Thursday, September 12, 2013

Security BSides, stories and back-stories, part 1

I realize that I’m overdue on providing an update on all things Security BSides, so here is a start.  Usual disclaimers apply, I’m writing personally, not on behalf of BSides or any of the BSides events or organizations, etc.


This weekend will be the 92nd Security BSides, in Augusta, Georgia, a new city for BSides.  That makes 92 events in just over four years, spanning 51 cities, 11 countries, and 5 continents.  And event 100 is just over a month away.  In reality, there will be three events on October 18, numbers 99-101, so let’s call it a three-way tie for 100th.  That three-way tie spans three countries, Poland, Canada, and the US.  Pretty damned amazing if you ask me.

But let’s back up- just what is this “BSides” thing anyway?  There is still some confusion, and a little misinformation floating around.  It started when a handful of people had some ideas, which coalesced and merged the different thoughts into an event in July of 2009, parallel with Black Hat USA and before DEF CON.  The semi-official history is on the Security BSides wiki.  The original idea was to offer a “B-side” to the “A-side” events.  For those unfamiliar with the term, back in Ye Olden Days we listened to music on spinning bits of plastic called “records”; on singles there was usually a mass-market appeal (at least the artists and producers hoped so) song on the A-side, and the B-side was generally more experimental, or more artistic instead of pop-centric.  When such things made it to the radio, A-sides were generally on AM and B-sides were often on that fancy FM.  That’s what we imagined for BSides, a place for more experimental, niche-audience content, plus some things with wider appeal.

(To save you Googling it, “Baby Face” was the A-side to this Little Richard B-side, “I’ll never let you go”)

The first event was held in a rented house in west Las Vegas, a lot of folks came together and made it happen (I won’t try listing names, there are too many to list- besides, everyone who showed up helped make it happen in some way).  We had about 200 people through the house in the two-day event, and it was a great success.  People wanted more, so several of us began discussing “next steps”.

There was demand for a BSides parallel with RSA in San Francisco, and the San Francisco-based BSides crew started working to make that happen.

Before the event in San Francisco, some people wanted to have an event by the Bay in Mountain View, but there was no “A-side” event.  General consensus was that BSides events didn’t need an A-side to be successful, or to be useful to the community- so BSides Bay happened in December of 2009.  That’s right, the second-ever BSides didn’t have an A-side.  In fact, most Security BSides events haven’t had an A-side event.  By my count, only 27 of the 91 BSides events held thus far have been adjacent to, or parallel with, another event- and it is becoming less common.  Only 8 out of the 41 BSides this year have an adjacent event.  The standalone events often provide underserved communities with a security/hacker event where none would otherwise happen, and that is a huge part of the value the BSides community brings to the greater security and hacker community.

BSides do not require an A-Side, and over two-thirds of Security BSides have been standalone events.  BSides offer a B-Side to the mainstream.

Many of those 27 were done in cooperation with the adjacent event, sometimes even co-branding and cross-promoting to increase value to all attendees and participants.  Sure, some tensions happen, but the two big overlapping event pairs (RSA US/BSides San Francisco and Black Hat/BSides Las Vegas) now have open communications and cooperation between the events.  Also, some proposed BSides events never happen; the BSides community sometimes discourages ones which might fragment or stress adjacent community-driven events.  (Note that there has never been a BSides around Shmoocon, for example).

BSides strive to work with and respect adjacent events.

There is a lot more to tell, but that’s enough for this post.  I’ll follow up with more on BSides in coming posts- until then, check the front page of the BSides wiki for all of the upcoming events around the world.

Oh, and pencil in Tuesday and Wednesday, August 5-6 2014 for Security BSides Las Vegas.  That’s right, we’re changing the days of BSidesLV to reduce overlap with both Black Hat USA and DEF CON- many people in the community have responsibilities which span two or all three of the events of that week, and this move makes it easier to meet those responsibilities.  Or maybe just give people time to sneak over to Frankie’s or Double Down to unwind a bit between duties.