Def Con Banned a Social Engineering Star - Now He's Suing

Several readers have shared this report: In February, when the Def Con hacker conference released its annual transparency report, the public learned that one of the most prominent figures in the field of social engineering had been permanently banned from attending. For years, Chris Hadnagy had enjoyed a high-profile role as the leader of the conference's social engineering village. But Def Con's transparency report stated that there had been multiple reports of him violating the conference's code of conduct. In response, Def Con banned Hadnagy from the conference for life; in 2022, the social engineering village would be run by an entirely new team. Now, Hadnagy has filed a lawsuit against the conference alleging defamation and infringement of contractual relations. The lawsuit was filed in the United States District Court for the Eastern District of Pennsylvania on August 3rd and names Hadnagy as the plaintiff, with Def Con Communications and the conference founder, Jeff Moss, also known as "The Dark Tangent," as defendants. Moss was reportedly served papers in Las Vegas while coordinating the conference this year.

There are few public details about the incidents that caused Hadnagy's ban, as is common in harassment cases. In the transparency report announcing the permanent ban, Def Con organizers were deliberately vague about the reported behavior. "After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON," organizers wrote in their post-conference transparency report following the previous year's conference. Def Con's Code of Conduct is minimal, focusing almost entirely on a "no-harassment" policy. "Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid," the text reads. "Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate."

Time to spill all the details

[Anonymous Coward]

So Defcon tried to keep it relatively hush hush, but now all the details have to be spilled out for the court case? Sounds like a losing situation for both sides. Great popcorn fodder tho.

Re:Time to spill all the details

[Sebby]

Great popcorn fodder tho.

Indeed! My investments in popcorn, rather than scammy cryptocurrencies, is totally paying off!

Re:

[hdyoung]

Defcon will come out on top. That conference has been running since 1993, which means it’s got an extended leadership structure and many parts of running the conference are being outsourced to professional organizers. For a prominent member of the community to be banned means that it went through multiple levels of leadership and got vetted by at least 3 lawyers. In other words, whatever this guy did is probably well beyond acceptable behavior.

The guy is entitled to his day in court just like any

Re:

[Anonymous Coward]

>For a prominent member of the community to be banned means that it went through multiple levels of leadership and got vetted by at least 3 lawyers. In other words, whatever this guy did is probably well beyond acceptable behavior.
This sounds like a very reasonable assumption that you just made up, but the same sort of thing can be said about any reaction: "they wouldn't have done it this way if they didn't have a good reason!" Sometimes the "reason" really is just pettiness and frivolity.
Counterpoint: h

Re:Time to spill all the details

[hdyoung]

Unlikely just petty behavior. Outside certain circles of politics nowadays, conference organizing is a thoroughly professionalized field. This is something that I actually know things about. Anything is possible, but extremely unlikely that multiple levels of vetting and professional assessment in a well-run national-level conference would all go insane at once. Too much liability and very little chance of covering something up.

Re:

[rahmrh]

And way more likely the one guy suing did go crazy and thinks whatever he did was perfectly acceptable.

Re:

[Paradise Pete]

And way more likely the one guy suing did go crazy and thinks whatever he did was perfectly acceptable.

Especially when your skillset is "social engineering" i.e. manipulating people into doing things they didn't want to do.

Re:

[Zeratul2k]

This, definitely. Cancel culture, anyone?

I, for one, will place BOTH parties in the "innocent until proven guilty" categories and see where the suit ends up. Something tells me it'll be settled before it goes anywhere, though.

Re:

[way2trivial]

"By tomorrow I'll have forgotten."
Thank you goldfish memory man, this is why /. is so resplendently filled with dupes.
just so you don't forget.
 

Re:

[Opportunist]

Not only that, but you can bet your rear that any "hacking" related conference by now has a kick-ass team of lawyers.

They pretty much have to, if they still exist...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[SethJohnson]

Federal agents don't enforce state laws. You may have seen FBI arrest someone, but it wasn't for the state statute violation cited.

Re:

[ThurstonMoore]

Wouldn't this be federal since the communication was across state lines?

Re:

[SethJohnson]

It would be if there was a federal law prohibiting recording a phone conversation. There isn't one.

Kinda like the new challenge with state abortion bans. People will be crossing state lines to get abortions, but the feds aren't going to chase them for violating some extremist Texas law.

Re:

[Opportunist]

Some of the rules of security conferences are certainly "I'm curious why they exist" material. Like "the appearance and disappearance of ATMs must be reported immediately".

