Cleveland BSides takes heat for Chris Hadnagy appearance

Organizers of the recent BSides Cleveland 2022 conference will step down after booking a banned security researcher as a surprise keynote speaker.

The BSides Cleveland conference organizers apologized for failing to tell its participants that Christopher Hadnagy, who was banned from DEF CON in February 2022 for misconduct, would be a keynote speaker.

"We own our poor decision making and again apologize to the community for not communicating the final lineup," the organizers said on Twitter. "Should BSides Cleveland continue again, this will not happen again."

The organization later said its leadership will step down.

BSides is a security community that builds events for infosec professionals. As of June 2022, there have been more than 740 BSides events around the world, hosted in 198 cities spanning 56 countries, including Cleveland.

The decision to host Hadnagy as a surprise speaker outraged many attendees and other speakers, who publicly said they would have pulled out of the conference had they known Hadnagy would be one of the speakers.

BSides Cleveland had intentionally kept the identity of its speakers a secret. Its conference website said keynotes would include "Just Some Friends," with the statement "you won't want to miss this."

As it turns out, a great many of those involved in the event did, in fact, want to miss it. The event was immediately and heavily criticized by speakers, attendees and information security professionals who were not at the conference.

Among those to pull their planned conference talks was TrustedSec, an Ohio-based security provider that sponsored the keynote. CEO Dave Kennedy, who was due to give the presentation, was quick to condemn the decision to host Hadnagy.

"I pulled my talk because it was the right thing to do … after discussing with other speakers at the event," Kennedy posted to Twitter. "The organizers should have at a minimum announced the speaker well ahead of the conference and published clearly on site for folks to make their own decision."

Fellow speaker John Strand of Black Hills Information Security also cancelled his presentation, noting that he and other speakers were not given any advance warning of Hadnagy's participation. Strand said he plans to release his talk online.

The BSides organization has distanced itself from the incident, condemning the decision to host Hadnagy.

"Scheduling a presentation from a person who makes many feel unsafe has seriously damaged the trust the InfoSec community places in the hands of the people who organize our global events," the group said on Twitter.

Local BSides events, such as the conference in Cleveland, organize and book events on their own, sharing little more than a conference name with the larger BSides community.

A prominent figure in the pentesting and social engineering fields, Hadnagy has become something of a pariah in the months since organizers of DEF CON banned him from participating due to misconduct against fellow attendees.

DEF CON has declined to disclose any details on the misconduct, citing a need to protect the privacy of those involved. Aside from the trauma of public exposure, there is concern that accusing a powerful community member of misconduct could also hurt the whistleblowers' career prospects.

Hadnagy, meanwhile, has maintained that he did not receive any details of the accusations and said in a public statement he cannot recall any possible incidents of misconduct on his part.