This past week I was in Las Vegas covering the 11th annual Black Hat security conference, followed by the 15th annual Defcon. It was my 8th year covering these. Although I stayed only for the training and briefing events at Black Hat this year, I was aware in advance of an attempt by the producers of NBC's Dateline to sneak an undercover camera into the conference at Defcon over the weekend. The backlash on this particular NBC reporter has been swift and harsh. And I should say, rightly so.
When I first attended Black Hat in 2000, the security conference was spawning itself from its more famous parent, Defcon, a unique gathering of elite computer hackers ("hackers" in the positive sense of the word, not the criminal sense). At that time, Black Hat was to be a more mature conference, with government officials, academics, and even corporate types. Back in 2000, when there were maybe 1,000 attendees, there was no press room. Even so, I have always felt welcomed.
My lunch with elite hackers
That first year, I remember having lunch at a table with Cult of the Dead Cow member Mudge and another elite hacker. Later that same year, Mudge went to Washington to consult with President Clinton about denial-of-service attacks. But at that Black Hat lunch, though there was an initial ripple of whispers around the table as it was learned I was a member of the press, Mudge smiled and continued talking with me. At the time, Mudge was gainfully employed by @stake; he has since left and today is involved with other security companies. In fact, many of the people I met that first year are now working in the lucrative security business. Take Dark Tangent--aka Jeff Moss--who is Director of Black Hat, and who last year sold his interests in the conferences to CMP Media for around $10 million.
This year, whether it was the influence of CMP or just a general, overriding awareness of security, Black Hat's attendance officially topped 4,000 for the first time and may have, when all is tallied, reached 5,000. The Black Hat staff responded gracefully and professionally. Anticipating growth, Black Hat this year used larger conference rooms, simulcast the keynotes to auxiliary rooms, and generally kept everyone happy, even though it got a bit claustrophobic at times.
No buzz this year, however
But unlike previous Black Hats, there were relatively few controversies. One presenter was blocked at the U.S. border and thus prevented from attending, but no vendors attempted to sue the presenters who did attend to prevent them from speaking. In fact, vendors were more proactive this year. On the eve of this year's presentations, both Mozilla and Apple released security patches, the latter more or less taking the thunder out of Charles Miller's presentation on the iPhone vulnerabilities. Then again, Miller did share his vulnerability data with Apple before the conference.
In past years, though, I saw an early version of the MSBlast worm make the rounds at Black Hat and Defcon, then, two weeks later, on August 11, 2003, the real worm was released to the world. In contrast, this year Black Hat was...quiet. The only notable moment was when Errata Security's CEO Robert Graham hacked an audience member's live Gmail account to demonstrate how the cookies of popular Web 2.0 sites are vulnerable to a new kind of man-in-the-middle attack. (Let that be a warning to anyone reading e-mail during his presentations in the future.) That live demo produced the only applause I heard all week, and spontaneous applause doesn't happen often enough at Black Hat these days. Worse, a few of this year's Black Hat presenters were repeats of talks given at security conferences held earlier this year.
On the second day of the briefings, a Black Hat official asked me about the legality of using a concealed video camera at Defcon. Defcon requires members of the press to sign a lengthy document barring the use of photography except when all parties within the shot agree. But Defcon, unlike Black Hat, uses anonymous badges, and even when, as a member of the press, I wanted to talk to someone, I would often learn only their alias, not their real names. That NBC's Dateline came into Defcon with the hopes of rewarding its viewers with an image of a true hacker doing something illegal on camera is downright sleazy. There are rules for the attending press, and they chose to flout them.
Black Hat/Defcon organizers had advance word; they even knew the name of the reporter. Before the conference, they were working with NBC to try and convince Dateline's associate producer Michelle Madigan to sign up as press, rather than as a general attendee. She refused several times. My colleague at ZDNet, George Ou, provides the most thorough coverage of what happened next. George writes, "When a Defcon staffer spoke to Madigan posing as regular attendee, Madigan commented that people in Kansas (reference to middle America) would be very interested in what was 'really' going on in Defcon."
What's really going on at Defcon
If Black Hat is four to six days of college-level seminars, then Defcon is the three-day frat party afterward. At both conferences, you have the rare chance for federal agents, academics, hackers, script kiddies, and interested parties to talk amid some cutting-edge security presentations. At Defcon, one of the activities is called "spot the fed" where attendees inform Defcon staffers who they think is likely to be working for the government. If correct, the attendee gets a t-shirt reading "I spotted the fed" while the fed in question gets a shirt emblazoned "I am the fed." All in good fun.
However, on Friday, Black Hat and Defcon Director Jeff Moss announced at the opening of Defcon that there was an undercover reporter without press credentials among the attendees; he further announced that this year there would be a new game, "spot the undercover reporter." After asking the audience what should be done with an undercover reporter without press credentials, Moss then said "well, the reporter's in this room, and I think we'll be escorting her out of the room for false pretenses and misrepresentation." NBC's Madigan was escorted out by Defcon staffers, then trailed and taunted by attendees. You can see a YouTube video of the expulsion here. It was covered in great detail, because the legitimate media had been tipped off in the press room shortly before.
Not everyone agrees
Another ZDNet colleague, Ryan Naraine, disagrees. He wonders whether Moss should have behaved differently, and not triggered a "burn-the-witch" mob at the conference. He concludes by stating "Today it's Madigan; tomorrow it may be you."
I don't agree. As a member of the press I've always been treated well by the organizers and attendees of both Black Hat and Defcon. As Moss said shortly before outing the undercover reporter, "this conference is about openness." Yes, people hide behind silly nicknames, but you can still sit down and talk with them; they know you're press, and you know they may be doing stuff that isn't precisely defined as legal or illegal. The point is, they're there talking with you. They're trying to get the word out about what's wrong with computer security today.
Where the hackers really are
I'm also glad that the mainstream media is covering Black Hat and Defcon. The Washington Post came last year and returned this year. The same with USA Today. But I'm really offended that NBC would view the conference as an easy way to spot a criminal hacker in the act or, as it was suggested to Black Hat organizers, as part of a story about companies hiring hackers to work for them.
Let's not misinform the people in Kansas with made-up stories, shall we? There are plenty of great stories to be had if you come to these conferences with an open mind and a willingness to learn what's being said and done. NBC should realize that the real criminals are not at Black Hat or Defcon; they're out making money in St. Petersburg, Russia; or in Guangdong province, China; or in Kansas. Maybe Dateline's Madigan should take her pinhole cameras there instead.
Should the mainstream media be making a spectacle out of security conferences like Black Hat and Defcon?