The Black Hat Conference in Vegas
Black Hat was heavily attended, but it's not only the numbers that count. Not all the feedback from the attendees has been positive, as some people present didn't feel they got their money's worth (attendance cost almost $1000). One frustrated visitor told me, "Last year they had more and better quality content. Most talks were so general that I just could read one article and know the same. No tricks, no tools, no nothing". For example, a talk on WIN2K and SQL Server described one exploit and that was basically it. The talk lasted less than half an hour, and the main point was that you should have the correct patch installed. One journalist said that the food was always the same and not of great quality, which drew cheers from some of the audience. The entire event struck people as chaotic. For people who arrived somewhat late, like me, the press desk was closed, and no more binders and other conference goodies were available.
On a more positive note, the network infrastructure was basically cool. For people with 802.11b the conference was great, since one's own laptop worked. Mine, running 2.4.5 and WLAN-NG, worked instantly. Funny that at a security conference many people are using WLAN (unencrypted) together with Windows and Outlook.
Bruce Schneier, who was going to testify before the US Senate on Monday July 16th, gave a good speech. His Senate testimony lasted five minutes, but he gave us a 30-minute version.
He talked about how people look at computing as something mystical that should be treated so. But for many tasks it is the same as normal life, and total security cannot be reached. This is a concept we accept in real life and so should we in computing. For example, a normal store can take action to reduce shoplifting but cannot fully prevent it. Depending on the situation you decide what to do. The same goes for the on-line world. A bug that can be exploited on a web site doesn't automatically mean you should shut it down. For instance, an on-line store should not close the week before Christmas. Of course one should spend energy on prevention, but a certain amount of risk should always be accepted. People should also work on forensics and increasing the chances of catching intruders, Schneier said. Intrusion detection isn't getting enough attention.
Another interesting story came from attrition.org. They told their story to a packed room with at least 400 people present. attrition.org consider themselves to be a hobby site and think that is the only thing that actually works. That way, people don't feel you are earning money on them. With sometimes over 300 reports coming in per day, they had to do a lot of work. After verifying the defacements, a procedure automatically mailed several parties. One of those parties was CERT, which asked attrition to stop sending the bulletins. After pointing out that this ought to be of concern to CERT, CERT made a special mailbox for attrition. Since no response was ever made by CERT, however, nor did any advisories come out, attrition.org thinks that mail is redirected to /dev/null.
Recently Michelle Delio wrote an article for WIRED about the Chinese war, which didn't exist until the article came out. The next day the number of reports about it went up dramatically. The Chinese CERT bounced e-mail to attrition with the notification MAILBOX FULL. So, slowly attrition has turned into a security site. During its years of operation, it has twice been forced to deliver information to the FBI. Both times attrition sent a $28 invoice, which was promptly paid by check. Throughout the entire story it appeared that most script kiddies are too stupid to realize what they are doing. Sometimes the attacker delivers all the information on who he is, how he broke in, etc., in the e-mail. That is information that legally has to be delivered to the authorities. Maybe this session educated them a little bit.
In one of the final sessions, a "Meet the Press" panel, it appeared that security experts are annoyed that Microsoft gets so much attention while other security issues are regularly overlooked. Alex Wellen of Tech TV recognizes that sensational reporting is a big issue. "TV is the worst medium", he said. The general opinion was that one ought to be objective, but it is nearly impossible, especially when the subject is security: objectivity is inevitably steered by the choice of which response is broadcast and which isn't. On the question of whether companies like Microsoft or Oracle change the way the news is presented, the panel (including Bob Sullivan from MSNBC) denied that companies pressure journalists. Rob Lemos from ZDNet/CNET, though, added that Microsoft talks with the press after publication (off the record) and will try to change their mindset.
Upon leaving the Black Hat conference, most people were on their way to the Alexis Park resort to attend DEFCON.