After its info-security conference started becoming a success, HITB decides to venture overseas
Its first attempt ends in a debacle that almost destroys everything the crew had achieved
THERE are hacker conferences, and then there are hacker conferences, where the difference between white hat and black (or genuine hacker and cracker, some would rightfully argue) is blurred.
Then there is Hack In The Box (HITB), which began as a virtual watering hole for hackers and developers, and its annual event, the HITB Security Conference (HITBSecConf), now in its 10th iteration and which has evolved over the years into a neutral zone for hackers and organizations with an interest in information security.
The idea of the conference was born at that nexus where HITB’s founder and chief executive officer Dhillon Andrew Kannabhiran’s altruism intersected with his solipsism – not being able to afford to attend US hacker conferences like Black Hat and DefCon, he figured, why not bring such a conference to Malaysia?
“It’s always about him,” his fellow enthusiasts and HITB Core Crew (Nucleus) members Amy Goh and Darryl ‘biatch0’ Yeoh tease him at a recent get-together with Digital News Asia. When the teasing has run its course however, they point out that there was a strong community drive to it as well.
“It’s not only about bringing such a conference to this part of the world, but making sure it is affordable to regular people – people like us,” says Amy (pic). “And to make sure the content is of a high quality … always.”
To do the first, HITB conducts training and technical workshops to make some money. While its target is merely to break even with every conference, any extra revenue is pumped into making the next iteration bigger and even better.
The bigger part is easy – more money means more things can be done, on a larger scale. The real trick is in the “better” part.
One big difference with HITBSecConf is that Dhillon and his team decided that a line must be drawn when it comes to sponsors.
“If you look at most conferences in Asia, if you’re a sponsor, you’re guaranteed a speaking slot. We made it a point to say ‘no’ to this practice from the start,” says Dhillon.
“If you’re a sponsor, you get your logo play and your booth, and that’s what you get; that’s your marketing. You don’t automatically get a speaking slot, and though you may submit a presentation, it must have merit on its own account.
“Speaking slots come with lots of terms and conditions. No product or sales pitches. It must be technical, it must be in keeping with HTB themes, and most importantly, it must be approved,” he says.
In the early days, there was a lot of resistance to this from sponsors, but now it’s no longer an issue, Dhillon says. “Many have realized that if they try a sale pitch, HITBSecConf attendees are going to exercise their right to get up and leave – best save yourself the embarrassment and do a proper job. You get the return on your sponsorship investment through your booth and the networking you can do.”
“We have made sure the quality of the content is always a priority, and over the years we have actually raised our standards in this area,” says Amy. “Not too long ago, Dhillon decided that all content must be approved by a community of peers before it is allowed to be presented at HITBSecConf.”
“Our conference is now known as for having one of the most demanding and exacting of peer reviews,” she adds.
All this seems to have paid off, despite the fact that HITBSecConf got off to a bad start with its first conference when its joint organizer and partner played HITB out in terms of media exposure, taking all the credit for itself. When it went solo with its second conference, it ended up RM20,000 in debt, as DNA reported in the first part of our series on HITB.
But the HITB crew persevered, and within a couple years, plus a certain degree of good fortune, the annual info-security conference began to get noticed. Established companies started coming in as sponsors, including US software giant Microsoft Corp, as we detailed in the second part of our series. HITBSecConf had established itself with the international info-security and hacker communities.
HITBSecConf was riding high, and it was now time to spread its wings and soar. And that’s when HITB made its second big mistake, one that almost destroyed everything it had gained in the last few years.
International venture, Bahrain misadventure
In a way, venturing overseas was always part of the plan. To generate enough revenue to keep the cost of its conference affordable for attendees, the crew knew it needed to hold more than one conference a year.
“You can’t hold two such conferences in Kuala Lumpur in one year,” says Dhillon (pic). “It would have been the same problem holding a second conference in Singapore or any neighboring country. It would have been too close to home.’
“We knew we had to go farther afield,” he adds.
