The Dark Side of B-Sides; Mike Dahn

Tue Dec 20 19:18:42 CST 2011

Brian Martin


[Dec 22, 2011 Update - Mike Dahn has published a response to this article and outlines the steps he and B-Sides are taking to help ensure a more open and community driven leadership. We sincerely appreciate the commitment to the new direction and hope that it lasts, while B-Sides continues to prosper as an organization.]


Introduction

B-Sides describes itself as a "community-driven framework for building events for and by information security community members." In essence, B-Sides is an ongoing series of information security conferences that coincide with other security conferences that are typically higher profile or longer running. The first B-Sides event was "born out of [a] number of rejections to the CFP for Black Hat USA 2009" and took place July 29-30, 2009 to coincide with Black Hat USA 2009. Each B-Sides event is free for attendees, but is subject to limited numbers due to the venue. During each event, food and beverages (including alcohol) are free for those attending as well, the costs of which are covered by various sponsors. B-Sides as a whole is an extremely positive influence on the security industry, and brings a much-needed dose of high-quality, timely, and technical presentations.

In a recent public letter, Mike Dahn says that B-Sides was created largely by him and two others:

In 2009, I reached out to Mike Murray and Jennifer Leggio and sat down with them for dinner to map out the details of how to create Security B-Sides. Originally, I wanted to call it Security Fringe but based on their good advice we went with B-Sides. Mike and Jennifer didn't have the time to commit back then and bowed out for the time being. I moved forward planning the first B-Sides event in Las Vegas. Chris Nickerson offered the use of a house he rented. Jack Daniel was onboard to help from the beginning.

According to Chris Nickerson, a founder, the idea was born on Twitter with many people contributing ideas and pushing the concept forward. Involved from nearly the beginning, both Chris Nickerson and Jack Daniel are considered to be the other two founders.

A handful of B-Sides conferences draw large crowds, some 250 people or more. Many B-Sides conferences, primarily in the United States, are also being organized as independent conferences that do not coincide with another event, bringing a new gathering to areas that otherwise have no large security gatherings. To facilitate these conferences, B-Sides looks for sponsors, either for one event or "globally". The conference encourages sponsors to take care of a specific aspect such as "Capital, Marketing, People power, Food, or Organizers".

For the last two years, B-Sides has been viewed as an incredibly positive contribution to the industry, and it has been. This conference series has given thousands of professionals the chance to listen to and discuss current issues and enjoy the bright sides of the security industry. Tragically, it has recently come to public attention that some things about the organization are not as positive as the rest. One of the founders, Mike Dahn, seems to have repeatedly lied about the conferences and organization for what appears to be his own gain, as you will see in this article. Dahn does not seem to embrace the idea of openness like he claims, tarnishing the image of the community-built B-Sides. Until Dahn does what has been requested of him for two years by another founding member, namely be more open about finances and organization, the information below paints a grim picture of Dahn's behavior. This alleged unethical activity and deception is not acceptable by any standards, especially in an industry that preaches (and sells) integrity.

Not For Profit vs LLC vs Personal Account

One of the biggest controversies surrounding Mike Dahn and B-Sides is the status of the organization and how its finances are handled. This aspect should be the biggest concern to B-Sides volunteers, supporters, and most importantly, donors.

According to the Facebook page and the B-Sides Web Page (before edits sometime between January and June), B-Sides is supposedly a "not for profit" endeavor. The process of becoming a Not For Profit (NFP) varies state by state, but ultimately ends up under the purview of the Internal Revenue Service 501(c)(3) Code for tax-exemption status.

The process for filing for NFP status in California (called a "public charity nonprofit corporation"), where Mike Dahn is located, is outlined by the Citizen Media Law Project. The first two steps are general planning and research. The third step, long before applying to the IRS, requires incorporating in California. According to California Secretary of State Business Search, that was done on March 4, 2011, almost 2 years after B-Sides formed. Not only did Dahn wait almost two years, but as of May 7, 2011, the B-Sides page was still telling people that it was a "pending non-profit incorporation". More telling, the March 4 filing with California specifically says B-Sides was incorporated for charitable activity to qualify for 501(c)(3) status:

This deceptive wording implies the "pending" part was due to the government approval, not the fact that Dahn simply had not even begun the process of incorporating, let alone requesting tax-exempt status. Only after all this time did Jack Daniel, not Mike Dahn, change the page to remove this wording.

