Computerworld

The best and worst of Black Hat 2019

Black Hat hit high notes and low last week in Vegas. Here's our roundup of what you missed.

Security experts as rock stars

You could be forgiven for expecting a rock band to take the stage.

The arena filled with people. Laser lights danced across the assembled throng. A bass back-beat thumped somewhere mysterious. A mighty roar from the speakers while this reporter fumbled for earplugs, a moment too late. A man took the stage, armed only with a head mic and a clicker.

Not a rock star. A security expert. He spoke of secure software development and deployment best practices. He spoke of automation. Of changing security culture.

Accountants don't do this for their conference keynotes. (Pretty sure.) Doctors? Doubt it. Mechanical engineers? Seems unlikely.

So, what does the glorification of security experts as a kind of rock star say about the current state of security culture? Where does this desire to elevate mastery--or even just competence--to god-like status come from? It doesn't happen in other fields. Should we celebrate or condemn this instinct? Or simply find it mildly bemusing?

Black Hat is a flashy, for-profit conference in a flashy casino in flashy Las Vegas designed to impress the enterprise buyers shopping on the expo floor. For many new to the field, infosec is a scary, enigmatic discipline that looks like black magic from the outside. Even the Black Hat logo seems designed to deliver that message to the less well-informed: There is dark magic afoot here, but our wizards on the expo floor will sort you out for a low, low recurring annual payment of a seven-figure license deal.

Questionable claims lead to confrontation and a session removed

The grifty side--or griftier side, I should say--of this glitzy glamorous "dark magic" came to the fore on day two, when a sponsored talk delivered by a sponsored speaker tried to sponsor-talk a roomful of actual cryptographers with some VC-funded "Time AI". It did not go well.

A dude by the name of Robert Grant, of a company called Crown Sterling, gave a sponsored talk--not vetted by the usual rigorous Black Hat process--entitled "The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean For Encryption?" The talk was so unpopular with actual cryptographers that well-known security expert Dan Guido stood up and challenged the speaker during his presentation. Conference goons ejected Guido from the talk.

A pyrrhic victory for Mr. Grant, who was clearly hoping to cash in on the Black Hat brand to promote his, err, wares. Black Hat has since apologized for failing to vet the talk more closely and has removed the talk from the conference site so that the Black Hat brand cannot be misused by a pay-for-play sponsor.

“Infosec fan fiction” story on over-hyped bug wins Pwnies

"Quasi-prime numbers" were the low point of the conference, no question. What was the high point? That is harder to say. The glitz and glamor bring needed attention to security issues, but they also attract a plague of parasites, carpetbaggers and sleazeballs. The good and the bad are, perhaps, the same thing.

But what of the ugly? There was plenty of that too during Black Hat--at the Pwnie Awards. The Pwnies! Yes, they are still a thing, and they called out some ugly during the awards ceremony. Ugly as in uuuuuuggggggllllllyyyy.

Ugly as in you wrote a story about "grain of rice" hardware backdoors in the Super Micro supply chain without any evidence to support that wild accusation. Ding-ding-ding! We have a winner. Pwnie for most over-hyped bug went to the Bloomberg article on the fantastic Mr. Grain O'Rice.

"The story had every buzzword that makes any CISO want to retire: supply chain interdiction, state sponsored, China, Snowden," the Pwnie award declares. "It was said to affect major banks, government contractors, and even the company they all aspire to be, Apple. This was definitely the computer security story of the year, maybe the decade, except for one small detail."

"It seems it was all bullshit."

Not satisfied with awarding a Pwnie to the overhyped bug, the judges added insult to injury and awarded the Pwnie for most epic fail to Bloomberg, who reported the "grain of rice" story, for their "infosec fan fiction." Sick burn, Pwnie people. Uuuuuggggglllllyyyy.

Unheralded security researchers finally heralded

The ugly had a handsome side, though. The Pwnies also called out good work, including the Pwnie for most under-hyped research, which went to Jatin Kataria and Red Balloon Security for their discovery of Thrangrycat (a name imperfectly translated from emoji), a flaw in the Trust Anchor module that underpins secure boot on Cisco routers. The Pwnie people also awarded the Pwnie for epic achievement to Steve Christey Coley, "the single most prolific CVE entry writer on the planet."

Maybe security needs to be more boring

The CVEs are getting written, but at Black Hat, so apparently are the checks. Wandering the expo floor collecting free merch from random over-funded startups of questionable value, we had to wonder, is this a bubble? Because if it's not a bubble--and things are so broken it seems unlikely to be a bubble--then maybe it's time to calm down a bit with the rock stars and snake oil, the glitz and the glamor, the greedy privatized digital security guards cavorting in swimming pools of VC gold like Scrooge McDuck, and make things a little more boring.

Yes, boring. Information security matters. As an industry we've got a lot of work to do. As a society we've got a lot of catching up to do. What does all of this mean for our politics? The economy? How we live our lives? We've got a long way to go, but we'll know we've succeeded when working in security becomes as boring as being an accountant.

Until then, let's go easy on the glitz and glamor, people.