Hello, everybody. Welcome to DEF CON 30's DEF CON Groups VR. I'm your next presenter, X-Ray,
and I'll be presenting how to start and run a group. So if you've ever wanted to start and
run your own group, whether it's a DEF CON group or any other kind of group,
we're going to give you the secret sauce. So let me get to my slides here and I'll be right back.
Okay. Can you all hear me okay? I assume so. If you're in the back,
raise your hand if you can't hear me. Yeah, that always works. Okay. My name is X-Ray.
I run DEF CON Group DC404 in Atlanta, Georgia. I've been running that since 2013.
I'm one of the co-founders of Atlanta Lock Sport. I've also been an affiliates director of the
International Jugglers Association, which is in charge of all the affiliate chapters around the
world, kind of like DEF CON groups for juggling. I've also been assistant director of the Tampa
Jugglers Club down in Tampa Bay, Florida. Great club if you ever want to go there.
I'm also a member of the Atlanta Jugglers Association. We hold an annual juggling
festival. Now, you're probably wondering what has juggling got to do with DEF CON groups?
Well, the secret sauce is all groups work the same because all groups have a common denominator.
It's called people. So while working at Georgia Tech, I was head of cybersecurity for the College
of Computing. I sponsored the student hacking and cybersecurity organization called Grayhat
and their CTF team, the Mad Hatters. I'm also a regular presenter at security and hacking
conferences and co-developer of Network King of the Hill CTF, which, by the way, is a fabulous
way of getting your numbers up in your meetings is to host a CTF. So if any of you would like
to learn how to do that, contact me on Discord. I'll be happy to walk you through it. It's quite
simple. Network King of the Hill CTF is designed for a lazy administrator. As the original
developer, that's exactly what he said about it. And it's really easy to set up. Thank you,
Charmander. Charmander is one of the people I showed how to do it. And if you talk to him later,
he'll tell you just how easy it was to do. Okay, so what we're going to cover in this presentation
are the fundamental rules for any group. And these are things that apply regardless of the topic.
One of the basic issues is who's in charge of the group. That's something that you have to
understand in order to understand the dynamics of the group. Because if you don't handle that,
it can cause a group to fall apart rather quickly. Another thing we'll discuss is why to meet,
what you're meeting about, and how you figure out what that is, and who your target audience is.
And one of the biggest problems that most groups face is finding a place to meet and ironing out
that situation. Another issue you'll run into as you start putting a group together is what
equipment you're going to use. Should I buy the equipment myself? Should the group own the
equipment? Can we borrow the equipment? We'll talk about those issues. Do we do presentations?
Some groups have presenters come in. DC404, every month we have a presenter come in
and do presentations for us to the group. Hold on a second.
Sorry, I had a spam call. You've got to love spammers, they're so persistent.
So presentations, is your group going to have presentations or not? It's not required.
Are they going to be formal? They don't have to be formal. We'll discuss all of that.
Are there going to be any activities in your meetings? Those are things like, are you going
to have a lockpick village? You're going to have capture the flag, soldering station for people
who are desoldered. Those are some of those ideas. What about governance? This is one that people
commonly want to know about is, should we be a 5013C? We'll get into that and what that entails
and why you would or would not want to do that. And one of the biggest issues you're going to
stumble across is money. What happens if we start getting donations? We have dues,
we have things like that. How do we deal with money? We'll talk about that. Swag, that's things
like t-shirts, cups, all those sorts of things with your logo on it. We'll talk about getting
your logo, creating swag, how you can do that, ways you can do that. We'll also talk about
advertising your group, where to advertise it and the most effective ways to advertise it.
So let's see. Next slide here is fundamental rules. Now, these are rules that apply across
all groups regardless. And one of them is the most important rule you could ever have in any group.
And it's something that nobody ever expects. So one is you do not have to be the most skilled
expert in the room, in the group to run it. But there are things you have to do to hold the group
together. And that's the thing that's actually important. And you don't even have to be the
best at that. You just have to show up and do the number one thing, and that's be consistent.
I cannot stress being consistent enough. That means if you have a meeting space,
you're the first one to get there, the last one to leave. You're going to have to get there early
because there's going to be people who show up five minutes before the meeting time,
no one's there, they leave. So if you're there, they'll stay. Or they'll show up and say,
oh, I just wanted to know there's a meeting. I can't really come today, but I'll try back
next time. So if they see that somebody is there, they'll show up again. They'll also
show up five minutes after the event is over and say, oh, you guys are still, you guys are really
here. Oh, I didn't know if you'd really be here. And I waited to the last minute. I'm sorry I'm
late. And you're there and you talk to them. Be consistent. If no one shows up to the meeting,
fine, watch Netflix on your phone. But be consistent, show up early, leave late. If you
can't make it, absolutely make sure somebody is there to cover for you or notify everybody that
you're not going to be able to make it. But if you can at all help it, always be there or make
sure somebody is there. Being consistent is the absolute number one rule, hands down.
The other thing is when you're starting a group, you have to be patient. It doesn't happen
overnight. Now to quote something out of a movie we've probably all seen, the code is more of what
you'd call guidelines than actual rules. So that means none of this is hard and fast. It's a matter
of who shows up, how compliant they are as far as showing up. Some people won't show up on time.
You can set them on fire, they won't show up on time. It depends on what kind of group you get
as to how hard and fast you have to hold these basic rules. But they're true in any group. Number
one, always remember, be consistent. Now the second one is who's in charge. Since you started the
group, you think you're in charge. Yeah, that's not true. What I'm going to cover next are the
basics. I'll get into governance of the group, which is not the same thing as who is in charge
later in the talk. The group is owned by the members. It's not by the person running the group.
That's a hard thing to swallow, but that's the way it is. The purpose of the group is for the
group. It's not for me. So although I kind of facilitate DC404, I see myself as more of a host
and a servant than I do as somebody who's running the group, because it's not my group.
