My colleague Luis Huapaya and I attended the weeklong “hacker summer camp” of the combined Black Hat and DefCon, which drew over 22,000 attendees to Las Vegas last month. Below are our observations from the two events.
Overall, we continue to think the security industry is still ripe for commoditization, especially from the cloud providers who have the capacity to simply offer features as a default. Last year we thought we saw evidence that security vendors were consolidating and on the cusp of providing higher order services to meet this threat, but we didn’t see much evidence of that strategy this year.
Looking for Quantum
The biggest security specific omission for us was the lack of discussion on quantum computing and the impact it will have on the industry. Much has been written about Crown Sterling and we won’t go into that here; however, there was a very interesting talk in the 101 track at DefCon that offered some good analysis of the threat and how we have been, perhaps, focused on the wrong benchmarks. According to this analysis, we shouldn’t be tracking how close we are to running the Shor algorithm on a quantum computer, but rather the advancements in algorithms that combine noisy quantum computers with classical ones.
Even more surprising, D-Wave’s Quantum Annealing processors, which are generally considered not much of a threat to cryptography, are emerging as a real threat when the factorization problem is reformulated as an optimization problem, as in Raouf Dridi and Hedayat Alghassi’s paper. This work has already proceeded to the point of factoring a 20-bit number with only 89 qubits on existing hardware. The presentation by Andreas Baumhof suggests that we are no more than 10 years away from breaking RSA keys in use today using this technique, based on the historical doubling of qubit counts every two years. If any breakthroughs are discovered, this timeline would be accelerated.
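To make the “factoring as optimization” idea concrete, here is a toy illustration we have added to this write-up (it is not code from the talk or from the Dridi and Alghassi paper): factoring N is expressed as minimizing the cost (N - p*q)^2 over the individual bits of p and q, which is the shape of objective an annealer minimizes. The annealer is stood in for by classical simulated annealing, and the bit widths, N = 143 and the cooling schedule are our own choices.

```python
import math
import random

# Each factor is encoded with n_bits binary variables (little-endian), so a
# search over p and q of n_bits each needs 2*n_bits "qubits" in this toy model.

def bits_to_int(bits):
    """Little-endian bit list -> integer."""
    return sum(b << i for i, b in enumerate(bits))

def cost(N, state, n_bits):
    """Objective to minimise; zero exactly when p*q == N with p, q >= 2.
    The trivial 1*N factorisation is penalised so it is not a minimum."""
    p = bits_to_int(state[:n_bits])
    q = bits_to_int(state[n_bits:])
    penalty = N * N if p < 2 or q < 2 else 0
    return (N - p * q) ** 2 + penalty

def brute_force_factor(N, n_bits):
    """Exhaustive search over the same binary encoding (deterministic)."""
    for s in range(1 << (2 * n_bits)):
        state = [(s >> i) & 1 for i in range(2 * n_bits)]
        p = bits_to_int(state[:n_bits])
        q = bits_to_int(state[n_bits:])
        if 1 < p <= q and p * q == N:
            return (p, q)
    return None

def anneal_factor(N, n_bits, seed=1, restarts=50, steps=2000):
    """Classical simulated annealing over single-bit flips, standing in for
    the annealer. Returns (p, q) with p*q == N, or None if no restart
    reached cost zero."""
    rng = random.Random(seed)
    for _ in range(restarts):
        state = [rng.randrange(2) for _ in range(2 * n_bits)]
        cur = cost(N, state, n_bits)
        for step in range(steps):
            if cur == 0:
                break
            temp = max(0.05, 1.0 - step / steps) * N  # linear cooling schedule
            i = rng.randrange(2 * n_bits)
            state[i] ^= 1                               # propose one bit flip
            new = cost(N, state, n_bits)
            # Accept downhill moves always, uphill moves with Boltzmann probability.
            if new <= cur or rng.random() < math.exp(-(new - cur) / temp):
                cur = new
            else:
                state[i] ^= 1                           # undo rejected flip
        if cur == 0:
            p = bits_to_int(state[:n_bits])
            q = bits_to_int(state[n_bits:])
            return tuple(sorted((p, q)))
    return None
```

Running `anneal_factor(143, 4)` recovers (11, 13) from an 8-variable search; the point to notice is that the variable count grows with the bit width of the factors, not with N itself, which is why qubit count is the benchmark the talk argued for.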
Perhaps the industry is waiting on NIST to finish the post-quantum cryptography algorithm recommendation process. At a minimum, organizations should be looking at quantifying their level of risk using our Post-Quantum Risk Assessment tool.
In addition to these observations, here are our top takeaways from Black Hat and DefCon this year:
Top 5 Takeaways From Black Hat:
- The innovation area is always a favorite, but we are starting to see a lot of returning presentations and think it really needs some dedicated space rather than a corner adjacent to larger players.
- While sweeping claims around AI and machine learning remain a mainstay, there was less emphasis on these technologies than in years past, which was great to see.
- There were some interesting sessions and conversations on APIs, bug bounty programs, deep-learning and behavioral analysis. On display, we saw quite a bit on monitoring and reporting services. We also noticed that across the board the user experiences have been taken up a notch.
- Times have changed: anti-virus received no attention at all, and there was little on encryption. There was also less talk around zero trust than last year.
- As mentioned above, we were looking forward to hearing more on quantum computing but there was nary a peep.
Top 5 Takeaways from DefCon:
- The show organizers have done a great job of bridging the gap between beginners and veterans.
- We buzzed around a couple of villages, and the IoT village was impressive. There were literally hundreds of IoT devices on display that you could hack.
- The packet hacking village was also fantastic. One could show up without a laptop and just start hacking away (laptops were provided, pre-loaded with all the tools you need). Beginners could focus on learning how to use basic tools like ncap, while veterans could focus on automating their tools into a more efficient hacking workflow. It’s a great place to get started with things like Kali Linux (or the tools shipped within Kali Linux), using tools like a pineapple, etc. It also gives attendees pretty good visibility into how products fail in terms of security.
- Of note, the Caesar’s Palace wireless network was hacked on the first evening of the conference. Anyone going to DefCon next year should remember to turn their cell phone off and bring a ‘burner’ laptop (do not bring your corporate laptop in there).
- On a lighter note, Luis competed in the Lockpick Hunt Competition and finished sixth overall out of ~300 competitors, with a time of 1:00 to pick five locks. (He’s feeling pretty good about that.)
Now that we’ve had time to rehydrate and rest our feet from so much walking over the course of a week, we look forward to attending Black Hat and DefCon in 2020. With so much going on in our industry, we are sure there will be lots to observe, take part in and discuss next summer.