According to the IRS, there are no Charities & Non-Profits matching "bsides" or "b-sides" as of December 16, 2011. For two years, anyone donating to B-Sides was misled into thinking it was a Not For Profit organization, when in reality, it wasn't. This means that donors who contributed assuming that their donation was eligible for a tax deduction were misled. Any person or company that filed taxes with a donation to B-Sides as a claim is now potentially liable for that error on their filing, as you cannot write off a donation to a "pending" NFP.


(B-Sides 2010 Las Vegas Shirt with "Non-Profit Organization" on it.)

Follow the Money

As a Limited Liability Company (LLC), Dahn does not have to create a board of directors or advisors. Further, with the other B-Sides founders not listed as directors or employees, and not on the B-Sides bank account (Dahn and his wife are), he is not obligated to share financial information with anyone. As of this article, Dahn has not published any information about B-Sides financials, income, or expenditures despite maintaining the illusion of being a Not For Profit organization for two years.

According to the B-Sides Sponsoring page, donations are taken via a PayPal account listed as "Security B-Sides San Francisco". It is interesting that the account used is named after a specific B-Sides event, the one in Dahn's home city. While the Sponsoring page says "please reference the event you are sponsoring: #BSidesLV, #BSidesBOS, #BSidesSF, etc.", the PayPal screen does not indicate that. Given the name "Security B-Sides San Francisco", we don't even know if the account is for B-Sides (the company) or Mike Dahn's personal account; that is, until you donate to it. After donating to B-Sides and specifying the event I want my donation to go to, PayPal sent me the confirmation mail which clearly shows it is the personal account of Mike Dahn (who lists himself as "Donation Coordinator"), not an account maintained by "Security B-Sides", the California registered company. A business account lists the recipient as "Merchant", not "Donation Coordinator".

One B-Sides volunteer was told by Dahn that the Not For Profit paperwork "keeps bouncing back for dumb reasons" several times, suggesting that he did try to file with the IRS at some point. If that is true, Dahn should be able to easily provide a dated letter from the IRS supporting these claims. Another volunteer was told that Dahn has filed in California, but it took many months for a response and refiling before finally being approved by the state. After this process, Dahn apparently reconsidered, saying that he would rather avoid another tedious process with a federal filing, and that some B-Sides events were outside the US. According to another source, money has run through the organization (Dahn's PayPal) for the three core events: Las Vegas, San Francisco, and Austin. To a lesser degree, money for other events has also gone through the organization, but B-Sides has been pushing organizers to encourage sponsors to directly pay for event requirements such as chair rentals, meals, or venue. The curious part about all of this is that the entire process of incorporating, filing, and then applying for NFP status generally takes one year under the worst of circumstances (e.g., filer is busy and slow to submit paperwork, difficult to coordinate with IRS). I know this because I am an officer in a registered 501(c)(3), and our filing procedure was far from optimal (incorporated 2004-04-20, granted Non-Profit status 2005-04-09).

With the intended model moving to having sponsors pay for specific aspects of a conference, one has to wonder how it has worked to date. Consider that a B-Sides event has no standard for designated sponsors. For example, at B-Sides St. Paul, MN there are four 'Made' sponsors, five 'Associate' sponsors, and three 'Global' sponsors. Looking at B-Sides Chicago, we see Global, 'Engage the Audience', 'Above & Beyond', and 'Core' supporters. Taking B-Sides St. Paul, MN as the example, there are 12 sponsors for the event. What did each pay for exactly? How many donated cash directly to B-Sides, donated cash to the organizer, and which paid for tangible items to support the conference? Are there records of this anywhere? Did any leftover money get folded back into the B-Sides organization or was it retained locally for a subsequent B-Sides in the same city? The idea of a framework for conferences is nice, but it reminds us that when each event is done locally, it is not necessarily done in the same spirit as another B-Sides event.

One of the founders pushed for B-Sides to stay local, with each individual organizer running the conference; an idea that two years later became a push, after Dahn had received scrutiny and heat for his management of the organization. That same founder suggested that global sponsors donate money that would be used to seed conferences in different areas. According to the founder, Dahn liked the idea, but ultimately did not end up distributing the money. When those ideas fell apart, Dahn pushed to use the B-Sides names to get any sponsors possible for local events, yet still took global sponsors for the larger events such as B-Sides Las Vegas and B-Sides San Francisco. When Dahn was asked for any form of accounting by another founder, the only thing produced was an account balance, never a ledger of donations and expenditures. Considering Dahn's heavy involvement in PCI, an initiative born in auditing, the fact he does not have or will not produce his own audit trail is telling.