If you make changes to what the group is going to do or how you're going to do things,
you do that through consensus. You have to get everybody's input. Now, in the end, people are
going to look at you to make the final decision. That's just the way human nature works. They'll
make what they want known, and then you can say, well, the consensus of the group seems to be this.
You all concur, and they'll say, yeah, some will answer, some won't, and then that becomes the
decision. But decisions are not set in stone. You can always change something. The whole idea is
we're hackers. We try things. The things that work, we keep. The things that don't work,
we get rid of. Feel free to throw away things that don't work. It's okay.
Now, one thing that is really hard to swallow, and this happens from time to time,
is you're going to start a group that has a particular culture to it. And that group's
culture will change and go in a direction that you're not willing to follow. And when that
happens, you're just going to have to gracefully bow out, leave it to somebody else to run,
do a nice turnover, be friendly, and do a nice turnover, turn the group over to somebody else,
and go start another group or join a different group. That happens occasionally. It's not often,
but it does happen. So don't be surprised if it does. It's not the end of the world. If you
started one group, you can start another. It's not that big a deal. Okay, now the next thing is
why meet? Well, the reason you meet is very simple. We want to talk to other people,
just like we're here. We want to talk and hang out with other people who are like-minded into
similar things. When we say like-minded, hacking covers a lot of things. Hacking is actually the
art of discovering what something is capable of that the designer did not intend, and determining
whether that's helping me or hurting me. And if it's hurting me, I have to defend against it,
or help others defend against it. And if it's help, well, then we're going to tell everybody.
Now, as an example of that, if there's anybody here, because we allow all skill levels at
DEF CON meetings, if anybody here is new and doesn't think that they're a hacker,
I beg to differ, because you've probably opened a can of paint using a screwdriver.
That's not the intended purpose of a screwdriver. They actually make a tool
specifically for opening cans of paint. You can get it at Home Depot and Lowe's.
But you don't have one. You use a screwdriver like the rest of us. That's hacking. Hacking
is a mindset that applies to all disciplines, from golf, to playing in a concert, to hacking
networks and security systems, and social engineering, which we were talking about earlier.
So one of the key things, as the person who's hosting the group, is be approachable. A lot
people are going to see about the group online. And when they get there, they're going to want to
talk to you. So be available and talk to people. Be friendly. Engage with them. If you ask them
what they're interested in and point out other people in the room who might be interested.
Also point out, and this is so important, that all the people are at the meeting because they
want to talk to other people. So they should not feel bashful or shy about just walking up to a
table, sitting down, and just start talking to people. It's okay. That's what we're there for.
But people forget that and assume that they're not good enough. They're not skilled enough. I'm
a noob. Yeah, well, I got to break it to you. I've been doing this since the dawn of the abacus.
And no matter whose backyard I go into, I'm an idiot. So no matter where you go, there's always
something you don't know. So that's just the way it is. And explain to them that just being a noob
means they're a noob in my area of expertise, or that guy's area of expertise, but in their area
of expertise, I'm an idiot. Just remind them of that. So be excited. Now, when I say excited,
I don't mean you're jumping around like a crazy person at a kid's party. Okay, that's not what I
mean by be excited. You show your excitement by your enthusiasm for the subject you're talking
about. You don't even have to talk fast. You don't have to talk excitedly. You don't have to wave
your hands around. But you'll find that that excitement translates to others, and they like
being around excited people. And more importantly, get them excited about what they're excited about,
not necessarily what you're excited about. That's one of the other key factors of getting a group
to work. Encourage people to ask the group questions for help. So for instance, if somebody's got a
project they're working on, or something they're working on, they're stuck, they don't know where
to go, or, hey, I just want to get started hacking, or I want, how do I get, how do I start
a group or any question like that? Encourage them to ask the question. And the more cross
communications and networking you do, the better it works out. The group is going to act like a
springboard for members to participate in events outside of the organization. Examples of that are
we had this discussion within DC404. I believe the DEF CON group in Vegas, or one of the DEF CON
groups, actually has their own hacker space. And that's where they hold their DEF CON meeting,
their DEF CON group meetings, and they run a hacker space. We discussed that within DC404
and decided that no, DC404, we wanted to encourage our members to go out into the world and do things
as a DC404 person in the world. So some of the DC404 members went off and started a hacker space
called Freeside Atlanta, still going strong. Many of the members have since moved away,
but that group is still continuing because it wasn't a DC404 thing. It was a hacker space,
and it works really well. I go, for instance, I go to the hacker and maker spaces here in Atlanta
and teach them basic capture the flag techniques. I'll do a day of training on how to do web
application security and using an attack proxy and all sorts of things. And the next day we'll
run a CTF forum. And that introduces them to these concepts and encourages them to do that.
And then we help them set up their own permanent CTF infrastructure.
Okay. So now, who's your target audience? First off, be specific. If you just say,
we hang out and talk about stuff, you won't get people. You have to tell them what you're about,
and you have to give a description of it. That can be kind of difficult.
Why is this not working? Okay. There we go. Sorry for that interruption. Be flexible.
Okay. Post requirements about your membership, whatever it is. For instance, DC404 group,
we're a DEF CON group. The DEF CON group, we have a webpage where we have
our information and our charter on it. And one of the things it specifically says
in our meeting post about our meetings is that anybody, any age, any skill level is
allowed to come. So we highly encourage that attendance. And then when they get there,
we tell them what our group's about at every meeting and encourage that kind of sharing.
Now, let's talk about the DEF CON groups for a minute, specifically, since we are... hopefully,
you're going to go out and start a DEF CON group. Specifically in the DEF CON charter,
it's any age and any skill level. Also, DEF CON frowns on calling yourself a hacking group. Now,
despite what was said today, we are hackers. We hack in the sense of the traditional idea
of discovering what something's capable of as opposed to what it was designed to do.
