Analysis

When Jeff Moss sold the Black Hat security conference to CMP a decade ago for around $13m (£8.3m), he faced a barrage of abuse from some members of the hacker community as a sellout. They were a little bit right, and a lot wrong, as this year's cons have shown.
Black Hat was always supposed to be a little bit corporate anyway. Moss held the first DEF CON in 1993 as an impromptu party and coding session for hackers he'd been conversing with online (and occasionally offline) for years. Four years later he set up Black Hat, and was frank that it was to pay the bills, but the conference has its uses.
DEF CON, however, seems always likely to stick to its hacker roots. While there were certainly more corporate types circulating the villages and tracks at the show, there's no way that its users are going to allow it to lose its soul.
These days the two shows might run concurrently, but have very different paths. To put it another way: if you want to find out things that aren't in the user manual, go to Black Hat, but if you want to play with the source code, head to DEF CON.
The long sell that pays for the party
It's incredibly rare to meet anyone who stays for the full Black Hat and DEF CON; nine 12-hour days and 16-hour nights leave most of us dribbling with exhaustion.
It used to be possible to do both, but since the sellout, Black Hat has expanded its scope and now the first four days are taken up with training sessions that cover the hacking techniques that have become popular over the last few years. It's useful stuff for IT security folk at the server coalface, but a bit yesterday's jam.
Day four also has the invite-only CISO summit, held in more salubrious surroundings (this year in the Four Seasons enclave) and from which press are barred. An attendee at this year's event described it as "TED talks with a security focus and a fuck of a lot of drunken networking."
This year's CISO summit saw more established security researchers like Dan Kaminsky – the man who could have broken DNS but fixed it instead – give talks, along with corporate CSOs, various government types, and speakers who fell into the lightweight-but-glib mold, like former ICANN boss Rod Beckstrom.
Days five and six are the Black Hat briefings, which used to be about the very latest hacking techniques but in recent years have become increasingly self-promoting and promoted. 2015 wasn't bad however, and while some of the more interesting talks had been leaked weeks before, some stood out – Chris Domas' Intel memory sinkhole was a notable example.
Each day's briefings include nine sessions every hour, from 0900 to 1800, so prior planning is essential. Jeff Moss still has the most influence on the keynote speaker however, and this year he picked a doozy – Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society.
The open internet is failing
Granick was at some of the first DEF CON meetings and is a geek and lawyer who is passionate about the possibilities of a connected society. But we're in deep trouble, she warned – a message echoed by her warm-up guy Moss.
When Granick first got online in the 1980s it was hoped that the internet would enable a global conversation in which gender, race, and creed became unimportant compared to ideas, she said. The assumption was that censorship would be routed around, governments would become more open, and the spread of information would benefit humanity.
Instead, she said, sexism, race relations, and religious intolerance had proved stronger than expected and the internet was increasingly being used to reinforce existing power structures rather than break them down.
A succession of internet laws, led by the 1996 Communications Decency Act, was forcing internet traffic into choke points that could be regulated, while law enforcement was playing an increasingly destructive role in stifling conversation.
The FBI is now asking service providers and internet companies to monitor traffic not only for criminal activity, but for indicators that the user might be considering breaking the law. Companies are, by and large, complying with this, and it's chilling free speech, she warned.
It was a theme echoed by some of the other speakers on the first day. Canada's Citizen Lab showed off a new technique for matching binaries in state-sponsored malware that identified candidates from 2002 that could be attributed to either the US, UK, China, or possibly Israel, which had been completely ignored by major antivirus firms.
Frames, phones, and automobiles
In terms of hacking it was a very mixed bag. Frame exploits are always popular here, and there were the usual software and mainframe exploits. But this year's show had a lot more non-standard device hacks than previous conferences.
Phones were very high on the agenda, and the weeks preceding the show had been full of attacks against Android and a few iOS cracks as well. Windows Phone and BlackBerry didn't get much of a mention, with one speaker pointing out it was only worth investing time cracking operating systems people actually used.
Google was at the conference in force to give its response (Apple tried Black Hat, didn't like it, and hasn't come back yet), and Adrian Ludwig, lead engineer for Android security at the Chocolate Factory, came along to announce the firm was upping its game.
The Stagefright bug was being patched, he said, and all the major handset vendors would be pushing down fixes and doing monthly updates from now on. Whether all the telcos will play ball remains to be seen, but it's clear Google has had a similar moment internally to the one Microsoft went through in 2002.
Android needs to get this issue fixed, and the view from the show floor was that Google has done a pretty good job at reassuring people. It's tricky for the Chocolate Factory, since its code base is open for all – it's possible that there are large holes in iOS too, but people have a much tougher job finding them.
The other rising star is the automotive sector. Chrysler hackers Charlie Miller and Chris Valasek had possibly the best-attended talk at Black Hat, and also packed out their hall at DEF CON, but there were other car hacks out there as well.
Interestingly, Miller and Valasek told the press conference after the talk that if it hadn't been presented at Black Hat then Chrysler wouldn't have fixed it. The company moved fast once they had been told a presentation was planned – and at least a fix is better than trying to sue the researchers to shut them up.
