Monday, June 23, 2008

Why isn't Satan invited to O'Reilly conferences?

Since we are talking about Ruby vulnerabilities, Blackhat, and other such things, I thought I would take this as an opportunity to respond to something I have read lately over on O'Reilly Radar. In a post entitled “Satan on my friends list” a blogger named Jim Stogdill draws a comparison between O'Reilly conferences and Blackhat with a quip that he “can't recall Satan making a single appearance in an O'Reilly conference program.”

Now let me start by saying I am a huge O'Reilly fan. Almost every time I need to learn something new I grab the O'Reilly book on the subject and in recent months I have found that Safari is indispensable as I have been navigating the world of C#, ASP.NET, and Windows Form Development. I even have O'Reilly Radar as a subscription on my Kindle, which is how I read this post the first time.

My first reaction is to blast him with something like “The real difference between O'Reilly Conferences and Blackhat is that nobody I know who speaks at Blackhat would try to write a post like that.” I waited though. I let the topic roll around in my mind. I even read the Blackhat response to it.

I love Blackhat, I have spoken at many of them. I love the people that run the show, and I love the attendees. I have made lifelong friends while attending the shows but most importantly, I have learned as much from audience members as I have taught.

I know how hard it is for speakers to write good presentations. With so many tracks, so little time, most conference attendees have a few minutes to pick the next talk to attend and will often go with the best sounding title. If you look at a few of my presentation titles:

Device Drivers – Don’t Build a House on a Shaky Foundation
Trust No-one, Not Even Yourself OR the weak link might be your build tools
Data Seepage: How to Give Attackers a Roadmap to Your Network
NX: How Well Does It Say NO to Attacker’s eXecution Attempts?
SCADA Security and Terrorism: We're Not Crying Wolf!

They all seem sensationalist but you have 30 seconds to grab someone’s attention and convince them you are worthy of 50 minutes of their time. Could you imagine if college students could choose any class they like and professors were judged on not just course content but how they are rated by students and how many people attend? Professors would have class titles like “Intro to Physics: The study of bodies in motion” or “Calculus: a primer for understanding and making money in the stock market” or “18th Century Romantic Literature: how to read porn without looking like a pervert”.

The part that irks me the most about Jim’s blog entry is the last paragraph where he summarizes the Blackhat spectacle with the standard fare of tattooed people, brief thrills, low moral values, and every security researcher just waiting for a big payday to switch sides and become evil.

I wonder if this is how he really sees Blackhat and other such conferences. While Defcon does attract a wide range of Geeks, it seems that Blackhat is far more kosher for the business crowd. You have the vendors with their snazzy little booths, you have every facet of Enterprise security represented from the make-it-happen engineers to the long pontificating strategy-based CTOs. The keynotes are always interesting and the lineup is mostly relevant to people working in the trenches today. I remember the first Blackhat I ever attended, I saw Dan Kaminsky speak about his Paketto Keiretsu tools that included scanrand, a high speed portscanner. I was working at a large university at the time and immediately implemented this tool as a way to scan 3 and a half class B networks for open ports we were interested in. Using this we could easily track down malware that listened on a port as soon as possible. It would take less than 10 minutes to do as opposed to several hours with nmap (note: I am not knocking nmap, it’s a great tool).

In my last post, I mentioned that although the current Ruby vulnerabilities are new, I first saw material covering flaws in interpreted languages, Ruby to be specific, at Blackhat Tokyo in 2005. Although even my (and the original man in blue Mr. Johnny Cache's) Apple MacBook hack presentation was controversial and hashed and rehashed into the ground, the result was that a number of flaws in wireless drivers were closed. Some of these were as simple as setting the SSID of a wifi beacon packet to greater than 100 bytes.

As far as every “white hat” just waiting for a payday to make a switch, I find that personally insulting, and I think it is insulting to the largest group of creative and intelligent people I have ever been a part of (the Blackhat speaker alumni). The people who speak at Blackhat go from poor college kids (Johnny was in college when we presented in 2006) to former presidential advisors like Richard A. Clarke. This group of people is dedicated to combating security problems and providing the good guys ammo in the continuing arms race that is security. I, like many other security professionals, have received unsolicited offers to purchase 0day, to write worms, or even requests to help crack a girlfriend's Gmail account. None of these offers are entertained, let alone offer any temptation.

Blackhat has a long and distinguished history of getting information into the hands of people that can make use of it and actually doing something about it. So in response to Jim’s post I offer this thought: maybe it is time for Satan to make an appearance at an O'Reilly conference.

1 comment:

Jim said...

Hey David,

Thanks for not slamming me! I sure didn't mean to irk anyone in the security realm. I'm sure you could tell my post was tongue in cheek and I was poking fun at both sides of the "features" vs. "security" equation. Like I said in the post, I've attended events from both and I appreciate Blackhat for the technical depth at the presentations (which is why I wrote here a follow up post to something I first learned about at Blackhat DC).

The post was mostly just a metaphor for the tension between expansion and innovation on the web and the security issues that stem from unchecked innovation (and also a little bit of fun).