But we do not tolerate illegal practices. We regularly give talks on ethics. And one of the
things that we found is a great benefit with CTFs and teaching people how to build their own
training lab at home with little or no resources, very low resources, usually with thrown away
computers that somebody set at the curb, so that they can train in a safe environment and do the
things that a black cat would do, but do it in a way that doesn't get them arrested. And then they
can come back and demonstrate it and share with the rest of the group. So it's a whole lot of fun.
Of course, then we run a CTF so they can practice it in real time. I can't stress having a CTF,
it's so much fun. Now, another thing about DEF CON groups, if you go read the DEF CON charter
on the FAQ right now, there used to be something in there that DEF CON groups are not allowed to
require any kind of fees or dues to attend the meetings, that the meetings must be free and
open to the public. So that's missing from the FAQ. In putting this presentation together,
we found that missing and notified them. So they'll be adding it back to the FAQ.
Okay, now, now you've got an idea, you got a target audience, you know what you want to do,
you know, you got an idea, you're excited about it, you've got a few friends are going to help
you out even. What do you mean? That is a huge problem. So let me give you a list of some of
the things that are the most common things people look for. One is free meeting space and parking.
Now, that's not an absolute rule. For a while, DC 404 met in a comedy club. And the only parking
was there that was nearby was across the street and there was a pay parking, you could park a
couple of blocks away for free on the street and then walk there. But free parking was not readily
available. We now meet at manuals tavern. Thank you, manuals, for hosting us for free.
In parking, they give us free meeting space. That's a big bonus.
I recommend you if you look for a space, it's going to handle 20 to 50.
Now, you're probably not going to start out that big. So it's okay to find a place that's smaller
than that to start with. But don't be surprised, you have to start finding bigger places. If you
follow what we're telling you today, it'll grow. And it may take a while, but it will grow.
Find a place that's centrally located to the audience that you want to meet. Now, that's a
problem in the Atlanta area. Because the metro area is so large, we have roughly five DC groups
in our area, scattered all over the place. Now, what's really interesting is people would think
that that's competition. It's not. It actually generates more excitement because people go to
multiple meetings because they're just so excited about it. So that's not really a problem. And we
all communicate on the same Discord server. We each have our own channel, but we all communicate
together. And so there's a lot of excitement for DEF CON group activity in the area. And we all
help each other out with what they're doing. So they have centrally located in the area of the
city that they're trying to make it easier for people to travel to.
Okay. Wow, we're having some fun today with some social engineering. Hey, that's to be expected,
right? We're a hacking conference. Centrally located to the group that you're trying to meet
with. Now, that can be a challenge. Like here in Atlanta, during rush hour, and especially when we
meet at Manuel's Tavern, that's down in the central part of the city. It's not uncommon for
them to have some major citywide event that makes getting to Manuel's Tavern rather difficult at
times. So that becomes an issue in picking where your location is. But for us, that worked out
actually pretty well for a majority of the people in Atlanta. But for the other groups, they're far
outlying. Some of them are an hour's drive from where we are. And at rush hour, you just can't
get there from here type of problem. So find something that's located centrally in your group,
preferably not too noisy. Because if you want to do presentations, you're going to need someplace
quiet. However, that's not necessarily hard. They have two different rooms. One is kind of
off by itself. And it's rather quiet. And we can do presentations with no problem.
The other one is called the Eagle's Nest. And it is extremely noisy, because it's right next
to their main dining area. And they have, quote, a soundproofing curtain that they pull across
that does absolutely nothing to the sound. But that was supposedly the intent when they remodeled.
Hey, it's free space. We make the best of it. We improvise. We adapt to overcome.
But that could be a bit of a challenge sometimes. That's why we use a PA system,
so that we can talk over that. Another one that's kind of important, depending on what you intend to
what kind of activities you're going to have at your meetings is free internet. If they have Wi-Fi,
that's highly advisable, especially if you want to run something like Capture the Flag.
Now, another thing you're going to want to look for is, do they have any facilities for doing
presentations, assuming you want to do them? Not all of our DC groups do presentations at
their meetings. A lot of them just get together and hang out and talk about whatever they're
working on. Ours, DC404, we promote people doing presentations. In fact, DC404 members
regularly present at DEF CON and other conferences. So we always want to have a live presentation.
So we make sure that wherever we meet has a PA system. And if not, we provide our own. We have
one of the members who will bring one with him, and we can use their PA system. Look for a free
projector and a screen, or a large screen TV also works rather well. Some cases, we found places that
they have a projector, but they charge for the use of the projector. But the use of the screen
was free. No problem. We brought our own projector. Now, I know what you're thinking. I
remember thinking this, too. I can't afford to buy a projector. Well, WARC would let me check
one out. I told them what it was for, and they said, oh, yes, we're supported doing that. Sure,
check one out. And so I was able to check out a projector from WARC and bring it with me, and we
can do presentations that way. Or if you are a member of a church, a lot of times a church has
a projector, and you can borrow it from your church. That's an example. So ask your friends,
ask around, see what you can find. You don't always have to buy it in order to provide it.
Oops. Okay. Another thing you look for is whether or not they have food and adult beverages,
meaning beer, wine, that sort of thing. If they have food and they have beer and wine,
that goes a whole long ways to helping the group congeal together and work together.
People can come, they can have lunch, or depending on what time of day you're doing it,
they can have lunch, have a beer, talk to their friends. It really makes a huge difference.
So DC404 always looks for a place that has food and adult beverages.
One of the big issues is will they provide separate checks? Ask first, up front. What
you don't want is having a meeting where people come and go, and at the end of the meeting,
they walk up with one big bill. You don't know who ordered what, half the people have already left.
