August 19, 2015 By Martin McKeay 3 min read

The first week of August marks an annual pilgrimage of security professionals to Las Vegas for the Black Hat, DEF CON and BSides conferences. I’ve personally been making the annual trek for over a decade. It’s a set of events I simultaneously look forward to and dread more than any other week of the year.

I look forward to being in Vegas because of the crowd of security minds that gather to talk, share ideas and catch up on the goings-on of the previous year. And I dread it because a week in Las Vegas listening to talks, being social and interviewing people is one of the most exhausting experiences of my life. Here are some of the most interesting talks and conversations I experienced.

Hot Topics at Black Hat and BSides

I attended all three Las Vegas events: Black Hat, DEF CON and BSides. If you’re not familiar with BSides, it’s a type of counter-counter-counterculture event that’s put on purely thanks to the efforts of volunteers, and it’s free as long as passes last. It kicks off the week and features dozens of interesting speakers (including yours truly, on a panel about stress in the security industry).

One of the most important tracks at the conference was organized by a group called I Am The Cavalry and concentrated on the challenges posed by the Internet of Things (IoT). This track had many interesting talks, but my favorite was “Hack the Future,” given by Keren Elazari. While she mentioned many of the threats posed by the IoT, her main point was that the security and hacking communities can actually shape the future of the IoT by getting involved in creating the protections that this new wave of technologies will need.

Another important talk at BSides was given by Jen Ellis, called “Barely Legal: The Hacker’s Guide to Cybersecurity Legislation.” There’s a long history of legislation like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA) being used to stop research and to interfere with presentations at events, and there are also potential changes to the Wassenaar Arrangement currently under discussion. Now that computer security has become part of the international conversation and something the public has become fully aware of, legislators worldwide are paying more attention to the laws about security. This talk was an effort to educate security professionals about legislation we can’t afford to ignore and must make an effort to influence.

While not a track, one of the discussions I had many times at Black Hat was about the U.S. Office of Personnel Management (OPM) hack. The OPM attack from earlier this year has caught the public’s attention. Leaks from the White House suggest that some sort of retaliation is brewing, and public opinion seems to support targeting the supposed perpetrator. Most of the security professionals I talked to expressed the opinion that this is a bad idea, primarily because attribution is always a dicey proposition, even in the best of situations.

The Future of the Internet

Along the same lines as BSides, Black Hat hosted a number of talks on legislation and the future of the Internet. Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, gave a keynote called “The Lifecycle of a Revolution.” She talked about the dying dreams of a free and open Internet. With cries from lawmakers and law enforcement agencies around the globe to weaken encryption and tighten the reins of control on traffic flowing through the digital pipes, Jennifer’s talk is especially timely and pointed.

In contrast, Leonard Bailey from the U.S. Department of Justice (DoJ) gave a talk called “Take a Hacker to Work Day,” explaining how the DoJ uses the CFAA to prosecute only a small number of cases each year rather than the hundreds that might be imagined by researchers and security professionals. My personal opinion is that while only a relative handful might actually get prosecuted each year, the threat of such prosecution is often enough to stop research from happening or talks from being given.

A Curious Absence

A perfect example of my last point was the ProxyHam talk, which was canceled under mysterious circumstances. A talk on a project supporting privacy using ham radio equipment to hide the physical location of the user was pulled a month before DEF CON. Except this action didn’t actually stop the talk from happening: Robert Graham and Dave Maynor from Errata Security created an equivalent device, HamSammich, on their own. This follows in a long tradition at DEF CON of making talks happen, no matter how uncomfortable some organizations might be with them.

Looking back at the week, it’s easy to see that legislation and legal concerns consumed a lot of my attention. While these are not subjects that every security professional really wants to be looking at, as our lawmakers and the public become more aware of what goes on in the world of security, they are subjects we need to pay attention to. The fact that there were so many talks about the legal landscape is an indication that our industry is growing up and getting the attention we’ve asked for. Now we just need to make sure we make the best of that attention.