Re:

[fuzzyfuzzyfungus]

It seems like his case has to walk a fairly tight line to even be plausible as-claimed(even if we ignore the question of whether it's true or not):

The Defcon code of conduct is broad and not particularly specific, either about exactly what harassment is or exactly how much you need to do to get a ban rather than a talking to or no action; so claiming that "After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON." amounts to d

Re:

[cosmo154]

"Capn Crunch still after the young boys...".

Having had personal experience with that piece of shit, I can't wait for him to die so I can go piss on his grave.

That bastard groomed me on my late night radio show (circa 1982) for months before I agreed to meet him in person, that was a huge mistake.

To this very day, whenever I see his name it sets off my damn PTSD.

If I ever see him in public, I'll punch that asshole and take the legal punishment, it would be worth it.

Re:

[ThurstonMoore]

I'm guessing he tried to "exercise" with you?

Maybe Social Engineering Backfire?

[Guy Smiley]

It is also possible that some unhappy people he social-engineered out of their wallets or jobs got together to use his own tricks against him for Payback in an ironic twist of fate, as the Scientologists were known to do, but that is purely speculation...

Re:Maybe Social Engineering Backfire?

[Eunomion]

Doubtful. If it were part of the event's purpose, he would be saying so now to undermine the credibility of its organizers. And if it were about him dragging his own dirt into the event from outside, the defendants would be saying so to make him lose credibility among his peers.

What it sounds like is much less interesting: Being so used to manipulating others that you forget when to turn it off. Or, more specifically, being so highly praised for manipulating others that you lose touch with reality and think it's a right, normal, and proper way to behave, even toward peers who aren't playing a particular game.

Re:

[cayenne8]

Being so used to manipulating others that you forget when to turn it off.

I dunno, manipulating others is pretty much what life is all about when you get down to it.

You want something for whatever reason (job, wealth, safety for family, privilege, etc)....you do what it takes to get others to bend to your will so you succeed.

The best way to do it...is to make them think it was their idea in the first place...etc.

Re:

[ThurstonMoore]

"You want something for whatever reason (job, wealth, safety for family, privilege, etc)....you do what it takes to get others to bend to your will so you succeed."

I don't.

Re:

[Eunomion]

Manipulation and persuasion are distinct concepts, and arguably mutually exclusive.

Even when the tactics overlap, the targets and objectives don't.

A predatory or parasitic mindset opts for manipulation because of its one-sidedness, and that kind of mindset tends to use it destructively against others. Persuasion is communicative and functions on a two-way street, aiming for and often achieving mutual benefit.

Re:

[tlhIngan]

What it sounds like is much less interesting: Being so used to manipulating others that you forget when to turn it off. Or, more specifically, being so highly praised for manipulating others that you lose touch with reality and think it's a right, normal, and proper way to behave, even toward peers who aren't playing a particular game.

That's what I was thinking. It's a very fine line to thread between social engineering and harassment - because social engineering attempts to basically get the target to do s

Re:

[stonecypher]

] but that is purely speculation...

That's pronounced "disgusting victim blaming by someone with delusions that their guesswork is something other than lying for attention"

Re:

[skovnymfe]

When it involves a dumb rule like

Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid,

at a fucking social engineering event, it sounds more like some pronouned blue-haired bi-gender self-identified hackxer had their gender-feelings hurt.

Re:

[ArchieBunker]

I see you couldn’t even make it to the second paragraph.

Re:

[ArchieBunker]

Def Con's Code of Conduct is minimal, focusing almost entirely on a "no-harassment" policy. "Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid," the text reads. "Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate."

Pretty straight forward. They asked him to stop and he apparently didn’t.

Re:

[Entrope]

That doesn't say that the guy deserved a ban, or what he did. It just says that they reserve the right to be draconian -- and that they reserve the right to be draconian about any harassment, not only if the person continues.

Re:

[Entrope]

Yes, people have a right to be intolerant jerks. That doesn't mean it's a good idea to exercise that right, which was the whole question here: What justified their decision? Were they doing something that most people would think is reasonable, or were they being arbitrary?

Jumping to "well, the language of the contract gives them sole discretion" and "they have the right!" is a way to avoid those questions that suggests the decision was arbitrary.

Re:

[blackomegax]

The discussion is meaningless. They had the right and power, and did it. It's done. If you disagree, don't attend.

Re:

[Entrope]

Do you agree with their decision? On what basis? The whole point of this discussion is that the process was opaque, and nobody else can't understand why this decision was made. It's exactly why the US has a strong presumption of public access to court filings, orders and decisions: so that we don't need to have blind faith in the system.

Re:

[blackomegax]

I don't agree nor disagree with their decision, nor do I care. It was their move to make, they have more information than you or I do, and they made it, likely in the best interest in the safety and security of their conference, as bound by their legal liability agreements with Caesars. Caring what DEFCON does as a corporation is useless. If you care, volunteer, get in their ranks, and raise your voice. If not, don't go. Not much to it.