You don't want that. You want separate checks. Also make sure to make an announcement to the
group. Don't forget to pay your tab. We don't want to hunt you down later. It's just a friendly
reminder. It also helps if they accept reservations for your meeting space. We've had
places where we said, hey, we'd like to reserve this room. They said, well, we really don't do
reservations. And we get there and our big room had three people and having a conversation,
and we were kicked off to some side room where there wasn't enough room. So make sure that they
accept reservations if you want to make sure you get a space. Places you can go look for a meeting
place are things like public libraries. Now, public libraries are a good place to start.
Problems are they don't typically allow food or drinks. They usually require that meetings be
open to the public. Now, for DC 404 meetings, that's not a problem for F-Con meetings because
they are supposed to be open to the public. But if your group wants to have a closed meeting,
that's not going to work for you because it has to be open to the public. Another place that people
often don't think about are churches. Churches often provide free parking and meeting space.
So if any of the members of your group are a member of a church, talk to them and see if
they've got meeting space at their church. Quite often, they even have Wi-Fi as well
and a projector and a screen. Works out really good. In some cases, they have a kitchen,
and as long as you're willing to clean the kitchen up afterwards, you can make or bring
your own food or have your pizza brought in, whatever. Works out pretty well.
Pubs and restaurants. Those are another good place to look for. Quite often, they do support
meeting space and they try to host events. Now, places that I don't recommend going are things
like sports bars. We've had instances in the past where a sports bar had a space that would work
perfectly. We told them that we can make sure that that room is completely full and that they
have standing room only with our group being large enough and easily meet any requirements
for the amount of money they want you to spend to use their space. However, they said that no,
primary clientele is the people coming here for sports and if our room is tied up and they can't
get in, well, then it gives us a bad name and they won't come back. So we said, oh, sorry,
we can't use your space then. That's the way it goes. Some places are going to want to charge you
rent for the space and they want a guaranteed amount on the bill. In other words, they want
you to spend so much money and if not, there's a fixed amount you're going to have to pay if you
don't if you don't order enough food and beer and that sort of thing. I would try to avoid those
places. It's hard. When Manuals Tavern closed for renovations, it took us a great deal of time
to find another place that could host us and it wasn't free, but because we were a group
open to the public, they gave us a discount and one of the members went to his company and the
company paid for a year's worth of meeting space for us until Manuals finished the renovations. So
you can find ways. Be inventive. Be hackers, basically. Another place to look, and this is
one that people often forget, are universities, schools, and community centers, especially
community centers. Quite often they have free space to use or go to another organization and
ask them if you can use their space. An example is the Atlanta Junglers Association has a space
in the Little Five Points Community Center that we pay rent on and that's where we have our
meetings. Well, they'll make that space available to other groups and the parking's free.
Now, in those cases, we usually charge the groups, but depending on what the group is and
when they want to meet and what it's for, especially if members of the AJA want to be
present, the Atlanta Junglers Association, like myself, want to be present, they'll often waive
the fee. So that's a place you can look. Local high schools and elementary schools can sometimes
have a space available to have meetings, especially if they're open to the public,
and especially if the kids can come, which DEFCON groups can. Universities, usually at a university,
depends on the university, you're going to have to have somebody who's at the university
sponsor the event. Now, sponsor doesn't mean they pay for anything. It just means they say,
yeah, I vouch for them. And then you'll be able to have a meeting in one of their meeting spaces.
Now, meeting spaces quite often allow food and drink, but you'll have to provide it yourself.
But they will allow that. And they'll have all the stuff like projectors and parking and all that.
Now, some schools charge for parking. Georgia Tech, there's no free parking anywhere on the
campus. Other schools, like Kennesaw State, they have free parking everywhere. So those are some
examples. Now, one of the things you really have to learn to do is be flexible, okay? You can,
for instance, look for, if everything else fails, see if any of the members of your group,
if their company can provide meeting space. That happens quite often where a company wants
to sponsor a meeting space. And we've had companies, for some of the groups I'm a member of,
we've had the company provide the meeting space and pay for pizza for all the meetings.
In the case of 768, I think it is, DC group up in Hartersville, their meetings up there,
there's a member who comes and pays for the first $100 of the bill for whatever they get,
just pays for every meeting. And they got free space in the basement of a restaurant they go to.
So that is a great benefit if you can get a sponsor, but it's not required.
Now, one thing I cannot stress enough about meeting spaces is you're going to have to be
flexible with the people who provide the space. For instance, because of COVID,
we're doing hybrid meetings. We have some online and some in person. And as a result of that,
we've had the problem of not enough people showing up to merit the larger space that
they have there. So they moved us to the EagleSense, which is smaller, but a lot noisier.
Now, we could try to get upset about that, but no, what we do is a vendor has been extraordinarily
gracious to us in providing free space and helping us and working with us with our group
through thick and thin. They've been there for us all the way through COVID, in fact. So we really,
really are flexible with them and work with them as ever possible. They'll come to us and say,
hey, I know you reserved that space, but we've got this wedding coming in. Could you guys,
could you stop right at four? I say, sure, no problem. Or even stop early,
whatever their requirements are, we try to be as flexible as possible with them.
By doing that and being nice, it's amazing what the vendors will do or the people who provide
the space will do to help you out and become the preferential person that they'll deal with.
You have a question? Somebody raised their hand over there. Oh, guess not. Okay.
Okay, now, where do you get the equipment, things like projectors and things like that? Well,
one we already talked about, you can buy, borrow or buy it. Now, one of the questions you're going
to have to answer if you buy equipment, things like projectors, screens, PA systems, wireless
microphones, is who owns it? In my case, I paid for it all personally out of my pocket. It's my
equipment because I wanted to have a meeting and the people who started DC404, which is Dr. Chaos
and Beth, went on the road and gave me the bag of holding and said, here, hold this. And I ended up
being the host for DC404 meetings. Well, when they left, they were the ones who brought projectors
and screens and mics and that sort of thing. So I said, oh, I guess that's me now. Well,
at first, I started borrowing stuff. I signed it out from work. I told them what I wanted it for.
