Thursday, August 9, 2007

Black Hat retrospective

My mind and body are now partly recovered from the madness that is Vegas, and I've pieced together as many recollections as I'm able to.

First off, the webappsec training went really well, with some great feedback from the ~70 participants, and the customary job offer made to the CTF winner. It's pretty hard work standing up and talking for four days, but I met some great people and got lots of good ideas to make the course even better next time.

Once the training and jet lag were out of the way, the partying ratcheted up a few notches, and we saw plenty of the nocturnal delights that Vegas has to offer. As well as Caesars, we spent a fair bit of time at Luxor, Venetian and other hotels.

shadow bar

The WASC/OWASP party in the Shadow Bar was great, with much of the webappsec world in attendance, and an opportunity to meet people face to face whom I'd previously only corresponded with.

The Microsoft party took over the top floor of Pure, and drew a wider crowd, with seemingly half of the con getting an invitation, or maybe I was just seeing double by that point.

I also staggered into the iDefense party, and even blagged a VIP wristband, as did several others to the bemusement of some senior iDefense folks who wanted to talk about our contributions to the vulnerability programme. The Hard Rock cafe is a cool venue, although I don't think the crew of assembled geeks did it full justice.

Unsurprisingly, with all of the opportunities for imbibation, our attendance at the actual conference was patchy during the mornings. I was sorry to miss a few good talks, but I have the slides and was able to catch up with many interesting people during the evenings.

RSnake and PortSwigger

I made it to Billy Hoffman's Ajax talk, which was entertaining as usual but didn't contain anything new for me.

I also caught Joanna's update on virtualisation-based rootkits, and her attempts to avoid detection. Like most of areas security, this is an asymmetric problem - while she is sticking her fingers in as many dykes as she can, people only need to find one hole that can't be plugged. In terms of detection of some kind of unexpected virtualisation at least, it appears that timing attacks in particular aren't going to go away any time soon.

Defcon provided some early excitement with this year's badge. J-Lo and I spent the first few minutes struggling through our hangovers figuring out how to reprogram them to make rude words appear.

defcon badge

The Defcon talks were a bit more offbeat, and I caught ones on malicious toasters, video games and various rants. In general, I thought the more mainstream technical talks were a bit disappointing - fairly introductory with little in terms of new ideas. There is definitely room for some easy talks for people who are unfamiliar with a particular area, but it would be good to know in advance what is "for dummies" and what is more innovative.

All in all, it was a fantastic week, but it's good to be home. Vegas messes you up, physically and mentally. I'm nearly back to normal now. It will be great to go back next year.