As cars get more computationally complex, these kinds of hacks are going to become increasingly important, but it's clear that the car manufacturers haven't really put the time and effort into making their vehicles even remotely secure. In computer terms they are about at the Windows 98 level of security awareness, which doesn't bode well.
There's another reason why hackers are targeting cars – it's a very sexy hack. Tell someone they might lose a database and they'll be concerned. Tell 'em you can crash their car with them in it and people get scared, and that brings lots of headlines and kudos.
Opsec and on sex
It used to be the case that going to Black Hat required visitors to practice extreme operational security with their systems for fear of hacking, but that's not really the case anymore.
Sure, you take basic measures for security – disabling Wi-Fi and Bluetooth on laptops and phones, always keeping an eye on your kit, cancelling autorun on USB ports if it isn't already. But it doesn't seem like anyone's trying to get in any more.
Part of this is down to a harder line against hackers. The last case I can remember in seven years of attendance was a couple of journalists hacking fellow hacks' systems for a laugh. They were stripped of their badges and sent home for that offense.
The same is certainly not true for DEF CON. There, hacking other people's systems is a matter of pride and fun, and the stolen credentials are displayed on the Wall of Sheep. And to the hacker who briefly associated my Gmail account with another email address – I will find you, if I'm lucky.
Black Hat this year was also noticeable for the increasing number of women in evidence at the show. Computer conferences are always a bit of a sausagefest, and Black Hat used to be worse than most. But the gender imbalance, although still stupidly high, isn't as bad as it was, at least in the venue as a whole.
While you'll see slightly fewer women at DEF CON, that's in part down to job roles. At Black Hat, companies bring their PR people, exhibition staff, and assistants with them and while there are a fair few women in the training tracks themselves, not as many as you'd expect given the sex mix on the floor.
DEF CON doesn't really like having non-coders in the venue, and the women you do see are hardcore geeks here to learn and produce. It was also noticeable that DEF CON has a much higher number of ethnic groupings than the usually whiter-than-white Black Hat.
DEF CON – where diversity is de rigueur
As Black Hat winds down so DEF CON begins, usually at a cheaper hotel that reflects individual budgets. Last year it was the Rio, but a Star Trek convention had bagged that spot this year, so we all trooped down to Bally's and Paris.
Frankly, the extra space was needed as this week's show was utterly rammed. Even then, the long lines to get into popular sessions showed yet more space is needed – getting into the smaller sessions in Track Four of the conference was impossible unless you lined up 30 minutes early.
The three full days of briefings had five main tracks doing hourly (and sometimes half-hour) demonstrations, with the occasional two-hour group discussion session. But there are also lots of other talks and events going on in other zones – be it hardware hacking (where the sultry smell of solder is thick in the air), social engineering schools, or confabs devoted to more esoteric ideas like bioengineering.
This is both a good and a bad thing. It's good in the sheer range of stuff on offer to learn from, but it's also frustrating because you're acutely aware that you're missing out on other talks every single minute of the day.
That diversity of learning opportunities is also reflected in the attendees. There are representatives from all of the hacking subgroups in large numbers, and the venue is full of people who some in corporate computing might find scary – in dress, haircuts, and attitude alike.
But there's also an openness at DEF CON that Black Hat can't match. Everyone mixes and, with a few annoying exceptions, it doesn't really matter what you look like or are so long as you bring intelligence, keenness, and geek cred to the event.
As a case in point, I was crouched in a hallway juicing up from an open power socket, surrounded by fellow searchers for current. The chap next to me asked if I happened to have the latest iteration of Ubuntu on a USB stick. You've got to love a conference where someone can ask that with a reasonable expectation that the answer is yes – even though some would have shamed him for using such a mainstream build and for accepting a foreign memory device.
It's not perfect at DEF CON by any means. Last year's diversity panel broke down into insult trading and recrimination after a genuine attempt at an adult conversation, so much so that the organizers rather shamefully turned down an offer for another try at it this year. Technology might unite us, but it doesn't mean sexism, racism, and other forms of prejudice can't still tear us apart.
Another big difference with Black Hat is that DEF CON accepts – nay welcomes – children to the event. There were even sessions that you couldn't get into unless you were a child, or accompanying one.
Based on the number of really skilled youngsters around this year, the future of hacking is in good hands. There were teenage coders playing capture the flag with flying fingers and cunning plans, youngsters barely past toddler age whipping their elders in the network gaming sessions with huge grins on their faces, and both the hardware hacking village and lock picking center had a goodly smattering of youngsters showing off their stuff.
In general the quality of talks at DEF CON is much more technology focused, and there are plenty of specialized meetups that would go over the head of many people with an MCSE qualification.
The presenters themselves aren't as polished as those at Black Hat, but they are a lot more human. At a Bluetooth session, the presenters showed a blurry video of their hack in action and apologized for the quality, explaining that they were very drunk when they'd filmed it the night before.
There's a lot more swearing on stage, and a fair bit of drinking, as every new person presenting at the show has their talk interrupted by the volunteer organizers of the show, called goons, and ordered to do a shot of whatever spirit is on hand.
