Ten years after the sellout, Black Hat is solidly corporate and that’s fine

DEF CON is hopefully never going to change

The open internet is failing

Granick was at some of the first DEF CON meetings and is a geek and lawyer who is passionate about the possibilities of a connected society. But we're in deep trouble, she warned – a message echoed by her warm-up guy Moss.

When Granick first got online in the 1980s it was hoped that the internet would enable a global conversation where gender, race, and creed became unimportant compared to ideas, she said. Censorship would be routed round, governments would become more open, and the spread of information would benefit humanity, was the assumption.

Instead, she said, sexism, race relations, and religious intolerance had proved stronger than expected and the internet was increasingly being used to reinforce existing power structures rather than break them down.

A succession of internet laws, led by the 1996 Communications Decency Act, were forcing internet traffic into choke points that could be regulated, while law enforcement is playing an increasingly destructive role in stifling conversation.

The FBI is now asking service providers and internet companies to monitor traffic not only for criminal activity, but for indicators that the user might be considering breaking the law. Companies are, by and large, complying with this, and it's chilling free speech, she warned.

It was a theme echoed by some of the other speakers on the first day. Canada's Citizen Lab showed off a new technique for matching binaries in state-sponsored malware. It identified candidates dating back to 2002 that could be attributed to the US, the UK, China, or possibly Israel, and which had been completely ignored by major antivirus firms.

Frames, phones, and automobiles

In terms of hacking it was a very mixed bag. Frame exploits are always popular here, and there were the usual software and mainframe exploits. But this year's show had a lot more non-standard device hacks than previous conferences.

Phones were very high on the agenda, and the weeks preceding the show had been full of attacks against Android and a few iOS cracks as well. Windows Phone and BlackBerry didn't get much of a mention, with one speaker pointing out it was only worth investing time cracking operating systems people actually used.

Google was at the conference in force to give its response (Apple tried Black Hat, didn't like it, and hasn't come back yet), and Adrian Ludwig, lead engineer for Android security at the Chocolate Factory, came along to announce the firm was upping its game.

The Stagefright bug was being patched, he said, and all the major handset vendors would be pushing down fixes and doing monthly updates from now on. Whether all the telcos will play ball remains to be seen, but it's clear Google has had an internal moment similar to the one Microsoft went through in 2002.

Android needs to get this issue fixed, and the view from the show floor was that Google has done a pretty good job at reassuring people. It's tricky for the Chocolate Factory, since its code base is open for all – it's possible that there are large holes in iOS too, but people have a much tougher job finding them.

The other rising star is the automotive sector. Chrysler hackers Charlie Miller and Chris Valasek had possibly the best-attended talk at Black Hat, and also packed out their hall at DEF CON, but there were other car hacks out there as well.

Interestingly, Miller and Valasek told the press conference after the talk that if it hadn't been presented at Black Hat then Chrysler wouldn't have fixed it. The company moved fast once they had been told a presentation was planned – and at least a fix is better than trying to sue the researchers to shut them up.

As cars get more computationally complex, these kinds of hacks are going to become increasingly important, but it's clear that the car manufacturers haven't really put the time and effort into making their vehicles even remotely secure. In computer terms they are about at the Windows 98 level of security awareness, which doesn't bode well.

There's another reason why hackers are targeting cars – it's a very sexy hack. Tell someone they might lose a database and they'll be concerned. Tell 'em you can crash their car with them in it and people get scared, and that brings lots of headlines and kudos.


Biting the hand that feeds IT © 1998–2021