RealTime IT News

Black Hat 2006: 'l33t' or 'Lame?'

Reporter's Notebook: In the most entertaining presentation that I have ever attended at a technical conference, the infamous hacker Johnny Long explained to a capacity Black Hat audience how Hollywood has accurately portrayed hacking.

Long took humorous excerpts from various Hollywood films that portrayed hacking and asked the audience whether they were "l33t" (pronounced Leet) or lame.

"Leet" (sometimes spelled 1337 or l33t) means "elite" or "cool." And Long had the enthralled over-capacity audience shouting out "leet" or "lame" after he showed his excerpts. The same leet or lame measure could well be an accurate gauge for the entire Black Hat 2006 conference itself.

You would typically not expect an FBI agent to be so humorous while publicly addressing an audience.

Yet, FBI Unit Chief Dan Larkin did make a number of attempts at humor during his opening Black Hat keynote.

Part of Larkin's appeal in presenting at Black Hat was to encourage security professionals to work with the FBI. Larkin recounted that the FBI's admission form contains a question which states, "Do you support the overthrow of the U.S. government by force, subversion or violence?"

The question was supposed to be a true or false answer. Larkin noted that one individual asked if it was a multiple choice question.

Very leet.

On the second day of the conference there was a great deal of talk about cross-site scripting, cross-site request forgery, JavaScript and AJAX-related attack vectors and vulnerabilities.

Considering the rapid rise and adoption of AJAX- and XML-based technologies for enhancing user experience and creating content mashups, you would think that security for those types of applications would have been front and center from their inception.

Apparently that's not necessarily the case.

Have you ever heard of RSS being used as a delivery system for malicious attacks? I certainly hadn't until I attended a Black Hat session that exposed the very serious risks.

Alex Stamos, principal partner at iSEC Partners, in his presentation titled "Breaking AJAX Web Applications," leveled the blame for AJAX insecurities squarely on the shoulders of Web developers.

"You can't leave security to Web developers," Stamos said. "They're just kids in a sandbox."

When I was at the Interop conference earlier this year, I heard vendor after vendor talking about the benefits of some form of network admission control (NAC) methodology.

Typically the only negative comments I heard were from one vendor or another disparaging the NAC approach that their competitor was taking.

Then along comes Black Hat and suddenly NAC doesn't look as good to me as it once did.

In a 60-minute session, Ofir Arkin, CTO of security research firm InsightiX, convinced me that DHCP-based approaches (as opposed to 802.1x) to NAC are hardly infallible.

Again, very leet.

And of course I knew about H.D. Moore's Metasploit Framework before attending Black Hat.

Yet seeing the master of Metasploit himself detail and demo the innovation in the upcoming Metasploit 3 was a surreal treat.

Moore commanded the stage as a technical rock star racing through exploit details and wowing the audience with licks against IDS vendors whom he accused of being lame.

So how does Hollywood's representation of hacking stack up against the real thing?

Apparently, it stacks up quite well, according to Long. That is if Google is to be regarded as an authority on what is real and what isn't.

Long, who looks like he belongs in a Hollywood film, is perhaps best known for his online encyclopedia (Johnny.ihackstuff.com) of Google hacks and is the co-author of the book Google Hacking for Penetration Testers.

Though Long's presentation was certainly entertaining, perhaps the most extraordinary aspect of it was his social conscience.

Both at the beginning and end of his presentation he made sure to note that the proceeds of all purchases made via his site from Amazon would be donated to various charities benefiting orphans and widows in Uganda.

A hacker with a social conscience. Now how leet is that?

So was Black Hat USA 2006 leet or lame? It's almost a rhetorical question.

With vulnerabilities and potential attack vectors detailed for VoIP, RFID, AJAX, NAC, RSS and Vista, among other technologies, it would be very lame to call Black Hat 2006 anything but leet.