But the presentations themselves are clearly labors of love. I lost count of the number of times you'd hear words to the effect of, "I solved this problem by checking my code base and finding a Python/Ruby/C++ script I'd been noodling around with and it fixed it."
There's a fair amount of alcohol (and other things) being consumed at the show – the bar opens when the doors do and it's not uncommon to see people having beer for breakfast. In the evenings the parties at DEF CON are rightly legendary – participants typically pregame in their hotel rooms before doing the round of sponsored and privately run parties once 9pm swings around.
This most primitive form of brain hacking is popular, but people are remarkably well behaved – by and large. Part of this is down to the rules of the show – politeness is demanded and enforced, pictures and video aren't allowed except by permission, and the goons keep everyone politely (mostly) and firmly within the rules.
The quality of these sessions, from a raw knowledge perspective, is very high indeed and you can learn an awful lot just from nattering in the Chill Out room. There's no doubt that if you want to be on the cutting edge of technical and social computing knowledge then DEF CON is the place to be.
Government still not welcome
There's a long tradition of police and governments sending staff to DEF CON to pick up the latest tricks of the trade. This used to be disliked, and led to the conference game of "Spot the Fed," where attendees would get kudos for outing the undercover officer.
After 2001 that changed slightly, and DEF CON went through a phase of being slightly more welcoming to law enforcement and government types. But after the Snowden revelations, Jeff Moss put his foot down and in 2013 told the Feds "You are not welcome."
That view has eased a little, but not by much. This year organizers said that the presence of Feds would be tolerated if they were here for something specific, but it's back to trying to dissuade people without a clear mission.
That's largely welcomed by most attendees, and there was noticeable friction in some sessions. One former military hacker presenting in the Social Engineering Village was lambasted by a questioner for his supposed military mindset in knocking back ISIS recruiters and there's still a very strong anti-authoritarian element at the show.
That's perfectly understandable, given how many hackers have been persecuted by law enforcement for very minor crimes. The hanging shadow of Aaron Swartz and his fate still gets people justifiably angry.
There's also a lot of resistance to corporate America. One Seattle recruiter bemoaned the fact that "these people" could get great jobs in industry if they would only straighten out their act a little, get a haircut, and try to sell themselves a little more.
What he missed is that for a lot of attendees, doing that kind of a career path isn't remotely interesting to them. As long as they have a place to crash, an internet connection, and enough money to keep the wolf from the door, they are perfectly happy doing what they love without having to worry about performance reviews or dress codes.
The EFF on the other hand...
If the Feds weren't welcome then the Electronic Frontier Foundation certainly is.
DEF CON donates a certain amount of conference revenues to the EFF, and this year the group got a $50,000 check from the organizers. In addition, its stall was crowded out with people willing to either give money outright or pay over the odds for EFF merchandise.
There was also an auction of rarish DEF CON and EFF gear to raise money for the group, which saw very high bids for what was ostensibly quite low-grade stuff. You could even get a mohawk haircut for a $10 donation to the group, although tipping the hairdressers was also considered polite.
Why is there such love for the EFF among the DEF CON crowd? Because the group is the nearest hackers have to a union; a body that fights for the rights of the tinkerer in the face of overwhelming odds.
The EFF got a shoutout in plenty of talks for the help it gives hackers. "Before presenting I checked in with the EFF for legal advice," was the reason many speakers gave. The EFF has a justified reputation for fighting for the right to hack responsibly, and it's an invaluable balancer to law enforcement overreach.
It's certainly true that the EFF isn't perfect – it takes a lot of money from corporate sponsors that some say make it ideologically corrupt. But the same is true for pretty much any lobbying group, political party, or religious organization.
Cory Doctorow's presentation on the EFF's fight to rid the world of DRM was an interesting case in point. While the crusade is going to be a difficult one (this hack thinks Satan will go to work on a snowplow before some businesses give up on DRM), you had to admire the spunk of the proposal.
Hackers are used to being on the margins, and some positively welcome the role. There are very few safety nets for them – no well-funded legal departments or political lobbying organization, apart from the EFF – and most attendees were happy to chuck in a few bucks for a group that has their back.
Let hackers be hackers
This individualistic streak, while frustrating for recruiters, is great news for computer security. These people don't do this primarily for a salary, they do it because they love it.
The type of attendee who is commonplace at DEF CON is all about the code, or the hardware, or understanding the brain and its motivation. Sure, a job pays the bills, but no one's going to work 20-hour days for months at a time just for a paycheck, outside of some of the more rabid startups.
They work because it isn't work; it's a labor of love and intellectual stimulation. The joy of finding out the unknown, the satisfaction of getting a really good hack sorted, or just the sheer pleasure of testing hardware and ideas to destruction.
It's an attitude typified by Jeff Moss, DEF CON's founder. Yes, he sold out Black Hat and retains a financial stake in the show, but not for the money. That just pays for all the other interesting things that can be done in the meantime.
That money will help ensure that DEF CON will remain the purest of mainstreamish tech conferences, and I suspect it will stay that way until Moss hangs up his hat. Long may the show continue. ®