Black Hat is still a must-attend event, but not for the same reasons

When the Black Hat conference moved to the Mandalay Bay hotel, I was curious as to what would be different. Over the years, Black Hat has evolved into something very different from how it started. Whether it has been a good or bad evolution depends on your perspective.

As background, I have the honor of having been the first keynote speaker at the first Black Hat conference. The original event was an add-on to the Defcon conference. At the time, Black Hat was the idea of one of Jeff Moss’ friends, who noticed that more and more corporate people were attending Defcon. The thought was to put on a more upscale event with similar content, without the havoc of Defcon. The first year, at the soon-to-be-demolished Aladdin hotel, held all attendees in a relatively small conference room that sat fewer than 100 people.

The most memorable session, except of course for my own, involved hackers talking about how they felt no guilt in releasing vulnerabilities. Those vulnerabilities inevitably caused damage, not to the vendors of the products, but to the end users of the systems, who were left unprepared to fix the vulnerabilities before suffering an inevitable attack.

Over the next few years, the Black Hat hype grew, which continued to grow Black Hat attendance. Through those years, I tended to speak on social engineering and related topics, and as such I had packed audiences. Black Hat sessions tended to be on highly technical subjects that the typical “suits”, looking very out of place, did not understand.

Over time, as the number of tracks grew, more sessions were added, and the technical depth sometimes seemed shallow. There are only so many Zero Day vulnerabilities to go around. Every year though, a few notable Zero Day attacks make great press. The top headlines, however, come from the sessions that are cancelled.

Cancelling a session makes more news than the story itself. What is notable is that the cancelled sessions are usually due to employers having policies that forbid the release of information. The reasons are that the work is proprietary, was found under some non-disclosure agreement, or, more frequently, that the employers have policies against releasing Zero Day vulnerabilities.

As Black Hat started attracting more sponsors, the number of vendor-sponsored parties started to grow. The parties became bigger attractions than the event itself. Also, it seemed that more people were going not because of the event, but because everyone else was going. For lack of a better term, Black Hat turned into the RSA Conference, but in Las Vegas.

However, Black Hat still strives to release Zero Day vulnerabilities. As important, Black Hat has attracted a robust B-Sides event. Defcon is still as iconic as ever. The combination of all three of those events means that a large number of new exploits might be released.

The ironic part, however, is that the reason people are attending is not that they want to learn how the vulnerability came about from some collegial perspective, but that they have to figure out how to deal with the potential damage that will come when the vulnerability is released.

I know several senior security executives who attended the events solely to attend a few sessions that were anticipated to put their organizations at serious risk. Ironically, none of these people were from vendor organizations, but from organizations that were users of the products in question.

These people are left very vulnerable, depending on the scope of the vulnerability to be released. While they have very strong security programs, they know that their architectures can crumble depending upon the nature of the vulnerability. They are not going to get rid of the products in question, or stop using the vendor in question, as rarely is a vendor negligent. It is not possible for any vendor to write perfect software, so the goal of shaming the vendor doesn’t work.

With the lack of any pre-disclosure of information, these security executives have to attend the presentations and quickly determine whether or not the potential vulnerability represents a threat to their organization. If there is a threat, then they have to figure out how to temporarily mitigate the problem until the vendor can release a patch.

However, as a significant number of Black Hat attendees see little value in the sessions and just want to attend the parties and catch up with their friends, a Business Pass was created. This allowed for expo and keynote attendance. It is clearly a business decision to attract revenue from those people who are skipping the conference itself and just attending the surrounding events. The decision worked, and there were approximately 9,000 attendees this year.

If they have to create a pass for people who are not interested in the sessions but want to attend their events, I would normally recommend that they reevaluate their programming and consider having sessions that attract a wider variety of people. That would increase their revenue. Again though, as I previously stated, Black Hat is becoming much more like RSA, which has an Expo Plus pass, which is basically the same as the Black Hat Business Pass.

It is fascinating how Black Hat has evolved from a comparatively dingy conference room in a dying hotel to now the top venue in Las Vegas. Black Hat has made its name by being notorious. Unfortunately, that creates problems for many of the people who made it successful. While I realize that pre-releasing vulnerabilities goes against what makes Black Hat notable, it will serve its attendees well. Maybe that is an area that should evolve along with the other aspects of the conference.
It will be interesting to see where the conference ends up in another decade or so.