FUD Watch | Black Hat and the Hype Machine

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to bbrenner@cxo.com.

Fellow NAISG board member Jack Daniel, a sharp security mind who does blacksmithing for fun and inspired me to write a story on how folks in our industry blow off steam, has gotten my brain spinning once again.

The inspiration this time is an item he wrote in his Uncommon Sense Security blog about the Black Hat and Defcon events that’ll have Las Vegas crawling with hackers next month. He notes how he’ll be attending and how he will point out the disconnect between “real” security types and much of the real world.

“So if these events are just a bunch of security geeks and hackers getting together, where’s the relevance?” he asks. “Isn’t it really just preaching to the choir? What’s the point in that when the people who need to get the message aren’t there or listening? Why go through the torment and degradation that defines modern air travel just to stress-test your liver?”

He ultimately concludes that there’s still a very good reason to attend these gatherings, because “as ‘the choir’ it is our responsibility to spread the word to the rest of the world. If we need to hang out with a few thousand other security and hacker types and sacrifice some brain and liver cells to keep up with the latest news so that we can spread the word, I am willing to make that sacrifice for the good of the world,” he writes.

Since Black Hat falls on the same week as my tenth wedding anniversary I won’t be going to Vegas this time around. But I did make the trek last year and the year before, and I’ve often found myself wondering if the hype surrounding what happens on the upper floors of Caesars Palace squares with what security pros need to be focusing on.

Some say events like these are nothing more than an ego fest for vulnerability researchers. Though there’s some truth to the ego fest part, I agree with Jack that Black Hat and Defcon are ultimately worth the time and money.

At the same time, things happen there that sometimes get in the way of the big picture.

In 2005, a lot of presentations were overshadowed by a big stink Cisco made over researcher Michael Lynn’s plans to unveil a vulnerability in Cisco’s routers that, if exploited, could have theoretically done serious harm to the Internet. That one controversy was practically all the tech media would focus on, and, nearly three years later, the digital underground has yet to bring down the Internet with that particular flaw.

At last year’s Defcon event, which takes place in a different Vegas venue after Black Hat, all else was overshadowed by the public outing of a Dateline NBC reporter who was undercover at the hacker gathering with a hidden video-camera to see if she could out an undercover federal agent at Defcon and make a story out of the perceived sinister deeds that transpire there.

There is always a lot of coverage leading up to the events, especially the buzz about one big flaw or another that will be revealed there. Sometimes, the buzz is justified.

This time, for example, a lot of the focus is on a Domain Name System (DNS) flaw researcher Dan Kaminsky will present on in technical detail. The flaw, one of the genuine big ones that prompted a variety of vendors to collectively release software updates to patch it this week, is worth the hype because it affects one of the Internet’s underlying protocols.

Has all the hype diminished the relevance of these events? I don’t think so. It will always be human nature to stop and glare at high drama, but those who pay attention to the rest of the agenda are bound to come out of it with some wisdom they can take back to their jobs.

The trick is for security pros to go there with eyes and ears at attention, taking note of the dramatic moments but not being consumed by them. It’s up to the professional to see through the hoopla and focus on presentations that just might have an impact on their individual security program.