Vegas, baby! Black Hat, glitter, and pwnies

The first of a two-part series on the Black Hat USA 2008 security conference.

Image of Caeser's Palace from Black Hat site

Vegas, baby!

Continuing my tradition, I was in Las Vegas for Black Hat but didn’t attend the conference proper. My brother was able to come up from LA to meet me, so I decided to hang out with him instead — Vegas, baby!

This meant my Black Hat “attendance” was mostly networking at a couple of parties. Which certainly gives an interesting perspective on the conference ... in these more social settings, discussions are wide-ranging and informal, and there are opportunities for all kinds of different connections. Sites like Infoworld, Wired’s Threat Level, and Microsoft’s Ecostrat blog have great coverage of what happened during the sessions at Black Hat and Defcon, and are well worth checking out. Here’s my idiosyncratic view.

Kevin McLaughlin’s Learn From Lincoln, Says U.S. Cyber Chief on ChannelWeb is a particularly interesting lens for Black Hat, describing a talk by Rod Beckstrom (Director of the National Cyber Security Center in the U.S. Department of Homeland Security).

The article starts with Lincoln/fork-the-source and Bill of Rights/open source analogies and ends with

The rising tide of cybercrime dictates a need for stronger security, but privacy must also be preserved, and the IT security industry will play a central role in striking the proper balance between the two, according to Beckstrom.

“We can have more privacy and still have security. It’s about finding the right set of balances,” he said.

Wow. “Balances” always make me nervous, but I really like starting with the premise that more privacy can mean more security. I met Ori Brafman and Rod at lunch before their Microsoft Research Visiting Lecture on The Starfish and The Spider: The unstoppable power of leaderless organizations and came away impressed. The networked organizational principles they discuss worked well for us with Ad Astra (Analysis and Development of Awesome STRAtegies) at Microsoft and more recently with the Get FISA Right movement. Props to DHS for putting him in a role like that. Let’s hope he’s given the support and resources he needs to succeed.

I think of Beckstrom’s appearance as a lens because it highlights the importance of computer security and Black Hat/Defcon. I mean, for heavens sake, this is somebody who reports directly to Michael Chertoff, the Secretary of DHS. The feds are taking Black Hat seriously. In fact they’re taking the computer security and privacy community as a whole a lot more seriously these days, as Ryan Singel’s lengthy interview with Chertoff in Wired’s Threat Level shows …

Dan Kaminsky’s animation of DNS patch installation

And well they might: with reports of cyberwarfare between Georgia and Russia, and involvement from Estonia, and the potential Olympics/Tibet/Darfur cybertinderbox, the stakes are once again high. Kim Zetter’s DNS Flaw Much Worse Than Previously Reported and Kaminsky’s Grandmother Bakes Session Cookies for Black Hat and Bryan Krebs’ Kaminsky Details DNS Flaw at Black Hat Talk give complementary perspectives on the major major DNS vulnerabilities (with Bryan helpfully linking off to Dan’s detailed presentation). A month after Dan went public with information about the exploitability, 15% of the Fortune 500 still haven’t patched their computers (the animation above is a visualization that’s been watched by about 100,000 people) — and the patch itself is vulnerable. Death of Internet, film at 11? Probably not, but still: eeeg. Scary.

DHS Secretary Chertoff’s rather chilling statement in the Wired interview that the false positives, people that are on the multi-million person watchlists by mistake, “are not that large a number” is a reminder that stakes are high on the civil rights front as well. EFF’s Coders’ Rights launch proved particularly timely. The headlines in Kim Zetter’s DefCon: Boston Subway Officials Sue to Stop Talk on Fare Card Hacks — Update: Restraining Order Issued; Talk Cancelled and Federal Judge in DefCon Case Equates Speech with Hacking — Updated with Recording from Hearing tell the story … from EFF’s press release:

“The court’s order is an illegal prior restraint on legitimate academic research in violation of the First Amendment,” said EFF Civil Liberties Director Jennifer Granick. “The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion. Security and the public interest benefit immensely from the free flow of ideas and information on vulnerabilities. More importantly, squelching research and scientific discussion won’t stop the attackers. It will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes.”

In other words, the court’s interpretation is flying in the face of the Constitution and public interests, decreasing security, and only benefiting corporate interests. Kinda like telecom immunity, just with a different branch of the government.* Eeeg. Scary.

Not to make it sound like doom and gloom though … Black Hat in Vegas also features plenty of good clean fun …

a pwnie!

And pwnies!!!! (Pronounced “ponie”, etymologically linked to pwn2own.)

Eliot Philips’ Pwnie Award Ceremony on hackaday is an information-rich summary of the awards and also has great links to the “windows igmp kernel bug”, the “Debian epic fail OpenSSL bug”, and all the rest. The Debian bug is a real slap in the face for the people who cling to “with many eyes all bugs are shallow” without thinking about it: a superficially-plausible-but-clearly-wrong “bad fix” got checked in and nobody noticed it for two years. Oops.

Speaking of oops, the Wall of Sheep was particularly entertaining this year, as Jordan Robertson’s AP story Reporters booted from conference for hacking and Davey Winder’s The hypocrisy of Black Hat hackers exposed as reporters are expelled for hacking describe. I’m not kidding when I say I don’t check my email when I’m in Caesar’s during Black Hat.

And if all that’s not enough, there’s the Iron Chef Black Hat faceoff between fuzzing and static analysis.

More about that coming soon in Vegas, baby! Iron Chef Black Hat.

Vegas baby!


* speaking of FISA … Black Hat was also a good chance to explore something I had mentioned in Towards a rebirth of freedom: the recent anti-FISA activism largely failed to engage the technical community. A lot of Black Hat attendees had heard of “the group of FISA protesters on” and some even of Get FISA Right by name, and reactions were generally very positive. However, nobody I talked to had gotten involved. It can’t be lack of awareness; the story was in Wired and Slashdot (twice each) as well as NPR, Time, the New York Times, etc. So maybe it’s that this crowd doesn’t hang out on or Facebook, which is where our biggest membership bases are; and they’re not in general likely to give over their email address. Looking forward to the upcoming battles next year, this really seems like something to address.