We're on the ground in Las Vegas for the Black Hat conference this week, bringing you the latest news and notes from the information security field. In today's keynote, we heard from the founder of the conference, Jeff Moss, as well as Facebook's Chief Security Officer, Alex Stamos.
This is the 20th annual Black Hat conference and while, as Moss pointed out, the first conference was little more than a group of people sitting in a room chatting about interesting topics, the show itself has grown exponentially, bringing in over 9,000 attendees from more than 80 countries this year. More importantly, Moss noted that the industry is still in its infancy: The conference isn't even old enough to drink in Las Vegas yet. It's going to be critical to find ways to grow the community over the next 20 years, including mentoring new folks who are interested in the field but don't know how to start.
Next, Alex Stamos took the stage and made two very important observations related to information security. The first is that the field spends most of its time paying attention to complex problems, but ignores actual human harm. According to Stamos, "Adversaries will do the simplest thing they need to get the results they want, but we focus on the really sexy difficult problems. It's cool to see someone bypass a hard problem [on stage], but that's not something you'll probably see in the real world." He went on to highlight the fact that traditional information security focuses on the tip of a pyramid, working on things like 0-day attacks, phishing, patching, and password reuse, while ignoring generic system abuses like doxxing, spam, and sexual exploitation on social media. It's this abuse that, while not exploiting system flaws, causes the most harm to individual users.
The second observation is that people in the industry "punish imperfect solutions in an imperfect world." Professionals frequently make comments like, "security would be easy if not for the users," and "PEBKAC: Problem exists between keyboard and chair." However, information security professionals often have unreasonable expectations and lack empathy for the users they're trying to protect. We tell users not to click links or open attachments, but it's difficult to know what's legitimate and what's not. We tell users to ensure they're using HTTPS and that they have the proper TLS encryption, but most people don't understand the technical details, and it's not realistic to expect them to.
Stamos went on to talk about the concept of "Security Nihilism," which in his words, "is an overlapping set of beliefs that include the assumption that all attackers are perfect, that everybody faces the worst possible threat scenario or that any compromise to make a security feature more widespread should be considered a bug." He brought up some complaints people had about WhatsApp's end-to-end encryption design decisions. Instead of commending the company for providing encryption to its one billion users, many claimed it was an intentional backdoor.
Later in the keynote, Stamos brought up the fact that we celebrate breaking into systems far more than defending them. Read any newspaper headline, and you'll hear about data breaches and system vulnerabilities, but when an organization successfully defends against an attack, nobody notices. To help combat this, Facebook is earmarking $1M this year for the best defense research as presented by USENIX papers. Some topics they're hoping to see revolve around the cause of patch lag, account lifecycle management, security/safety issues with the real smartphone ecosystem from developing countries, and account recovery which is always a potential backdoor.
Finally, circling back to the issue of addressing abuse of normal system functions, it was highlighted that most of this falls outside of what is typically considered "normal" information security. However, there are no conferences where people can talk about those types of issues, so for now, our industry is the best equipped to address these topics.
There were a few other topics of interest presented at the keynote, and if you want to see it all yourself, check out the video that Facebook posted.