By Robert Vamosi
Special to CNET News.com
July 30, 2007
LAS VEGAS -- The 11th annual Black Hat security conference will occupy
more space at Caesar's Palace this year in order to accommodate more
people, more topics, and, of course, more controversy.
The conference kicked off over the weekend, starting with four days of
topic-specific training, before concluding Wednesday and Thursday with
two days of public sessions.
If past conferences are any guide, expect the overall total attendance
to be more than last year. With that in mind, Black Hat is expanding its
footprint within the Caesar's Palace resort here.
But count out at least one prospective attendee. On Sunday, Thomas
Dullien, CEO of the German company Sabre Security, reported in his
personal blog that he had been denied entry to the U.S. for reasons
having to do with H-1B visa regulations. He says that U.S. Customs
officials detained him over material he was carrying to Black Hat in
order to teach what was billed as an "intense course encompassing binary
analysis, reverse engineering and bug finding."
A larger conference means not one but two keynote addresses. One is from
Richard Clarke, President Bush's former special adviser on cyberspace
security. Clarke, whose 2002 Black Hat keynote speech stated that
software vendors and Internet providers must share the blame for
malicious software, is now with Good Harbor Security. This year, he will
talk about those "who seek truth through science, even when the powerful
try to suppress it." The other keynote speaker will be Tony Sager,
vulnerability chief of the National Security Agency, who will talk about
creating government security standards while working with commercial
Unlike last year, when Microsoft hosted an entire series of sessions
focusing on the yet-to-be released Windows Vista platform, there will be
no similar tracks offered this year. Returning tracks include sessions
on voice services security, forensics, hardware, zero-day attacks and
zero-day defenses. New tracks include operating system kernels,
application security, reverse engineering, fuzzing and the testing of
But it's the individual sessions that could get heated.
Several presenters are familiar to Black Hat attendees and not without
controversy. Neal Krawetz is returning to tackle image forensics,
showing how to peel back the layers to find less-than-obvious
manipulation; Dan Kaminsky is presenting his annual Black Ops survey;
and Phil Zimmerman is returning to talk once again about his vision of a
secure telephone for the Internet, called the Z Phone.
Meanwhile, Jeremiah Grossman will talk more about "Hacking Intranet
malware", and Billy Hoffman will team with Brian Sullivan to discuss
"Ajax-ulation," a talk about building a secure Ajax-laden Travel Web
The talk "Breaking Forensics" is already controversial. iSec researchers
Chris Palmer, Tim Newsham and Alex Stamos have stated they've found up
to six vulnerabilities within Guidance Software EnCase, a digital
forensics program used primarily by government and law enforcement,
prompting swift denials from the company.
Also controversial is Joanna Rutkowska, whose presentation last year
drew a standing ovation from the crowd. This time, Rutkowska is
appearing alongside Alexander Tereshkin to talk about methods for
compromising the Vista x64 kernel. Luis Miras will reprise a talk he
gave this past spring at CanSecWest on hacking peripheral devices such
as mice and pointers.
In the evening, there will a mock hacker trial presided over by a real
judge, and a talk by security researcher Johnny Long titled "No-tech
Hacking"--and that's all just within the first day.
On Thursday, there will be only one keynote speaker, Bruce Schneier, who
will talk about the psychology of security. Then David Maynor, who last
year presented an Apple wireless flaw, will return with "tips your
security vendor doesn't want you to know." Mozilla's Window Snyder and
Mike Shaver will introduce new tools to fuzz browsers as well as talk
about the security features expected in Firefox 3 due later this fall.
Also, Hoffman will give a second talk along with John Terrill on the
possibility of a Web-based Ajax-enabled worm and how antivirus companies
might cope with it; Gregg Hoagland will give a talk about reverse
engineering; Adam Laurie will talk about RFID vulnerabilities; Gadi
Evron will discuss the supposed cyberwar in Estonia; and retired Special
Agent Jim Christy will host a regular feature called "Meet the Feds."
At the end of the second day, F-Secure's Mikko Hypponen will talk about
mobile phone vulnerabilities. Meanwhile, Brian Chess and Jacob West will
have some fun with something they're calling "Iron Chef Black Hat," a
session where two different methods of vulnerability testing will be
used to try to discover the "secret ingredient" nestled within in an
All Black Hat events are being held here at Caesar's Palace. A sister
conference, DefCon 15, will run Friday through Sunday at the Riviera
Hotel, also in Las Vegas.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com