Reflections on DefCon and Black Hat

Paul Rosenzweig
Tuesday, August 12, 2014, 10:53 AM

Published by The Lawfare Institute in Cooperation With Brookings

I had the opportunity to go to Las Vegas last week to attend the annual events surrounding DefCon and Black Hat. DefCon is a 22-year-old convention of hackers (a/k/a security researchers) and Black Hat is its more "corporate" adjunct. It tells you almost everything you need to know about the difference between them that Black Hat attendees pay several thousand dollars in registration fees and more to be exhibitors, while the DefCon attendees pay a couple of hundred dollars and almost always in cash (with a few Bitcoins starting to make an appearance).

The cultural differences between the security researchers at DefCon and the cyber warriors I meet at Ft. Meade are very overt -- but less complete than one might expect. On the overt level, consider: I attended a side meeting called "BSides" where the bar opened at 7 ... AM! The venue abounded with oddities -- men in kilts and mohawks; a "capture the flag" game involving a cyber flag; etc. I rather enjoyed learning that many computer hackers have a hobby of picking physical locks -- which seemed to fit quite well. On the other hand, I really have no explanation for the piles of condoms on the break room tables -- especially since there were so few female attendees (I'd say the demographic was 95% male).

On the other hand, I did see a great commonality of ... focus is the best word I can come up with. Despite their quasi-libertarian bent, most of the researchers I met across the visit were very concentrated on their profession; took great pride in what they did; and were deeply concerned about the fundamental insecurity of the network. In this regard they really seemed to me little different from the professionals I meet in Washington -- they just wear different clothes. [Though it ought to be disturbing that in a recent war game, our reservists defeated our active duty military cyber warriors, apparently pretty handily.]

Substantively, the week-long meeting had a few highlights.

Jack has already linked to the keynote by Dan Geer. His most interesting idea was that the US should try to corner the market on cyber vulnerabilities by bidding for them and buying them all up. The idea seems flawed to me for at least two reasons: (1) I fear that vulnerabilities are not as rare as he thinks they are; and (2) I doubt the Russians and Chinese would sell to us. But it is a fascinating concept and his other insights are well worth musing on.

For me, however, the major insight of the week was the growing vulnerability of the Internet of Things. I watched a fascinating demonstration of the ease with which a medical device could be "cracked" and another on the poor structural design of cars (linking critical systems to non-critical ones). One group of security researchers, I Am The Cavalry, ended the conference by issuing an open letter to the auto industry, defining a 5-Star program for cyber security of new cars, which seemed a sound attempt to get ahead of the cyber problem. [Full Disclosure: I sometimes advise the Cavalry on legal matters.]

The other big news was the announcement that a Russian hacker group had stolen over a billion passwords from websites globally. Unlike most of the general public, who were breathless over the extent of the breach, most of the researchers in Las Vegas were skeptical of the scope of the breach, its provenance, and its authenticity. Rather, they thought that the large collection was mostly an amalgamation of older breaches repackaged in a new way. As for me -- who can tell? But the dispute did remind me always of the need for caution and humility in judging this domain.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
