Shostack + Friends Blog Archive


Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics [link to http://www.lse.ac.uk/people/i.angell@lse.ac.uk/ no longer works] gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways.

An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid in crime fighting and whatever. This will work until criminals start collecting DNA samples and scattering them at a crime scene, creating confusion.

Angell didn’t mention a counter-measure, and I have one that I’m sure the politicos will want to use: make the possession of DNA a crime. There’s the obvious exemption for your own DNA, but this brings new and important expansions of the old standby of “inappropriate contact.”

This brings me to a complaint and irony about the “improvements” to Black Hat this year. The ironies occurred to me as Angell was speaking, talking about the ways added complexity brings new ways to fail.

One of the Black Hat improvements is that Black Hat is adopting a number of cool web-isms. There’s a Twitter feed, for example. They’re encouraging blogging by handing out blogging credentials for Defcon. This is good and cool.

However, one of the other improvements is to move The Wall of Sheep from Defcon to Black Hat. Professor Angell’s cat Oscar would have a thing or two to say about that. However, Nick Mathewson of Tor said it best, I think.

If you are not familiar with The Wall of Sheep, it is a project in which the shepherds run a protocol analyzer on the network looking for people using insecure protocols, plaintext passwords, and the lot. They quasi-anonymize them and then offer them up for what in Puritan days would be a pillory.

Nick’s comment about this was that it’s a very 1990s thing. Here we are in the late aughties, and you have to assume that if someone is at a security conference and using a non-secure protocol, it is a lot like not wearing pants. If you’re at a conference in Vegas and someone there is not wearing pants, it’s probably wise to assume that they know they’re not wearing pants, and that they are not wearing pants for some reason.

I was paying enough attention at the time to note that Nick was wearing a kilt when he said that.

The Wall of Sheep is the Pants Police. They run a Pants Panopticon in which they rush around madly looking for people with no pants and posting them up on the Wall of No Pants. They’ve decided on their own that a lack of pants is a ridiculable offense, even for people who know they’re not wearing pants and don’t care what you can see. Even more so, they also post the mere rumor of pantslessness. I have heard tell that some people enjoy hacking the Pants Police by telnetting to some service and typing in usernames and passwords to be sniffed. I would never do that myself, but I’ve heard stories. They’re actually more the Pants TSA than the Pants Police, but Pants TSA doesn’t alliterate.

The Angell-quality irony here is that all these new communications systems that on the one hand we’re being encouraged to use are — questionable. Twitter looks a lot like knickers to me. And let’s face it, WordPress won a Pwnie award for the incredible number of vulns they’ve coded.

In short, you’d be a fool to use Twitter at Black Hat, or to blog, or — well, use DNS. For Pete’s sake, we’re being told to set up manual ARP entries. (Yes, I know. You can use a VPN, or your mobile, or something else. That’s all very good, but once the Pants Police decide your Bermudas look like Speedos to them….)

The message of Black Hat that people should take away is that nothing is safe. That’s not necessarily bad. If we wanted houses to be safe as houses, we’d take out the windows and turn off the electricity. Technology is risk, as Angell said eloquently and entertainingly.

This is just more of the security wags naming, shaming, and blaming the victims. Is the message one should take away from Black Hat not to use a computer there? Even Professor Angell isn’t that pessimistic. He thinks that four ounces in an eight-ounce tumbler means you have too much glass.

Which is it at Black Hat? Web or no web? Pick one. Either Black Hat is (like Defcon) an open free-for-all in which griefing is just another way to spell 1337 and you’re a fool to bring electronics, or it’s an information exchange between smart people who blog, Tweet, and Plurk. Is a handshake a greeting, or a way to get a DNA sample? Are we using cutting edge or trailing edge technologies? If the former, remember that their security is going to suck until they get beat up — cutting edge techs can make you bleed. To phrase it another way, pick a century we’re in — 20 or 21. It matters less which one you pick than that you pick.

I hope it’s 21. I think Twitter is twee, but I’ve been using it and I smile when I do. (Plurk is much cooler, but I can hear The Good, The Bad, and The Ugly theme every time I go there.) I truly believe that blogging is just journalism in the cheapest free press civilization has ever had. AJAX is scary, but it’s scary in the way that driving a go-cart is scary. I don’t want to have to worry about the Pants Police, too, making fun of me if I’ve misconfigured something I’m not as adept at as IRC. I’d like to deliver a live blog about the opening keynote on the day it was given, as opposed to while I’m still alive.

I think Black Hat is moving in a very good direction to make information flow better, more interesting, and more fun. Let’s just leave the old school hectoring back in the dot-com era, and find out how to fix the new things by using them.

2 comments on "Black Hat (Live) Blog: Keynote"

  • Matt says:

    Nice post, sir. If we claim that there’s no such thing as a perfectly secure system, where we draw the line between suitable and unsuitable levels of security is pretty arbitrary. Also, I believe that “Pants Panopticon” is a phrase that has rarely, if ever, previously been constructed in the history of the English language.
    PS: s/paying enough attention/sober enough/… drink! 😉

  • Mordaxus says:

    Thanks, Matt. I just googled on “pants panopticon” and if you allow quoting in a Google Whack, I got one. 🙂