Re:

[Anonymous Coward]

Your posting to slashdot is making me feel uncomfortable. Please stop posting.

Re:Harassment can now mean a lot of things, some f

[sfcat]

Pretty straight forward. They asked him to stop and he apparently didn’t.

Um no it isn't. I have no idea if the conference organizers made the right decision here. But there are plenty of possible situations here where even if we had video tape of the incident, different folks would see the events differently. That's why someone's feelings are a bad standard with high potential for abuse. Emotions are irrational things.

feel uncomfortable, unwelcome, or afraid,

This type of standard (which is common now) is meaningless and open for abuse. People feel all sorts of ways for all sorts of reasons and emotions are just not rational things. Now, I am not arguing that people should be able to treat others like shit for no reason, but what does it mean to feel unwelcome? Any number of silly and unintentional slights can trigger this. And there are quite a few folks these days who spend their life looking to feel offended. Couple that with a conference full of social awkward and introverted folks who maybe aren't the best at reading social queues and its surprising this doesn't happen more often. Add money into the mix and someone who is professionally manipulative and well I have run out of superlatives to use to describe how likely abuse of such a vaguely worded policy is. Your intent is good but you are expecting nobody to ever abuse such a policy is just plain naive. Sociopaths exist and I feel confident there are more than a few at DefCon and probably a few of them are involved in operating the conference (just statistically it is likely). So either come up with wording that is more clear than how someone feels but still bars unacceptable behavior, or drop this stuff entirely. Otherwise, it is likely that someday someone who wants something you have will have no problem with abusing such polices to take it from you. All it takes sometimes is the ability to cry on queue (or some other manipulative behavior).

Re:

[Chelloveck]

So either come up with wording that is more clear than how someone feels but still bars unacceptable behavior, or drop this stuff entirely.

Much easier said than done. If you list a number of clearly delineated acts as outlawed, you get asshole rules lawyers who come right up to the line but know they can't be punished for it. This is identical to your kid brother holding a finger an inch from your face and repeating "I'm not touching you! I'm not touching you!" You also end up with situations in which th

Harassment can now mean a lot of things, most bad

[nsbfikwjuunkifjqhm]

Unfortunately, with recent efforts by regressives to downplay abusive and bigoted behavior, we no longer can assume that harassment is something mundane (like offensive jokes) because it could be as easily just be a serious offense like rape or something.

Re:Harassment can now mean a lot of things, some f

[DRJlaw]

Unfortunately, with recent efforts by progressives to rewrite social norms, we no longer can assume that harassment is something serious (like stalking) because it could be as easily just be mundane offense like joking about furries or something.

That doesn't matter. Freedom of association [umkc.edu] means that an organization can reject members for almost any reason absent discrimination against a protected class. People joking about furries are not a protected class.

You may not think that it's a good idea, but then you can start your own organization (with blackjack, and hookers) which only implements good ideas. And I can start my own organization in which members can only say "waffles." [youtube.com]

Seems logical...

[irving47]

Every time I've ever read about social engineering, in the end, its core, base "philosophy" ends up being some kind of lie, fraud, or identity theft. I find it shocking. SHOCKING. that someone teaching or endorsing these acts could earn a less-than-stellar reputation.

Re:

[drinkypoo]

Every time I've ever read about social engineering, in the end, its core, base "philosophy" ends up being some kind of lie, fraud, or identity theft.

Uh yeah, fundamentally the idea is to get someone to do something they don't want to do. At best you're letting them sucker themselves for your benefit. And at there's at least one villain in the story.

Re: Seems logical...

[IdanceNmyCar]

I think this will be the basis of his defense. All social engineering requires getting under someone's skin. Playing the pity card or similar. To do this, there is always an aggressive pressure which is the definition of harassment.

I suspect consent to be part of these interactions was not clear to all parties and in his village he did do his "job". The leadership complained, he laughed that you're fucking kidding me, and they banned him for his demeanor in regards to his reaction...

Unlike others, I wouldn'

Re:

[drinkypoo]

My assumption is that the leadership would take that into account. This isn't their first rodeo. This guy probably can't turn it off, and manipulates people all the time. Most of the most successful manipulators I've known have been like that. They work people even when they don't have to.

Re:

[cayenne8]

Most of the most successful manipulators I've known have been like that. They work people even when they don't have to.

Well, like with any valuable skill, you have practice, practice, practice....to stay in shape.

Re:

[drinkypoo]

Well, like with any valuable skill, you have practice, practice, practice....to stay in shape.

