
Letter From Hackerdom: Not the Same Old DEF CON, Black Hat

LAS VEGAS -- What a difference a year makes.

Like I did the past two years, I am currently blogging from Sin City, which plays host once a year to the back-to-back Black Hat and DEF CON hacker conferences.

In the past, these gatherings have been sort of a Wild West of hacking, with researchers unveiling previously unknown security holes in widely used software and hardware. That's largely missing this time around.

After chatting this year with a number of speakers and attendees, something of a theme emerged: Namely, that the mainstream security research community appears to be maturing, perhaps borne out of a complex interplay of corporate acquisitions and a general realization that publishing unpatched software exploits has real and quantifiable social and economic costs. These costs are felt not only by affected software vendors and the researchers themselves (more on that in a bit), but also by the millions of average computer users who stand to suffer real, quantifiable financial losses that stem from the publication of software flaws that bad guys can use to steal passwords, credit card numbers and more.

Maybe I am prematurely giving too much credit to the security research community as a whole: DEF CON lasts two more days, and there are rumors that at least one major, previously unknown software flaw will be detailed today. But on the surface at least, it does seem as though the community is evolving to a realization that publicizing software holes mainly serves to line the pockets of watchful cyber criminals who would like nothing more than to use the demonstrated exploit code to infiltrate vulnerable PCs.

Andrew Fried, a special agent with the U.S. Treasury Department who has been to these gatherings for the better part of a decade, observed that many of the people who attended these conferences as wide-eyed teens five to seven years ago or so have since grown up, and are now gainfully employed by hugely profitable companies.

"Now, what these guys do, they do for financial gain, not bragging rights. And it's become a big business," Fried said. "Many people here are some of the same people who were here five years ago, but now they're in a different role in life."

A fair number of the talks I've attended so far have been highly technical, and some have covered novel concepts for attacking security holes in hardware and software and computer networks. While this is more or less par for the course, it seems that speakers here are dedicating more of their time to talking about ways to fix or mitigate the threats, as opposed to merely hyping software vulnerabilities and claiming that the virtual sky is falling.

"The industry as a whole is recognizing that the level of skill needed to find flaws in software is substantially less than the skill needed to fix those flaws," said one senior executive at a major software company that has a heavy presence at Black Hat and DEF CON, but who asked to remain anonymous. "I think there is also a general realization that if all you do is break things, you're part of the problem."

Another factor that may be influencing the tenor of these gatherings is that many of the companies that employed researchers who used to publicize information on high-profile, unpatched security holes have been bought up by some of the more established companies in the technology industry, such as IBM and HP.

There may be other, less altruistic factors contributing to the relative lack of presentations that detail previously unknown software security bugs. A growing number of companies now pay many thousands of dollars to quietly purchase this information. A serious security flaw in Microsoft Windows or any other widely used software can fetch a pretty penny through any of these companies, or alternatively via the Internet black market.

Bruce Potter, a senior associate with consulting giant Booz Allen Hamilton and the founder of a security research outfit known as the Shmoo Group, said the abundance of entities that are now buying up information about unpatched software security vulnerabilities is largely responsible for the paucity of research being presented this year on unknown software holes.

In a frenetic but hilariously engaging talk at DEF CON on Friday titled "Dirty Secrets of the Security Industry," Potter said such services have fundamentally warped the landscape of "full disclosure," or the practice of publicly releasing exploit code for unpatched software flaws as a lever to force the affected vendor into more quickly fixing a given problem.

"We are an ad hoc community that has grown and lived by sharing information publicly. And we can do so in a way to exert pressure on vendors to fix their software and hardware." The debate, he said, used to be, "What disclosure method should I inflict? Now it's just like, should I disclose or should I make money off of it?"

By Brian Krebs  |  August 4, 2007; 11:45 AM ET
Categories:  From the Bunker  


Good stuff. Nice to see someone with wisdom and intelligence observe the scene. Thank you.

Posted by: Brendon | August 4, 2007 2:39 PM

Thanks for this excellent article. Keep up the great work.

Posted by: Jim | August 4, 2007 4:01 PM

Good article, Brian. I wish I could have made it to the conference. I think if I didn't work for a vendor on the "other side" of disclosure, I'd be selling my exploits instead of dropping them. The best part about the vulnerability-buying outfits is that they standardize the disclosure process, from what used to be totally different for each researcher.

Posted by: Anonymous | August 4, 2007 5:37 PM

Article very interesting and I'm sure the conference was equally good. Keep up. Thanks.

Posted by: Felix | August 4, 2007 7:19 PM

@Felix, @pay per click:
Other slime ball spammers have automated tools to ruin things for the rest of us. Here you two losers are doing everything by hand.

Somehow the rest of us can find great joy in that.

Posted by: Brendon | August 5, 2007 2:03 AM


© 2010 The Washington Post Company