During DEF CON, computer hackers from all over the world descend on Las Vegas to show off their skills in an environment where “radical viewpoints” are welcomed and rules are few.
So how did a University of Arizona professor receive a lifetime ban from such a proudly permissive conference?
Christopher Hadnagy insists he still doesn’t know.
In February, DEF CON organizers announced they had received “multiple” reports about Hadnagy for violations of the convention’s code of conduct against harassment.
“After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON,” organizers said in a statement on the convention’s website.
But Hadnagy says he was never told what he was accused of, and he denies doing anything wrong.
Now the adjunct professor in the UA’s College of Applied Science and Technology is suing the convention and its founding hacker, Jeff Moss, aka the Dark Tangent.
The defamation lawsuit filed Aug. 3 in a Pennsylvania federal court accuses Moss and DEF CON of ruining Hadnagy’s reputation and damaging his security consulting business with “vague yet scathing statements” that “falsely accuse him of what could only be despicable conduct.”
Hadnagy is seeking at least $375,000, plus punitive damages and legal fees.
Moss could not be reached. His attorney did not respond to a request for comment.
When contacted by email, Hadnagy professed his innocence and made several references to his lawsuit.
“My company and I consistently deny and continue to deny any and all allegations of misconduct,” he said in an email.
He referred all further questions to his lawyers, who declined to discuss the ongoing litigation.
Not many rules
Jeff Moss was just 18 when he organized the first DEF CON in 1993 as an excuse to party in Las Vegas with a few dozen of his hacker friends.
The event has grown into one of the world’s largest and best-known gatherings of information security professionals and amateur key punchers.
Hackers go to see what they can get away with. IT managers and government agents go to see what hackers are trying to get away with and how to defend against it.
There are the usual convention staples like mixers, group outings, panel discussions and industry speakers.
Then there is the other stuff: lock-picking lessons, a law-enforcement-identification game called “I spotted the fed,” and hacking how-tos for everything from seizing control of a decommissioned commercial satellite to playing Doom on the control screen of a John Deere tractor.
In recent years, the conference has devoted a whole “village” — sort of a target-specific breakout session — to cracking open voting equipment.
One of the most popular attractions is a days-long game of capture the flag, in which teams of tech workers, government contractors and students try to break into each other’s systems and steal virtual flags without losing their own. Some have called it the “Super Bowl of hacking.”
DEF CON touts itself as an open forum “where radical viewpoints are welcome and a high degree of skepticism is expected.” The conference’s code of conduct, last updated in 2015, covers a single topic: “harassment against any participant, for any reason.”
“Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid,” the code states.
Potential responses to such behavior include “expulsion without refund and referral to the relevant authorities.”
As organizers say elsewhere on the DEF CON site, “We don’t have a ton of rules, but we take the ones we have very seriously.”
Since 2017, the conference has posted “transparency reports” at the end of each convention, listing any notable incidents.
Hadnagy’s ban was announced in a special report published on DEF CON’s website on Feb. 9, and it soon made headlines on several news sites that cover tech.
He quickly took to Twitter to defend himself, pleading with his followers to “wait for details and facts before jumping to conclusions.”
Hadnagy followed that up with a lengthy statement on the website of his consulting firm, Social-Engineer, LLC, in which he identified one possible source of the complaints against him.
“From what I have seen and heard, many of the criticisms of me concern my training courses and, specifically, responses to bad reviews from 2015 and 2017,” he writes. “Those criticisms are fair. I could have handled situations like these a lot better. I take full ownership of my past mistakes, and I believe that I have grown since then and I commit to doing better.”
‘Cancel culture’
According to the lawsuit, his company has lost a number of existing and potential clients since early February, including several that specifically cited DEF CON’s announcement as the reason for terminating their relationships with him.
Hadnagy claims the allegations have also damaged the Innocent Lives Foundation, a nonprofit he launched — with an announcement at DEF CON — in 2017 to unmask anonymous child predators online and report their identities to authorities.
“As a result of (the defendants’) statements, plaintiff Hadnagy has become a victim of ‘cancel culture’ in the tech industry,” the lawsuit argues.
Another security conference called BSides Cleveland faced an online backlash in June, when it scheduled Hadnagy as a surprise guest, prompting a handful of speakers to walk out in protest when they learned he had been added to the slate.
The event organizer later apologized for what he called an oversight on his part, then resigned from his leadership position.
Hadnagy is an author and expert in the field of social engineering, also known as “human hacking.” In the world of online security, that usually involves tricking people into divulging confidential information or engaging in other potentially damaging behavior.
His expansive knowledge of the subject has meant a long affiliation with DEF CON, where he headed up the conference’s crowd-pleasing social engineering village for a decade.
In his lawsuit, Hadnagy accuses Moss and company of cooking up the false code-of-conduct violations so they could replace his village with something similar hosted by someone else.
Attorneys for Moss and DEF CON have yet to file their response to the lawsuit.
