BlackHat/DefCon: 50 Shades of FUD? :)


You may or may not notice (or care) that I'm not in Vegas this week for the annual BlackHat/DefCon hacker love fest. I've been in the past, and certainly had fun, but overall it's just not my thing. I view myself more as a "builder" than a "breaker," and I just don't enjoy sitting through 5-6 days of presentations on how everything under the sun is hackable and how we're all inevitably foobar. From a risk management perspective, I save myself a lot of time and hassle and just assume that everything is hackable, on a varying degree of difficulty, and move on to other concerns.

The thought, however, occurs to me this morning that there is an amusing, almost hypocritical aspect to all the hoopla over BlackHat/DefCon (BH/DC). The same people who decry FUD the 51 other weeks of the year seem to fall into the trap of glorifying FUD for a week in the Nevada desert. This highlights the fine line we have to walk - especially those in security research - between publicizing useful, factual information, and fanning the flames of hysteria over yet another technical exploit. Moreover, reveling in all this research without much-needed business context and perspective is tantamount to rejecting our own guidance on risk management.

This wraps back to one of the main reasons I'm not in Vegas this year, and particularly why I'm not there for the day job. Plain and simple, there's really not much market for GRC in the BH/DC environment. For the most part, the presenters and attendees are focused on threats and vulnerabilities, on security research for the sake of security research, and on banging the FUD drum over the latest incarnation of scary badness (e.g., "advanced persistent threat," SCADA attacks and back doors, PII breaches and identity theft, ATM skimming, mobile device hacking and MITMs). While it is good and useful to know this information, to know it sans business context does a disservice to industry at large, and society as a whole.

To me, the overhyped promotion of various threats and vulnerabilities in a manner that does not provide a reasonable risk management context is nothing short of FUD. I find it nothing short of ironic that many of the same people who decry FUD in media, business, and government, don't seem to see that much of this week is about that very same thing. Perhaps in another 15-20 years (BH turns 15 this year, DC 20) we'll find a different environment, though somehow I doubt that. After all, there is fun to be had in perpetuating FUD, especially when it includes many, many hours of overtime partying. :)

To those attending BH/DC this week: Have fun, practice good risk management, and see you on the other side! :)


Valid point from a business perspective, however from a security researchers perspective their talks are enlightening - new and epic ways in which you are about to get owned by someone willing to put time/effort into it.
Remember, FUD is what makes the security industry so marketable ;) "you are all f*cked now" sells more than "well, a well sponsored adversary could...".

Unfortunately much of the industry (first commercial software, now SCADA/ICS) gets stuck in the fail cycle. The fail cycle from my experience with the energy sector is:

10 Why Security
20 Why Would Someone Hack Us
30 Our System is Vulnerable? Prove It
40 ???
50 Profit
60 GOTO 10

Most never get out of step 30. If you prove it during whitebox testing (if you're lucky), the results are usually brushed off because of access/knowledge/unicorns. For better/worse, things like BH/DC are the few weapons we may have and like all weapons, they can be used wisely or poorly.

One would hope that the preponderance of real-world evidence (e.g., Stuxnet and its ilk) would make a lasting impression on people. From what I've seen in the energy sector of late, I think it is, in fact, getting through to people. As I've said in the past, I'm convinced that it will ultimately take a generation for attitudes to evolve (e.g.,

Perhaps because security research for the sake of security research is fun?

I gave a talk at BH&DC and one of the questions was, "What's your threat model for this?". Quite frankly, we did the research and presented it (along with a tool) because it was interesting and fun to make a particular set of technologies do what they weren't designed to do.

Some of us are still in this because we find it a fun hobby. Others are in it to pay the bills, or some combination of both. Different strokes for different folks.

There's certainly nothing wrong with enjoying one's work! :) I'm also appreciative of the need for, and benefit of, open-ended "theoretical" research, vs. research that is merely practical and pragmatic in nature. Some our greatest scientific discoveries have come from such theoretical origins. The key is in balancing the message, though, and not letting the FUD monsters get the best of everyone. :)

About this Entry

This page contains a single entry by Ben Tomhave published on July 24, 2012 8:59 AM.

Survival Thinking: How Much Is Enough? was the previous entry in this blog.

Treating Symptoms Rather Than Causes is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives


  • about
Powered by Movable Type 6.3.7