As Black Hat and DEF CON organizers, researchers and members of the cyber community scramble to figure out how they can salvage or, better yet, enhance the experience as the events go virtual amid the COVID-19 pandemic, security will be a top priority. Meanwhile, other aspects of the conferences are expected to change more drastically, for better or worse.
Organizers of the August 2020 events are aware the remote shows will have to emphasize security, as the new format presents a tempting challenge to adversaries who may want to make a name for themselves by hacking into the shows' remote infrastructure, perhaps hijacking a presentation or disrupting access. While members of the cyber community acknowledged the issue, they don't seem to be fretting it too heavily.
"Sure, there is always a concern, but if cybersecurity conferences can't figure out how to secure their virtual events, well, they probably shouldn't claim to be a cybersecurity conference," said Patrick Wardle, a frequent Black Hat/DEF CON presenter, principal security researcher at Jamf, and founder of Objective-See. "And such conferences already have had to secure their websites and networks at in-person events. And oftentimes such networks were part of a public venue or... belonged to the venue itself, and thus a purely virtual event may be in a way, simpler to secure."
Security is always a priority for the Las Vegas-based conferences. "To be honest, inviting all the hackers as well as law enforcement in the world to Vegas invites a certain amount of security issues; however, with having it online, those issues will simply be different," said Wireless Village organizers Rick Farina and Rick Mellendick, who collectively are operating the venue under the non-profit RF Hackers Sanctuary. "The shows can, and will, do everything they can to pick reasonably secure platforms. But the truth is, these systems are already out there in wide use and are a major target for corporate- and even state- sponsored espionage right now. Maybe more hackers being forced to use these platforms will provide a quick boost in security, or at least separate the wheat from the chaff."
DEF CON spokesperson Melanie Ensign told SC Media said "a lot of decisions are still being made" in terms of security, "particularly in regards to which platforms we'll use and how to prepare their internal security teams to be a potential target because of DEF CON."
"We go through this process in advance of every DEF CON with the host venues' security teams," Ensign continued. "We'll still have our own dedicated security teams working remotely – and right now the DEF CON forums where most of the planning and engagement is already forming, is something that's live year-round and monitored for suspicious activity."
Steve Wylie, Black Hat general manager, added that Black Hat "will take all necessary steps to keep the platforms we use for our virtual event secure."
Larger changes will be felt as the physical events go remote. A lack of interpersonal interaction means no schmoozing and networking, no up-close sharing of intelligence, no wheeling-and-dealing, and no wandering around the show floor.
On the other hand, the new remote format that the two events announced last Friday presents unique opportunities to reach out to a larger audience and experiment with how to present research and engage virtual attendees.
"We're inspired to adapt Black Hat USA in a virtual format that will be available to our entire global community," said Wylie, Black Hat general manager. "Our team is working hard to deliver the same level of high-quality briefings, trainings and business hall programs that Black Hat attendees have come to expect every year." But how, exactly, will that work?
That question goes double for DEF CON, a unique animal among cyber conferences. The show is very hands-on in nature, with 32 "Villages" where researchers tinker with everything from cars to drones to IoT devices.
DEF CON and Black Hat founder Jeff Moss confirmed on a DEF CON forum post that the DEF CON 28 "Safe Mode" edition will feature events such as a new online Mystery Challenge game; remote capture-the-flag competitions; and the Packet Hacking, Red Team and BioHacking Villages. The fate of other Villages remains up in the air.
"We’re still in the process of determining which Villages will be available through the virtual [conference]," Ensign said. Each "Village is run independently every year. DEF CON merely provides the space, so it's also up to each individual Village whether or not they want to participate online and how."
One of the most important venues this year would have been the Voting Machine Hacking Village, where white-hats probe for vulnerabilities that attackers could potentially use to disrupt the 2020 presidential election, and perhaps even alter vote tallies.
Jake Braun, Voting Machine Hacking Village co-founder and executive director, cyber policy initiative, at the University of Chicago, is determined to host the Village virtually this year in some fashion. However, he is concerned that the remote format could struggle to capture the public's and media's attention, perhaps resulting in lack of awareness and action among government officials when election security flaws present themselves.
Just two years ago, the Village was "covered on every continent on the planet," said Braun. "That's not going to happen this year," he predicted.
For now, it is also unclear as to what extent Village technologists and vulnerability hunters will have any way to access and analyze voting equipment this time. "Every year, we got new machines that we didn’t have before, [and] we found new vulnerabilities," said Braun. "This year would have been no different, so obviously we miss out on identifying new vulnerabilities with new machines in advance of the election, which obviously then reduces folks' ability to find new fixes to those vulnerabilities."