Hadnagy hasn’t been working for the UA for long. University spokeswoman Pam Scott said he has taught a “popular and highly rated class” in social engineering attacks and defenses three times since 2021, and he is scheduled to teach it again in the spring.
She said university officials were not familiar with his lawsuit or the conference ban, and she declined to comment about either topic.
DEF CON just celebrated its 30th year with four days of panels, parties, pranks and “ethical” cyberattacks on sanctioned targets looking to improve their security. The announced attendance in Las Vegas topped 30,000 this year, and it included the usual mix of so-called “white hats,” “black hats” and at least a few people carrying law enforcement badges.
Hadnagy wasn’t there, but he did send a representative.
According to court records, a process server stopped by the Caesar’s Forum Convention Center on Aug. 11, the first day of the conference, and delivered a copy of the lawsuit to Moss’ attorney.
ICYMI: Watch the Star's top videos from the past week
New Javelina Statue unveiled along River path
Updateda new art sculpture was unveiled along the river path near Campbell Avenue. The statue features a javelina on a bike with an extra seat behind for the community to interact and sit on. Video by Pascal Albright/ Arizona Daily Star
Student led rally about school safety at the University of Arizona
UpdatedAbout 40 students and supporters showed up in front of Old Main to rally for change in school policies and administration on the University of Arizona campus, May 4. Video by Pascal Albright / Arizona Daily Star
New Mural highlights wildlife along River Walk
UpdatedA new mural is bringing color to the river walk. The new mural located near country club features vibrant depictions of Arizona wildlife. Video by Pascal Albright / Arizona Daily Star
Pima County Board of Supervisors discusses end of Title 42
UpdatedWatch now: Pima County is preparing to receive an increased number of asylum seekers when Title 42 ends on May 11. Video courtesy of Pima County
ChronicCon is canceled
UpdatedChronicCon, which had been scheduled for May 20th out at Cocoroque Ranch and Pavilion, has been canceled due to a reorganization of the Arizona Daily Star.
Forest Service officials looking for suspect in wildfire on Mount Lemmon
UpdatedForest Service Fire Investigators are trying to identify a man seen on video shooting a gun where the Molino basin wildfire started April 30. Officials are asking anyone with information to call 520-388-8343 or email the Coronado National Forest at Mailroom_R3_Coronado@usda.gov. Video courtesy of the U.S. Forest Service.
A trip to Tucson's year-round farmers market at Rillito Park
UpdatedHeirloom Farmer Markets' weekly offerings at Rillito Park near the Chuck Huckelberry Loop can be found every Sunday morning. The market's current hours are 8 a.m. to noon.
Tucson police release video of fatal March 3 shootout
UpdatedAaron Martinka, 28, was shot and killed by Tucson police after firing at them during a traffic stop near North Campbell Avenue and East Grant Road, authorities say. Video courtesy of the Pima Regional Critical Incident Team.
Take a tour of the Blue Moon Community Garden
UpdatedBlue Moon Community Garden is one of 17 gardens overseen by the nonprofit Community Gardens of Tucson. Through regular events for gardeners and neighbors, CGT aims to bring people together to grow not only healthy foods, but also relationships. Video by Caitlin Schmidt / Arizona Daily Star
Rep. Stahl Hamilton apologizes for hiding copies of the Bible
UpdatedRep. Stephanie Stahl Hamilton, D-Tucson, apologized Wednesday to colleagues for moving and hiding copies of the Bible in the House members’ lounge, saying she was trying to make a “playful” point about the separation of church and state. Video courtesy of Arizona Capitol Television.
Arizona lawmakers propose bill to limit access to online pornography
UpdatedAfter being initially shot down, a new version of State Bill 1503, is being considered by Arizona lawmakers. Video courtesy of Arizona Capitol Television.
President of TUSD board voices support for LGBTQ+ students and staff
UpdatedTucson Unified School District's Governing Board President Ravi Shah spoke in support of LGBTQ+ students and district staff members during a board meeting Tuesday. Shah also showed support for an upcoming student-led drag show at Tucson High.
Footage shows Rep. Stahl Hamilton moving Bibles
UpdatedRep. Stephanie Stahl Hamilton, D-Tucson, was recently filmed hiding copies of the Bible inside a state Capitol lounge. Video courtesy of the Arizona House of Representatives.
Mountain lion caught on doorbell camera outside Bisbee home
UpdatedA mountain lion was recently seen in Bisbee on the porch of a home about 80 miles southeast of Tucson. The Arizona Game and Fish Department asks that sightings are reported at 623-236-7201 so officials can track the movement and behavior of wildlife. Video courtesy of AZGFD.
Time lapse: Northern Lights seen over Tucson
UpdatedThis footage showing the aurora borealis was captured by a camera belonging to the NASA-funded Catalina Sky Survey at Mount Bigelow on April 23 from sundown to about 10 p.m. Video courtesy of David Rankin.
Trail camera catches a busy beaver on the San Pedro River
UpdatedThe river's beaver population is hanging on almost 25 years after being reintroduced by wildlife officials.
