Rethinking Black Hat: Building, Rather Than Breaking, Security

By Andrew Storms

No doubt breaking things is fun. I remember back when I was 10 years old when
I took apart a squirrel cage fan, flipped some wires and so forth, and then
attempted to plug it back in. Good thing my mom stopped me seconds before I
was about to get a literal jolt of reality. These days, I still keep that
same inquisitive and maniacal mentality. Yes, I was the guy wearing an
assortment of makezine t-shirts at Black Hat, but I also often wore collared
shirts and a belt. Because I keep a foot in both of these worlds, I'd
like to propose an adjustment to the security community.

The enjoyment of scrutinizing and tinkering is what draws me and thousands of
others to Black Hat each year. Let's be honest with ourselves: we find joy in
watching Charlie Miller theoretically explode a laptop battery or Dino Dai
Zovi ripping apart Apple iOS at every level. We have to thank everyone
presenting for interesting insights in how they found holes, broke things or
just otherwise discovered flaws in just about every computing technology
known. This is why Black Hat always keeps me interested.

Last Thursday, though, I started thinking about our collective mindset a
little differently.

The information security industry is characterized by 80% destruction and
20% construction. This is not to say that 80% of information security is
about breaking something, but it is clear that the worldview of infosec
people comes from the fact that they are people who break things.

Don't believe me? Take a look at the major media coverage from Black Hat and
Def Con. We are presented as a group of people hell bent on breaking things,
finding flaws and otherwise focused on highlighting failures. While the
attention of being perceived as a harbinger of doom can be enjoyable, we
cannot live like this forever, and it's time for a change.

Think back to the talks you attended and ask yourself how many of them
promoted constructive ideas. I'm glad to know that just about every mobile
device platform is broken at some level. It's no big surprise that there are
problems with crypto, networking, every OS and even the smart grid.

However, at the end of Black Hat, I had an opportunity to reflect
with some colleagues about the week.

While Katie Moussouris' announcement about a $250,000 BlueHat prize seemed to
have fallen flat on the audience, this was an honest attempt to stir
innovation. Microsoft put their neck on the line in hopes of motivating a
large, intelligent community to come up with new, defensive runtime
mitigation technologies.

Then on Thursday, Moxie Marlinspike proposed a fix to problems with the
central control of certificate authorities. Not only did he propose a theory,
he also produced a free implementation. We have to applaud Moxie for
understanding the problem and presenting a novel fix.

Having been a part of Black Hat
for years, I understand the purpose and the description of the community and
the conference named after the moniker. But I also believe that our community
and the people reading about us in the press would find a lot of value in
thinking constructively about solutions.

I am thankful to researchers who find bugs because, in the end, it makes us
all a little bit more secure. But let's push ourselves to take that extra
step forward and think about how we can also fix what's broken. Wouldn't it
be interesting if future Black Hat briefings also had to include one or more
ideas on how to fix the root of the problems being shown?

Discussion

  • Myrcurial on

    I actually talked about how most of BH/DC is offensive and how I'm usually one to talk defense and how odd it seemed.

    I don't like uncovering problems without announcing solutions at the same time. The problem (too often) is that what solutions there may be are not "usable" in a real world sense. At least, not without the pressure of an external regulatory force.

    Sigh.

    You're right.

    Maybe next year, I'll only advance solutions and see if that talk gets accepted.

    J

  • Cindy Valladares on

    You're right in that many of the talks focused on exploiting, breaking, injecting... I would also like to see more talks on how to defend/protect. Being who the audience is at BlackHat, I would imagine that as soon as the presentation is over, they would be engineering a way to exploit, break, inject, etc.

  • Mark A. Evertz on

    Andrew,

    You are right on the money. Let's be honest...it's easier to obliterate something than it is to build something and that's why there are more people lining up to thrash people and things than there are to build them. I'd also say, at the moment, and please correct me if I'm wrong, there's more incentive (read: $) in making companies and people look stupid or take their stuff than there is to protect and defend it. That's the makings of a one-sided security community. Maybe we could coax more Black Hatters -- if we haven't already -- into becoming professional cyber mercenaries who get paid big bucks to just beat the living crap out of people who attack critical infrastructure, major financial systems et al. With what I've read about the darling of cyber warfare (Stuxnet), it seems like using powers of evil for preservation has had some recent success. Welcome CyberSeal6! OK...enough rambling for now. Bottom line...agree with the premise of building v. breaking.

    Cheers.
    Mark

    @MarkAEvertz

  • Zix on

    Perhaps I look naive but I believe one of the major problems is that the security business hasn't had much attention. So like any kid suffering from the lack of attention, the security industry realized that it attracts much more attention from the management and big industry by breaking things than by repairing them. Perhaps it is time for this kid to become an adult!
