Rethinking Black Hat: Building, Rather Than Breaking, Security

By Andrew StormsNo doubt breaking things is fun. I remember back when I was 10 years old when
I took apart a squirrel cage fan, flipped some wires and so forth, and then
attempted to plug it back in. Good thing my mom stopped me seconds before I
was about to get a literal jolt of reality. These days, I still keep that
same inquisitive and maniacal mentality. Yes, I was the guy wearing an
assortment of makezine t-shirts at Black Hat, but I also often wore collared
shirts and a belt. Because I keep a foot in both of these worlds, I¹d
like to propose an adjustment to the security community.

No doubt breaking things is fun. I remember back when I was 10 years old when
I took apart a squirrel cage fan, flipped some wires and so forth, and then
attempted to plug it back in. Good thing my mom stopped me seconds before I
was about to get a literal jolt of reality. These days, I still keep that
same inquisitive and maniacal mentality. Yes, I was the guy wearing an
assortment of makezine t-shirts at Black Hat, but I also often wore collared
shirts and a belt. Because I keep a foot in both of these worlds, I¹d
like to propose an adjustment to the security community.

The
enjoyment of scrutinizing and tinkering is what draws me and thousands of
others to Black Hat each year. Let¹s be honest with ourselves: we find joy in
watching Charlie Miller theoretically explode a laptop battery or Dino Dai
Zovi ripping apart Apple iOS at every level. We have to thank
everyone
presenting for interesting insights in how they found holes, broke things or
just otherwise discovered flaws in just about every computing technology
known. This is why Black Hat always keeps me interested.

Last Thursday,
though, I started thinking about our collective mind set a little
differently.

The information security industry is characterized by 80%
destruction and 20% construction. This is not to say that 80% of information
security is about breaking something, but it is clear that the world views of
infosec people come from the fact that they are people that break
things.

Don¹t believe me? Take a look at the major media coverage from
Black Hat and Def Con. We are presented as a group of people hell bent on
breaking things, finding flaws and otherwise focused on to highlighting
failures. While the attention of being perceived as a harbinger of doom can
be enjoyable, we cannot live like this forever, and it¹s time for a
change.

Think back to the talks you attended and ask yourself how many
of them promoted constructive ideas? I’m glad to know that just about every
mobile device platform is broken at some level. It¹s no big surprise that
there are problems with crypto, networking, every OS and even the smart
grid.

However, at the end of Black Hat, I had an opportunity to reflect
with some colleagues about the week.

While Katie Moussouris’
announcement about a $250,000 BlueHat prize seemed to have fallen flat on the
audience, this was an honest attempt to stir innovation. Microsoft put their
neck on the line in hopes of motivating a large, intelligent community to
come up with new, defensive runtime
mitigation technologies.

Then on
Thursday, Moxie Marlinspike proposed a fix to problems with the central
control of certificate authorities. Not only did he propose a theory, he also
produced a free implementation. We have to applaud Moxie for understanding
the problem and presenting a novel fix.

Having been a part of Black Hat
for years, I understand the purpose and the description of the community and
the conference named after the moniker. But I also believe that our community
and the people reading about us in the press would find a lot of value in
thinking constructively about solutions.

I am thankful to researchers
who find bugs because, in the end, it makes us all a little bit more secure.
But let¹s push ourselves to take that extra step forward and think about how
we can also fix what¹s broke. Wouldn’t it be interesting if future Black Hat
briefings also had to include one or more ideas on how to fix the root of the
problems being shown?

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business