Tragedy marked this year’s Black Hat Conference even before it began, with the passing of famed security researcher Barnaby Jack, who was due to give a presentation on hacking medical devices at the annual Las Vegas confab. But, Jack or no, the show went on, bigger and better than ever. Trade show trappings like vendor booths, swag and company-sponsored shindigs were nowhere to be seen at Black Hat five years ago. This year, many attendees commented that the hacker con looked more and more like its straight-laced relatives, such as the RSA Conference.
For some perspective, I sat down with three gentlemen who have seen their share of Black Hats: CA Veracode executives Chris Wysopal, Christian Rioux and Chris Eng. We talked about their perspectives on this year’s show, how Black Hat has changed over the years, and about the significance of Barnaby Jack’s death to the security community.
Paul Roberts: What was your first Black Hat?
Chris Eng: I think the first time I came to Black Hat was 2004.
Chris Wysopal: Yeah. Mine was about the same. Maybe 2003.
Chris Rioux: I went to the first Black Hat, briefly, which was here. My first DEFCON was DEFCON 4 in 1996.
Paul Roberts: And what changes have you noticed?
Chris Wysopal: Well, just for full disclosure, I’m on the Black Hat review board, so I have some insight.
Chris Rioux: All those years, I’ve lost my hair and he’s kept his. That’s the biggest change.
Chris Wysopal: Obviously, over time the talks have increased. There are three tracks over three days. There are something like 800 submissions. I think the quality of the talks has stayed. From the early days where you had a single track with names like Jennifer Granick and Bruce Schneier and Mudge to today, where nobody can know who all these people are, but I think the quality has stayed. Which is an interesting thing to think about.
On the other hand: the most obvious change is the expo floor, which went from nothing to two or three booths to a small room to now, where it almost feels like RSA. It’s almost become like two conferences. The technical track hasn’t diminished, really. If you want to come and learn the technical stuff you can still get that, but if you want to come and buy products, you can come and find out about them.
Paul Roberts: And there are all these small, regional cons that have sprung up.
Chris Wysopal: Right. And then…what? Is this the third year for B-Sides (Las Vegas)? So now you’ve got two cons (conferences) going on at the same time, and then followed by DEFCON, of course.
Chris Rioux: I just got back from (B-Sides) and they’ve grown quite a bit. They’re up to around 1,000 people. Big enough. They’ve overflowed the Artisan Hotel and now they’re at the Tuscany. So it’s good. These things grow.
Chris Wysopal: I think it shows that the security field is just totally booming. This just mirrors that.
Chris Eng: I think a couple of things. Other than the fact that Black Hat is becoming more commercial and that the expo hall has quadrupled in size over the past couple of years. But to me, looking at the schedule, it seems as if the talks have started to tend towards the more pragmatic. Not completely. There are still the very sensational and headline-grabbing stories, which you want to have at a deeply technical conference. But there are talks that have been accepted that are much more practical – kind of take home and use. There’s one, for example, that Steve Christey and Jericho are doing on CVEs. That’s not “Oh, I’ve found a zero day in something,” but “here’s something that we learned that you might take back to your organization and improve the way you do things.” That’s a good shift, because it’s a way for practitioners to justify coming here – not to learn about some cool new stuff but to bring something home and improve what they’re doing.
Paul Roberts: It seems as if Black Hat was a slightly less irreverent version of DEFCON with more emphasis on defense than offense. Now it seems as if that gulf has grown, where Black Hat is becoming a very professional, corporate…
Chris Eng: Chris and I are wearing suits.
Paul Roberts: With a tie, actually.
Chris Eng: That’s one thing that has changed.
Chris Wysopal: We joke that we’re in stealth mode because nobody would recognize us.
Paul Roberts: (Laughing.) Right. Someone’s going to call you a “FED.”
Chris Wysopal: Yeah, well we would not wear this at DEFCON. I think what Chris says is true. And it’s additive. The biggest hacks of the year like Barnaby’s talk on pacemakers, the SIM card hack, the femtocell hack…the car hacking.
Chris Rioux: For nontraditional platforms, like embedded systems and things like that, people are starting to notice that, by the way, stuff like that is never patched or updated, so if you find a vulnerability in a platform like that it will be there forever. (Laughs.)
Chris Wysopal: But for most researchers, it’s still the place to get the biggest stage for your research.
Paul Roberts: What presentations did you circle in black on your program – saying ‘I have to make this session’?
Chris Eng: I want to go to the SIM card talk – Karsten Nohl’s talk. The RFID talk from some of the Bishop Fox guys sounded interesting. Alex Stamos and a couple other guys are doing a talk called Cryptopocalypse that I don’t know much about, but which sounds interesting.
Chris Wysopal: I want to go to that also. I got a bit of a preview from Alex. It’s really interesting. Basically, they’re saying “look at the data points out there on the RSA algorithm and how, steadily, over 30 years of research, it has gotten weaker and weaker and weaker.” Their prediction is that there’s a 20% chance that in the next five years the RSA algorithm will be broken. They’re like “this would be like an asteroid hitting the earth, because every single Internet transaction is secured with this.” What if all of a sudden it’s broken? What would we do? Their point is: if we thought there was a 20 percent chance of an asteroid hitting the earth, we’d do something to plan for that; we wouldn’t just say “well, maybe it won’t!”
Paul Roberts: Well…there’s an 80% chance that it won’t! ;-)
Chris Wysopal: Right. There’s an 80% chance that it won’t, but it’s eventually going to happen. Right? That’s the thing. They think eventually it will happen. And they came out with some interesting data points to show the trends. One of the most telling was that when the NSA came up with their Suite B of approved algorithms in 2006, RSA wasn’t on it. And when the Russians came out with their list in 2010, RSA wasn’t on it. So, I don’t know, maybe the NSA knows something we don’t.
Paul Roberts: Chris (Rioux)?
Chris Rioux: In general, I don’t come to Black Hat for the talks. I really use this show for building my network. I love a good speaker and good topics, but usually, out of a slide deck, there are three slides of new material. They might be game changers - a huge deal. But I’ll spend a day after Black Hat going through the slides.
Paul Roberts: Final thoughts: Barnaby Jack’s passing? A huge loss for the community and for this show in particular, where he was scheduled to speak.
Chris Wysopal: He always had the presentation that everyone wanted to see. He had a knack for doing stuff that could show how vulnerabilities were interesting to the average person. It translated to the mainstream.
Paul Roberts: He was a showman in addition to being an amazingly talented researcher.
Chris Eng: He was very good at getting the message out to people. But he was also the most kind and genuine person. I’ve never heard anyone say a bad word about him. He was always very welcoming.
Chris Rioux: He was a rock star but didn’t act like it. Of all the people I know who had the temptation or the opportunity, he was always a gentleman about it.
Chris Eng: It was a huge loss for the industry.
Paul Roberts: Hey – Chris, Chris and Chris: thanks for taking the time to talk to me!