I don't volunteer to be anyone's social engineering practice subject, and if I feel that's what's happening, I will elect to do something else. Consequently these people either have to have a pool of friends who they don't treat that way, which is a tacit acknowledgement that it's harmful behavior, or they have to not have friends.

Re:

[cayenne8]

I don't volunteer to be anyone's social engineering practice subject, and if I feel that's what's happening, I will elect to do something else. Consequently these people either have to have a pool of friends who they don't treat that way, which is a tacit acknowledgement that it's harmful behavior, or they have to not have friends.

If you're doing it right....the subjects don't realize it's being done.

Re:

[drinkypoo]

If you're doing it right....the subjects don't realize it's being done.

If you're surrounding yourself with people you can con all the time, you're doing it wrong. It's somewhat fun being the smartest person in the room, but it's lonely.

Re:

[fuzzyfuzzyfungus]

It's definitely very low on the list of surprises; but the one aspect you'd like to think might actually help as a reminder to some is the fact that 'social engineering' is explicitly presented as a class of adversarial techniques: red-team at best; overt hostility in cases where it's not an agreed-upon exercise.

It's not like there aren't plenty of people who either just don't care; or who actively enjoy hunting for soft targets and see weakness as downright deserving of exploitation for its own sake, al

I no longer go to these conferences

[azjxgu2817]

That is why I don't go to these conferences anymore, social justice warriors have taken over the entire community. The guy probably used the wrong pronouns or said something that offended some politically correct radical feminist.

We had EMF Camp just down the road from where I live earlier this year and I did NOT attend because of this shit. All that I saw of it was the laser show from the hills, that's it. I don't want some busybody censoring my speech and risking being publicly defamed should I say som

Re:

[gweihir]

That is why I don't go to these conferences anymore, social justice warriors have taken over the entire community.

Yep. That is usually also the end of any competent work a bit later.

Re:

[ArchieBunker]

Snowflake.

Re:

[azjxgu2817]

And it takes a decade to recover from the nightmarish PTSD and realise it was all a hysterical moral panic, hyped up by the media's yellow journalism. Here in the UK it was the Sun, Mirror and News of the World to blame for this nonsense.

https://en.wikipedia.org/wiki/Moral_panic [wikipedia.org]
"A moral panic is a widespread feeling of fear, often an irrational one, that some evil person or thing threatens the values, interests, or well-being of a community or society. It is "the process of arousing social concern over

Re:

[gweihir]

Yep, that is pretty much how it goes. The FOSS community should have never let these toxic, typically non-contributing, cretins in.

Re:

[ISayWeOnlyToBePolite]

That is why I don't go to these conferences anymore, social justice warriors have taken over the entire community. The guy probably used the wrong pronouns or said something that offended some politically correct radical feminist.

We had EMF Camp just down the road from where I live earlier this year and I did NOT attend because of this shit. All that I saw of it was the laser show from the hills, that's it. I don't want some busybody censoring my speech and risking being publicly defamed should I say something they find "inappropriate". It's too risky, because it could have potentially career ending consequences, with HR departments googling your name all the time.

And today you created a slashdot account! C'mon azjxgu2817...

Re:I no longer go to these conferences

[ArchieBunker]

tl;dr I can’t behave by the rules of society.

Re:

[drinkypoo]

I don't know this guy, I haven't been to this thing. I've known some people who have, and I've known some of them to be pretty great people, and some of them to have certain control issues, and for there to be some overlap there. I don't know anything about anything really so I fundamentally can't be defending anything. With that said, the society in question has often been pretty weird and fringey. Literally all of the people I've known who have been involved, even the relatively [in]famous ones, have been

Kicked out of the club?

[Fly Swatter]

I don't know how these things work, but if it is by invitation or even public access being disallowed by the hosts is the host's right, is it not?

Re:

[rgmoore]

The hosts are allowed to ban someone for whatever reason they choose, but the ban is at least potentially defamatory. If the hosts ban someone, people who hear about the ban are likely to assume it's because the person did something wrong. If they know the official policy for banning someone, they can make a reasonable inference about what that thing is. If it turns out the ban was for some other reason, like a dispute with the organizers, it might be considered defamatory because it makes people assume

Re:

[Penguinoflight]

Yep, and Hagnagy has already been banned or dis-invited from other security conferences. BHIS even pulled out of a conference they had confirmed attendance on, citing the fact that Hadnagy had been sneaked onto the schedule.

There's a strange line that these entities are straddling where they won't reveal any details of a complaint, but will cite the policy which a partner has allegedly violated. If defcon just said "We won't be working with Chris any more do to creative differences" or the like, it would

So now he is becoming...

[LordHighExecutioner]

...an asocial engineering star!