Good fortune was running with HITB. A businessman from Bahrain who attended the 2004 edition of HITBSecConf and was impressed by it, approached the crew with the idea of bringing the conference to his city, where he ran an info-security company.
“He proposed a collaboration where he would take care of the logistics and sponsorships, while we handled the speakers and content,” says Dhillon.
“He even said all the revenue from the conference would be ours – he was going to make his money from networking with speakers and sponsors, and by having something like this in Bahrain, which would be good for his business,” he adds.
How does one decline such a win-win proposition? HITBSecConf would be exported overseas for the first time in 2005. Except ….
“So, one would think that after that debacle with our local partner in our first conference,” Dhillon says slowly, and carefully, “one would think we would have learned our lesson and come up with a thing called, you know, a contract, or some form of documentation … right?.
“Apparently no, we had not learned our lesson,” he adds. “We were just so excited that I went, ‘sure send me an email, bro’.”
What happened then was that, well, what was supposed to happen, didn’t.
HITB had reached out to potential speakers, and when they agreed, the Bahraini businessman was supposed to have made and paid for the flight and hotel arrangements. But in the run-up to the conference, this wasn’t happening – some of the speakers, as the date of the event drew ever nearer and based on their relationship with and regard for the HITB crew, made their own arrangements and paid for their own way.
“Everything was getting chaotic, and four of us from HITB decided to fly to Bahrain and see what was up,” says Dhillon. “We were there two days before the conference was supposed to take place, and there was nothing in the hotel. Nothing had been set up.”
The HITB crew had to scramble. Some speakers had already arrived, and there were about 30 to 50 attendees – not many, but enough to convince HITB that the conference had to go on.
“So, as with our first ever conference, we became coolies again – we set up the equipment, pulled in the cables from here to there, arranged everything and anything to make sure we had a conference,” says Dhillon.
It was disappointing, but the one good thing that came out of it was that the speakers did not blame the crew for anything – they knew what HITB was capable of, and HITBSecConf had already made its mark enough for the Bahrain event to be taken as an aberration.
“That was early in 2005, in March or April,” says Dhillon. “We came back and had to recover from the mental scarring we got from Bahrain to prepare for the KL conference.”
As is turned out, HITBSecConf 2005 in Kuala Lumpur was a turning point for the conference series – Microsoft not only came on board officially as a sponsor, but even chose the event for the first public debut of its new web browser, Internet Explorer 7.
Once bitten, twice … oh, what the heck
“For 2006, we decided to behave ourselves and stay put. It was also the year we started making a bit of money with our training,” says Amy.
“Every year, some great things happen at HITBSecConf, and great things happened in 2006 as well,” says Dhillon, laughing, “but I’ll be damned if I can remember anything from that year.”
HITB remained undaunted by the Bahrain debacle. The Middle East still looked promising for the conference to grow.
“Many speakers and sponsors were looking to penetrate the market there, so it also made sense for us to explore the idea of having an HITB conference in the region,” says Amy. “It was good for the stakeholders.”
So in 2007, HITB figured it was ready to venture overseas again, and this time decided on Dubai. And this time it took its first lesson to heart – when it realized that the only way to make sure the job is done properly, is to do it yourself.
“We decided that if we were going to do a conference in Dubai, WE were going to do it,” says Dhillon. “We flew the team there – in essence, we brought HITB over to Dubai.”
That brought its own set of problems. On the first day the HITB crew was there at the hotel, an officer from the state security organization was there to greet them.
“He told us, ‘How can you have a hacker’s conference in the UAE (United Arab Emirates) when hacking does not exist in the UAE? All hacking that happens, happens outside of the UAE. There’s no such thing as hacking in the UAE’,” Dhillon recalls.
HITB was asked to photocopy the passport or identification document of every single speaker and every single attendee, and hand it over to the state security, Amy says.
“They even wanted all the presentations – every single page had to be photocopied and faxed from the hotel to their office – at US$7 per page,” says Dhillon.
“It turned out that they were only interested in one particular presentation,” he adds. “They weren’t worried about exploits or information security, it was a presentation on lock-picking [which involves the physical security of IT systems].
“And despite all this, the day before the conference, we were summoned to the state security office to discuss, get this, whether the conference would be allowed to go on at all! I went ‘Are you f***ing kidding me?’ ”
The conference was allowed to go, and it was enough of a success that HITB ran it for four years there. “But we were always looking over our shoulders; and they were always breathing down our necks – it was stressful and we were never sure that we would be allowed to leave,” says Dhillon.
Any nods. “Dubai is what gave us all a lot of white hair – but while it was going on, the conference did well. It allowed us to make money that was used to improve the KL conference.”
Finally, a double-whammy in 2010 convinced the crew to make it their last year there. The main concern was the global economic downturn, which had affected turnout and enthusiasm.
“We depended a lot on foreign participation at HITBSecConf, and so many people were losing their jobs and business was going down,” Dhillon says. “Nobody in HITB team enjoyed going to Dubai anyway; it was just too stressful.”
But the final straw came in 2010 with the eruption of the volcano Eyjafjallajokull in Iceland, which disrupted air travel in a major way in Europe.
“Half our speakers could not turn up – one whole day’s worth of conference was wiped out. Half the speakers and half the attendees, which meant a lot of money in reimbursements,” says Dhillon. “But the point is the other half had made it, which meant we still had to do a conference. We could not just cancel it.”
“So we went ahead, and came out with some fix-its and get-arounds to do some presentations remotely,” he adds.
This required some creativity on HITB’s part, since Skype is officially illegal in the UAE, and the state security guys were there as usual. But these are hackers, right? ‘Nuff said.
The crew decided that enough was enough, but it was an especially busy and roller-coaster year for HITB in 2010 – it marked their last conference in Dubai and their first in Amsterdam.
“Yes, we had three conferences that year,” says Dhillon. “We were depending on the success of the Dubai conference to pay for the expenses of setting up in Amsterdam. It’s all euros there – you convert ringgit to euros, and you can’t buy s**t there.”
Still, despite signing off on Dubai, the Amsterdam venture was successful enough that it has become a regular event.
Sure, HITB needed to expand, but why Amsterdam?
“Because it’s a damned nice place,” says Dhillon with a laugh, adding that he has Dutch relatives, and so is not a complete stranger there. “When I suggested Amsterdam, nobody – not a single person in HITB said ‘no’,” he says with a wink.
“See what we mean?” quips Darryl (pic), the quiet one. “It’s always about him.”
“But it’s not always about what Dhillon wants,” says Amy, to the rescue. “We’ve always wanted to hold HITBSecConf in places where there aren’t any such conferences. The United States has such conferences, Germany and France as well.”
“The Netherlands had none, yet it has a very strong local community of hackers and security enthusiasts, and that was a community we could serve,” she adds.
Amsterdam is one of HITB’s high points, says Dhillon. “I think it’s great that a bunch of guys thought they could do Amsterdam, and then made it happen. The conference is not only doing well there, but we have set up HITB Netherlands there, and have started a volunteer exchange program.”
Amy explains, “Our Dutch volunteers come here and help out, while we send our Malaysian volunteers there as well. It’s a great way to forge friendships and share information.”
It has been an eventful journey for HITB. This year’s conference, HITBSecConf2012 (or HITB2012KUL), will bring back some of the series’ most popular speakers from the last 10 years, and will be held from Oct 8-11 at the Intercontinental Hotel in Kuala Lumpur. Digital News Asia is amongst the official media for HITBSecConf2012.
And it’s been worth it, says Dhillon. “We managed to do all this while staying true to the reasons why we started this in the first place. We wanted to bring in great speakers for security conferences, and make sure it’s affordable to the community.”
“And we get to go to Amsterdam.”
HITB: If the mountain cannot come to …
HITB finally breaks through into the mainstream