Hacking the Stage: John Donovan on RSAC, BSides SF, and the Human Side of Cybersecurity
In this episode of Breaking Badness, we sit down with John Donovan of ZEDEDA to unpack the lighter and more profound sides of cybersecurity’s biggest gatherings. From RSA’s unexpected baby goats and vendor booth antics to BSides San Francisco’s community-driven keynote stage, John shares personal stories, industry insights, and valuable advice on how newcomers and veterans alike can navigate events like RSA, BSides, and DEF CON. You’ll hear how he “hacked” his way onto the main stage, what it means to wear a “No Purchasing Authority” pin, and why protecting your mom from scams might be more urgent than defending your enterprise.
John Donovan joined Breaking Badness to talk about edge computing, his journey into cybersecurity, and some very unexpected highlights from this year’s RSAC and BSides San Francisco conferences. What starts as a technical chat becomes an insightful look at how community, volunteering, and humor keep cybersecurity grounded and accessible.
From Engineering to AppSec: John’s Unlikely Security Origin
John began his career building things literally: “I got to build a Shockley transistor in a clean room one time.”
But his true foray into security started when a web application at Xilinx led him to question how URLs could be manipulated to reveal customer data. “I looked at this and I was like… what if I change that URL and put ‘customerID=002’ instead of ‘001’?”
That curiosity launched a career in application security at a time when the internet was just beginning to reshape enterprise software delivery.
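The URL-tampering flaw John describes is what is now called an insecure direct object reference: the server trusts the identifier in the query string and never asks whether the logged-in user owns that record. The example below is added here to illustrate it and is not code from the podcast, from John, or from Xilinx; the customer table, the owner names and the URLs are constructed sample data, and the insecure and hardened lookups are hypothetical handlers written for this page.

```python
# Added example: the "change customerID=001 to 002" pattern from the episode,
# shown as an unchecked lookup beside an ownership-checked one.
from urllib.parse import urlparse, parse_qs

# Constructed sample data: records keyed by the id that appears in the URL,
# each owned by the login principal that is allowed to read it.
CUSTOMERS = {
    "001": {"owner": "alice", "email": "alice@example.test"},
    "002": {"owner": "bob", "email": "bob@example.test"},
}


def customer_id_from_url(url):
    """Pull the customerID query parameter out of a request URL, or None."""
    ids = parse_qs(urlparse(url).query).get("customerID")
    return ids[0] if ids else None


def lookup_insecure(url, session_user):
    """The original flaw: the identifier in the URL is the only thing consulted.
    Any authenticated user who edits the parameter reads someone else's record."""
    return CUSTOMERS.get(customer_id_from_url(url))


def lookup_hardened(url, session_user):
    """Authorize against the session, not the URL: the record must exist AND
    belong to the caller. Both failures return the same None so the response
    does not reveal which ids are valid."""
    record = CUSTOMERS.get(customer_id_from_url(url))
    if record is None or record["owner"] != session_user:
        return None
    return record


if __name__ == "__main__":
    url = "https://app.example.test/account?customerID=002"
    print("insecure, alice asks for 002:", lookup_insecure(url, "alice"))
    print("hardened, alice asks for 002:", lookup_hardened(url, "alice"))
```

The fix is not to hide or obfuscate the identifier but to derive authorization from the authenticated session on every object access; a framework-level check that every data fetch goes through something like `lookup_hardened` is what turns the anecdote into a test case rather than a finding.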
AI, Romance Scams, and Securing Our Parents
When asked what keeps him up at night, John’s answer wasn’t corporate breaches or ransomware. It was his mom.
“I’m really concerned about my mom… someone can now more easily fake her out.”
John discusses how generative AI and scams like pig butchering (also known as romance scams) threaten everyday people, not just enterprise environments. He emphasizes that the security community must improve how it communicates threats to the general public.
RSAC Expo: Puppies, Goats, and Vendor Hall Satire
This year’s RSA Conference had some unexpected stars.
“Not only are there puppies on the floor of the RSAC Expo this year, there are baby goats.”
He gives a shoutout to Orca Security for their puppy booth and adoption initiative, noting that it’s an example of how cybersecurity can serve a broader purpose beyond software.
John also shares his love for the RSAC vendor floor’s social quirks, including his now-signature lapel pin: “I currently have no purchasing authority.”
The pin, originally from a t-shirt created by John Dixon, is a crowd favorite among professionals who want to dodge hard sales pitches while still networking.
BSides SF: From Volunteer to Master of Ceremonies
One of the most memorable parts of this episode is John’s journey to becoming the MC of BSides SF’s keynote stage by accident.
“I just wanted to volunteer… A few days later they said, ‘You’re going to be the MC in the IMAX theater.’”
He fully embraced the moment by donning tails and a top hat, calling himself the ringmaster of the community conference. His commitment speaks to the heart of BSides culture: grassroots, inclusive, and creatively chaotic.
“You gotta bring your A game to BSides.”
He also highlights some must-watch talks from BSides SF, including:
- HD Moore on SSH fingerprinting and the “SSH Multiverse”
- Clint Gibler on “Human Vulnerability” in security
- Eva Galperin and her team on tracking cybercriminals (Electronic Frontier Foundation)
Videos from BSides SF are made publicly available after the event; check their YouTube channel for recent uploads.
DEF CON and Hacker Summer Camp: More Than Just Vegas Heat
Donovan walks us through his memories of DEF CON, Black Hat, and BSides Las Vegas, the triad that makes up Hacker Summer Camp. His main advice for newcomers?
“Pick some areas to look at… everyone will be friendly, even though some of them look a little scary.”
From lock-picking villages to social engineering demos, he recommends first-timers focus on their interests and not be intimidated by the lore or reputation.
He also shares an emotional moment from a recent year: “Savannah International named me a distinguished fellow… my wife came to Vegas for the first time in over 20 years to see it.”
Volunteering as a Career Hack (Literally)
John offers some solid advice for anyone hoping to speak at a major security conference:
“If you want to speak at a conference, volunteer first.”
Not only can it lead to opportunities like his own accidental emcee gig, but it also helps build relationships and credibility within the security community.
John also gives a plug for his podcast, The Candid CISO, co-hosted with Steve Tout.
Check out The Candid CISO Podcast
Watch on YouTube
That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools; all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
A special thanks to John Roderick for our incredible podcast music!