
Black Hat / Security B-Sides / Defcon Thoughts (finally)

Bugger me, I'm still exhausted from 6 days in Vegas. :) It doesn't help that I caught some sort of ugly nasty cold bug there (along with 100s of my closest friends it seems). Normally I'd call it a good exhaustion, and generally this is true, but being sick (not just "confluenza" as Niki7a termed it) certainly has taken some of the wind out of my sails.

Overall, for my first trip to BH/DC/etc, I was actually pleasantly surprised, despite thinking that my worst fears had been realized about half-way through things. In general, I hope that I didn't make too complete a fool of myself (I certainly did act foolish at times). This event certainly was positive enough to warrant adding it to my ever-increasing list of "must attend" events.

Things are increasingly hazy now, so I figure it's time I hit some of the salient points that made this conference extremely valuable and worthwhile to me. Hopefully my breakdown here is logical, at least in certain dimensions of the multiverse. :)

Black Hat

I'm annoyed and perturbed to say that I missed it almost completely. It's mostly my own fault, but in general I just couldn't make the trip back and forth between Security B-Sides and Caesars quickly enough to catch everything. In particular, I really wanted to hear Schneier's "Reconceptualizing Security" talk, the Hutton/Mortman Model talk (which was sadly scheduled opposite Schneier), and a few of the other talks on new breaks, such as Kaminsky's SSL/X.509 talk and the one on the iPhone attacks.

As usual, BH did not disappoint with interesting, if not overhyped, breaks. Overall, though, the content seemed to be generally fine from what I've heard.

About the only thing I did manage to do was spend a little time wandering through the vendor expo, small though it was, just to see who had bothered to pony up for the show. Of the couple dozen booths at most, I was surprised to see a handful unstaffed some or all of the time (including Cisco when I walked by). That seemed rather odd to me. Why bother paying good money for a booth if there's nobody there to talk up your wares? Yes, I realize BH is not RSA, but it is certainly more corporate than the other cons. I'm just sayin', it struck me as odd...

Security BSides

Hands-down the most amazing success of the week was Mike Dahn pulling off the rapid setup and execution of the Security BSides mini-con. This event was launched in conjunction with Neighborcon through the generous support of the 303 crew, without whom none of it would have been successful. It came about as a result of reaching a tipping point where so many quality speakers had their presentations rejected that the humble masses made sure they could still see the speakers they desired.

The crowning jewel of BSides, imo, was the standing-room-only "Feathers will fly Panel" that saw 7 successful women in infosec discuss professional image and gender issues as faced in this historically boyz-oriented industry. What I found particularly remarkable was the spectrum of opinion within the panel itself. 7 women, all of whom could be termed feminists in their own right, each had nuanced opinions that, while not necessarily in discord, certainly were not carbon copies either. In speaking with some of the panelists later, as well as other audience members, it became clear that this topic was of great significance and importance, benefiting the industry as a whole. I personally look forward to seeing more in this area.

Beyond the panel, there were several very good talks from key industry luminaries such as Jen Jabbusch, Mike Kershaw, Val Smith, and HD Moore. This doesn't even get into the Neighborcon talks and all the other amazing goodness that I missed over the course of the day.

Of course, talking about the success of BSides would be futile without a special call-out and major thank you to Jack Daniel for taking up the reins and seeing things through when Mike got called away. Jack's efforts, combined with those of key 303'ers like Chris and Jeff, made this event successful through sheer brute-force effort. If you know any of these guys, be sure to thank them heartily, because they've helped chart a course for an entirely new style of conference going forward.

Defcon

Of all the cons happening during the week, I was most concerned about Defcon. And by concerned, I mean I was pretty much terrified. I'm just a boring white guy with normal colored hair and generic, if not outright boring, clothes. I don't even have any cool claims to fame such as being able to legally carry a gun and badge. My worst nightmare was that I would go to the daytime events and then sit alone in my hotel room all night because I just didn't fit in. Thankfully, this did not come to pass. It turns out that there are lots of nice people to hang out with. *whew*

In retrospect, I didn't end up attending nearly as many talks at Defcon as I'd hoped. I honestly don't know where the time went. It seems like the con flew by faster than one would have expected. Or maybe I was just too exhausted from the long nights. At any rate, what I did attend was fascinating, and what I observed was even more interesting.

First and foremost, despite the presence of many kiddie posers and other wannabe oddballs, I found this crowd remarkably normal. Maybe I've just been in the security community long enough now to not be thrown by much, but I thought everything was fairly mature and interesting.