A common phrase among investigators is "follow the money", meaning that a money trail will frequently help tell the story of who is in control, who is profiting, and who was financially involved to some degree. Unfortunately, without open books, there is limited information to go on. The public has a few basic facts to go on. After electronic conversations with several people affiliated with B-Sides to some degree, including one of the founders, I have first-hand reports of additional information that I have validated by seeing the related invoices. While I don't know how each invoice was paid (e.g., PayPal, Check to Dahn, Check to Security B-Sides), it is enough information to create a mock ledger for one of the bigger events. The timeline involved is not complete, there are certainly some gaps and information that would help better explain what happened. If Dahn opens the B-Sides books, it will answer those questions.

The following table was created with help from a B-Sides founder, Chris Nickerson, who shared some financial details to help illustrate the fundamental problem, and to better explain why an increasing number of volunteers are getting frustrated with the organization. Dollar amounts and time frames are exact unless noted with a ~ to represent "approximate". Approximate values are based on previous events, communications regarding the money, or Nickerson's memory, and should be fairly accurate. Rather than a straight ledger of transactions, additional points and events are included to better represent the timeframe, as well as tell the story of how B-Sides Las Vegas #3 almost got cancelled last minute. All commentary on this timeline is my own summary and observations based on available information. It is understood that a sponsor may have agreed on a total but did not send payment until some time later, possibly after the event. Regardless, this ledger serves to demonstrate the problem with B-Sides financials.

| Date | Description | Amount | Balance |
|---|---|---|---|
| ~ May 3, 2011 | Amount in B-Sides Bank Account, as told to Nickerson by Dahn | | ~ $55,000 |
| ~ June 3, 2011 | Nickerson goes to Vegas to scout locations. B-Sides sends Angela (B-Sides paid consultant) to "supervise and understand". B-Sides pays for her trip, not Nickerson's. | ~ $500 | $54,500 |
| ~ June 1, 2011 | Sponsor: AlienVault (Global, $4,500 earmarked for Vegas 3) | $15,000 | $69,500 |
| ~ June 1, 2011 | Sponsor: NetWitness (Global, $4,500 earmarked for Vegas 3) | $15,000 | $84,500 |
| ~ June 1, 2011 | Sponsor: Tripwire (Global, $4,500 earmarked for Vegas 3) | $15,000 | $99,500 |
| ~ June 1, 2011 | Sponsor: Trustwave (Global, $4,500 earmarked for Vegas 3) | $15,000 | $114,500 |
| June 2, 2011 | Sponsor: Core Security | $3,000 | $117,500 |
| June 15, 2011 | Nickerson goes to reserve hotel, Dahn tells him to front the money because B-Sides has no funds, despite having plenty months before. | -- | |
| June 23, 2011 | Executed agreement with Artisan Hotel for B-Sides event | $30,480 | $87,020 |
| ~ June 23, 2011 | Badges (Covered by XeroBank, not listed as sponsor for some reason) | -- | |
| ~ June 23, 2011 | Shirts (Covered by B-Sides, but profitable. Proceeds donated to EFF) | -- | |
| June 29, 2011 | Sponsor: Exploit Hub | $2,000 | $89,020 |
| ~ July 1, 2011 | Sponsor: Astaro (Global, $4,500 earmarked for Vegas 3) | $15,000 | $104,020 |
| July 20, 2011 | Sponsor: Tenable Network Security | $4,500 | $108,520 |
| July 21, 2011 | Sponsor: TorreyPoint | $2,000 | $110,520 |
| July 21, 2011 | Shuttle buses reserved | $3,834 | $106,686 |
| July 31, 2011 | Sponsor: Trace (covered $10k bar tab + $3k as sponsor) | $3,000 | $109,686 |
| July 31, 2011 | Sponsor: Qualys (covered $3,000 bar tab) | -- | $109,686 |
| August 1, 2011 | Nickerson arrives early. Hotel says over $10,000 balance unpaid. | -- | |
| August 1, 2011 | According to Angela, B-Sides has received $33,750 to cover Vegas 3 expenses, and only includes $4,500 from one Global Sponsor. | -- | |
| August 1, 2011 | According to Amber (Dahn's wife), B-Sides account does not have $23,796 in it to cover 4 planned meals after "paying $30k" already. Does not explain how an outstanding balance of over $10k is present. | -- | |
| August 1, 2011 | Sponsor: Milton | $750 | $110,436 |
| August 1, 2011 | Sponsor: Barracuda | $5,000 | $115,436 |
| August 2, 2011 | Due to unpaid balance and no help from Dahn, Nickerson tells him "I am shutting this down." Led to "blowout" with Amber, Dahn refused to talk to him any more. Nickerson told there is no money in B-Sides account. | -- | |
| August 2, 2011 | Night before B-Sides, one hour after Nickerson says he is cancelling the event, Artisan receives personal credit card from Amber to cover some outstanding balance of $7,780. Given relation of Amber and Mike, assume she was paid back. | -- | |
| August 2, 2011 | According to Angela, B-Sides is 3,693.60 in the green. | -- | |
| August 3, 2011 | Morning of B-Sides, Nickerson goes to bank to get check to cover remainder of balance, $4,942. He is never reimbursed for this amount. | $4,942 | $120,378 |
| August 3, 2011 | Buffet Breakfast, 2 Days (Original quote for $7,780. Opted not to go with it.) | -- | |
| August 3, 2011 | 10x10 Registration Tent Fee, 2 Days | $150 | $120,228 |
| August 3, 2011 | Buffet Lunch, 2 Days (Original quote. Actual price lower, unsure of final total.) | $16,106 | $104,122 |
| August 3, 2011 | Hotel Room Incidentals (Original quote $9600. Individual guests required to cover.) | -- | |
| August 15, 2011 | Sponsor: Google | $4,500 | $108,622 |
| ~ September 15, 2011 | Most sponsors should have been paid up by this point. | | $108,622 |