Last year, the Village launched a pilot project that offered election officials free security advice from researchers. Dozens of officials showed up on their own dime, said Braun, and it wasn't even a significant election year.
"We were hoping to dramatically expand that, and because we got good feedback from folks who were there, we thought – since so much of this stuff is word of mouth – we would have seen an increase because of that and 2020 [elections]," said Braun, author of the book Democracy in Danger. "And we really wanted to start to open up that line of activity significantly this year for obvious reasons." Now that can't happen as originally envisioned.
On the plus side, Braun recognizes that many officials who cannot afford to travel to Vegas will now be able to attend virtually. "This is really going to force us to up our game digitally on this, and that will, we think, make these kind of free services to election officials... a lot more easily accessible."
Farina and Mellendick are excited about their revised plans, which includes a virtual wireless capture-the-flag competition that serves as a live training exercise and test environment. The pair said that DEF CON's cancellation and virtualization was the perfect impetus to focus more intently on this contest.
"It may seem impossible to bring the entire world of RF into the homes of the worldwide DEF CON audience," the pair said in a joint email interview with SC Media. However, "We at RF Hackers Sanctuary are viewing this whole thing as a positive."
"This brief respite from the free-for-all that is a 30,000-person convention in Vegas is giving us the time to build something completely new, which we have been wanting to build for years, Farina and Mellendick continued. "We are excited to finally build 'Wireless Capture the Flag: The Home Game' to serve not just our DEF CON audience, but also all those who can't travel to the conferences we participate in.
"It is, of course, a disappointment to not be able to see all our friends in Vegas this year, but the learning and sharing will continue, unconstrained by physical size, and likely reaching an even wider audience," the pair concluded.
Other members of the research community shared similar sentiments that while the virtualized conferences will create a less intimate and tactile experience, it will at least allow for greater outreach.
"A large part of these conferences are the in-person interactions, networking, and parties – so much so that terms such as 'lobby con' have been coined," said Wardle. "Clearly, a virtual event can't have these same components – well, in any comparable sense."
However, the "main goal of such events is generally to allow speakers and an audience to interact together... This of course can be done virtually!" continued Wardle, widely known for his macOS research.
Past Black Hat and DEF CON events seemingly were bursting at the seams with attendees crowding into hallways and forming endless queues to get into sessions. Now, there potentially are no capacity issues, and attendance is open to all.
Wardle said the remote format "inherently makes the talks and content more widely available... assuming the conference fully live-streams it freely. For example, those that could not travel to these events can now virtually attend. And others, who perhaps avoided such events due to other reasons such as social anxieties – well now, they can virtually attend from the comfort of their homes, safely and anonymously."
Law enforcement agencies are also well represented at Black Hat and DEF CON, where federal agents would typically gather to share intelligence and engage in dialogue with security professionals, private-sector members and the greater hacker community. Not this year though.
"It's really just about knowledge and thought leadership, because you do have some of the brightest and the smartest savvy folks in the room," said Robert Rodriguez, chairman and founder of the Security Innovation Network (SINET) – a former special agent with the U.S. Secret Service, and a frequent Black Hat attendee.
"You do, over time, build relations with those folks... and then they share information to a certain degree," said Rodriguez. "But it just depends on how much trust you can build. I think that the element of trust is critical in life." With no fraternization, "that will get lost."
"You [can] never replace a handshake," he added.
SC Media asked Rodriguez if the lack of a physical show also impairs the ability of federal agents or investigators who wish to closely monitor or gather intelligence on elements of the cybercriminal community who may emerge from the shadows to attend these shows.
After all, certain attendees have been known to play "spot the fed," attempting to identify agents and intel officials walking around in plain clothes. And, of course, there was the infamous 2017 arrest of hacker Marcus Hutchins, which took place in Las Vegas where he had just attended the Black Hat and DEF CON conferences.
Rodriguez downplayed this angle, saying law enforcement officials attend the shows first and foremost to learn and share knowledge. Getting a closer look at subjects of interest is more of a secondary benefit. "That's just natural work in law enforcement. If the bad guy's over there, then that's where they’re going to go." And losing the ability to do that this year is no "not a big deal," he opined.
Black Hat is scheduled for Aug. 1-6 and DEF CON Safe Mode is scheduled for Aug. 6-9.