My Black Hat experience this year started off on a positive note. While waiting in a very long line to check in at the hotel I was wearing one of my favorite Linux t-shirts, which I got from the Linux Journal booth at LWCE San Francisco several years ago. It says "Geek by nature" on the front, and "Linux by choice" on the back.
Two ladies in front of me in line admired my t-shirt, at least the front of it, and asked if there was a punch line on the back. I turned to show them and they both laughed, saying that was great. Then one of them told me she had a license plate frame which read "Avoid the Gates of Hell, run Linux." I could instantly tell I was in the company of two very astute computer pros. We exchanged business cards, and before Black Hat was over, the three of us had enjoyed a wonderful dinner and I had recorded an interview with them both on their geek history.
I had been looking forward to a panel led by Black Hat founder Jeff Moss, made up of "researchers," end users, vendors, and customers, all brought together to cuss and discuss their views on the public disclosure of vulnerabilities. Moss got tied up elsewhere and didn't make it, which was a shame, because I had planned to ask him about the "disclosure" on the first day of the show which has received so much play in the media.
Who benefits, I wondered, from a staged, pre-recorded demo of an alleged hack of an Apple laptop, in which the presenters ignored the laptop's own built-in wireless device in favor of a PCMCIA wireless network card, simply to cause embarrassment to Apple users, when the manufacturer and model of the card allegedly being exploited weren't even revealed?
Not Black Hat; they will never be able to top Microsoft's record in the staged demo category. Not attendees; they learned nothing at all of value from the circus act. Most certainly not the consumers using the cards, which are allegedly at risk of a non-disclosed hardware-based hack. The press? Yeah, it could bring a few more eyeballs to some websites. The presenters? Sure, they got their 15 minutes of fame. The vendor? I don't know. Maybe.
To my mind, the panel was as rigged and phony as the Apple laptop hack. I asked who on the panel was in favor of full disclosure. Nobody came any closer than saying "It depends." The Microsoft rep remained silent, of course, as did the man from Sun, and the gentleman from Cisco.
The moderator -- sorry, I missed his name in my disappointment that it wasn't to be Moss -- asked the same question of the audience, then followed it by asking who was opposed to full disclosure. Both extremes came in at about 20% of the crowd.
I got the impression that the people on the panel simply viewed vulnerabilities as another form of intellectual capital, and all of them wanted to control it in ways that were most nurturing for their own bottom lines. Words like ethics, trust, honesty, came out of their mouths as they tiptoed around the issue. Who, I wondered, would trust Microsoft and Cisco and Sun to do anything at all but look out for their own best interests?
The "researchers" wanted to hold on to the information as long as possible because it gave them some sort of power over the vendors. Others simply sell the vulnerabilities, though I don't believe any on the panel fell into that category.
The moderator said he was shocked that nobody in the audience was protesting the public disclosure of vulnerabilities before a patch was ready, because of the damage it would do when the wrong people learned of it. So someone finally stood up and said that for him. If he had called on me, I would have told him that if the vendor was having a problem coming up with a patch or a workaround for the problem, public disclosure might produce the cure for the ill rather than exacerbate it. But I never got the chance.
Thank baud for free software. I would hate to live in a world where I was at the mercy of the people on that panel. That was the end of this year's Black Hat Briefings for me.
Now onward to DEFCON.