August 11, 2011, 9:45AM

Rethinking Black Hat: Building, Rather Than Breaking, Security

By Andrew Storms

No doubt breaking things is fun. I remember, back when I was 10 years old, taking apart a squirrel cage fan, flipping some wires and so forth, and then attempting to plug it back in. Good thing my mom stopped me seconds before I was about to get a literal jolt of reality. These days, I still keep that same inquisitive and maniacal mentality. Yes, I was the guy wearing an assortment of makezine t-shirts at Black Hat, but I also often wore collared shirts and a belt. Because I keep a foot in both of these worlds, I'd like to propose an adjustment to the security community.

The enjoyment of scrutinizing and tinkering is what draws me and thousands of others to Black Hat each year. Let's be honest with ourselves: we find joy in watching Charlie Miller theoretically explode a laptop battery or Dino Dai Zovi rip apart Apple iOS at every level. We have to thank everyone presenting for interesting insights into how they found holes, broke things or otherwise discovered flaws in just about every computing technology known. This is why Black Hat always keeps me interested.

Last Thursday, though, I started thinking about our collective mindset a little differently.

The information security industry is characterized by 80% destruction and 20% construction. This is not to say that 80% of information security is about breaking something, but it is clear that the worldview of infosec people comes from the fact that they are people who break things.

Don't believe me? Take a look at the major media coverage from Black Hat and Def Con. We are presented as a group of people hell-bent on breaking things, finding flaws and otherwise focused on highlighting failures. While the attention that comes with being perceived as a harbinger of doom can be enjoyable, we cannot live like this forever, and it's time for a change.

Think back to the talks you attended and ask yourself how many of them promoted constructive ideas. I'm glad to know that just about every mobile device platform is broken at some level. It's no big surprise that there are problems with crypto, networking, every OS and even the smart grid.

However, at the end of Black Hat, I had an opportunity to reflect with some colleagues about the week.

While Katie Moussouris' announcement about a $250,000 BlueHat prize seemed to have fallen flat on the audience, this was an honest attempt to stir innovation. Microsoft put their neck on the line in hopes of motivating a large, intelligent community to come up with new, defensive runtime mitigation technologies.

Then on Thursday, Moxie Marlinspike proposed a fix to problems with the central control of certificate authorities. Not only did he propose a theory, he also produced a free implementation. We have to applaud Moxie for understanding the problem and presenting a novel fix.

Having been a part of Black Hat for years, I understand the purpose and the description of the community and the conference named after the moniker. But I also believe that our community and the people reading about us in the press would find a lot of value in thinking constructively about solutions.

I am thankful to researchers who find bugs because, in the end, it makes us all a little bit more secure. But let's push ourselves to take that extra step forward and think about how we can also fix what's broken. Wouldn't it be interesting if future Black Hat briefings also had to include one or more ideas on how to fix the root of the problems being shown?

Comments

I actually talked about how most of BH/DC is offensive and how I'm usually one to talk defense and how odd it seemed.

I don't like uncovering problems without announcing solutions at the same time. The problem (too often) is that what solutions there may be are not "usable" in a real world sense. At least, not without the pressure of an external regulatory force.

Sigh.

You're right.

Maybe next year, I'll only advance solutions and see if that talk gets accepted.

J

You're right in that many of the talks focused on exploiting, breaking, injecting... I would also like to see more talks on how to defend/protect. Being who the audience is at BlackHat, I would imagine that as soon as the presentation is over, they would be engineering a way to exploit, break, inject, etc.

Andrew,

You are right on the money. Let's be honest... it's easier to obliterate something than it is to build something, and that's why there are more people lining up to thrash people and things than there are to build them. I'd also say, at the moment, and please correct me if I'm wrong, there's more incentive (read: $) in making companies and people look stupid or taking their stuff than there is in protecting and defending it. That's the makings of a one-sided security community. Maybe we could coax more Black Hatters -- if we haven't already -- into becoming professional cyber mercenaries who get paid big bucks to just beat the living crap out of people who attack critical infrastructure, major financial systems et al. From what I've read about the darling of cyber warfare (Stuxnet), it seems like using powers of evil for preservation has had some recent success. Welcome CyberSeal6! OK... enough rambling for now. Bottom line... agree with the premise of building v. breaking.

Cheers.
Mark

@MarkAEvertz

Perhaps I look naive, but I believe one of the major problems is that the security business hasn't had much attention. So, like any kid suffering from a lack of attention, the security industry realized that it attracts much more attention from management and big industry by breaking things than by repairing them. Perhaps it is time for this kid to become an adult!