The first week of August marks an annual pilgrimage of security professionals to Las Vegas for the Black Hat, DEF CON and BSides conferences. I’ve personally been making the trek for over a decade. It’s a set of events I simultaneously look forward to and dread more than any other week of the year.
I look forward to being in Vegas because of the crowd of security minds that gather to talk, share ideas and catch up on the goings-on of the previous year. And I dread it because a week in Las Vegas listening to talks, being social and interviewing people is one of the most exhausting experiences of my life. Here are some of the most interesting talks and conversations I experienced.
Hot Topics at Black Hat and BSides
I attended all three Las Vegas events: Black Hat, DEF CON and BSides. If you’re not familiar with BSides, it’s a type of counter-counter-counterculture event that’s put on purely thanks to the efforts of volunteers, and it’s free as long as passes last. It kicks off the week and features dozens of interesting speakers (including yours truly, on a panel about stress in the security industry).
One of the most important tracks at the conference was organized by a group called I Am The Cavalry and concentrated on the challenges posed by the Internet of Things (IoT). This track had many interesting talks, but my favorite was “Hack the Future,” given by Keren Elazari. While she mentioned many of the threats posed by the IoT, her main point was that the security and hacking communities can actually shape the future of the IoT by getting involved in creating the protections that this new wave of technologies will need.
Another important talk at BSides was given by Jen Ellis, called “Barely Legal: The Hacker’s Guide to Cybersecurity Legislation.” There’s a long history of legislation like the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) being used to stop research and to interfere with presentations at events, and there are potential changes to the Wassenaar Arrangement that are currently being discussed. Now that computer security has become part of the international conversation and something the public is fully aware of, legislators worldwide are paying more attention to the laws that govern security. This talk was an effort to educate security professionals about legislation we can’t afford to ignore and must make an effort to influence.
While not a track, one of the discussions I had many times at Black Hat was about the U.S. Office of Personnel Management (OPM) hack. The OPM attack from earlier this year has caught the public’s attention; leaks from the White House suggest that some sort of retaliation is brewing, and public opinion seems to support targeting the supposed perpetrator. Most of the security professionals I talked to expressed the opinion that this is a bad idea, primarily because attribution is a dicey proposition even in the best of situations.
The Future of the Internet
Along the same lines as BSides, Black Hat hosted a number of talks on legislation and the future of the Internet. Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, gave a keynote called “The Lifecycle of a Revolution.” She talked about the dying dreams of a free and open Internet. With lawmakers and law enforcement agencies around the globe calling for weakened encryption and tighter control over the traffic flowing through the digital pipes, Jennifer’s talk was especially timely and pointed.
In contrast, Leonard Bailey from the U.S. Department of Justice (DoJ) gave a talk called “Take a Hacker to Work Day,” explaining how the DoJ uses the CFAA to prosecute only a small number of cases each year rather than the hundreds that might be imagined by researchers and security professionals. My personal opinion is that while only a relative handful might actually get prosecuted each year, the threat of such prosecution is often enough to stop research from happening or talks from being given.
A Curious Absence
A perfect example of my last point was the ProxyHam talk, which was canceled under mysterious circumstances. The talk, on a privacy project that uses ham radio equipment to hide the physical location of the user, was pulled a month before DEF CON. Pulling it didn’t actually stop the talk from happening, though: Robert Graham and Dave Maynor from Errata Security built an equivalent device, HamSammich, on their own and presented it. This follows a long tradition at DEF CON of making talks happen, no matter how uncomfortable some organizations might be with them.
Looking back at the week, it’s easy to see that legislation and legal concerns consumed a lot of my attention. While these are not subjects that every security professional really wants to be looking at, as our lawmakers and the public become more aware of what goes on in the world of security, they are subjects we need to pay attention to. The fact that there were so many talks about the legal landscape is an indication that our industry is growing up and getting the attention we’ve asked for. Now we just need to make sure we make the best of that attention.