You may or may not notice (or care) that I'm not in Vegas this week for the annual BlackHat/DefCon hacker love fest. I've been in the past, and certainly had fun, but overall it's just not my thing. I view myself more as a "builder" than a "breaker," and I just don't enjoy sitting through 5-6 days of presentations on how everything under the sun is hackable and how we're all inevitably foobar. From a risk management perspective, I save myself a lot of time and hassle by simply assuming that everything is hackable, with varying degrees of difficulty, and moving on to other concerns.
The thought, however, occurs to me this morning that there is an amusing, almost hypocritical aspect to all the hoopla over BlackHat/DefCon (BH/DC). The same people who decry FUD the 51 other weeks of the year seem to fall into the trap of glorifying FUD for a week in the Nevada desert. This highlights the fine line we have to walk - especially those in security research - between publicizing useful, factual information, and fanning the flames of hysteria over yet another technical exploit. Moreover, reveling in all this research without much-needed business context and perspective is tantamount to rejecting our own guidance on risk management.
This wraps back to one of the main reasons I'm not in Vegas this year, and particularly why I'm not there for the day job. Plain and simple, there's really not much market for GRC (governance, risk, and compliance) in the BH/DC environment. For the most part, the presenters and attendees are focused on threats and vulnerabilities, on security research for the sake of security research, and on banging the FUD drum over the latest incarnation of scary badness (e.g., "advanced persistent threat," SCADA attacks and back doors, PII breaches and identity theft, ATM skimming, mobile device hacking and MITMs). While it is good and useful to know this information, knowing it sans business context does a disservice to the industry at large, and to society as a whole.
To me, the overhyped promotion of various threats and vulnerabilities in a manner that does not provide a reasonable risk management context is nothing short of FUD. It is ironic that many of the same people who decry FUD in media, business, and government don't seem to see that much of this week is about that very same thing. Perhaps in another 15-20 years (BH turns 15 this year, DC 20) we'll find a different environment, though somehow I doubt it. After all, there is fun to be had in perpetuating FUD, especially when it includes many, many hours of overtime partying. :)
To those attending BH/DC this week: Have fun, practice good risk management, and see you on the other side! :)