As Defcon goes virtual, organizers step up efforts to prevent online harassment

Privacy is an essential component of Defcon. The annual hacker conference in Las Vegas has policies against taking photos of people's faces and against names on badges for the tens of thousands of people who come every year. The event, attended by FBI agents and criminals alike, values privacy so much that it doesn't even want your money unless it's cash. 

But that anonymity is a double-edged sword for its organizers: Defcon has a history of complaints about sexual harassment and racist behavior. 

In 2017, Defcon released its first transparency report, and it's gone through that same process at the close of every conference since then. Each year has brought reports of incidents of sexual harassment, and the conference banned two people for life for harassing women in 2017.

With Defcon going virtual this summer, it's open to anyone with an internet connection, meaning organizers will have to brace themselves for a new challenge: moderating a conference of thousands of hackers who have the technical skills to disrupt an online event. 

The hacking that goes on at Defcon is primarily for educational purposes -- taking over a voting machine to show how easily it can be done, or the conference itself creating badges with Easter eggs you can only unlock if you have the technical chops.

But it's also paved with high-tech hijinks, like hundreds of fake Wi-Fi networks intended to trick people into connecting to them and a fake ATM machine in 2009 that could steal card data from unsuspecting victims.

While Defcon isn't the first conference to go virtual. Apple's Worldwide Developer Conference and various gaming events have gone the digital route as a result of the coronavirus pandemic -- Defcon's move exponentially increases the opportunity for harassment -- an issue it's long struggled with. The broader shift to go remote, from weddings to schools, has invited trouble, such as hackers hijacking synagogue services to spam anti-Semitic slurs and interrupting virtual classes with pornography.  

Now imagine what happens when a convention for hackers goes online. 

To deal with a potential flood of issues, Defcon's organizers set up tiers of privileges for the online event, so that the more potential you have to cause harm, the easier it is for you to be caught. It marks a stark contrast with Defcon's usual privacy-first ethos, just another example of our surreal times. 

"Hosting a public event on the internet always carries a responsibility to prepare for bad actors," Melanie Ensign, Defcon's press lead, said in a statement.  

Privacy shift

Rather than using its own livestreaming service like Apple did for its WWDC or a video chat tool like Zoom, Defcon is happening on Discord, an online chat platform that most hackers are familiar with. The server will open up on Aug. 6 and run through Aug. 9, with different channels set for the different "villages" happening at Defcon. 

The ability to interact and participate in Defcon will be determined by how much information you provide. For the majority of users who choose to remain anonymous, they'll remain in a "read-only" mode unless they provide more information. 

Other requirements include having a verified email account with your Discord, or a phone number associated with the account. 

While the entire conference is free to attend and watch, if you want to post images and links, or to use the voice and video chat functions, you'll need to pay $20 for a "Human Plus" badge through PayPal. This process makes it easier for the conference to identify bad actors who post illegal content on Discord.

See also: What is Tor? Your guide to using the private browser

Defcon organizers created the badge as a way for supporters to provide funding for the conference, but it also allows them to turn over evidence to law enforcement officials if any illegal content pops up from those users. 

It's a far cry from past Defcons, which had a strict cash-only policy out of privacy concerns for its attendees. An FAQ for Defcon said this about credit card payments in 2019: "Do we take credit cards? Are you JOKING? No, we only accept cash -- no checks, no money orders, no travelers checks. We don't want to be a target of any State or Federal fishing expeditions."

The change in stance, however, was necessary given the shift in format. 

"Historically DEF CON has been cash only, but moving to a digital platform for Safe Mode introduced practical requirements for accepting payments virtually, and provided an important verification mechanism to aid anti-abuse efforts," Ensign said.

The code of conduct

The conference has its main talks, but also has breakout sections called villages for different topics in security, like encryption and the internet of things. Each village will have its own moderators, who will enforce the rules set up by Defcon and can also establish their own rules for their specific channel.

