In the 13 years since its inception, Black Hat has emerged as one of the premier conferences in the security industry. Each year, it attracts thousands of security researchers, security practitioners and government types to its annual events in Las Vegas, Tokyo, Amsterdam and Washington. On the eve of the annual conference in Las Vegas, Black Hat founder Jeff Moss talked about the show and how it has evolved.
This is the biggest Black Hat so far. What's driving interest in the conference?
I don't know if it's a rebound. People held off last year because of the economic downturn, and now there's a hunger to bounce back. I don't know if it has to do with that, or if it is more of an awareness issue. US Cyber Command is hiring, the [Department of Homeland Security] is hiring, the federal government is hiring, all the defense contractors are hiring like mad. I don't know if it's a reflection of that.
How has it evolved since you first launched it?
As we grew, I never ever wanted to downplay the researcher part. Nothing is going to impact that. Every year, something surprises us about what's new and which directions the researchers are going in. But as we have grown, we have gotten access to lots of space. You just can't have 10 tracks of pure researchers. It's hard to find that many good talks. So now I am trying to focus on business and policy implications as well.
So, what has surprised you this year?
Some of the talks that have gotten interest are surprising. I wouldn't have thought the Robin Sage talk was going to get a lot of interest. That is just an illustration of the dangers of social networking, which pretty much everyone gets.
It goes back to my belief that a lot of people don't believe it until they see it. They can intellectualise it, they can visualise it. But until they can actually see it happen, it's not real. So I was really surprised by the attention that it's getting. Not so surprising is the interest in a talk on ATM hacking.
How has the security landscape changed since you launched Black Hat?
There was no money in any of this. Back then, it was a hobby. You did this because you loved it. You couldn't get a job in information security unless maybe you worked for a Sun or an IBM, a bank, the military, a hospital or something. Everything was pretty ad hoc. There were no real rules, there was no secure software development life cycle, there were no rules for disclosure or notification, and no collaborative bug-finding.
Then in the fourth or fifth year of Black Hat, the dot-com bubble started growing and everybody was getting a job in security. Once it became a profession, once it became a career, everything changed. We have seen everything grow at a very rapid rate.
Do events such as Black Hat close or widen the communication gap that seems to persist between security practitioners and enterprise decision-makers?
My contention is, if decision-makers don't know what is actually technically possible, how can they make an informed decision? If business people who make decisions don't have accurate information, they are bound to make inaccurate decisions. So, number one, we have to show them what the art of the possible is and what they can expect in future. We really try to focus on the practical and applied effects.
But are you succeeding in closing the communication gap?
Yeah, I think so. We are breaking out of the pure security researcher community to a wider audience of people who now realize that security is one of their concerns. We are getting more [people from] telcos, more enterprise, and a little more financial services. We have seen growth. We want to see where these people are coming from, but there has been a definite broadening of the base.
There's always some new vulnerability or other disclosed at Black Hat. In general, how should vulnerability disclosures be handled?
I have always believed in the responsible disclosure model. You inform the vendors [of a flaw's] discovery. It is responsible for you to turn over enough information so they can reproduce the bug and go seek a solution. But it is not your job as a researcher to hold the hands of every vendor you find a bug for and to walk them through everything.
It can consume a whole lot of time, and they don't pay you for that. I don't think it is reasonable for the researcher to have to wait for a year for a patch. I would advocate never being totally beholden to the vendor, never being on their timetable. But on the other hand, it is irresponsible for the researcher to tell the vendor on Monday and on Tuesday tell the whole world.
What do you think about vendors paying bounties to bug hunters to find vulnerabilities in their software?
It's as if companies hired their own researchers to go find bugs. That's fine. The part that bothers me though is, what's going on underground, what's going on in the market we can't see? People are getting all bent out of shape about [public vulnerability disclosures].
But what is really happening in the underground marketplace, where criminals are buying and selling vulnerabilities? [With legitimate disclosures] the vendors get informed, and hopefully we'll all have better software and hopefully better processes. In the underground marketplace, it never makes it to the vendor, so the software never gets improved.
You are a member of the Homeland Security Advisory Council. When you started this whole thing, did you ever envision yourself advising Washington on security issues?
I always assumed that was impossible for me because of my running DefCon and Black Hat and not having the right academic credentials. There was no PhD in computer security or anything back when I was in college, so I didn't have all the checkboxes. So I was very surprised when I was named and sworn in.
But for now, just like everything else, it's a challenge, and I want to be as helpful as I can to help information security. I have this belief that you don't get to bitch about the system until you try and fix the system. So I figure this gives me plenty of room to bitch because I am trying really hard to make a difference.