If you had to select one symbol of cybersecurity industry, you’d be hard pressed to find a better choice than the pair of conferences, Black Hat Briefings (Black Hat) and DEF CON. The duo is known affectionately as Hacker Summer Camp by many conference goers. Much has changed since the first Black Hat in 1997 and DEF CON in 1993. Not only have the crowds swelled, but so has the very nature of digital technology.
Over the decades the conferences have expanded in both audience and content covered. Black Hat, for example, has shifted from its focus on enterprise security red teaming to include more defensive security work, security team management in addition to its staple of systems exploitation. The conference even added a CISO Summit to its schedule, which extended the length of the show by a day. With this year’s event starting today in Las Vegas, let’s look at how the pair of conferences have changed over the years.
Chris Wysopal, the seventh member of the hacker collective L0pht and the current CTO of software security firm Veracode attended many the early DEF CON and Black Hat conferences. Over time, as the number of events during the week expanded and the week grew longer, something had to give, and he took a not-so brief hiatus from DEF CON. “After Black Hat had added the CISO Summit, it became a four-day long event, and I decided to skip DEF CON,” recalls Wysopal. “It just grew to become too long of a grind.”
When DEF CON 20 rolled around, Wysopal grew curious about how the show changed. “It was DEF CON’s 20th anniversary, and I figured it’d be worth it to stay and check out,” he recalls. “I was just blown away. It had tripled in size. It didn't feel like a conference anymore. It felt like a festival,” he says. “Not only were there more activities, such as the lock-picking village, but the existing activities grew. “The Capture the Flag contest used to be five or six tables of people hacking, it grew to about 50 tables. Everything had just grown and grown,” he says.
Things had certainly changed and grown since the first Black Hat, as well. Presentations at the inaugural Black Hat included talks on local network security assessments, firewall management and attack techniques over the Internet. Renowned security researcher Mudge keynoted on secure coding practices and source code analysis, while Adam Shostack spoke on code reviews and deriving value from the effort. Sluggo focused on defending against denial-of-service attacks.
Richard Thieme, an author and professional speaker who has spoken at all but two DEF CONs from DEF CON 4 though DEF CON 25 and numerous Black Hat conferences recalls the Thursday keynote he gave at the very first Black Hat. “It was a bunch of guys and some gals who have been instrumental from the very beginning working to figure out how do we do this security thing,” says Thieme.
“In a way, these conferences are a moving image showing the maturation of the security community,” says Thieme. “In the first days, they got to see for themselves, firsthand, as having something valuable to offer to important people: how to protect assets,” he says. “In the beginning, they were finding their way.”
DEF CON certainly found its way. At the first DEF CON, held at the Sands Hotel & Casino, there were about 100 attendees. In 2016, about 22,000 attended DEF CON, and 15,000 attended Black Hat.
Black Hat certainly had its share of historical moments over those years. Most of those moments revolved around the release of high-impact security vulnerabilities released from edgy security research. Such incidents included David Litchfield’s making known a proof-of-concept attack against SQL Server that shortly after that resulted in the infamous 2003 SQL Slammer worm.
Security researcher Michael Lynn felt it necessary to quit his job at Internet Security Systems (the vendor was put under pressure from Cisco to squelch the talk) to release information regarding flaws he uncovered in the operating system that powers Cisco routers. Today, such research is likely to be released ahead of the actual conference rather than during the show, such as when researchers Charlie Miller and Chris Valasek unveiled their remote Jeep hacks in 2015.
The value of (social) networking
For most conference goers, big historic events aside, when you ask them about their early conference memories and the value they get from either show, they’ll usually mention networking and the chance to meet security professionals that might be otherwise out of reach.
Stefano Zanero, information security consultant and researcher, and Black Hat review board member, recalls the impression from his first Black Hat (2004) where he also presented. “I was a young Ph.D. student presenting for the first time to such a large international audience. Obviously, it made quite a big impression on me,” says Zanero. “Black Hat was extremely engaging. The conference was smaller then and being a speaker made sure that you had occasions to meet the whole "who's who" of security. That character probably gets lost somehow in its growth,” Zanero says.
That growth hasn’t stopped Zanero’s ability to make valuable contacts over the years, he says. “I think networking and in-person meetings are the actual value
of conferences in this growing but still very small world of cybersecurity. The network of professional contacts I made over the years at Black Hat is an invaluable asset in my work,” he says.
“When I first attended Black Hat, it seemed to be a unique amalgam of hacker culture and business focus, united around information security — something that was both novel and necessary for security to garner the attention and budget it would need to become a priority for all but the tech elite,” says Taylor Banks, long-time security researcher and principal Hacktologist at ACE Hackware.
Banks, says that some in the DEF CON and broad hacker community viewed the Black Hat conference as selling out. “For me, I found it [Black Hat] to be a good mix, and was pleasantly surprised to find an information security conference that could justify a high price tag and simultaneously provide a good environment for networking and recruiting, while still proving to be a good value to attendees and their employers,” he says.
“Admittedly, I think to compare Black Hat to DEF CON was a bit unfair. I would argue that while much of the same information was often presented at both events (and often by the same people), it made DEF CON a significantly better value. But for many organizations, the stigma of sending employees to a “hacker con” made it much more difficult to justify even a small expense to less tech-savvy stakeholders and board members. I also think that, because of the environment, those new to the field found DEF CON quite intimidating, while Black Hat seemed a much easier event to break into,” says Banks.
How has Black Hat changed over the years? “The obvious answer is that it dramatically grew. The less obvious answer is that growth brought in a wider spectrum of people, so networking activities and occasions dramatically changed,” says Zanero, who says he does miss the more tight-knit community of years ago. “The current exhibit hall is overwhelming,” Zanero says. “What has not changed, in my opinion, is the quality and level of the talks, while they somehow [also] broadened to a wider range of topics,” he adds.
When speaking with many who have attended the conference over the years, the verdict on whether the quality of the talks has remained high is mixed. “The past that disappeared was Black Hat as a cutting-edge hacking convention,” says Thieme.
“What it's become, especially since it was sold, is a mini RSA. It's vendor-driven, and the focus is determined somewhat by the technical expertise, but also clearly voiced needs of the marketplace, which are not necessarily always highly technical,” says Thieme. “In the old days, there were probably more hitters who swung for the fences. Today, there are more journeymen ball players who self-censor about things that are likely to get them or the enterprise into real hot water,” Thieme says. “It's become mainstream.”
Another big change that paralleled the growth of the audience has been the growth of the expo floor. “The expo floor was much smaller, and it was always companies that were focused almost exclusively on the things Black Hat was doing. The expo floor was full of companies who were pen testing or were hardcore security companies, and it wasn't just companies that happen also to have a security product or service that came to the show,” says Wysopal.
That begs the question, considering all of the growth and broadening of focus: Is there still value to be found? The answer is near unanimously a “yes.” One just has to work harder for it and hunt down what they want from the show. “If you're targeted and know how to hunt value, then the place is an absolute jungle teeming with animals,” says Thieme.
Wysopal agrees. “There are many different types of audiences going to these shows. There are people who want to attend the talks, and they’re learning something by doing that. There are others that are going to network. Maybe they are looking for a job, or they’re simply catching up with people they only see at the conference every year. Then you have those who are actually looking for products and solutions there. You have all of this going on at once, and not everyone is doing everything. You get a successful conference when you can satisfy a lot of different audiences,” says Wysopal. And by that measure, both Black Hat and DEF CON certainly continue to succeed.