LAS VEGAS -- Last weekend, more than 9,000 hackers, freaks, feds and geeks gathered for the 16th annual DefCon, the world's largest computer security convention.

Wired.com brought you live coverage of the most newsworthy events at DefCon 16. Here are some photos from the lighter side of the conference.

Left: South Korean hackers compete in the Capture the Flag competition. The goal is to hack into and keep control of targeted servers.

Mr. Sinister and Dragon Cracker battle it out in a round of Guitar Hero -- one of DefCon's newest competitions.

Bringing-your-own-booze supply ensures optimal buzz at DefCon. Shortly after this picture was taken, hotel security escorted this backpack-hacker to his room.

Computer geeks from the National Institute of Standards and Technology set up a network secured with quantum encryption in a conference room at DefCon. The quantum-entangled photons are being used to encrypt a video stream across a line-of-site network.

A compact optical bench and an atomic clock (left) are used to secure a network with quantum encryption.

In the Lock Pick Pavilion, DefCon attendees Dustin, Jennalynn and Kunfoozball practice their lock-picking skills.

DefCon founder and organizer Jeff Moss, aka Dark Tangent, at the conference's closing ceremony Sunday.

A collection of black badges awaits the winners of the various competitions. These badges give their holders lifetime entry to DefCon.

One of DefCon's logos, the smiley-faced skull and crossbones, is welded inside a yellow sphere. The sphere is the primary stage of one of the most difficult competitions at DefCon: The Mystery Challenge.

Unbeknownst to attendees, this laptop is sniffing RFID tags and taking photos of their owners when they pass in front of the detectors. RFID tags are used in everything from building access to some credit cards.

At the closing ceremony, DefCon organizers turn off the lights while the attendees wave their high-tech badges back and forth.

Thursday was a little different, I got up early and got a few ‘real’ work things done (you know, those things) before heading off to meet Mike Fratto for a project he’s working on. More on that later.

I made it back to the show around lunch-ish but didn’t stop for lunch yet, since the show floor was closing at 4:00pm- I still had some browsing and chatting to do. Starting around 3:45, I took a ‘Last 15 on the Floor’ series of shots from the expo floor.

At some point Thursday or Wednesday, I did stop by the Security Smackdown challenge they had running- pretty neato- bunch of hackers beatin’ each other down for the ultimate Smackdown Title. WWCF: World Wide Crypto Fighting…. or… something like that. There was a guy sporting an overtly over-sized gold WWF-style belt… hence the joke… nevermind.

Anyway, I also stopped by the ‘official’ RSA Bookstore and picked up a little book on 802.1X. When I say little, I mean little… and it was $60. Yes, seriously. To top it off, it’s probably the most poorly-written book I’ve ever read. You’ll see a book review on that later. I want to give it a fair shake and read the whole thing, but I’m not entirely sure I can submit myself to much more of the torture… we’ll see.

Thursday evening was the big RSA Codebreakers Bash and they really did it up right! There were several rooms full of fun, regardless of your taste. One room had a really good cover band and lots of music and dancing, another room had a huge bar area and light display I could have watched for hours. In one area, they had Guitar Hero full band playoffs, and in another yet bubble-head karaoke. Across the hall was a little more subdued, with more quiet sitting areas, perfect for chatting over a glass of wine. They also had crazy looking costumed ladies applying barcode tattoos to whomever was drunk enough to let them paste them on their forehead or face…. yeah… I have no clue about that one. I stopped in for about an hour before calling it a night. Thursday was day 6 in San Fran for me and I was exhausted. I did get some photos for you to try and capture the chaos. View photos from the Bash.

That pretty much sums up my day, and I left the hooplah on a Friday morning flight back to the East Coast. That’s about all I have from RSA 2008, but you’ll be hearing about some fun new projects and events that have grown out of this trip.

Next stop: Interop Las Vegas (yee-haw!)

# # #

So, we have a glut in the market of companies that have raised 25 to 40 million dollars or more, have revenue of between 5 and 20 million dollars and are borderline profitable at best.  As my uncle used to say about me, to heavy for light work, too light for heavy work.  What are these companies to do? 

I think the possibilities fall into just a few choices:

1. Earn your way out of it - This is totally dependant on the ability of the company increase their year over year revenue. The problem is most of the companies in this predicament are only growing 10 to 20% a year.  That is just not enough, especially if they are not profitable.  The biggest issue is not breathing your own exhaust here.  Too many companies announce fantastic quarters, but being private don't give out the actual numbers.  I think any exec team has to ask themselves the hard question of what it will take and how realistic is it to make that growth rate real. The cold hard fact is that most security companies in this category are not having organic growth rates at the levels required.

