Black Hat Descends on Washington

By Sean Michael Kerner

February 22, 2008

Hackers flock to D.C. during this week's conference to talk government, security and going on the defense--for a change.

The name "Black Hat" for years has been synonymous with shadowy hacker activities. Many also know that the term refers to the popular annual security conference of the same name, long held in Sin City itself -- Las Vegas.

This week, however, the Black Hats aren't flocking to Vegas. Instead, they're meeting in the heart of the federal government: Washington, D.C., a setting that makes for a very different type of security conference.

"It's almost the 'white hat' Black Hat, with much more focus on defense than offense," said Brian Chess, founder and chief scientist at enterprise security player Fortify Software.

Chess is no stranger to either Black Hat or Washington. His firm is a partner with the government-funded Computer Emergency Response Team (CERT) on automated compliance checking.

At the last Black Hat Las Vegas event, Chess also ran the famed Iron Chef Black Hat hacking challenge.

This week, he's expected to speak once more on security issues. This time around, Chess will be talking about software testing and using functionally tests to find vulnerabilities.

"It's about how you build software right, as opposed to how you break something," Chess told InternetNews.com. "We'll be talking about some of the less-than-ideal ways that people go about finding security vulnerabilities in their code."

In Chess' view, developers often fail to do a great job of security testing simply because they don't have to. Since plenty of bugs can be found easily, they typically feel little incentive to undertake a more rigorous and thorough search that might find all bugs, he said.

On the flip side, "if you actually want to build something that is secure, there actually is a lot you can do," Chess said.

Not surprisingly, the security conference's inside-the-Beltway setting also means it will have a special focus on government. Among the week's sessions are a talk on phishing and the Internal Revenue Service (IRS), and a discussion of potential cyber-threats to the 2008 presidential election.

The government focus is also reflected in the background of some of the speakers at the event. The only keynote of the Black Hat D.C. event is being delivered by Jerry Dixon, a former deputy director of US-CERT and the founding director of the IRS's Computer Security Incident Response Capability.

A former U.S. spy is also on the speakers list. In a talk about social engineering, Peter Earnest, a 35-year veteran of the Central Intelligence Agency, will discuss his experiences in espionage.

While this week's conference will offer a different perspective compared to its larger, more free-for-all Las Vegas counterpart, followers of the goings-on at Black Hat can still expect much of the same.

"It's still Black Hat," Chess said. "The reason why people come out for Black Hat is they want to get a taste for what's going on from a technical, vulnerability-researcher point of view. So I expect the presentation style will be about the same."


This story originally appeared at Internetnews.com.


Comment and Contribute
(Maximum characters: 1200). You have
characters left.