Black Hat USA 2007 was fast-paced, fun, and informative. It demonstrated that security is big business. The halls were lined with vendors, some new, some old, and the smell of money was everywhere. Still, I'm left thinking this year's show had a different tone to it than last year's.
Maybe the Pwnie Awards on Thursday night were responsible. Or maybe it was the crowds in the halls between sessions. Or it may have been the cossack from Hackistan, without a doubt the most popular booth magnet at the event, working the crowd passing by Fortify Software's stand and doing a great impression of Borat as a fast-talking hacker, offering free maps of Hackistan -- the white folder he passed out contained nothing at all -- in exchange for the attendee's Social Security number, camera, or laptop.
The Third Annual Black Hat No Limit Hold 'Em Poker Tournament -- hosted by Arbor Security and offering a $500 top prize -- had a waiting list for entries a week before the show. I stopped by as the action was getting started and saw there was not a seat to be had at any of the tables.
Almost every session I attended was packed to overflowing. H. D. Moore and Valsmith's presentation on Tactical Exploitation was one example. Tony Sager's talk on the NSA was full, too, but not impossibly packed like Moore and Valsmith's. So many people were talking about attending the Iron Chef Black Hat presentation at the end of day two -- with two hackers competing to see how many vulnerabilities they could find in a single application -- that I didn't even try to get into that room. One interesting session I sat in on was about hardware hacking, as Luis Miras described how to do it and then demonstrated taking over a presentation with his hack of a Kensington Wireless Presenter.
Find hacking such devices boring? Not concerned about someone hacking your wireless presenter? Think about this: wireless keyboards can be hacked in much the same way, and ditto all sorts of home security devices. The physical details may vary, but the concepts are the same -- and sometimes the security of such devices matters very much.
There were more journalists this year than I've seen at previous Black Hats, and the press room was generally a busy place. Ovie Carroll -- a.k.a. Fuzzy Gopher and cohost of "The CyberSpeak Podcast" -- was sitting next to me at one of the tables in the press room Thursday morning. I overheard bits and pieces of his conversation with Phil Zimmermann, who did a presentation on Z-Phone at the show. Ovie is an ex-OSI agent who has worked everything from murder to cyber attacks on the Pentagon.
At lunch on the second day of the conference I sat at a table with Tammy, a Distinguished Engineer with Novell working as a security architect across both Netware and SUSE Linux, Ryan; a senior program manager with Microsoft whose focus is networking; a security architect from EMC; and a manager from Computer Associates who is involved with network security.
The conversation centered on security first, then on software development in general. We talked about the notion of a super programmer, a Buddha, someone whose code was respected for no reason other than the respect of the author's name. We also talked about the problems of generating quality code in a world focused not on security and quality, but on time to market. Ryan pointed out that functional code, quickly developed by a super coder, is probably not of the quality that will last in a production environment. We also considered the invisible line dividing maintenance coders from those who work only on new development, along with the problems associated with giving those on both sides of the line a real career path. Everyone contributed interesting points and experiences, and as we left the table, long after the patient wait-staff thought we should have, I felt like I had been immersed in a one-hour seminar on the perils and pleasures of programming in the corporate world.
I had one particular question in mind when I came to Black Hat this year: who does the the black hat ops for the United States? Unfortunately, I still don't have a good answer for that, though I probably have a better understanding than when I arrived. Black Hat and Defcon are crawling with feds each year, but all the feds who are willing to talk even in general terms about what they do say they are involved in keeping the bad guys out of our computers, not breaking into the Department of Defense systems in Hackistan, or wherever.
I'm pretty sure that the NSA breaks into computer systems to gather intelligence on a regular basis, but my guess is that a number of different agencies are outsourcing similar work to consultants around the globe, much like the DoD's use of such firms as Blackwater for military and psuedo-military operations. If you have thoughts on this question, drop me a note, I'd like to hear them.
Black Hat 2007 is done. Time to get ready for Defcon.