All Around My (Black) Hat
A report on the proceedings at the Black Hat security conference 2009
by Wendy M. Grossman
Bruce Schneier has often said that ethics are the only thing that separates a good security professional from a good criminal. The habit of mind, which he remembers having even as a young child, is the same: whenever he saw a system he wanted to figure out how he could break it.
This is what goes on at Black Hat: a bunch of (mostly) guys with that habit of mind do their best to impress each other by thinking up new and clever ways to break systems in front of several thousand more guys who also have that habit of mind. Which may explain why, when you can't connect to the Wi-Fi, the first 15 people you ask say they haven't tried it and that they've left their laptops safely turned off in their hotel rooms, or maybe even back home for added safety. A few waved mobile phones and said those were the only things they'd consider turning on in a dangerous crowd like this.
A few hours later, they were probably frantically turning them off again: one of the big trends this year was finding ways to hack mobile networks and phones, now that they're serious computers, too. Of course, everyone's favourite was the SMS that can kill your iPhone stone dead, but there were plenty of other scary demos to be had: the phishing SMS that looks like it's from customer service – but isn't, for example.
That lock-down-everything-tight response is understandable, especially since one of the speakers, Dan Kaminsky, finder of last year's DNS bug and this year's SSL flaw, had his Web server hacked, allegedly by Anti-Sec, and personal information published on the eve of the conference. (His site was taken off-line for repairs.)
It does seem unreasonable to apply Anti-Sec's complaint that "full disclosure" only empowers the security industry to this year's Black Hat. Many presenters noted that they had responsibly disclosed the vulnerabilities they found to the appropriate vendors and trade associations before any public release, and several – notably Joe Grand, Jacob Appelbaum, and Chris Tarnovsky's dissection of smart parking meters, and F-Secure's Mikko Hypponen's explication of the Conficker worm – redacted details that might otherwise have given prospective attackers a little too much help.
Besides, locking stuff down is only appealing when you're the one doing the locking down. In a long-ago experiment, the WELL established that people typically want anonymity banned for others, but not for themselves. Yet here was Robert Lentz, the Deputy Assistant Secretary of Defense for Information and Identity Assurance, in his keynote speech, repeating several times how important it is to get rid of anonymity on the Net.
"We need real world and cyber identities to converge," he said. He wants real-world identities with everything and multi-factor authentication with biometrics both off-line and on. Lentz also wants more cyberczars than the one Obama intends to appoint.
"In my opinion there needs to be a cyberczar just for identity because without that we're going to be done." Later, he added that another is needed for education and training.
Ultimately, Lentz believes that what's needed is a movement around cyberspace with the passion and commitment of the green movement. It was tempting to observe that he was soaking in it, but most of the security folks present probably understood that anonymity has its benefits. Otherwise, why complain that existing darknets are too hard to use and create a browser-based darknet to solve that problem?