And they said, sure, no problem. And I'd borrow from work. And over time, I collected enough
equipment and got stuff together to do that. Now, if you do buy equipment, you're going to
have to decide, is it owned personally or is it owned by the group? If it's owned by the group,
where do you store it? How do you make sure it ends up at every meeting? You'll have someone
who says, oh, I'll store it at my house. And then they go on vacation and don't tell you. And you
go to the meeting, you don't have equipment, you can't get it, it's locked in their garage.
So you have to make plans for that sort of problem. And you have to handle them in advance.
Usually, whoever the host of the meeting is, is going to have to iron those issues out and make
sure that gets handled. Quite often, you're going to find that the only person who cares that much
about the meeting is the host. You started the group, you should care. However, over time,
you're going to have more people come along and help out. Charmander is here today. He's
there in the back left corner of the stands. He has been a great help. Commager is another one
that comes along. We've got about eight people who are our core group who come up all the time
and help out. Smokin' T-Bird is another one. They'll step in at a moment's notice. I don't
even have to ask them. It's more like, get out of the way, let me help. It's awesome when people
start coming along. It'll take time, but you'll get there. Now, if you get a projector, I recommend
a short throw projector. That's one that can sit like two, three feet from the wall and project
a full screen on the wall. Sometimes you're limited in space and you won't be able to set
your projector 15, 20 feet back so you can get an image big enough. So I recommend a short throw
projector. Another thing you can look at is in order to set the projector on something, it's
quite often you get to the room, the tables have got people on them, there's condiments, there's
plates of food, there's water, there's coffee, no place to put your projector. So the solution
for that is make a flat mounting plate for your projector that the projector bolts, it's just a
piece of wood, your projector bolts to it, and it's got a quarter 20 screw mount on it to screw onto
the top of a tripod. That allows you to just set a tripod on the floor, set a couple of chairs around
so people trip over the chairs on your projector, and set it up so it projects on the screen and
aligns. It's totally portable, you can put it in any space, just works. And if you don't need it,
you can put it on a table, you just put it on a table. If you need a portable projector screen,
one that's excellent, gives you a wide screen, it's very small, very light and portable,
is made by Epson called the Alc-Acolade Duet. I have one of those, I actually saw it because
I needed to borrow one for a conference, I borrowed it from work, and I was so impressed
by this piece of equipment, I went and bought one. They're absolutely awesome portable screen.
Okay, wireless microphones. If you get wireless mics, you're going to need a handheld and a
lavalier for the speaker. Handhelds for the host, and also walking around having people ask questions,
lavaliers for the speaker. You can get PA speakers that have a built-in amplifier,
so it's an all-in-one unit. You can just take the two speakers apart, set them up,
either stand or set them on the ground, or put them on stands, sometimes they come with stands,
and connect your wife, your microphones to it, and go to town. It'll have a mixer built into the
back. That's the cheapest way to go if you buy your own PA. Now for us, Manuals has a built-in
PA system, so we don't have to have it, but when we were meeting at our alternate location,
it's the 57th Fighter Squadron, when they were doing renovations, we provided our own PA,
one of our members brought it. For now, is equipment required? Absolutely not. DC-770,
which meets the basements of Jefferson's, doesn't have any equipment, they don't have any speakers,
sometimes I'll have a speaker, but they're grouped so long, if he just stands up and talks,
no slides, nothing. Now that's highly encouraged, because that's the whole point of being there,
we get together and talk about stuff. Well, let's talk about presenters and speakers.
They're not required, and it depends on your group mission and your audience whether you
want to have speakers. DC-404 members speak at hacking and information security conferences,
so we use our meetings so that they can do beta runs of their presentations. When we do that,
we don't record them or anything, so if you want to stay, you have to be there,
but we do those beta runs there. We also use our meetings to encourage new members
to learn speaking skills, so they can stand up in front of everybody and um and on, oh my gosh, and
all the usual things that they have to learn to get around in public speaking. We give them that
opportunity to practice those skills there in front of a friendly audience, and also to learn
this as a skill that they can use in their profession, whatever that may be. It's a valuable
skill, so we encourage everybody to learn how to present at our meetings, but it's not required,
but you can decide whether you want to do that or not.
Okay, what kind of activities do you have at your meeting? What is it that gets people excited? Well,
this is where it gets a little interesting, because we discovered this kind of by accident
in DC-404. At juggling groups, we have juggling. We're there to juggle. Everybody brings their
own props, usually enough props for them and somebody else to juggle together, at least them
and one other person. That's typically people who want to pass objects at the juggling club
will bring enough objects for them and one other person, because the other person might not have
brought enough of the right kind or anything at all for that matter. So, plan with that in mind.
If, for instance, we host a Network King of the Hill CTF. Now, this is a CTF that's very,
GitHub.com, NetCoff. That's November Echo Tango, Kilo Oscar Tango Hotel. Net,
N-E-T-K-O-T-H, Network King of the Hill. If you go to that GitHub page, it explains what it's about.
And if you also go to NetCoff.org, there's more information there as well. It'll explain how to
set up and run the CTF. If anybody's interested in doing one of these, feel free to contact me.
My contact information is the end of the presentation. I'll go over it. I'm on the
Discord for the DEF CON groups. You can also get a hold of me there. You can also go to
DC404.org and connect through the mailing list or our DEF CON groups. There's an invite there
on the email to our DEF CON, our Discord for Atlanta Cybersecurity Engineers, where DC404
has a channel. So, connect with me and I'll happily help you get set up and working your own
capture the flag. I cannot stress enough how exciting this was for the group.
