Hat of Darkness


Last week, I had the incredible fortune to be invited to volunteer for the BlackHat DC 2009 conference, held in Crystal City. I’ve read about the BlackHat conferences for years, of course; they’re some of the premier security conferences in the world, differentiated from other great security conferences (e.g., USENIX) by their focus on systems in the real world and how specifically to break them, rather than how to create new countermeasures, or study what hackers are doing. In other words, these are the hackers, in the most traditional sense; these are the people who see systems, and seek to understand how they work – especially if they might work in ways their designers didn’t intend.

So I spent two long days (I got up at 4:30AM each morning to get to the conference early enough to help set up) among some of the coolest people around. One of the neatest things about BlackHat DC particularly is that while it’s filled with great people, it’s very small – just a few hundred attendees – meaning there’s lots of opportunity to interact both with other attendees, and with the invited speakers. As a room proctor, one of my jobs was to take many of the speakers up to the breakout rooms, where people who had more in-depth questions than could be accommodated in the lecture could ask and debate to their heart’s content. This meant that I got to sit and talk with these speakers, as well – which was quite fun, with some of them.

I got to meet Paul Syverson, who developed the Onion Routing protocol, and listen to his defense of its security (and his critique of Xinwen Fu, who had just presented an attack that turned out to be neither new nor interesting). I got to eat lunch with Dan Kaminsky, who in addition to being a rising security star, is an incredibly nice guy – and a very emphatic (would be one word) lecturer. I got to help another rising star, Duc Nguyen, set up his four-laptop demonstration of how easy it is to fake “high-security” facial authorization (one laptop for each manufacturer that does it, plus one for his notes).

I also watched an insane and wonderful presentation entitled Satellite Hacking For Fun And Profit, where the presenter, Adam Laurie, not only set up a TCP/IP route from his friendly neighborhood TV satellite, but for an encore, demonstrated a Man-in-the-Middle attack against a passport, live. Wonderful stuff.

In addition, of course, it helps out my nerd cred immensely to be at a conference that’s getting Slashdotted so often. This led to several conversations on Friday and Saturday of the form “Did you see that article about Joanna Rutkowska hacking TXT again?” “No, but I watched her deliver the presentation.” :-)

Now, of course, I have to return to the real world, where not everyone I meet is an accomplished hacker. Some people are, of course, including one of my professors this semester, which makes things more interesting. I’m getting some neat things done, though; more on that in a subsequent post.