Announcing: Data-driven Security Smashup, Aug. 3-5, Las Vegas, NV

Data-driven Security Smashup

A Hackathon + Supercollider of Talent, Ideas, & Resources

Las Vegas, NV; Saturday - Monday August 3-5, 2019

  • Venue: rented house*, well off the Strip (we have secured the venue)
  • Timing: just before B-Sides LV/Black Hat/Defcon
  • Organizers: Me, Jon Hawkes, plus 2-4 others to be named (interested? Contact me)
  • On-site capacity: ~30
  • Remote/virtual participation? Yes. Details TBD
  • Call for Participation: coming soon, maybe mid-May
  • Call for Sponsorship: coming soon, maybe mid-May
  • Other locations: if this first Smashup goes well, we'd like to 'step-and-repeat' it soon in the EU, UK, Switzerland, elsewhere in US, and maybe more
* But it's just a working space.  Everyone should plan on getting a hotel room or other overnight lodging.


The Data-driven Security Smashup (DDS Smashup) is a combination of hackathon and ‘supercollider’ of talent, ideas, and resources, aiming for breakthrough innovations in data-driven cyber security, especially solutions to problems that span domains of people, process, technology, institutions, and culture.  

Theory of the Case

Why a “Smashup” rather than a conventional hackathon or workshop?  Because we think it has a good chance of breaking through the conceptual and cognitive barriers to innovation in data-driven security.  

We aren’t short of creative ideas.  More “whacks on the side of the head” won’t make much difference.  Current and past approaches to innovation have been too simplistic. We also need something more than just ideas that bridge two different fields or methods. Example: quantitative risk methods and incentives from insurance adapted to security (incl. metrics).  People have been whacking away at this innovation for 10 to 15 years, hoping it would be revolutionary.  It hasn’t been.  Why? Because a revolutionary breakthrough probably requires simultaneous, coupled innovation in three, four, or more fields at the same time, across two or more levels of the socio-technical ecosystem.

This calls for a social invention process that is supercharged to force inventive activity in areas that seem almost impossible, especially from any single field or discipline.  That’s why we need a ‘supercollider’ of talent, ideas, and resources like the DDS Smashup.

Space of Possibilities

For purposes of discussing scope and interactions, the solutions could include one or more: 1) participatory games (real or virtual world, tabletop),  2) software tools, 3) data sets, analytics, or visualization, or 4) frameworks, taxonomy, or ontology. This diagram shows the space of possibilities, along with existing or potential ‘docking projects’ (a.k.a. accelerators).  (This is preliminary, and subject to much change.)
(click to enlarge)

It’s Like a Hackathon...

Hackathons are events where diverse people quickly “hack together” solutions in a concentrated setting (time and place), working in teams of people who they normally wouldn’t work with.  Each team will design and build one prototype solution to one specific problem.  “design and build” may involve conceptualization (visualization, animation, schematics) and/or realization (building a working prototype in software and/or hardware).  Teams then present their completed prototypes to a panel of judges who award prizes to the best designs.  Most hackathons are convened in a physical space, but some are virtual.  Often there are people who document the process, including live-action video, interviews, etc.

Hackathons mostly embrace “techno-optimism” as a philosophy and value system, with a strong bias toward pragmatic action. The focus is on ‘the art of the possible’, spurred by creativity and improvisation. Teams are free to base their solutions on their prefered value system as long as it is explicit and it is compatible with “techno-optimism”.

Teams own the rights to Intellectual Property they create during a hackathon, and thus could use it as a basis for commercial development afterward.  However, there is no presumption or favor for commercialization or proprietary control of IP.  IP sharing and open source are often the best path to further development of a prototype.

Hackathons are frequently sponsored by non-profit entities for community benefit, and sometimes by for-profit firms for either community benefit and/or proprietary interest.

The DDS Smashup will be a 3-day on-site and virtual event, hosted and facilitated in a specially designed venue.  The first DDS Smashup will be in Las Vegas, NV on Saturday - Monday August 3-5, just before B-Sides Las Vegas.  On-site capacity is limited to about 30 people.

Everyone who participates in DDS Smashup will be a “doer” and 100% committed for the duration, including days and evenings. We will recruit a diverse set of highly-qualified people, including people who may not have ever engaged with the information security community.

Hackathons are frequently sponsored by non-profit entities for community benefit, and sometimes by for-profit firms for either community benefit and/or proprietary interest.

...but Different from a Hackathon


Unlike a regular hackathon where anyone can attend, participation in DDS Smashup will be limited and selective following a diversity-oriented recruitment process. We aim to supercharge the talent pool.

Participants will not be equal in authority and power. There will be a core team of Organizers (about 3 - 5 people) who will “run the show” -- doing all the organizing and preparation, making major decisions, orchestrating and facilitating, vetting and selecting participants, etc.

The other 25 on-site participants will be selected based on what they can contribute to the event, including:
  • Commitment to and zeal for data-driven security innovation
  • Relevant ideas, approaches, tools, or methods (see Scope diagram)
  • Relevant talents, skills, and expertise
  • Diverse and divergent perspectives and experiences, especially “boundary spanning”
We haven’t set goals or limits on the number of remote participants, or whether we would support remote-only teams.  For this first event, our priority is on the on-site participants and process.  If we can recruit several organizers who will focus exclusively on managing and facilitating remote participation, then we can be more ambitious.

We will recruit participants from a wide range of communities and aim for a diverse set of participants (gender, age, ethnicity, culture, institutional affiliation, experience-level/seniority, …).  That said, nobody will be there solely to represent a group or point of view.  Everyone will be there to work, probably to the limits of their capability.  We hope to have sponsorship to help cover travel and other expenses for students and other limited income people. Diversity isn’t an end in itself, but instead serves the goal of breakthrough innovation.


