News Stay informed about the latest enterprise technology news and product updates.

Defcon organizers mishandled outing of NBC reporter

Bill BrennerThere’s been a lot of back and forth in the blogosphere this past week about the outing of a Dateline NBC reporter at Defcon, and some of the more interesting reaction has been among various journalists who covered the spectacle.

Some think the reporter deserved to be booted the way she was, while others think the affair was mishandled by Defcon organizers.

I fall into the latter camp, but before I explain why a little background is in order:

Security Blog LogMichelle Madigan, a producer for Dateline NBC, decided to go undercover at the hacker gathering with a hidden video-camera to see if she could out an undercover federal agent at Defcon and make a story out of the perceived shady deeds that transpire there. Defcon organizers were tipped off to what she was up to and repeatedly asked her to get a press pass. She declined and was outed when Defcon organizer Jeff Moss decided to initiate a “spot the undercover reporter” game in the ballroom. Madigan fled the ballroom and walked briskly to her car with a gang of camera-toting journalists and other attendees in tow. A YouTube video of the Defcon-Madigan affair has gotten plenty of hits since then.

While all this was going on, I was at the Las Vegas airport waiting for the flight home from Black Hat. But I’ve since read a variety of perspectives from other journalists who were there.

CNET Senior Editor Robert Vamosi sympathized with Defcon’s organizers in his blog post:

“Defcon requires members of the press to sign a lengthy document barring the use of photography except when all parties within the shot agree,” he noted. “But Defcon, unlike Black Hat, uses anonymous badges, and even when, as a member of the press, I wanted to talk to someone, I would often learn only their alias, not their real names.”

That NBC’s Dateline showed up hoping to reward its audience with an image of a real hacker doing something illegal on camera is downright sleazy, Vamosi wrote, adding, “There are rules for the attending press, and they chose to flaunt them.”

He concluded: “NBC should realize that the real criminals are not at Black Hat or Defcon; they’re out making money in St. Petersburg, Russia; or in Guangdong province, China; or in Kansas. Maybe Dateline’s Madigan should take her pinhole cameras there instead.”

ZDNet blogger George Ou agreed, pointing out that Madigan was given every opportunity to get a press pass and get access to any of the speakers and attendees above board.”Even after the secret videotaping she was offered a chance cover the rest of the conference with an official press badge,” Ou wrote. “This is my second year covering Defcon and I’ve never had any problems getting photos or video from willing attendees and speakers but that’s not what Madigan was going after. She wanted to paint a picture that would shock ‘people in Kansas’ about Defcon and that’s not what Defcon is about. The Feds, press, and hacker community have built up a level of mutual trust at Defcon so that we have a place to talk openly and honestly. After taking an unofficial poll in the press room here, not one person appreciated Madigan’s antics.”

But fellow ZDNet blogger Ryan Naraine took the opposite view, saying he thought the whole affair was childish, over the top and just plain unnecessary.

“There’s the irony of underground hackers preaching about rules and trust. Please. What’s so criminal about going undercover to get a news story?” he asked. “Hackers at this conference take great pride in doing man-in-the-middle password hijacks for Wall of Sheep giggles. Defcon folks routinely commandeer Las Vegas television displays, ATM screens and hotel TV networks. Suddenly, OMG, a female TV reporter with a camera rigged into her handbag is a terrorist on wheels.”

Naraine noted that Defcon represents an entire subculture built on breaking rules, just as Madigan was trying to do. “This is an industry that celebrates the ignoring of EULAs, encourages social-engineering (pretexting) and basks in the glory of sticking it to the man,” he wrote. “Yes, law-breaking in the hacking world is romanticized.”

With that, he wondered if it was truly necessary for Moss to trigger a mob frenzy to get Madigan tossed from his conference. His conclusion is that it wasn’t.

Vamosi and Ou are right to take Madigan to task for trying to flaunt the rules they so diligently follow. The Defcon organizers had every right to kick her out for refusing a press badge.

But I’m with Naraine on the larger point that this was handled in a way that reeked of hypocrisy. It was silly for the Defcon folks to make the big public display, and I particularly disliked the way they set Madigan up for a media feeding frenzy.

It’s been well documented that reporters were, as Ou put it, “well briefed” on what was about to happen so they could cover it. All staffers had to do was take her aside and escort her out without a crowd of taunters in tow.

The reason the whole situation was wrong is that Black Hat and Defcon, in my opinion, are supposed to be about exposing security threats and giving IT security pros some defensive measures they can take back to their offices and use for the greater good.

True, a lot of the anonymity that goes with the territory, especially at Defcon, is designed to make researchers and government agents more comfortable and protected so a frank exchange of information can take place. But if the goal is to enlighten security pros about the dangers they face, spectacles like the Madigan affair are a distraction that keeps a lot of people from paying attention to some of the threats they are there to learn about.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Having attended the past 6 Black Hats and Defcons, I found the Dateline reporter to be out of line. This smacked of the "To Catch a Predator" programs that air about real criminals. Attendees at both these conferences are professionals - be they fed, contractors, observers, press or members of the so called "hacker" community. The freedom to speak anonymously and freely is a way of learning and exchanging ideas as well as watching and learning methods and technologies used today. We learn by example and education - not by trickery and subversion. With the changing world, we all need to be educated in the threats that exist so we can better prepare to defend ourselves in cyberspace.
Your points are well taken, Wolfiroc, and I agree with most of it. My biggest gripe is in how the Defcon organizers set the reporter up for the public outing. It should have been enough for them to boot her from the conference the moment she refused a press pass the first time. Instead, they built the situation into a silly public drama that distracted the rest of the media from other Defcon events they were there to cover.