I’m writing this week from the Black Hat Briefings in Las Vegas, so naturally I’m traveling the blogosphere with the conference in mind. What I’m seeing is plenty of amusement but little surprise over what the hacking community has brought to the table this year.
And that’s not necessarily a bad thing.
Black Hat 2007 hasn’t seen the kind of controversy that erupted in past years, most notably the firestorm two years ago over researcher Michael Lynn’s demonstration of a Cisco router exploit, which Cisco tried to block with legal action. Black Hat and Cisco settled a lawsuit over the Lynn affair after conference organizers promised not to proliferate Lynn’s findings.
Here’s a look at what other attendees are saying about Black Hat in the blogosphere…
Security luminary Bruce Schneier delivered Thursday’s keynote, and while some attendees may not have heard anything new, Dean Takahashi loved his talk about the psychology of security.
He wrote in his Tech Talk blog that Schneier delivered “a wonderful assessment of how people perceive security and how we behave. He had a whole list of how people put too much weight on certain kinds of risks. We fear risks that are spectacular and downplay risks that are pedestrian. The same goes for rare versus common, personified versus anonymous, beyond our control versus within our control, immediate versus long term, sudden versus slowly evolving and so on.”
He agreed with Schneier’s assessment that people don’t behave rationally.
“You can deal with that in a good way or a bad way,” he said, echoing Schneier’s verbiage. “In a good way, you can educate people about it and allow them to make rational decisions. The bad way is that you can exploit them. Schneier says he sees the bad way happening in politics and advertising. He recommends reading books such as ‘Persuasion’ and ‘Moral Minds’ to gain some awareness of this issue.”
Black Hat attendee Will O’Brien was equally happy with a presentation from another well-known member of the security community, Johnny Long.
O’Brien wrote in the Hack a Day blog that Long’s presentation on no-tech hacking was a “fun talk that boils down to this: Loads of information can be gathered using low-tech methods. A small digital (or film) camera is ideal for shoulder surfing, identifying weaknesses, and assessing strengths … The commentary on the example shots is priceless.”
Mike Rothman, president and principal analyst of Security Incite, said in his Daily Incite blog that he “saw a few good sessions, met up with some old friends and made some new ones.” Given the significant growth of Black Hat, he offered some tips to survive the show. They include wearing cushy shoes.
“You don’t realize how friggin’ big Vegas is until you need to go between a few hotels for a meeting or just between some of the session rooms,” he wrote. “Some of my friends were giving me some angst about wearing Crocs on Tuesday night, but at least I was comfortable. Them in their alligator skin fancy footwear? Not so much.”
He also recommended attendees prep their livers. “Black Hat is all about the parties … Your liver will get some exercise this week and if you are as out of drinking shape as I am, it kind of hurts. ” He noted that the Mozilla folks tried to buck the trend by having a milk and cookies party on the first night. “I opted to skip that because I can get milk and cookies at home,” he said.
He also suggested attendees bring a translator. “Much of the security research happening now is being done outside of the US. Security truly plays on a global stage,” he wrote. “Unfortunately, that does create some language barriers when non-English speaking researchers present their findings in their native tongues.”
I think his best advice was for attendees to brace themselves for reams of technical detail.
“Some of the sessions are technically deep and make you think. A lot. Until your head hurts,” he wrote.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at email@example.com.