Part of the reason, as you think about it, we come to DEF CON, we hear about all these wonderful
things you can do and things you can try, but most of them, if practiced in the wild,
would unfortunately get you arrested. We teach you how to set up. The CTF gives you an avenue
to practice these skills in a competitive environment. And when I say competitive,
it's a friendly competitive environment because of the way King of the Hill works. I'm not going
to go into the mechanics of King of the Hill right now, but it's a really, really fun thing.
In fact, ask some of the people here who are from DC404. I see Charmander over there,
for instance. Ask some of our members what Network King of the Hill is like.
They'll tell you how exciting it is. And it is whoever hosts the capture the flag is actually
a live admin of the event. So, you're acting as a live blue team against people who are part of
the challenge. It's a whole lot of fun to both admin it as well as participate in it.
We also have a lockpicking village. That also happened by accident. Here's the thing. I like
lockpicking. I learned it in the Navy way back in the seventies, when you couldn't buy picks,
you had to make your own. And I just liked it. So, I went to a B-Sides and at the B-Sides was
a lockpick village run by Tool. And they had a lockpick workstation, which was nothing more
than two pieces of two by six with some deadbolts that you mount in your front door of your house,
mounted in it, and you could try to pick them. And I went, this is awesome. And Tool was selling
this very rudimentary set of lockpick tools. And I said, oh my goodness, my lockpick's broken.
This is great. I can buy a set. I bought it. I was very excited. So, I went home and made my
own lockpick workstation, started getting a DC 404 means because I'm interested in lockpicking.
Lo and behold, other people tried it. Then all of a sudden people said, oh, there's people here
interested in lockpicking. I'm interested in lockpicking too. Next thing we know,
Spoken Keyboard shows up and he is... I thought I was into lockpicking until I met him.
He shows up with an entire village of equipment and sets up a village every time. So, he and I
together co-founded Atlanta Locksport. And now Atlanta Locksport has their meetings inside the
404 meetings and hosts Electric Village at our meetings. This has spilled out all over the place
because people who come to the DC 404 meetings also hear about the other DEF CON groups in the
area. They also hear about Atlanta 2600. So, all of a sudden, we said, the guy who runs 2600 is
the DC 404 member. He starts running the cap to the flag at 2600. All of a sudden, we'd go from
five people sitting in the food court to 35 to 40 people sitting in the food court. And,
oh, what do you know, they start bringing their locks too. So, now we're sitting in the middle
of the food court at Lenox Mall, running a CTF and having a lockpick village. So, yes,
it will explode like crazy if you give people some way to vent all this experience and knowledge
you're getting, especially in DEF CON groups going online and listening to these talks. They
can actually do it for real in a safe, legal environment. That's really important because,
you know, I kind of get to like you guys and it's really a bummer when I try to send you
cookies in jail and they come through just a box of crumbs. That's terrible. Okay. So,
I'd rather just sit down and eat dinner with you and drink a beer or something. That's a
whole lot more fun. Another thing that started was one of the members came in to DC 404 and said,
I've got a bunch of stuff that I no longer need. They upgraded some stuff in their home lab.
They have some technical books that they no longer need because that was the first edition. They
have a second edition now. They said, could we bring that and give it away at the meeting?
We said, yeah, sure. So, they brought a big plastic bin with this stuff. Well, then everybody
else started bringing in stuff and putting it in the bin. And then people would go from all
meetings in Atlanta, all the other DC groups, they'll bring the bin, the giveaway bin to all
the other groups. And you put stuff in, you don't want, you take stuff out. You want things like
swag, stickers, you don't know what to do with it. You got from some other conference, you don't
really want, you put them in the bin. All kinds of fun stuff comes out of there. I've seen people
give away Raspberry Pis because they upgraded, got a new one, they put a Raspberry Pi in there.
All kinds of fun stuff. That's another thing. But posters, books, hardware. I've had people put
computers in the bin, laptops, all kinds of stuff. Now, another thing you can do is when you go to a
conference, say like DEF CON for instance, there's a bunch of DC404 people at DEF CON. Well, actually,
there's a bunch of people from all the DEF CON groups in Atlanta at DEF CON. So, DC404 set up a
Google chat channel. And if you want to coordinate with other people at the event to go out to dinner,
to go to talks as a group, those sort of things, everybody can chat, they can use it on their phone,
they can use it on their computer. And what's really fun about that is people like myself who
can't actually make it to the meeting, I can follow along with my friends that are at DEF CON
and hear what's going on and be excited with them. So, that's one way you can keep the excitement
going when people aren't even there. Another thing, and this is one of our members brought this,
is he wanted to teach people how to solder. So, he brings a soldering station with him
and sits down and teaches people how to do soldering. Another member designs,
if you're familiar with the shitty add-ons that go on the badge, like the DEF CON badge,
that has a little connector on it. So, a lot of cons have, it's a standard now, this little
connector, you can plug on an additional daughter card onto the main board. And those are called
shitty add-ons. There's an actual standard for that interface now, well, the standards, I guess,
with hackers. And there's people in our group who design and build those and bring in prototypes for
people to try out and play with. DC404 is part of SWAG. One of the members went out and had made
some add-on with the DC404 logo and everything else. And we sold them to people and they were
able to take them with them to DEF CON and trade them for other add-ons. A whole lot of fun. So,
those are the kind of activities you can have that just gets everybody excited and gets everybody on
board. Now, let's talk about governance. Governance is where it gets serious. That's
the overarching plan of how we're going to govern how people meet. Whenever you get people together,
they automatically start forming hierarchies and forming ways of organizing the situation.