2. Merge - I think this is going to be a common theme in the years to come.  With the public markets not an option and more VC money expensive and hard to come by, combining companies is a viable option to achieve the size necessary.  The key is the merger has to be accretive financially and complimentary from a technology point of view. 

The idea here is that in a merger you can get some economies of scale, take some cost out of the equation, have technologies that just don't roll up into one product, but are still complimentary.  What I mean by that last one is that if I already sell a product for a dollar, adding another technology to it and still selling it for a dollar is not enough.  Most importantly, the combined revenue allows the merged companies to have enough size and market to compete on better footing with the larger companies in the market.  I think 35 to 70 million dollars in revenue is the range for the merged companies.

The hard part is who manages the new company and how do you value each component company.  Often times these two details will make these deals really hard to get done.

3. Lower your expectations and settle - Like a 39 year old never married person, maybe lowering your standards and "settling" will help. No one wants to hear this, but faced with the reality of your options, this may be the right choice. Get out with your skin on and live to fight another day. I am sure we are going to see lots of these kinds of deals that will represent real bargains to the acquiring companies.

4. Just keep limping along, praying for a miracle - There is always the chance that either the market "discovers" something new about your products or you come up with something new that explodes.  The company that did Guitar Hero was around for years and years, until they came upon Guitar Hero.  The problem is most investors don't have that kind of return horizon.  There will be some who do this, but is it really dead men walking?

Well that about sums up the options.  My view is that too many companies will take option one. Only when they have exhausted themselves will they honestly look at option 2.  By then they may have worked themselves out of an optimum time for a merger at good terms.  Ultimately, they may have to settle. 

Someone asked what about StillSecure.  Fair question since I do work here.  Actually, we are still in the rapid growth phase.  With our current revenue growth rate, we should have the velocity to break out of the pack. However, if we don't continue along that growth curve, you can bet I would urge my fellow StillSecure execs to consider merger options

So, we have a glut in the market of companies that have raised 25 to 40 million dollars or more, have revenue of between 5 and 20 million dollars and are borderline profitable at best.  As my uncle used to say about me, to heavy for light work, too light for heavy work.  What are these companies to do? 

I think the possibilities fall into just a few choices:

1. Earn your way out of it - This is totally dependant on the ability of the company increase their year over year revenue. The problem is most of the companies in this predicament are only growing 10 to 20% a year.  That is just not enough, especially if they are not profitable.  The biggest issue is not breathing your own exhaust here.  Too many companies announce fantastic quarters, but being private don't give out the actual numbers.  I think any exec team has to ask themselves the hard question of what it will take and how realistic is it to make that growth rate real. The cold hard fact is that most security companies in this category are not having organic growth rates at the levels required.

2. Merge - I think this is going to be a common theme in the years to come.  With the public markets not an option and more VC money expensive and hard to come by, combining companies is a viable option to achieve the size necessary.  The key is the merger has to be accretive financially and complimentary from a technology point of view. 

The idea here is that in a merger you can get some economies of scale, take some cost out of the equation, have technologies that just don't roll up into one product, but are still complimentary.  What I mean by that last one is that if I already sell a product for a dollar, adding another technology to it and still selling it for a dollar is not enough.  Most importantly, the combined revenue allows the merged companies to have enough size and market to compete on better footing with the larger companies in the market.  I think 35 to 70 million dollars in revenue is the range for the merged companies.

The hard part is who manages the new company and how do you value each component company.  Often times these two details will make these deals really hard to get done.

3. Lower your expectations and settle - Like a 39 year old never married person, maybe lowering your standards and "settling" will help. No one wants to hear this, but faced with the reality of your options, this may be the right choice. Get out with your skin on and live to fight another day. I am sure we are going to see lots of these kinds of deals that will represent real bargains to the acquiring companies.

4. Just keep limping along, praying for a miracle - There is always the chance that either the market "discovers" something new about your products or you come up with something new that explodes.  The company that did Guitar Hero was around for years and years, until they came upon Guitar Hero.  The problem is most investors don't have that kind of return horizon.  There will be some who do this, but is it really dead men walking?

Well that about sums up the options.  My view is that too many companies will take option one. Only when they have exhausted themselves will they honestly look at option 2.  By then they may have worked themselves out of an optimum time for a merger at good terms.  Ultimately, they may have to settle. 

Someone asked what about StillSecure.  Fair question since I do work here.  Actually, we are still in the rapid growth phase.  With our current revenue growth rate, we should have the velocity to break out of the pack. However, if we don't continue along that growth curve, you can bet I would urge my fellow StillSecure execs to consider merger options

I also went by the speaker lounge to check in and meet up with my co-speaker for my Wednesday session and we were able to make some good progress on slides (yes, they were due weeks ago, but we'll be tweaking them up to the last minute, not doubt).  We also requested permission to film our session with my camera - this is apparently something that is possible, but you have to ask ahead of time - luckily, we got good guidance on this from the good Mandy Schu, our speaker manager.