Defcon volunteers, called "goons," are usually tasked with making sure the conference runs smoothly. They run the gamut from handling security to making sure screens are set up properly for presentations or just telling people where certain talks are happening. 

With Defcon happening mostly online this year, nearly every goon will be tasked with moderating the Discord server and ensuring that people are following the conference's rules. 

The conference will have about 500 goons working as moderators, as well as a formal review process for any issues that get raised. Any permanent ban would require approval from senior Defcon staff, and Ensign said moderating actions are logged to review for potential abuse from goons. 

Defcon's organizers said they had been working on the code of conduct since May, when they decided to host the virtual event.

Here's what a draft of the rules for Defcon's online edition said:    

• Please follow directions from Moderators and Goons.
• Please don't harass people, use hateful language, or personally attack other attendees. If you do you could get your one and only warning to be civil.
• Try to keep discussions on-topic in channels that have designated topics.
• We don't want you to get into trouble, don't do anything to draw the attention of law enforcement by committing crimes or conspiring to commit crimes.
• Don't expect people to do your homework. Attendees are unlikely to tell you step by step how to hack the Gibson, but are more likely to collaborate in learning with you.
• Unauthorized promotion of your commercial enterprise or business is not allowed.
• Frequent spamming to channels with repeat posts is not allowed.
• Posting links to other Discord servers is not allowed. Do it in a PM.
• Unless otherwise specified, the default language for channels is English.

People who violate the rules can be kicked off or banned, and Defcon's Discord server will also have a list of hate speech terms that are automatically muted. Villages can kick people out of their own specific channels. When someone is muted, a ticket is automatically created for review by a Defcon moderator to decide whether or not to ban the person. 

The Discord server will also have a channel specifically for reporting abuse that might not be picked up by the AI or by a moderator watching for misconduct.

"We are very confident that we will not be interrupted by trolls. DEF CON staff as well as IoT Village staff will be closely monitoring our channels," Rachael Tubbs, the events coordinator for the IoT Village, said in an email. "We know that they exist and will try their hardest to interfere, but we successfully avoided trolls interrupting us during our first virtual event in May, and feel well prepared."

Discord's role 

If you're planning on attending Defcon's virtual event, there's a good chance you're familiar with Discord. 

The chat app, initially built for gamers, also has a budding hacker community on its platform. Last month's infamous Twitter hack, when hackers took over high-profile accounts belonging to people like Barack Obama and Jeff Bezos, had originated through messages on Discord. A series of hacks on Ring video doorbells was organized for a live show hosted on Discord, and hackers frequently use the platform to sell stolen data.   

Discord is no stranger to the hackers using its platform, and said it's taken measures to prevent illegal activities from happening on the chat app. 

Watch this: Hackers take on new voting machines at Defcon

01:41

That can include actions like banning users, but also more drastic measures like shutting down the server entirely. Because Discord does not have end-to-end encryption and its users aren't anonymous, any illegal activities would also be easier for the company to report to law enforcement. 

Defcon is expected to be one of the larger conferences held on Discord, and the chat service said it's prepared for the event by training Defcon staff on best practices for online moderating. A company spokesman said Discord could step in and take action if the situation calls for it, but the majority of moderation will fall on Defcon's staff. 

Discord's security team is also working to make sure that any attendees banned from Defcon's servers stay off the platform. Conference administrators will be able to ban people from its server for violating the code of conduct, and Discord will help by making sure that they can't just make another account and log right back on. 

"DEF CON is an important event that brings together some of the brightest minds in cybersecurity. While we are not officially partnering with DEF CON we are proud that they are choosing to host their conference on Discord," the messaging platform said in a statement. "More broadly, Discord has a zero-tolerance policy for illegal activity, and this will apply to all DEF CON attendees as well. We use a mix of proactive and reactive tools to keep it off of our service."

Defcon's organizers plan to release a transparency report for this year too, despite its unique format. Whatever the results may be, it's likely this year's results will show how feasible it is to keep an online hacker conference harassment-free.