Hack in the Box (Dubai) 2008 reminded me of the early Black Hat shows -- intimate, deeply technical, and a whole lot of geeky fun. HiTB is run by a small crew (from Malaysia), all passionately involved, and super cool to hang out with. *I got a kick out of their accent, its like a cross between Jamaican and Vietnamese*. Leader of the pack was Dhillon Andrew Kannabhiran, who did a masterful job pulling together a successful event. Proceedings were organized, guests/speakers treated exceptionally well (thanks Belinda and Amy), and the content offered something for everyone. Even the venue was seriously posh. Photos posted.
I found time to attend several talks, a rarity for me, and learned some cool stuff in the process. The standouts were Token Kidnapping (Cesar Ceurrudo), Cracking into Embedded Devices and Beyond! (Adrian ‘pagvac’ Pastor), and Hacking ‘Second Life’ (Michael Thumann). Elite stuff. Smaller events are cool because hallway conversations tend to be better and more meaningful - not rushed. I really enjoyed getting to meet various people from the region, learning about the issues they’re trying to overcome, and how mature their environment is relative to the U.S. Plus getting time to hang out with pdp, Shreeraj Shah, Adrian, and Dhillon was fantastic as well.
I hear the KL HiTB is their main conference and I’m going to do everything I can to make it down there. From what I’ve been told it sounds like a blast. I only get to do a couple of international trips per year so I have to be very select on which ones. So far, I’m sold. :)
I’m not ashamed to admit that I was nervous about delivering a keynote. Not only did I have to compare against InfoSec icon Bruce Schneier, but the presentation (w/ notes) was all brand new and I had no idea how the audience would respond. Still I took a chance on something fresh, attempting to be insightful and forward thinking, though high level enough to be considered a keynote. I felt this was an opportunity to openly state some of my own personal thoughts on the infosec industry – the good and the bad.
I decided to leverage statistics cobbled from around the industry and apply them to the “Did you know?” meme. I called entitled it "Hacks Happen" (HiTB download). From where I sit most of us are mired down in our day-to-day jobs and don't have the time or cause to look up and consider where we are headed. These days it seems we have a lot more experts and less expertise. More products and less coverage. More best practices and less security. More news and less information. This type of environment I think is why hacks happen every minute of every hour of every day. And its my opinion we need to take a second look at what we know, reconsider what we think we know, and possibly come to a new set of assumptions.
Upon sharing my slides ahead of time with Robert E. Lee for feedback, he found me the follow text that captured the essence of my presentation:
"There is a proverb that illustrates the way to quickly determine whether or not someone is sane. The individual is shown a river flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream to dam the inflow into the pond he will be considered sane. If, instead, he decides to empty the pond with his bucket without first stopping the in-flow then he would be considered insane."
By looking even at the limited metrics we currently have, I personally believe way the industry perceives and responds to information security matters is insane. When you looking at the statistics and extrapolations in the slides you’ll get a better idea why. Please keep in the mind that some of the cited statistics in the presentation are stronger than others and overall material is a complete work in process. If anyone has better numbers, different ways of looking at the data, or feedback… I’m all ears. Enjoy.
I’ll cover Dubai itself in another post.