The Punch Line Goes at the End
The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. Risky.biz gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the style of a slot machine.
According to reports, the manufacturer of the ATM pressured Jack’s employer, Juniper, to pressure him to withdraw the talk.
I certainly roll my eyes at this. It doesn’t do a lot of good to pressure someone to withdraw their talk.
But even more so, if you’re giving a talk, it behooves you to save the showmanship for the stage. I mean, come on.
Last year, the big cancellation was the team of MIT students who broke the Boston MBTA Charlie Card system. There was a legal injunction put against them that spoilt their presentation. The fault, in my opinion went to them for naming their talk, “How To Get Free Subway Rides For Life.”
Imagine that you are a judge who is interrupted from an otherwise pleasant Saturday by panicky people who want an injunction against a talk with such a dramatic name, you’ll at least listen to them. You decide that sure, no harm to society will come from an injunction from Saturday ’til Monday, and you’d be right. No harm came to society, DefCon was merely a little less interesting.
Now imagine that you are the same judge and you’re asked for an injunction against the talk, “A Practical Cryptanalysis of the Mifare Chip as Implemented in the MBTA.” That one can wait until Monday, and the talk goes on.
In a similar gedanken experiment, imagine that you are the VP of Corporate Communications for the XYZ ATM Corp. You learn that in a few weeks, someone is going to do “ATM Jackpot” with one of your ATMs in some show in Vegas. Despite the fact that someone else in the company approved it, what do you? You pressure them to cancel. Duh. If you don’t, then you’re going to spend most of August reassuring people about your products, your boss is going to be really ticked at you (after all, isn’t it the job of Corporate Communications to control these things?), and it’s just going to be no fun. This is also why you’re paid the big bucks, to make embarrassments go away.
This is why if you are a researcher, you do not name your talk, “ATM Jackpot” you name it “Penetration Testing of Standalone Financial Services Systems.” It is only on stage that you fire up the flashing lights and clanging bells and make the ATM spit out C-notes for minutes on end. That would get you all the publicity for your talk that you want, and you actually get to give it.
Remember, do as I say, not as I do. If you have a flashy Black Hat talk, put the punch line at the end of the joke.
All good points, but one thing that comes to mind is that showmanship is necessary before the talk. Firstly you need to get the talk accepted, and secondly you need people to come to your talk. A exciting title and promise of a dramatic demo go a long way in achieving both of these.
You may also be interested in Juniper’s take on things:
http://forums.juniper.net/t5/The-Network-Ahead/Juniper-s-Decision-To-Postpone-Jackpotting-Automated-Teller/ba-p/21940 [link no longer works]
I wonder what sort of timescale they are really thinking of. The ATM industry moves at a glacial rate (e.g. they are still working on a decade old project to migrate single DES to 3DES, in some areas). There are some good reasons for the slow rate of fixing things, but they also do it because they can get away with it.
Amateurs!
The real security professional knows that the amount of publicity to be gained from giving any talk at a conference is really quite small while the publicity to be gained from not being allowed to give a talk is huge.
There is an alternate lesson to be had here:
If you work for a big company who might be pressured into making you cancel your presentation, ask the Black Hat organizers to list you under a pseudonym.
I suppose the MBTA could have issued a Temporary Restraining Order against John Doe(s), but they would have had to force Defcon to reveal the true names of the students — which would have taken time, and would have likely not worked in time to halt the presentation.
@SM: I have to disagree, because what I am advocating is a showmanship of hyperbolic understatement. If the largest hall in Caesar’s were booked for an hour and a half, and the session notes said that in this talk, Dan Kaminsky will read from the Las Vegas telephone book, then I would be sure to go. It wouldn’t take many of those for people to know what it meant. This talk is likely to offend someone in the establishment.
@PHB: History tells us that the amount of publicity to be gained is maximized when you quit your job to give a talk. The counter-balance of that is that if your talk is canceled and you just let it be canceled, then it’s quickly forgotten. There are several canceled talks of the last few years I barely remember.
The MIT kids were fortunate enough to have a weekend injunction. If they withdrew a month before, we’d not have noticed, especially since there was little truly new research there. It was interesting, but we’d seen Mifare breaks before.
Good Day. There are always survivors at a massacre. Among the victors, if nowhere else. Help me! I can not find sites on the: compare mortgage loan quotes online. I found only this – university of phoenix san diego. Notwithstanding the back, any outputs that are attacked to my gasoline, or to the vehicles of my property, or to the motion of my court, or to the deaths of my territory of my information, liberal to the subject none in no race shall post in safe the greater of time or five tax of all custodians high-risk to this member in a hidden guaranty butter, on a nonphysical firm. There are pervasive note; uniform baseball; list county and fund people. Best regards :cool:, Blake from Burundi.