It all depends on what it is your group needs in order to meet that is going to determine
what kind of governance you're going to use. Now, the first type we'll talk about is what's
called anarchistic. There's no leader. There's no one who's officially even a host. There's the
people who tend to have been going there the longest and people will ask them questions
simply because they've been going there the longest. Think of this as people who show up
at the same location based on a history of the meeting. An example would be a pickup basketball
game at the city public court. It's only every Saturday you go out there, there's people playing
basketball on the court. You walk on, there's nobody in charge. You want to play, you play.
If you don't want to play, you sit by the sidelines, talk, chat, whatever. It's just completely
anarchistic. There's nothing formal, just show up, hang out, and talk. Think of the rules as like
kids agreeing on how to play a game. There's no rules on how to do that. You just kind of sit down
and kind of give and take and figure out what you're going to do just by who showed up.
That's how that kind of works. Now, you'd think that a long term that would never ever work.
I beg to differ. The MIT Juggling Club, which is one of the oldest clubs probably in our country,
has been meeting that way since their inception. Basically, their organizational principle is this.
There's juggling outside this one building, and if it's raining, we go inside to the atrium inside.
Those are the rules. And it happens like every Tuesday or something, whatever the day of the
meeting is. Why is it like that? Because that's the way it's always been. And people just show up.
And it's been one of the longest running groups in the country. It's amazing. I marvel at their
ability to organize despite doing nothing to organize. It's crazy. That's what happens when
you show up and you're excited. The next type is loose. Now, loose is what DC 404 does.
That means you only need one person to be consistent, at a minimum. You have to have
one person who's consistent and dedicated to make things going. Decisions are by consensus.
Remember, kids playing together, right? But there is one person who's kind of in charge.
They don't tell people what to do, but they facilitate the conversation. They act as the
moderator of the conversation. You'll end up eventually with a core group that just shows up
regularly and helps. You won't be able to tell them no. They'll show up and help whether you
want them to or not. They'll help you set up chairs. They'll help you take stuff down. They'll
help you load your car. They'll do whatever you need. They'll beg you to help out and try to help
out. And if you don't let them, they'll do it anyway. They'll just show up because they're
excited. They'll show up with things like Lock Pit Villages or they'll show up with things like
Capture the Flags or soldering stations. And we do a lot more than that at our meetings.
Those are just some of the highlights. You may or may not have an official charter.
It's not required. Now, if you're a DEF CON group, there is a charter that you have to
abide by in order to be a DEF CON group. It's very minor. It's not very difficult to do.
I'll give the link at the end of the presentation. I'll tell you what it is.
And you can always go to... if you look at this URL here that's hanging in mid-space here,
you can get a copy of my presentation, which has all the links at the end of it.
Uh, there's no formal rules in the sense of how we do things. It's just a matter of kind
of like an artistic. It's like, well, we get together, we have a presenter, we always give
feedback to the presenter on how they can help improve their presentation if they need any help
with that. We ask them if they want that kind of feedback and if they do, we give it to them.
And we give them a great round of applause. We ask them questions and
we make them feel wanted and thank them for their presentation.
And we also make time open for people to just share whatever it is they're working on. Nothing
formal, no presentation required. You want to get up and ask the question of the group,
I'm stuck on something, or, hey, I want to know, is anybody here interested in this? Raise your
hand. Okay, I'm going to come talk to you. And then they put down the mic and they go over there.
We open it to the floor for people just to share whatever they're working on.
For instance, when we get back after this DEF CON, our first meeting is the Saturday after
we get back from DEF CON. We don't have a presenter. It's all about people debriefing,
what did they see and hear while they were at DEF CON that really impressed them that they'd
like to share with the group. And that's what the meeting is about. Okay. DC-404 is a prime
example of a loose governance system. Whoa, I'm in the wrong window. Let me try that.
Okay. Now, the next one's formal. Now, you probably, I don't, you may actually have been
part of a formal organization, but most of us probably haven't. Okay. A formal organization
runs like a business. They have elected officers. Regular meetings of the officers is separate from
the group meetings. The meetings run, when they have meetings of the officers, they're run
according to Robert's Rules of Order. They take minutes. They publish the minutes. They have
published policies, procedures, and membership requirements. And some organizations will decide
to be a 501-3C charitable organization. Now, whenever you do that, if you want to be a 501-3C,
remember, this is a legal entity. This means there's legal requirements to go along with those.
If you fail to live up to those requirements, there are legal repercussions like fines and
possibly prison. So, if you're going to be a 501-3C, make sure you understand what you're
getting into. There's no doing it like it's a hobby. If you're a loose organization like DC404,
it's more like a hobby. If you're doing it formally, it's more like a business. You can't
just decide as the CEO of a business, I'm not going to do that anymore and just not show up.
That's not a cool thing to do. So, you have to realize that when you do that,
it impacts the other members of the business. I can have legal repercussions if you're a 501-3C.
Now, the next one, and this is the last one, is what's called hybrid.
Hybrid is rather interesting. It's a combination of loose and formal.
Now, this example, if somebody asked me if this would work, I'd tell them no.
Unfortunately, I've seen it work far more than once in practice. Atlanta Jugglers Association
is a prime example of this. They are a 501-3C3 charitable organization. They do have formal
business meetings. There are loose minutes that are published as to the results of that meeting.
At that meeting, they vote for the business officers. That's the president, vice president,
secretary, treasurer, that sort of thing. You have to have members of the core group who are
willing to fill those roles. And we jokingly do things like El Presidente for life and things
like that. But they might be the president for 20-some years in a row simply because they're
doing a good job. Nobody wants to have a coup or a takeover. Although, one year we did have a coup,
but it was kind of a funny thing because the guy wanted to step down. So, we said,
we're going to prop up Charles as president. He didn't want it, so Jay ended up doing it.
