As an Armenian genius explains how the HTML5 WebSockets that enable video streams on mobile devices can also enable sophisticated hacking frameworks, the first image that pops into my head is of me chucking my phone into Siren’s Cove at TI. The second is of Lee Van Cleef—the spaghetti Western’s favorite villain—doing his signature squint while typing malicious code.
Van Cleef’s characters almost always wear a black hat, a bad-guy icon that became a cuter term for hacker. Hence Black Hat, the 15-year-old information security conference that brings geeks from government, big business, academia and the underground to “the intersection of network security and hacker ingenuity.” Some are white hats dedicated to defending against the more injurious element of DEFCON. Both conferences were founded by Jeff Moss, though Black Hat has grown into something of a corporate foil to its impish predecessor.
That doesn’t mean it’s devoid of personality. Seminar titles range from “Practicing Safe Dex” to “My Arduino Can Beat Up Your Hotel Room Lock” to “Hookin’ Ain’t Easy: Beef Injection with MITM,” and the Pwnie Awards (unicorn toys with pink hair) for epic security innovations and failures provide some comic relief. But Black Hat’s discount Iron Man posing for pictures can’t compete with DEFCON’s ninja presenter, mohawk station and “Wall of Sheep” displaying the names and partial passwords of users who’ve just been compromised.
No doubt there are black hats at this buttoned-up party at Caesars Palace, just as there are federal agents down the street at DEFCON, celebrating its 19th year at the Rio. The lines are more than blurred—a guy might hack an ATM at Black Hat one year and show up on its roster of speakers the next.
“You have to be an attacker in order to know how to best defend,” says Solomon Sonya, a network security engineer working on two master’s degrees and open-source methods of mitigating vulnerabilities in the technology we depend on and desperately want to trust.
Sonya and Dan Guntner, another programmer and over-achieving grad student, are presenting a tool they’ve created, SNSCat. In 60 minutes they teach us how it can parasitize the files of unwitting social networkers to hide and transport data. Some of the bytes composing that Twitter photo of LeAnn Rimes in a donkey head could be turned to the dark side, loaded with the secret recipe for Coca-Cola and told where to carry the goods. Rimes and her followers would never know because the file would look and function exactly the same. And security protocols would be hard-pressed to catch such cleverly disguised covert-channel activity.
Sonya and Guntner aren’t trying to give black hats ideas. In fact, the algorithms they’re using were cracked 20 years ago (though Sonya says they remain nearly invisible to current data loss prevention technology). Rather, they want white hats to face and understand the gaps in the wall in hopes the organizations they serve will focus more on preventing attacks than scrambling to clean up the mess.
I ask Sonya whether it’s safe to use my smartphone for, well, anything, especially considering that the once “impervious” Apple officially attended and presented at Black Hat for the first time this year. He chuckles and tells me he doesn’t even check email on his. And his computer has virtual silos such that he never banks and surfs on the same system.
“A lot of applications treat security as an afterthought, meaning, ‘Let me just get the product done as fast as possible,’ … versus, ‘Let me make it secure.’ Because to make it secure means you have to invest more time—now you have to stress test it; now you have to go back and reprogram it—whereas the other company already released four updates out there that people are buying.”
Suddenly I don’t feel so silly about my Siren’s Cove idea, though I can’t forget a conversation I once had with badass security technologist and author Bruce Schneier, who’s also presenting at Black Hat. I asked this world-renowned cryptographer, who’s written reams on the psychology of fear, how scared I should be. We chatted about probability, the math behind terrorism and lightning bolts and Daewoos driven by surly teens. He helped me realize that the average person often perceives the greatest risk in the slimmest possibility because it grabs headlines and tugs heartstrings. Whatever the threat, Schneier says, security is both a feeling and a reality. And they’re not the same. “The notion of ‘If you buy my widget you will be safe’ was never true,” Infosecurity reported him saying in his Black Hat talk. Wolves will always have the advantage, and there’s no silver bullet. That doesn’t mean sheep should stop shopping for shoes online, but they should know the actual risks and behave accordingly. One odd comfort is Schneier’s suggestion: “Society needs defectors—more security isn’t always better.”
Riding the escalator back to reality, I scan faces, trying to guess who might be wearing which hat. Or both. I feel as though any second, anyone could turn from the woman in red into Agent Smith with a Desert Eagle semi-auto pointed at my head. It’s unnerving, but the casino floor makes me smile. At the roulette table, everybody gets screwed.