Wednesday, 24 February 2016

Its double-sided™

Save your time, this is going to be long with high chances of rantiness drizzle throughout it. It seems once a year or so I ended up blogging about something that's more of a reaction piece than anything of any real value. My guess is, this is no different. As many of you may have noticed my engagement with the InfoSec-Community™ has been winding down for awhile. I can't quite put my finger on what the issue is, but I know whatever it is makes me uneasy. Either I have changed (which I have, I hope for the better) or InfoSec-Community™ has. When I started getting involved in community events, it was Security-BSides London, and i'd dare to say that if I hadn't gone my life may have been very different. I made life-long friends at the conference, I learned a lot, and I realised from that moment, we're better community when we can meet and exchange. Since then I’ve always held BSides close to my heart, and as I’ve grown and changed my involvement in BSides events has too. I went from attendee/speaker to organiser (one of them) of the Rookie-Track to organiser of 3 BSides conferences. I tell you what though, for large parts, its a thankless task. For me though, there is a moment that I look out at the event we created and see all the participants and I know in my heart of hearts we did something worth doing. That in some small way we did make a difference.

I guess this is why today's news to Security-BSides organisers is that we have a Board of Directors (BoD) that decided it would be trademarking Security-BSides was blunt knock to the feels. The TL;DR is that a BSides event in Germany (anywhere) will need to be rubber-stamped by one of a few people in America, and an American contract will need to be signed. This contract's jurisdiction (and recourse) will be in California. Apparently there was a discussion on a Google Group and now as an organiser of a German BSides I now need to ask and agree to terms with a Board of Directors that I had no idea owned BSides. I kinda assumed it was all of us that owned it, which yes makes me one of the dumbest freetards on the planet. “But finux, someone needs to protect the global brand” I imagine some of you are saying, and you know what, I think you're wrong. Not just a little wrong, but a whole slice of pie, wrong. BSides events are great because they're a representation of the communities that host them, because no two of them are the same. As a BSides organiser in Europe I can assure you that the sponsors we're getting are from our organisers own networks of contacts and not from some global franchise owners. Our sponsors are interested in what we offer them, not what a Californian judge agrees.

Those that follow the talks I’ve been giving at BSides events (irony is not just a friend of wrinkly it seems) is that building weapons to protect yourself from future perceived attacks is a slippery slope. I really wonder how having a trademark infringement case, by a community against its own community will bare anything other than lose/lose situation. Can we imagine our new Global BoD shutting down a community BSides event. Let that sink in. Filing an injunction in a Californian court, against any BSides event, anywhere, because one of a handful of people decided that “no you can't be a BSides event”. Of course, they can opt not to do that, and not to file an injunction but it sort of precludes you from doing at all. “Oh, you didn't do that against BSidesFFM but you're doing against us”. The problem with developing a structure to shut BSides's events down, is you might have to shut a BSides event down. The reality of it is, all BSides now seem to have a centralised Government. I can assure you all, I had no idea about any discussion about having this until I was told we had it. I've spoken to two of the global BoD less than two months ago, it didn't come up then.

Lets not forget that sponsors, and organisers and the BoD are only a small part of the BSides ecosystem, but did anyone discuss this with the attendees/participants? I mean if there is a global brand, that needs to be protected, then surely they're the stakeholders that give that brand value. I've not asked any participants, but I wonder how our attendees feel about our event happening because a BoD in the United States of Security-BSides™ says we're permitted. Then again, I’m pretty sure most don't care. Apathy is a wonderful thing sometimes.

I'm at a loss for what this really means. Has BSides just became a brand that is to be shaped and governed by a few, and if so, why did we agree to that? What do we get for losing control over our own destiny as events? Will those that are protecting our events from those events organisers actually be adding any benefit to those events? I worry if the next thing we need to do is start paying a stipend to be allowed to use the word BSides, you know because there is costs. Will part of an events sponsorship money been siphoned off to fund shutting down other BSides events on other parts of the world? Who is going to protect us from our BoD's, today, tomorrow, next week, next year, next decade? Everyone on that BoD are good people, and all of my ranting isn't a reflection on those wonderful human-beings, I hope I can say that for the next Directors and their successors.

I know i'm not helping on first glance, but we need to ask ourselves are we just a brand? Are we losing our way? Do bigger BSides events have influence now over how events are managed, and who manages them? But the biggest question is, which one of you made things so that our global BoD feels they need to have control over events they don't organise?

Many BSides events in many different non-US colonies will need to discuss amongst themselves if running with the just the ideals of BSides but without the Security-BSides™ endorsement is an option. I know at BSidesHH we're going to be discussing if we're going to become HamburgSides, or stay the same. The real question is do we fork-off?

Arron 'finux' Finnon