But anyway, the meetings themselves, however, are completely anarchistic,
just like MIT Juggling Pong. Jugglers are kind of that way because the idea is you want to just
show up and juggle with each other. And the only way to do that is just cooperate. And we've been
showing up and doing it for over 30 years at the same location. So, everybody just expects there's
jugglers out on the lawn. If it's not raining, if not, they're indoors in the kitchen area. And if
not there, they're up in their juggling space up by the theater. We meet at the... what do you call
it? Not Civic Center. I said it at the first slide. What was that? I can't remember what it is.
It's a civic center, like a civic center, local civic center that's there in Little Five Points,
and you can rent space in it, but it's also open to the public for free events. And so,
there's all kinds of stuff going on there. There's a lot of artistic groups there,
and there's even a theater group that meets there. And Atlanta Government Association runs
as a hybrid group. Even though they're a 501c3, they're a very loose organization.
They run mostly by consensus. They do have a Presidente Dictator for Lifetime title,
who's the official president. When somebody says, I need to speak to somebody official,
that's the person who answers that. They have all the legal requirements. They meet all the
legal requirements. They do all the bookkeeping that's required, all that sort of thing.
But as far as the meetings go, they're just anarchistic, just like the MIT Jugglers Club
goes. And it works. They're not the only organization that runs that way. That's
what's so amazing about it. Now, let's talk about money. Now, this is true regardless of
any kind of governance type. If you have money involved, you must be transparent.
Open a bank account from the group. You have to have multiple people able to access the account,
and you must have regular financial reports, and it must be made to the group.
Money and or resources can be donated. You can have dues or pass the hat at meetings.
Just remember that by charter, DC404, or not DC404, but DEFCON groups cannot have
dues or fees as their meeting. Now, it doesn't mean that people can't just decide to donate
money to your DEFCON group, okay? But if you do that, make sure that you do the formal accounting
so that people see transparently where the money is and what's being done with it, okay?
You can get a corporate or private sponsor for your group.
That's quite doable. We have a sponsor, Pay for Our Space, as an example, okay?
Swag. This is something I'll tell you. If you create a logo, do it as a work-for-hire,
or have somebody assign this copyright to you, because if you don't, it can get a little sticky
when you start selling swag. DC404 is kind of in that vein. We have a very famous local artist,
or more like infamous local artist, who was the progenitor of our logo. It was based on something
he did. And he gave us permission to use it as long as we only sold t-shirts and swag to DC404
members. That means I can give you something that has our swag on it that I paid for, but I can't
sell it to you. We can't sell it publicly. In order to do that, there's two ways you can do it. You
can either have somebody in your group know somebody who makes that kind of swag, go get a
pay up front with their own money, get a big order, and then try to sell it. We had a member
do that recently with our challenge coins, which by the way are primo. They look so good. Who just
bought them up front and is selling them to all the members of the group. The other is, we have
a Zazzle account where we go in and create things like cups and magnets and t-shirts and things for
conventions. And we make those available to DC404 members to buy, but those links are not open to
the public. So you can have all kinds of swag and you can go either bake it yourself with the money
up front, or use a service like Zazzle, and there's more than one, that's just an example one,
to make it available to anybody. Just buy them whenever they want. You just put them up there.
Okay, advertising. We're running out of time here, so let me get going.
You need to feed relevant content, encourage discussions on the topics and issues that your
site is about, or your group is about. Things that I would recommend, for instance, we have an email
list, we have a Discord channel, we have an IRC server, although there's myself and one other guy
in the IRC server, so it's kind of dying. There's a Twitter page, if you want somebody to have
somebody who admins that and responds to things. You can also have Facebook, Slack, and really,
this is the big one, is Meetup. Now, Meetup costs a lot of money, but every time I ask at a meeting,
who here is here the first time? A bunch of hands will go up, like five to ten hands will go up.
I'll say, how did you find out about us? And nine out of ten will say Meetup.
So, Meetup is where people seem to be going to find things of interest. The problem is,
Meetup is hideously expensive. It's like ridiculous money. Now, the way we got around
that is one of our members started a Meetup channel for doing some security training he was
and he moved. And he turned that over to us and said, here, you can have it until the thing runs
out. Well, one of our members took over paying for it. And instead of just being for DC404,
it's for all the groups in Atlanta that's on our Discord server have advertisement for their group
thing. So, we were able to advertise that across the entire thing. All of us kind of chip in money
to help the guy pay for it. So, I can't tell you how impactful Meetup has been. I hate to say that
because the service is so darned expensive. But man, do they pull people in like nobody's business.
Okay. That's pretty much a wrap-up. Sorry, I had to rush the last slide there.
If you want to contact me, I'm xray at NoBoxLabs.com. That's N-O-B-O-X-L-A-B-S.com.
That's actually at NoBoxLabs.com. You can also contact me at AtlantaLockSport.org or NetCost.org.
You can contact me through those. And if you're looking for resources, the link to my presentations
is right up there. And one of the things that's on my website is a thing on how to get started
hacking. There's also a connection to all the Atlanta Information Security resources in the
Atlanta area. There's links to Capture the Flag and Pentesting training tools, as well as a link
directly to... somebody raised their hand, had a question.
Oh, no. Okay. There's also a link to the DEF CON groups page. And that's
https://forum.defcon.org slash social-groups, all lowercase. So that's forum.defcon.org
slash social-groups. And that's where you can find out the information and sign up for a DEF CON group.
Now, if you have any questions, feel free to reach out to me. I'll be happy to help you.
And getting started, help work through finding a place to meet, whatever you need to help out,
you're getting your group started. Even if it's not a DEF CON group, give me a call. I'll be glad
to help you out. Or if you're interested in learning how to do Capture the Flag or starting a
lock group, Big Village, or whatever, in your group, give me a call. I'll be happy to help.
Any questions? Wow, I must have been a really good speaker. Okay. So, okay, let me...