Black Hat 2017 Takeaways

I returned recently from attending the briefings at the Black Hat USA conference. Compliments and congratulations to the Black Hat team on an outstanding conference. The content was engaging and interesting - so much so, that it was challenging to schedule. Most time slots had at least two sessions of interest to me, and those I attended did not disappoint.

In particular, the keynote by Alex Stamos of Facebook resonated with me. This was a pleasant surprise. In general, I find conference keynotes (especially when the show is from a single vendor) to be a waste of time. They’re often thinly-veiled sales pitches that are bought through sponsorship, are self-serving or have poor speakers. In other words, they are selected not by the value of the content or the skill of the speaker.

Alex spoke very well and hit upon a number of themes that rang true for me. One was where he said “Our field punishes imperfect solutions in an imperfect world.” That brought me back to earlier in my career when I was working on online payments security, and my eyes were really opened about the difficulties of creating a solution that can be applied broadly for average users. Getting that deployed meant balancing the concerns of credit card companies, banks, merchants, and software vendors, while trying to keep the solution usable for any shopper. As a result, we made tradeoffs that were not always “perfect” from the security perspective. Some of those decisions were criticized by reviewers who had no context about how they were made; and who (I suspected) had no practical experience with consumer-scale software. But the criticisms were often phrased as “this isn’t perfect, so it’s useless.”

One way to look at this, mentioned by Alex, is as an empathy problem. I agree, but I also think we need to look at the sort of hyper-competitive attitude that infects, and maybe drives, the tech industry. How does it influence behavior? Suppose an engineer finds a bug in a vendor’s security product. He might get a bug bounty by reporting it. But what if he works for a competitor? Then there’s an economic incentive not to report it; in fact to leverage it for competitive advantage. While that helps the competitor win, it creates collateral damage by leaving the vendor’s customers vulnerable. In the long run does the overall industry become more secure by one vendor succeeding to the exclusion of others, or through a diverse community of vendors? In the security space, what should the relationship be between collaboration and competition?

Black Hat is all about attacks. Many of the sessions are descriptions of found vulnerabilities and interesting ways to crack into systems. A session is more interesting if it affects more people, can cause greater damage, or is a particularly clever attack. So it is with disclosure in general. The most famous bugs have at least potentially dire consequences affecting large numbers of people, usually have cute names, and get a lot of press. Unfortunately, in the fog of all the attention it can often be difficult to get a realistic assessment of the actual likelihood of the bug being exploited. Is the problem trivially usable by any remote attacker with no access? Or is there a complex set of hurdles he must already have overcome before the bug comes into play?

Alex touched on this with his comments about how many common attack vectors (such as phishing, password reuse, and unpatched systems) have been around a long time and we still don’t have good solutions. Many attack descriptions start with one of these, e.g. “Suppose you phish into a system, then you can…” That’s interesting and useful, but it’s sad that we don’t seem to be making much progress on the first problem. Much of my security background is in user authentication. The fact that phishing is still common (and if anything, increasing in sophistication) is a symptom of our failure to solve the user authentication problem. Some of the other sessions covered promising research. For example, work attempting to analyze phishing both from the attack side (understanding the attackers and their methods) and from the human behavior side (why people remain susceptible).

So overall a great show; it gave me a lot to think about. I look forward to next year.