 27, Motherboard saw Lightning chargers that could instantly hack a device, shirts that defy the surveillance state, superhuman game cheats, and attendees who bought their conference tickets by selling nudes. Between Def Con and Black Hat, its more corporate cousin, Vegas became full of people working in an industry that feels like it’s at a pivotal moment: There’s more money pouring into cybersecurity than ever, but we continue to see high-profile (and devastating) hacks. At the same time, cybersecurity as an industry is no longer made up of lone coders and small, grey-hat hacking groups; it’s a gigantic industry with startups worth billions of dollars. As the industry matures, it’s becoming clear that it must be held accountable for a lack of diversity and a sometimes toxic and misogynistic culture.

Motherboard sent four reporters to Def Con. We spoke on panels, gave talks, and reported on what we saw there, but we also asked about two dozen attendees two simple questions:

Why are people still getting hacked?

What is one thing the cybersecurity community needs to do better?

The responses people gave us were as varied as their expertise—some people we spoke to are red team hackers, others work in public relations for sex toy companies. But taken together, they revealed a pattern of opinions across the infosec community. People are hacked because they're human, and we need to be more inclusive of the diversity of humanity to solve these problems.

Answers are edited for length and clarity. Some respondents spoke on the condition of anonymity because of the sensitive nature of their work.

Why are people still getting hacked?

"I think the first question, put like this, is the modern equivalent to: why are things still getting stolen? People will always get hacked; the question is whether we can reduce the amount of hacks without causing too much external pain. I actually think hacks in general are mitigated relatively well, but there are exceptions of course. (US local government networks are an obvious one.)" - Martijn Grooten, editor of Virus Bulletin

"I think people still get hacked because most hacks these days that the public encounters work to exploit the human side of the equation and are not all that technically sophisticated, and we haven't prepared people for that reality. We need to help people not treat all threats as equally likely, and remind them that hackers aren't magic wizards; they use a logic on how hard they want to work to hack you that you can use to make decisions... I think because our mental vision of a hacker is still a guy in a hoodie doing very complicated, high computing power-required cracking of very secure systems, and not a person copying and pasting a bunch of passwords to see which ones work." - Kate Rose, digital security professional and maker of Adversarial Fashions

"Because we don't concentrate on the easy stuff. People need to use password managers. People need to, you know, segment their social media profiles, their email accounts, and stop mixing everything together, and just concentrate on the basics. Because you don't want to be low-hanging fruit." - a Red Team operator at iiNet

"Because they don't update their shit. And they use [passwords] like ‘1234’ and really basic stuff. It's really bad." - anonymous

"It’s lack of understanding and education around cybersecurity. Seems like populations are vulnerable because of lack of access to information due to resources, or generational differences in access to technology (i.e., vulnerable seniors). Beyond that, I wonder if people have a nonchalant attitude when it comes to their personal security because it seems so inevitable that you’ll be at risk. It isn’t clear how you can prevent it, and everything is getting hacked or your personal info is at risk all the time." - Rachel Johnston, communications professional for sex toy company Lora DiCarlo

"If 'security' is the 'state of being free from danger or threat,' then cybersecurity is a fantasy. We don’t get to be free from danger. That’s not the world in which we live. We simply cannot find every problem. Many organizations can improve their defenses by focusing on basic fundamentals, but to make that happen, organizations need to not only identify failures, they need to either prove the real world risk and impact posed by the failure, or verify that existing controls provide sufficient risk reduction. Today, answering these two questions is incredibly difficult." - Evan Anderson, Randori Director of Offense

What is one thing the cybersecurity community needs to do better?

"There are two parts to this. The first part is to diversify. There are too many bright people in the world for infosec to be dominated by any single group of people. However, to do this the infosec community needs to get back to its roots of finding intelligent, curious people and training them in house instead of poaching experienced people from other firms. Does it take longer? Of course, but it has benefits such as company loyalty that can't be overlooked." - Brian Pendelton, professor and Def Con 27 goon

"I think that there's a huge disparity between African-American representation at a higher level. You see African-Americans from the help desk to the system admin level. But when you start to go up to CSO, CIO and all those levels (senior-level positions), you don't see large representations of African-Americans, so I think that as an industry we could strive to do better, as much as we're doing for women, which is very great. I also think that we can make that same effort for African-Americans." - Brandon Robinson, senior sales engineer at Proofpoint

"Be less toxic, more inclusive. I try as much as possible but there are a couple of people in the industry who are big rock stars, who don't make anyone else [feel] welcome." - anonymous A/V company employee

"The cyber security community needs to educate in a way that is accessible to lay folk. The resources should not be daunting or scary but realistic and honest. It’s hard to make a case for using increased security to someone who feels they would never be a target, but the reality is everyone is a target to indiscriminate attacks." - Moheeb Zara, AWS

"Exercise finesse and learn to prioritize the needs of others, whether business leaders, consumers, or policy makers. Understanding what makes them tick and how they think is the only way we can build tools and teach skills that will stick. Our community has a history of showing up like a bull in a china shop and not only does that turn people off to our message, it damages our credibility with the very people we’re trying to protect." - Melanie Ensign, DEF CON press goon department lead

"Anyone with the power to make decisions on what authentication technologies the rest of humanity gets saddled with needs to watch people outside their peer group try to use what they build. Most will not successfully check all the marks for secure usage of anything, because the thing they're logging into will not make it anywhere near what the vast majority of humankind would consider easy. Certain elements in the hacker community have long scoffed at everyone else for not having the time, money, or experience to personally deal with working around bad design in the patchwork of the poorly maintained, disjointed systems they depend on. The responsibility should instead shift to technology makers to design authentication mechanisms and other security features in a way that everyone else can actually use." - David Huerta, Freedom of the Press Foundation

"They need to engage better with the people around them. There's something very insular about people who work in cybersecurity. There's maybe not a huge overlap between cybersecurity and people with an overabundance of social graces.... [but] cyber security is everywhere and it applies to everyone. And that means that people in tech need to be able to relate better to people who aren't in tech and explain why it's important. If there's anything I would wish I could convey to everyone here it would be like this is important. This is fun. This is awesome. Convince other people to care about it." - anonymous