Shostack + Friends Blog Archive


Hacking Humans at BlackHat

Hacking humans is an important step in today’s exploitation chains. From “2011 Recruitment plan.xls” to instant messenger URL delivery at the start of Aurora, the human in the loop is being exploited just as much as the machine. In fact, with the right story, you might not even need an exploit at all.

So I’m looking to put together an awesome track on hacking humans for Black Hat USA 2013. I’d love to see work on things like:

  • Unusable security or privacy (preferably with user studies)
  • The cognitive science of attention
  • Conditioned-safe ceremonies
  • Measuring the effects of security awareness training
  • Human compliance budgets
  • Threat modeling techniques for user interfaces
  • What any of these attacks might teach defenders about user interface design
  • Engineering for real world human error
  • New ceremony analytic techniques
  • New frameworks for thinking about hacking humans, or defending against attacks on people
  • This list is incomplete

At Black Hat we like talks about hacking stuff. We like technical talks. We don’t like pure theory without demonstrated application. We don’t have talks about getting a UPS uniform.

If you have such content, I encourage you to check out the Black Hat Call for Papers and consider submitting by April 15th.