Second, I found the relaxed quality of most talks to be most enjoyable. It was not too dissimilar from the effect achieved with BSides, but in a much, much larger venue. The Def Jam panel on FAIL was particularly amusing, while the turbo talk on abusing the credit reporting agencies revealed just how much time and effort people are willing to put into reverse-engineering processes for gain. That talk, in particular, showed me just how screwed we really are in the current security model. Any technology, any control, any reaction can be foreseen and side-stepped. The security industry as we know it is broken on many levels, not the least of which is thinking that this is a truly winnable zero-sum game.

Hallwaycon

Perhaps the best aspect of all of these cons were not the formal presentations themselves, but the side conversations that happened all over the place. Whether it be at lunch, dinner, breakfast, in the hallway, in the recovery rooms, etc., there were simply too many outstanding people not to meet, hang with, and just simply enjoy being around.

I cannot overstate the inherent value in the social networking aspects of all conferences. This is an aspect that I long overlooked and missed in my early days attending conferences (as far back as 99/00). Sure, it's worthwhile to focus on the training and education opportunities, especially early in one's career, but overall it's the people you meet who will help you be successful in the long run.

The week of BH/BSides/Defcon was certainly no exception to the above rule. I met so many amazing people that I absolutely will not name names for fear of leaving someone out. I will say that I did finally meet a few "big names" whom I'd been hoping to meet over the years. More importantly, I met new faces who I wish I'd known years ago. Bloody wonderful that was.

Partycon

In addition to the daytime Hallwaycon activities, one cannot mention Black Hat or Defcon without talking about the parties. Sooooo many parties, and generally so much better (and different) than RSA. Good stuff. As usual, I had very few formal invites to much of anything, but that didn't seem to matter. Heck, I was even admitted to the 303 party after willingly being flogged (true story).

I've found over the years that Partycon is often an even more important social networking venue than Hallwaycon. There's just something about lubricated conversation that seems so much more enjoyable and collegial than the hungover conversations during the day. Don't drink? No worries, I'm sure you'll do ok anyway. In fact, I met at least one groovy person who doesn't drink and look forward to developing the friendship going forward. How often can you say that about life?

Ups, Downs, and General Commentary

So, to say the least, the week was filled with many ups and downs. Ever the self-analyst, I figure there's value in reflecting on some of these thoughts...
* Up: Meeting amazing people. Nowhere else would I ever have the wonderful experience that I did in Vegas.
* Up: Getting into cool parties and Jet. HUGE thank you to Michelle Schafer for letting me follow her around to the Jet nightclub, in particular. That was a truly unique experience that I will not forget.
* Down: Pillow Fight fail. Lots of planning and support went into the EFF fundraiser pillow fight, out of which grew the "Feathers will fly Panel" at BSides. In the end, fate conspired against the organizer and the event simply failed to execute. The good news is that $600 was raised for EFF.
* Down: "Early" nights. Ok, I somewhat exaggerate here, but I was rather disappointed that many nights ended by 2am, and probably could have been ended sooner (if I'd been smart). Apparently we're all getting old or something? D'oh... :)
* General: I so do not fit in with the hacker crews. Seriously. I'm just not a breaker, at least not at that level. I'm more of a Layer 8 breaker, and from an institutional perspective. Maybe some day people will understand and accept that as having a legitimate place at the table. Until then, I can only aspire to being cool enough to join a crew.
* Down: Adam Savage press conference cancelled. I refused to waste half my day Saturday at Defcon standing in line to see him talk. Instead I went to other talks. Why would I do this? Mainly because he'd been scheduled to give a press conference afterwards. Which was subsequently cancelled, which, frankly, really made me mad. I mean, I'm sorry, but you can't spend time with new media (who dominated the press)?!? Bad form... I even had a very good, legit question to ask him... but oh well, screw him...
* General: We are all definitely getting older. Ironically, while this is true, we 30 and 40 somethings still represent the up-n-coming generation of security professionals. How weird is that? I hope never to be like the older generation, which balked (hard) at BSides and the under-current of change that they were seeing. I always find it intriguing when the original revolutionaries become mainstream and then get upset over the next wave of revolutionaries. The more things change, the more they stay the same. :)
* Down: The Vegas cold bug. I'm always worn out and sick'ish after most cons, but this bug was special and wiped out many people. I'm finally feeling closer to normal nearly a week later, but this was not helpful. Too much work, too little time, and in particular too many deadlines looming in the next week (eep!!!). Yes, RSA USA 2010, I'm talking about you!
* Up: Change in the industry is not only possible, but extremely likely. To what? No idea. What's painfully obvious is that we're currently playing a losing game. Something's gotta give. A complete change of the rules is needed.


Comments (2)

This is an awesome summary, dude. I soo need to steal some of the stuff from it - or at least link to it :-)


I publish under a creative commons license, so you're welcome to use what you want, with attribution. :)

This page contains a single entry from the blog posted on August 10, 2009 2:06 PM.


Creative Commons License
This weblog is licensed under a Creative Commons License.