My Blackhat Experience

Dave G. | August 14th, 2007 | Filed Under: Gatherings, Industry Punditry, Navel Gazing

First of all, I loved blackhat this year. I know it was quiet and relatively drama free compared to previous years, but it was just good to see a lot of old friends. For us, Blackhat was crazy busy. We had 3 talks and 1 panel. Plus we had a panel at DEFCON as well (making it the first DEFCON I had been to in many years).

THE TALKS

For those of you that haven’t spoken at Blackhat, it is a process by which things invariably go wrong and you find yourself pulling out your hair. I think it is a combination of busy season for our business, plus having to write talks, plus travel logistics, plus having to rewrite talks at the last minute just makes things super stressful. And, oh yeah, your business doesn’t disappear just because you go to Vegas.

Eric Monti spoke about DLP systems along with Thomas Ptacek. The research was awesome, and we are definitely not done talking about that space.

Tom spoke along with Nate Lawson and Pete Ferrie on Virtualized Rootkits. The hubbub was covered by the press, in articles like this one.

Jeremy and I spoke about FIX and how to assess FIX based applications. That talk was a lot of fun to build and deliver. We have been doing a lot of work in that arena, and it was great to get up on stage and talk about it. It was a shame we only had 20 minutes to give the talk. I expected this talk to be more contentious, but there was a lot of nodding in the crowd.

THE PANEL

This year I was asked to do the Sisyphean Vulnerability Disclosure and Ethics panel, moderated by David Mortman and Paul Proctor. The panel included Rob Graham/Errata, Window Snyder/Mozilla, Jon Stewart/Cisco, Ian Robertson/RIM, Steve Lipner/Microsoft and myself. These were the parts of the panel I enjoyed:

  1. When asked the dreaded “Would you hire a hacker?”, neither Lipner nor Stewart touted a party line like “We don’t hire hackers! EVIL!”. Instead they spoke about how they hire people, and gave a war story or two.

  2. Someone asked Window how Mozilla balances profit motive against developing secure software. Ok, they asked all the other vendors that too, but it was still funny to see someone ask a non-profit the corporate greed question.

  3. The discussion on ethics around zero day signatures a la TippingPoint. I wrote about the risks of this in 2005. Maynor and Graham proved that this is something we need to be thinking about.

  4. The discussion of vulnerability markets came up, and should researchers get paid for finding and reporting vulnerabilities to vendors. I wish we had more time to talk about this.

  5. I got to do this panel twice. In and of itself, this wasn’t that interesting. But doing it once at DEFCON and once at Blackhat reminded me how different the views were between the two conferences’ attendees. On a related note, I’m old.

  6. My dislike of panels is only surpassed by my desire to talk.

The biggest problems with this panel are:

  1. Agreement. We all agreed way too much. Need differing opinions or at least devil’s advocate.

  2. Committing to something. It is difficult for people to really take a stand on any topic. It is hard to say something meaningful when you can’t necessarily speak for your organization on every topic.

These, by the way, are challenges for every panel on Earth.

THE PWNIES

Finally, the Pwnies happened this year, which I was really excited about. It came together at the last minute, but was a lot of fun. Mad props to Alex S., Dave A., HD Moore, and Dino Dai Zovi for not only being some of the most talented folks in computer security, but also the funniest. Also, to Jeff Moss for giving the Pwnie awards a home. It got a shocking amount of coverage.

9 Comments so far

  • PaulM

    August 15th, 2007 12:51 pm

    Did anybody ever end up actually getting their Pwnie?

  • Dino

    August 15th, 2007 6:07 pm

    We have photographic evidence that skape has received his Pwnie.

  • David Mortman

    August 16th, 2007 3:23 pm

    Thanks again for doing the panel! I really appreciate it.

    -DM

  • Scott

    August 17th, 2007 3:36 pm

    Any projected time frame for releasing the presentation from the DLP discussion? There was also a checklist described that would be released. I am currently in the midst of a large DLP project where this information could be useful.

    Thanks!

  • Adam

    August 17th, 2007 11:28 pm

    Technically, Mozilla.com is no longer a non-profit.

  • Thomas Ptacek

    August 20th, 2007 11:04 am

    Scott, I’m overdue on getting that stuff up, and apologize. It’ll be up early this week.

  • Scott

    August 20th, 2007 3:49 pm

    No Worries. Thanks for your efforts.

  • merlin

    August 22nd, 2007 1:38 pm

    Are you posting the FIX presentation as well? Since it was cut short, I’d like to see the rest of the slides.

    thnx

  • dre

    February 6th, 2008 1:22 am

    I have just downloaded both talks from the Blackhat US 2007 Video depot at EasyNews and grabbed a bag of popcorn.