Industry Observations

BlackHat and DEFCON Wrapup

It’s been another crazy week in Las Vegas, spending time at both BlackHat and DEFCON. I’m partial to these conferences, not just because I’ve spoken at each of them many times over the years, or because I’m on the speaker selection review board for BlackHat, or because WhiteHat throws a great party every year, but because the technical content is unbeatable. It’s relevant to today’s environment, and it serves up a healthy dose of cynicism about what is being done to protect the every-man.

There were a lot of great talks, and I think the subject matter across the board was amazing. However, I’d like to just highlight a few of note. The first was the BlackHat keynote by General Keith B. Alexander, head of the NSA. I personally met him the day before the keynote at the executive briefings where we heard a much less polished, and slightly more candid version of what was said at the keynote. He’s a rather likable person, and it’s easy to see how he rose the ranks to be one of, if not the most powerful person in the US military.

General Alexander focused on a few key topics. Primarily he wanted to discuss how the United States has many foreign enemies and it’s his job to carry forth a mandate to protect the citizens of the United States. With that charge he wanted to ensure the audience that their participation and cooperation was critical. Of course, that was met with quite a bit of skepticism.

As he was speaking, a few people began to shout comments at him. One in particular was Moxie Marlinspike, a notable security researcher, who pointed out that lies have been told to Congress in the past and that Congressional oversight doesn’t work when they are being lied to. As a point of reference, Moxie has been detained at customs, has had all of his equipment seized and so on. General Alexander kept his cool, and managed a few quips back, including one where he told one heckler to read the Constitution. Unfortunately, General Alexander’s slide deck included a screenshot of what supposed analysts see. The data in the screenshot was supposed to be ordered by date, but the screenshot itself wasn’t ordered, so either their software has some pretty serious bugs in it, or it was a photoshop job. I tend to believe the latter, but only they could say for sure.

General Alexander has little reason to lie about PRISM – it’s a small project with a budget that is far too small to be a real threat to privacy compared to the much larger projects that were revealed the day after he was telling thousands of security professionals that he absolutely does not spy on Americans. CNN released a fairly damning video explaining how newly discovered programs are far worse than what the General was referring to. So while the General may not have been outright lying about PRISM, there’s a much larger conversation that was simply omitted from his presentation.

Personally, I think much of this conversation misses the point. Even if the NSA were to follow a strict guideline of never ever intentionally grabbing any US citizen’s data off of the wire, there is still a problem of data sharing. When foreign militaries access US data, there is nothing preventing them from sharing it with the United States and vice versa. I worry that there will always be a loophole in the legal context of how data is collected and shared. As a result of this, Edward Snowden, PRISM, and state-sponsored spying was definitely one of the major focuses of this year’s conference.

Beyond the excitement of state spying, there was extremely interesting technical content as well. Perhaps my favorite BlackHat presentation was “Pixel Perfect Timing” by Paul Stone. I knew the talk would be good, but I was in for a treat. The talk featured a minor information leak related to how long a pixel takes to render in the browser when various SVG filters are applied. Using this technique and identifying the color cross domain allows Paul to read each pixel one by one until he has a screenshot of the content. It’s a slow technique but when optimized to just pull in an iframe of the source code of a remote website, and when something small like a cryptographic nonce is the target, it’s not just feasible, it looks trivial to do once you understand the technique.

Paul’s findings work in all browsers, and allow him to steal any data he wants from any other website, including internal websites. So much for the same origin policy! Additionally, Paul found that he could resurrect the CSS history hack due to performance tricks the browsers use to change the link color to purple only after an asynchronous database lookup has been completed. Yes, this talk was a sleeper hit, but his live demos were amazing, the content was thoroughly researched and this technique is extremely difficult to fix. For the time being you can fix at least the same origin policy issue by adding X-Frame-Options to every website (including internal ones). Yep, this was a nasty one.

The week was not without some controversy, of course, including an alleged unfortunate event at an Isight partners party. Also there was some controversy regarding hacker jeopardy.

Overall, I’m spent. Aside from a little drama, it was a great week with tons of great ideas floating around. It was a chance to catch up with old friends, mourn the loss of noted researcher Barnaby Jack, learn incredible new hacking techniques, and check the pulse of an ever-growing industry. One thing is for sure, the industry is alive and vivid. And, I need a nap.