[Update: A B-Sides volunteer informs us that four Global Sponsors likely came in earlier in the year and are part of the ~ $55k starting balance. That would seriously reduce the $108k figure mentioned in the following paragraph, but still calls into question where the original $55k balance went before Las Vegas, and general issues surrounding the accounts and handling of the money.]

Over $108,000 should have been in the B-Sides account at some point after Las Vegas. Even if the original $55,000 balance was incorrect, that means B-Sides took in approximately $104,692 for the event, while paying out $51,070 if not less. Regardless, at no point should the B-Sides account have been empty and the organization unable to pay for expenses. Where did the money go?

Once again, so many questions and no answers, due to a lack of openness from Dahn. For the sake of B-Sides and the community, he must provide the records to show that the money was used appropriately. If he was planning on applying for tax-exempt status, or filing taxes for the LLC, he would have kept all of the receipts and a ledger of financial activity. Simply open it up for the world to see, Mike. That will remove any doubt from the concerned individuals that volunteer their valuable time to support the organization.

Claiming Not For Profit; Fraud and Deceit

The question of money will remain until Dahn opens the B-Sides books. As for Dahn's intent and culpability, we don't need to know the ledger details. A source close to one of the B-Sides gatherings, who helped organize and arrange for sponsors, has provided details that call Mike Dahn's ethics and integrity into question.

During the planning stages of a B-Sides conference held in the U.S., the organizers were looking for vendors that would handle the food and catering. One vendor said they would help, and could get a better deal and not charge taxes if B-Sides could provide paperwork showing Non-Profit status. The organizer contacted Mike Dahn and asked for the Federal Tax ID (TID) number (aka Employer Identification Number (EIN)) or whatever proof would be needed to show that B-Sides was a registered NFP organization. Rather than provide this, Dahn emailed the articles of incorporation for Security B-Sides to use as proof. While this is technically part of the process in becoming an approved NFP, it is also the main step in becoming a for-profit company. Incorporating, by itself, does not mean paperwork has been filed federally or that the IRS has approved the application.

When the organizer replied back pressing for a Federal TID, Dahn stopped e-mailing and changed to text messages, then called the organizer on the phone later that day. While Dahn frequently praises phone communication as more personal, it is also convenient for not leaving a paper trail, although it does not prevent one party from relaying pieces of the conversation. During the call, Dahn stated that he had only filed in California at that point, and was "still waiting on the federal filing to complete". That implies that Dahn had already begun the process with filing paperwork to the IRS. In a conversation with a different volunteer almost 10 months after this phone call, Dahn said that he was reconsidering filing federally at all, implying he never initiated the paperwork.

On the phone, Dahn continued saying that other events had used the paperwork (i.e., articles of incorporation) to show that B-Sides was in the process of filing for NFP status, and it has previously worked with other sponsors and vendors to make them believe B-Sides was a legitimate NFP entity. Dahn trying to convince a volunteer to offer articles of incorporation that state intent to file NFP status as proof of 501(c)(3) status is unethical. Presenting paperwork declaring intent to file federally is not proof of NFP status. As we now know, Dahn never ended up filing federally and B-Sides is not a registered NFP entity. Asking a volunteer to lie about NFP status is deceptive at best, criminally fraudulent at the worst.

