This year's Black Hat USA conference is over and, as usual, the show received mixed reviews from attendees. Windows IT Pro magazine's Tony Howlett weighs in with his opinion (see the URL below). Among other anecdotes, Howlett thinks that the conference might be growing too big. I had similar thoughts: This year there were somewhere around 90 speakers--that's a lot of presentations. But Black Hat USA 2008 pales in comparison to DEFCON 16, which has roughly twice as many speakers! The issue comes down to the quality of the content weighed against what you personally want to learn at either conference.

http://windowsitpro.com/article/articleid/99981/a-blackhat-glass-half-full.html


Which brings us to the speakers and their presentations. As you know, in the past some presenters have found themselves in very hot water over legal threats due to the content of their presentations. IOActive suffered that experience last year over RFID technology (see the first URL below), as did Mike Lynn in 2005 over vulnerabilities in Cisco's IOS router software (see the second URL below). At least one presenter, Halvar Flake, was barred from entering the United States to deliver his presentation at last year's conference, on what appears to have been a "technicality" (see the third URL below).

http://www.ioactive.com/pressreleases.php

http://www.wired.com/politics/security/news/2005/08/68365

http://addxorrol.blogspot.com/2007/07/ive-been-denied-entry-to-us-essentially.html


Indirectly related, but interesting nevertheless, is that according to the Washington Post and News.com, this year Charles Edge had been scheduled to discuss a serious vulnerability in Apple's FileVault technology, but he withdrew the presentation on his own. As it turns out, Apple is one of his biggest customers and he's under a non-disclosure agreement. Apple itself also withdrew from the conference, having been previously slated to hold a discussion panel regarding the company's security practices. According to Computerworld, Apple's marketing department didn't approve of such public discourse.


This year, the Electronic Frontier Foundation (EFF) stepped more directly into the legal implications of security research and disclosure by setting up a booth at Black Hat USA. EFF has established what it calls the Coders' Rights Project, and according to the foundation the purpose of EFF's presence at Black Hat is to "provide legal information on reverse engineering, vulnerability reporting, and copyright law, as well as patent, trade secret, and free speech issues."


EFF thinks that legal threats put a damper on vital research and better security. In a press release, the foundation quoted EFF board member Edward W. Felten, a security researcher and Princeton University professor who challenged provisions of the DMCA with EFF in 2001: "Those of us doing research on computer security and privacy need to be able to discuss and publish our work without fear of legal threats. The Coders' Rights Project will give critical legal help to programmers and developers who do the hard work in keeping technology robust and users safe."


I think any security administrator can see that without reasonable disclosure we'd all have systems and networks chock full of holes, and none of us would be aware of the risks to any considerable extent unless we each did our own research. Not many people have the time or ability to do that kind of hard work. After years of observation, I'm still at a partial loss as to why some vendors still cannot see how such research is incredibly beneficial to both them and their customers.


EFF's Coders' Rights Project site (at the URL below) has some good information for anyone interested in reverse engineering products. The site also has good information for those of you who might find yourselves wanting to report a vulnerability that you discovered--without reverse engineering. Have a look at the content and read it over carefully before you decide to spontaneously post a message to the world that says "I discovered a security hole and here's demonstration code to prove it." My point is that there's often a very fine line to walk, and some companies are more than willing to pounce on you with their multi-million dollar legal strength.

http://www.eff.org/issues/coders