I was lucky enough to attend the 6th Annual Hacker2Hacker Conference this weekend in Sao Paulo, Brazil as a speaker sent by Sourcefire. As it was my first time in South America, the trip was an enlightening one - not only did I learn all about the awesomeness that are caipirinhas, the "unofficial official" drink of Brazil, I picked up a thing or two of interest about the network security community down in our largest neighbor to the south.

From a purely technical perspective, Brazil isn't much different from the United States - the people down there who make up the security community are professionals who know what they're doing, and they're working on interesting new web fuzzers, shellcode creation techniques, etc. Even though I speak only very minimal Portuguese, sitting in on some of the technical talks without translation still gave me the clear impression that these guys have the skills, and that anyone who might think otherwise because Brazil isn't a first-world country is sorely mistaken.

Where Brazil diverges from the US, though, is the perception surrounding the information security community. Heading down there is like taking a step back in time: the business community is extremely distrustful of the entire security industry, and the term "hacker" is nearly 100% synonymous with "criminal". The perception of anyone dealing with computer security in Brazil is so bad that Graça Sermoud of Decision Report, who led a panel discussion entitled H2CSO, or "Hackers 2 Chief Security Officers" at the conference, praised the bravery of those who joined the panel, given the potential risk to their reputations for doing so. The concept of White Hats vs. Black Hats is completely foreign to the Brazilian business community - and to most of the IT industry as well, according to many of the local conference attendees I spoke to.

That's not to say that the US is purely a bastion of enlightenment and forward-thinking people, of course; five minutes spent listening to CNN's coverage of anything computer security-related will show you that's clearly not the case. The difference is that here in the States, a substantial portion of the people making business decisions about computer security realize that just because you understand how to break into a network doesn't necessarily mean that you're doing so (at least not without the invitation of a company asking you to test its defenses), and that sometimes it takes someone with knowledge of how to be evil to stop truly evil people.

I'm sure this attitude won't persist forever; the fact that over 600 business professionals were watching the H2CSO panel live during the conference Saturday suggests that perceptions may be starting to shift in a positive direction already. In the meantime, though, if you want to talk IT security with someone in Brazil, you'd do well to keep in mind that your audience may not be as friendly as you'd think.