What do you get when you combine 17,500 people, no one you can trust, and temperatures well above 100 degrees? Those factors might remind you of Mad Max: Fury Road, but they’re also accurate descriptors of Black Hat 2017. I traveled to Las Vegas, Nevada to spend a week brushing shoulders with a mixture of corporate chief information security officers (CISOs), researchers, engineers, and yes, black hat hackers at the world’s largest gathering of security geeks.
Live from the Mandalay Bay Convention Center, this is a description of what I experienced in almost real time. If you weren’t lucky enough to attend Black Hat USA 2017, there are a lot of smart lessons I learned that you can apply to any other conference on the tech circuit in the months to come.
In case you were wondering, I was definitely not hacked. My banking information appears to be intact, and I didn’t even bring a burner phone or build a Frankenstein-laptop just for the event. Here’s what I gleaned:
Out of the 17,500 people at Black Hat, at least 17,498 were dressed in polo shirts or, more commonly, t-shirts. I’ve been to suit-and-tie conferences in the past, but this was not one of them. You can blame it on the fact that temperatures here in Vegas are well over 100 degrees, even early in the morning—but it could also just be a tech thing. Regardless, any fear you may have that you’ll be underdressed at a security conference is unfounded; cargo shorts and polos are the unofficial uniform in these parts.
Paranoia: Your mileage may vary
Unlike your average convention in the MarTech space, there weren’t a lot of laptops out at any given time. I saw fewer than a dozen people working on their computers the entire time. Attendees took notes with literal pens and paper or just sat back and soaked it all in.
Jesse Meadors, a cybersecurity recruiter, admitted he considered bringing a burner phone to the event but ultimately decided to keep his electronics powered down on-site. Another attendee who works for the government, speaking on the condition of anonymity, explained her simple approach to not getting hacked: “I don’t bring anything other than pen, paper, and my badge.”
Security n00bs and dangerous nerds, come as you are
If you’ve ever wondered whether you’re too much of a n00b to attend an event like Black Hat, the answer is most likely no. While I can’t speak definitively for Defcon—Black Hat’s less-corporate cousin that’s all about the hacking—the tone in presentations and conversations at this show was open and educational.
In fact, in one presentation held by HP’s Dr. Kimberlee Brannock, only two out of the dozens of attendees believed their printers were not a vulnerability. No one laughed at that fact. As long as you’re not bringing your vulnerable printer to the conference, it’s not a bad place to learn, and you certainly won’t be shamed for showing up to do just that.
Make time to see the speakers
At a conference like Black Hat 2017 or anything on a similar scale, there’s a lot to see. Two hours in the business hall of sponsors netted me less than 25 percent exposure to the vendor booths, which were a lot cooler than I expected. There were people in polo shirts handing out branded pens, but there were also vendors with full-on catering, photo opportunities with The Wolf himself and a group of Kiss rocker look-alikes, plenty of claw machines filled with gift cards, and an overwhelming amount of prizes. I’ll never need to buy another t-shirt.
That said, while there’s loads of value in walking the business hall, the real value at these events comes from the speaking sessions. Michael Howard’s talk on endpoint security, Dr. Brannock’s insights into compliance and governance, and RIT professors Chaim Sanders and Rob Olson’s talk on the current information security education crisis were three absolutely life-changing events.
Hackers are getting slippery
Daniele Lain of the University of Padua presented a talk that revealed that hackers can guess with 80 percent accuracy on the first try what you’re typing through Skype based on sound alone. That figure goes up to 100 percent with five tries. For the curious, the source code for the typing-sound analysis is available on GitHub.
Other research findings were wilder still—and sometimes frightening. Did you know that the IoT system used to power car washes has a critical security flaw that allows a hacker armed with a laptop to smash you and your car? Bleak.
Will the good guys win?
A conference survey of leadership revealed that 60 percent of top execs believe the US national infrastructure will be successfully breached in the next two years. Steve Wylie, general manager of the conference, admitted, “I don’t think that enterprises have the tools necessary to handle [cyber attacks].” The message here is pretty depressing, but it’s not hopeless.
Despite the dismal outlook of the surveyed attendees, there were a lot of smiles for more reasons than the fact that Christian Slater was on-site representing The Wolf (and some of the sponsors threw some pretty swag VIP events). Vendors are working to embed security, as Brannock demonstrated, and while changing the default password on your printer won’t protect you from being crushed in a car wash, it can mitigate a lot of security risk for your office. It’s the vendors working hard to improve security, introduce self-healing tech, and stay one step ahead that give us hope that the good guys really will win.
As he was scooping up popcorn, a staff member with one vendor group warned me with a smile that “whatever happens in Vegas goes on Facebook.” He may be right, but I definitely recommend using your mobile device’s cellular data connection, with encryption, rather than hopping on the convention center network to upload any pictures.
And speaking of pictures, Star-Lord says hello.
Continue the Black Hat 2017 journey on Tektonika with “Black Hat 2017: Can you have compliance AND innovation?” and “Black Hat 2017: Michael Howard talks sheep, hackers, and urgency,” featuring more of our on-the-ground coverage!
Featured image courtesy of Black Hat