There's a lot to like, even admire, in the agenda of the Black Hat conference in Las Vegas. But Security Supersite Editor Larry Seltzer wonders whether the sessions also help foster new security problems for us all.
While writing my column earlier this week I got mad at the organizers of this week's Black Hat conference in Las Vegas. After all, why try to train people to write the worst, most invasive and most difficult-to-defend-against attack software?
Their main argument is that security professionals need to understand attacks, even the worst ones, if they are to defend against them. Even if there's clearly something to it, I'm not sure the argument completely works. I just don't like the idea of so openly spreading knowledge of such potentially destructive technologies.
At the same time, a more comprehensive look at Black Hat's sessions shows a picture of useful, interesting and undeniably legitimate training. There's a wealth of information covering computer forensic examination and how to secure your network against general and specific threats, as well as postmortems on recent security incidents and evaluations of prominent products. Speakers at the conferences have included representatives from Microsoft, law enforcement officials, and even the Special Advisor to the President for Cyberspace Security. For more information, take a look at Black Hat's archive of presentation notes and videos from past conferences.
Still, on the flip side, there's the rootkit class I mentioned earlier. And the session on how to exploit DCOM. And how to write Cisco IOS exploits. I would feel a lot more comfortable with exercises such as these if they were always accompanied by information on how to defend yourself against the attack.
For instance, there's the class "Attacking and Securing UNIX FTP Servers." This one-sided training reminds me of the people who publicly release exploit code for a vulnerability before it has been patched. Such people are part of the problem in spite of their puerile excuses. Just because people ought to look where they're going doesn't make it right to throw banana peels on the sidewalk. If someone trips, you are to blame.
When I was younger, there was a time when I wanted to become a locksmith, and I still like to tinker with locks. I'm sure some percentage of the people who attend locksmith vocational and technical schools do so intending to use their knowledge in the pursuit of crime. The same goes for people who learn about alarm systems. I'm sure everyone in the business just accepts this situation, since you can't read people's minds when you train them. You have to hope they will be honest.
And even though a good locksmith must think like a burglar in order to make a building really secure, I really doubt that they teach "Breaking and Entering 101" and "Advanced Bank Robbery" in locksmith school. Or do they? Should they?
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.
For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.
In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.
Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.