During DEF CON, computer hackers from all over the world descend on Las Vegas to show off their skills in an environment where “radical viewpoints” are welcomed and rules are few.
So how did a University of Arizona professor receive a lifetime ban from such a proudly permissive conference?
Christopher Hadnagy insists he still doesn’t know.
In February, DEF CON organizers announced they had received “multiple” reports about Hadnagy for violations of the convention’s code of conduct against harassment.
“After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON,” organizers said in a statement on the convention’s website.
But Hadnagy says he was never told what he was accused of, and he denies doing anything wrong.
Now the adjunct professor in the UA’s College of Applied Science and Technology is suing the convention and its founding hacker, Jeff Moss, aka the Dark Tangent.
The defamation lawsuit filed Aug. 3 in a Pennsylvania federal court accuses Moss and DEF CON of ruining Hadnagy’s reputation and damaging his security consulting business with “vague yet scathing statements” that “falsely accuse him of what could only be despicable conduct.”
Hadnagy is seeking at least $375,000, plus punitive damages and legal fees.
Moss could not be reached. His attorney did not respond to a request for comment.
When contacted by email, Hadnagy professed his innocence and made several references to his lawsuit.
“My company and I consistently deny and continue to deny any and all allegations of misconduct,” he said in an email.
He referred all further questions to his lawyers, who declined to discuss the ongoing litigation.
Not many rules
Jeff Moss was just 18 when he organized the first DEF CON in 1993 as an excuse to party in Las Vegas with a few dozen of his hacker friends.
The event has grown into one of the world’s largest and best-known gatherings of information security professionals and amateur key punchers.
Hackers go to see what they can get away with. IT managers and government agents go to see what hackers are trying to get away with and how to defend against it.
There are the usual convention staples like mixers, group outings, panel discussions and industry speakers.
Then there is the other stuff: lock-picking lessons, a law-enforcement-identification game called “I spotted the fed,” and hacking how-tos for everything from seizing control of a decommissioned commercial satellite to playing Doom on the control screen of a John Deere tractor.
In recent years, the conference has devoted a whole “village” — sort of a target-specific breakout session — to cracking open voting equipment.
One of the most popular attractions is a days-long game of capture the flag, in which teams of tech workers, government contractors and students try to break into each other’s systems and steal virtual flags without losing their own. Some have called it the “Super Bowl of hacking.”
DEF CON touts itself as an open forum “where radical viewpoints are welcome and a high degree of skepticism is expected.” The conference’s code of conduct, last updated in 2015, covers a single topic: “harassment against any participant, for any reason.”
“Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid,” the code states.
Potential responses to such behavior include “expulsion without refund and referral to the relevant authorities.”
As organizers say elsewhere on the DEF CON site, “We don’t have a ton of rules, but we take the ones we have very seriously.”
Since 2017, the conference has posted “transparency reports” at the end of each convention, listing any notable incidents.
Hadnagy’s ban was announced in a special report published on DEF CON’s website on Feb. 9, and it soon made headlines on several news sites that cover tech.
He quickly took to Twitter to defend himself, pleading with his followers to “wait for details and facts before jumping to conclusions.”
Hadnagy followed that up with a lengthy statement on the website of his consulting firm, Social-Engineer, LLC, in which he identified one possible source of the complaints against him.
“From what I have seen and heard, many of the criticisms of me concern my training courses and, specifically, responses to bad reviews from 2015 and 2017,” he writes. “Those criticisms are fair. I could have handled situations like these a lot better. I take full ownership of my past mistakes, and I believe that I have grown since then and I commit to doing better.”
‘Cancel culture’
According to the lawsuit, his company has lost a number of existing and potential clients since early February, including several that specifically cited DEF CON’s announcement as the reason for terminating their relationships with him.
Hadnagy claims the allegations have also damaged the Innocent Lives Foundation, a nonprofit he launched — with an announcement at DEF CON — in 2017 to unmask anonymous child predators online and report their identities to authorities.
“As a result of (the defendants’) statements, plaintiff Hadnagy has become a victim of ‘cancel culture’ in the tech industry,” the lawsuit argues.
Another security conference called BSides Cleveland faced an online backlash in June, when it scheduled Hadnagy as a surprise guest, prompting a handful of speakers to walk out in protest when they learned he had been added to the slate.
The event organizer later apologized for what he called an oversight on his part, then resigned from his leadership position.
Hadnagy is an author and expert in the field of social engineering, also known as “human hacking.” In the world of online security, that usually involves tricking people into divulging confidential information or engaging in other potentially damaging behavior.
His expansive knowledge of the subject has meant a long affiliation with DEF CON, where he headed up the conference’s crowd-pleasing social engineering village for a decade.
In his lawsuit, Hadnagy accuses Moss and company of cooking up the false code-of-conduct violations so they could replace his village with something similar hosted by someone else.
Attorneys for Moss and DEF CON have yet to file their response to the lawsuit.
Hadnagy hasn’t been working for the UA for long. University spokeswoman Pam Scott said he has taught a “popular and highly rated class” in social engineering attacks and defenses three times since 2021, and he is scheduled to teach it again in the spring.
She said university officials were not familiar with his lawsuit or the conference ban, and she declined to comment about either topic.
DEF CON just celebrated its 30th year with four days of panels, parties, pranks and “ethical” cyberattacks on sanctioned targets looking to improve their security. The announced attendance in Las Vegas topped 30,000 this year, and it included the usual mix of so-called “white hats,” “black hats” and at least a few people carrying law enforcement badges.
Hadnagy wasn’t there, but he did send a representative.
According to court records, a process server stopped by the Caesars Forum convention center on Aug. 11, the first day of the conference, and delivered a copy of the lawsuit to Moss’ attorney.