Under Pressure, Dahn Scrambles

On December 9, after still not receiving the information despite repeated requests, Chris Nickerson began to speak out publicly against Mike Dahn, challenging him on some of the issues outlined in this article. This, and presumably other comments either public or private, led Mike Dahn to start announcing changes to B-Sides administration and post a public letter of appeal to the community on December 10, 2011, requesting his friends "take action" over Nickerson's "defatory [sic] post". While some of Nickerson's accusations may or may not be defamatory, some of them certainly appear true. Dahn's response only reinforces the accusations; it does not refute them.

I've been involved in information security for 12 years. Before Security B-Sides ever existed I was the global PCI standards trainer for Visa and the PCI Council. I sat on the National Board of Directors for InfraGard. I blogged and participated in the industry with the goal of providing transparency and educating others about nuance and detail that often times are misunderstood.

Dahn's claim of promoting transparency certainly seems to contradict his behavior with regards to B-Sides. Not providing open books to another founding member is the opposite of transparency.

Here is my favor to you. If you hear someone say something negative about me please reply with your pesonal [sic] experiences and interractions [sic] you've had with me. Please feel free to blog, tweet, whatever about the impact I have personally had on you through our interractions [sic].

I'm asking that you stand up *publicly* for those you like, trust, and respect.

It is no secret that Dahn and I have our differences. My personal experience with him has been negative, so per his request, I will briefly share my experience. After a podcast panel where I asked pressing questions to three PCI supporters (at the time) about the value of the PCI standard, I took additional conversation to email. Two of the three panelists were open minded and gave serious consideration to my points, as I did to theirs. It was a professional and educational experience with both. For Mike Dahn, he was less forthcoming and more resistant to discussion when it came to my points. When I mailed all three a week later asking one of them (not Dahn) to explain an analogy they used, because I did not understand or hear it all, Dahn replied to me saying "I will not engage you or anyone else who so blatantly does not want to have an actual discussion and learn from each other." Given I mailed them asking for more information, his response was peculiar and hypocritical. This was the first of several cases where he was short with me, avoided open discussion, and would only offer to speak to me over the phone. My entire impression of Dahn is that he will do anything and everything to avoid accountability. Email, Twitter DMs, and instant messaging can be trivially published; I believe Dahn feels that a phone call is less likely to be recorded and published, so that is his preferred medium. As I told him in email on February 8, 2010, "you have a really shifty nature about you". My biggest problem with Dahn has been his complete desire for lack of accountability.

Chris Nickerson has chosen to bully me and throw dirt regardless of the truth. Many of you may know that I've been bullied other times in my life and so understand the pattern. One thing about bullies is that others don't like to stand up to them for fear of being targeted themselves. I'm asking you to stand up for me.

[..]

I'm asking that you don't sit idly by as bullies take out their aggression on those around them.

The notion that Chris Nickerson is "bullying" Mike Dahn is absurd. Comparing a few accusatory tweets to getting shoved in a locker back in high school is overblown to say the least. While Nickerson's tweets may be abrupt and born out of frustration, his intention is clearly not to bully; rather, it is to warn the security community of Dahn's suspicious activity. Trying to shift the premise of the entire situation to "being bullied", whether he is or not, is a desperate attempt to change topics and avoid the pressing questions.

If you have ANY questions about anything please feel free to call or email me directly.

This is another peculiar offer, since this entire situation was born out of the frustrations Chris Nickerson had when Dahn would not answer questions put to him.

Conclusion

In the interest of being open and fair to the community that helped build B-Sides, Mike Dahn needs to be more transparent in the operations and specifically the financial aspects of the conferences. Collectively, the industry needs to ask Dahn the obvious questions suggested by this article. Why aren't the B-Sides books open? Why hasn't the Not For Profit status been openly and honestly dealt with? Why were volunteers told to lie to vendors about NFP status to receive discounts? Why are we in this situation to begin with instead of having open dialogue with the community? These are but a few of the questions that Dahn needs to answer. Further, he needs to make an official statement regarding Not For Profit status, so that companies that donated under that premise can file amended tax returns if they wrote them off as charitable donations. This should all be done openly, in writing, to the community.

B-Sides is a great framework for conferences and should certainly push forward. However, in doing so, B-Sides needs new leadership that will keep the communities' interest first, their own second.