August 4, 2007

Now it’s time to return to those thrilling days of yesterday. Defcon is to Black Hat as Beaver is to Wally. Or, looking at it the other way, as Scarlett Johansson is to Julia Roberts. It plays either a lot younger or a lot purer to concept, depending. Take registration. Tony and I walked up and found we weren’t on the press list. The DefCon guy looked at our Black Hat stuff, wrote us onto the list and gave us our badges, just like that. It took us an hour to register at the Black Hat machine, with its 15 stations and dozens of registration elves. DefCon was moving people through at amazing speed, with no hassles. I guess that’s what an all-cash, no pre-registration policy will do. Although DefCon plays younger brother, the Riviera, site of DefCon, definitely has a bit of an “old Vegas” look and feel next to the slick Caesars Black Hat venue. In this case, the absence of offered amenities precluded a direct comparison, but Caesars’ facilities were a cut above.

I went to the first session, which was a repeat of the Black Hat VC panel. Tony and I wanted to re-introduce ourselves to Maria Cirino, General Partner of .406 Ventures in Boston. I scored big points the day before by knowing what .406 was named for (any guesses?), so we wanted to see if we could set up a meeting. Now the DefCon logistics turned its ugly side up. She was told the panel started at first 11:30, then noon. Wrong, it was actually 11:00, so everyone scrambled to locate the panel members and they arrived late, leaving us time for only a wave and a phone call later next week. Beaver giveth and also taketh away.

The vendor scene was another example of the Beaver/Wally scenario. Black Hat had Microsoft, Cisco, Symantec. DefCon? Not exactly. However, there were Jinx and CyberPunk University selling gear (panties with clever sayings like “The only Bush I trust is my own” for $10). Meco and Unix Surplus were selling used lappers and radio stuff; No Starch Press had books; and our favorite, the University of Advancing Technology, was selling gear and courses on their online university (hey, they gave us a free shirt!). The point was, the vendor big leagues are still a while away at DefCon.

And, that’s OK. It’s just not that kind of get-together. Jeff Moss built Black Hat from a renegade group to a semi-corporate, just-ready-for-prime-time convention, able to attract major sponsors and major vendor support. He sold it high, and good for him. It’s evolving into a predictable, ever-growing revenue stream, like the IT security industry. The same thing happened to Comdex and ISPCon. But DefCon is Jeff’s baby, and he kept it and is keeping it true to its origins. That’s a good thing. Don’t forget that you have a real friend in Mr. Moss.

I attended a session of particular interest to Tony and me, called “Greater than 1”. It dealt with vulnerabilities in the financial industry’s new, more sophisticated authentication software. Brandon O’Connor, the presenter, gave an excellent, in-depth review of what he has found to be exploitable vulnerabilities in several key programs. We got to talk to Brandon, who works at a large financial institution, and had a good discussion about our experiences with our banking clients’ implementation of the two-factor authentication software and the FDIC and FFIEC examinations covering security in general. He shares our concern that the examiners and many of the bankers are mainly concerned with getting a checkmark for the exam, rather than actually looking at the real security issues. He demonstrated several ways to hack into some of the more universal two-factor front ends. We took away a lot of good information to use for our bank clients.

Both Black Hat and DefCon were successful; both demonstrated different ends of the spectrum. Tony and I came away from Black Hat with a lot of free gear, good food and some information. We came away from DefCon with a lot of information. Both were as they should be.