At 6:00PM, we went down to the reception and, I must say, my first impression for this year was very good.  The show seems bigger and better than ever.  I saw lots of familiar brands and we meandered over by the Microsoft booth, where I ran into Kai Axford, Austin Wilson and a bunch of other Microsoft folks.  After a bit of smalltalk, I set out to accomplish my goals for the evening:

• enjoy the free food and drinks
• work on identifying the common "theme" for RSA this year

Shortly later, as I'm walking by a booth, my ear caught a familiar tune - " naaa   na na    na na... story of my life, story of my life..."  I look over, and yes, there are two security geeks rocking out on Guitar Hero.  Hmm, interesting idea, it definitely seemed to be drawing a crowd.  I wonder why nobody else thought of that.  Five minutes later, after passing 3 Guitar Hero sets, I realized that a lot of people had thought of it.  Play, get high score and win a game system!

So, there it is, the theme of RSA 2008:  Guitar Hero III.

Okay, so that may not be the security theme for the show, but it certainly seemed to be a hit with the attendees, judging by the many people stopping to show off their mad (or not so mad) Guitar Skillz.

I'll be checking back in with you midday tomorrow to give my feedback of how the morning keynote sessions go, but if I get some free time, you may see me on the show floor working my way through "Slow Ride" or "Barracuda."

Q: Prior to 1870, street corner fire alarm pull boxes were kept locked. Why were they kept locked and how did a person gain access to 'pull the box?'

A: They were kept locked due to false alarms. Nearby shopkeepers or beat cops carried the keys.

Here's Robert Cromie, writing in The Great Chicago Fire (Thomas Nelson: 1994), page 33:

William Lee, the O'Leary's neighbor, rushed into Goll's drugstore, and gasped out a request for the key to the alarm box. The new boxes were attached to the walls of stores or other convenient locations. To prevent false alarms and crank calls, the boxes were locked, and the keys given to trustworthy citizens nearby.

What happened when Lee made his request is not clear. Only one fact emerges from the confusion: No alarm was registered from any box in the vicinity of the fire until it was too late to do any good.

Apparently, Lee said that Goll refused to give him the key because he'd already seen a fire engine go past; Goll said he actually did pull the alarm, twice, but if so it must not have worked.

(There's more about what sounds like a really bad communications failure, but it's a little too hard for me to read on the Amazon website.)

Here's more:

But did you know that the fire burned for over half an hour before an alarm was ever sounded? Alarm boxes were actually kept locked in those days, to prevent false alarms!

When the first alarm box was finally opened and the lever pulled, the alarm somehow did not get through. The fire dispatcher was playing a guitar for a couple of girls at the time and he kept on serenely strumming, completely unawares. After the fire had been growing and blazing for nearly an hour a watchman screamed at the dispatcher to sound an alarm, which he did, and the first three engines, two hose wagons, and two hook and ladders were sent out -- but in the wrong direction!

At first the dispatcher refused to sound another alarm, hoping to avoid further confusion.

Compare this with a proposed law in New York City that will require people to get a license before they can buy chemical, biological, or radiological attack detectors:

The legislation — which was proposed by the Bloomberg administration and would be the first of its kind in the nation — would empower the police commissioner to decide whether to grant a free five-year permit to individuals and companies seeking to "possess or deploy such detectors." Common smoke alarms and carbon monoxide detectors would not be covered by the law, the Police Department said. Violations of the law would be considered a misdemeanor.

Why does the administration think such a law is necessary? Richard A. Falkenrath, the Police Department’s deputy commissioner for counterterrorism, told the Council’s Public Safety Committee at a hearing today, "Our mutual goal is to prevent false alarms and unnecessary public concern by making sure that we know where these detectors are located and that they conform to standards of quality and reliability."

The law would also require anyone using such a detector -- regardless of whether they have obtained the required permit -- to notify the Police Department if the detector alerted them to a biological, chemical or radiological agent. “In this way, emergency response personnel will be able to assess threats and take appropriate action based on the maximum information available,” Dr. Falkenrath said.

False positives are a problem with any detection system, and certainly putting Geiger counters in the hands of everyone will mean a lot of amateurs calling false alarms into the police. But the way to handle that isn't to ban Geiger counters. (Just as the way to deal with false fire alarms 100 yeras ago wasn't to lock the alarm boxes.) The way to deal with it is by 1) putting a system in place to quickly separate the real alarms from the false alarms, and 2) prosecuting those who maliciously sound false alarms.