In a normal hackathon, all ideation happens on-site and arises spontaneously from the teams. Pre-work is discouraged.  DDS Smashup will be different. We aim to supercharge both the pool of ideas and also energy that can use ideas together.

At the DDS Smashup, teams will mostly work by building on, adapting, to connecting to one or more “docking projects” (a.k.a. accelerators) (see “Space of Possibilities” diagram, above).  We won’t stop anyone who passionately wants to work from scratch, but they will be at a disadvantage in terms of getting something done in three days and also recruiting support for follow-on projects.

These “docking projects” have been developed, developed to some degree, tested and sometimes applied to practice.  While they could all be improved in the usual sense, the biggest potential for innovation is to extend design and development in completely new directions, perhaps connecting several docking projects together.


In normal hackathons, teams are self-organized when the event starts, possibly by joining people who pitch ideas. DDS Smashup will be different.

Due to capacity limitations (30 people on-site, and maybe 30 to 100 virtually), we will probably limit the number of teams to 6.  We will probably have most of the teams identified and partially formed before the event starts.  (This is part of pre-work.)  But we won’t lock in team membership until after the event starts.

We will also be flexible about participation on multiple teams, or merger of teams, teams splitting apart, and temporary multi-team collaborations.  A huge benefit for having a small venue with relatively small number of participants is we can improvise like crazy this way.


In normal hackathons there is no pre-work. It’s often discouraged. DDS Smashup will be different.

All participants will need to do pre-work.  We estimate this could be 5 to 30 hours of work over four to six weeks leading up to the DDS Smashup.  The pre-work may involve learning a tool stack (e.g. NetLogo and extensions API for Agent-based Modeling), or learning about one or more of the docking projects, or doing background reading on Data-driven Security (incl. risk, economics, metrics, etc.).

We will be strict about this.  Any participant who shows up without doing adequate pre-work will be turned away. It’s just not fair to everyone else.

Work Schedule

In a normal hackathon, both the schedule and venue often promote extreme work schedules, including ‘all-nighters’. DDS Smashup will be different.

DDS Smashup will be 3 days rather than 2.  Quite a bit of work will be done prior to the event, and also many team members may be virtual participants, including in other time zones.  Therefore all participants should be able to get 8 hours sleep per 24 period.  Participants should be prepared to work 10 to 16 hours per day for the three days.
Food and Drink
Most hackathons provide food, and some only pizza and soda. DDS Smashup will be different.

DDS Smashup will have healthy, good quality catered food and drinks, including coffee, tea, and soft drinks, but no alcohol.  But, to set expectations, it won’t be fancy gourmet food.
Judging and Prizes
In a normal hackathon, judges evaluate team presentations and then award prizes to the best teams.  Participants are often motivated to win prizes and a competitive atmosphere can develop.  DDS Smashup will be different.

On Tuesday evening, August 6, we hope to have all teams present at a dinner event for CISOs at the B-Sides Las Vegas.  (B-Sides LV has a CISO track, limited to 50 participants).  While this might be viewed as judging, the real purpose of the presentations is feedback and to stimulate further ideas for projects and research.  Thus, even a ‘failed’ prototype might be fruitful for future work because of what was learned in the process of the project.

We might have a second round of presentations to a general B-Sides audience on August 7 if we can find a proper setting.


In some normal hackathons, one or more sponsors have a proprietary interest in the process or products.  Sometimes they want to promote their products or services (e.g. “build a public health app using XYZ’s API and tools…”), or they are hoping to commercialize one or more prototypes, or maybe they want to recruit new employees.

By contrast, in the DDS Smashup all sponsorships will be for community benefit and for research goals. There will be no marketing sponsors and no formal job recruiting.

All sponsor money will be handled through the B-Sides LV non-profit organization (or similar).

All sponsor money will go for direct expenses for the venue, equipment, networking services, food, office supplies, etc.  No money will go to Organizers or Participants in the form of salaries or consulting fees.  Students and other limited income Participants may receive travel and expense stipends.

Fine Print

Sorry if the following sounds harsh, but we aren't messing around.
Unlike other Information Security conferences in Las Vegas that include a lot of non-work activity -- networking, socializing, partying, drinking, pranking, and rampaging -- the DDS Smashup will be all work and only work.  This excludes alcohol and drugs, but also friends, partners, pets, diversionary games or media, etc. Obviously, it also excludes sales and marketing activity by vendors or consultants. 
Also: no "rock stars".  Nobody participates just because they are famous or have a cool reputation.  Nobody participates without doing necessary pre-work. Sponsors can't buy participation slots, either.
All Organizers and all participants are collectively responsible to make this a productive, inclusive event. Because how we treat each other matters and we want everyone to be on the same page, we will have a simple code of conduct. We are creating something new and thus we can't assume that existing set of norms or other Codes of Conduct are sufficient or universally understood.

This will be strenuous work. On-site participation is not appropriate for people who are feeling sick or are in frail health. Through remote/virtual participation, we can probably accommodate anyone who can be productive regardless of health or disability.
We might have a few sociologists or anthropologists documenting our process, including video and interviews.  We'll get signed permission from everyone, with options to opt-out.  Otherwise, nobody will be there to "just watch" or "hangout". 
Like other hackathons, DDS Smashup is not an appropriate venue to explore the outer reaches of free speech and free expression, nor for debates on meta-issues like social justice, value systems, or the validity of the problem statements. Likewise, DDS Smashup is not appropriate for social process work such as discourse critiques, deconstruction, or consciousness raising. These are best done in other venues and settings. 

Article Link: