Interview with Jeff Moss - BlackHat Europe 2004
Tuesday, 25 May 2004
www.itvc.net/blackhat04/moss.asp
Interview with Jeff Moss @ BlackHat Europe 2004 - Amsterdam

Jeff Moss is President and CEO of BlackHat and the founder of the DefCon hackers conference.

Daniele> I was wondering: how did it all start, the whole BlackHat and DefCon thing?

Jeff> Then I am going to tell you a long story. I had been operating on a Bulletin Board, back in the days before the Network was available to people of my age, and I belonged to all these kinds of networks. Back then there were dial-up mail networks (FidoNet and compatible networks), but they were all undergroundish. One of the Bulletin Boards in Canada, called PlatinumNet, was going away, and I knew the person who ran that network (and now he's a big US hub for that network), and he wanted to throw a party for all the people that had been on his network, and there was probably a total of a hundred people on it; so the number of people that happened to be at this party would be like six, you know, probably by the time people of my age can actually get somewhere... He wanted to do that in Canada (!), and I did not think anyone was going to make it to Canada, and then all of a sudden he just... disappeared. So I thought it was a good idea, but instead of inviting people from PlatinumNet I invited people from all the other networks that I was on. And then I got a dialup account, got on IRC back then, and got on #poundhack, and started inviting everyone on #poundhack! And then I posted on some newsgroups; there weren't that many newsgroups back then! ...comp.os.security, etc. And why did I pick Las Vegas: I had never been to Las Vegas, and if the show was a failure, I would at least be *in Las Vegas*! If all else went wrong, I would have been in Vegas, sitting by the pool, you know, drinking piña colada, or something... :-) So if I am broke, and there's no money left, at least I am, you know, in the sun, so... So then from there it grew...
We got a hundred people at that show, and it really was just word of mouth: people printed out our announcements, spread them around in the bookstores, covered all over the place, and we got nearly a hundred people, which is really amazing, and then it grew every year since then. By the fourth DefCon, a friend came to me: "Hey, you should probably make this professional and charge a lot of money for it." We kept getting requests from people that wanted our announcements that they could show their boss, so they wanted a professional-sounding announcement so they could show their bosses, and they would let them go. And we tried that one year, and then that nut of a friend of mine: "Hey, you should probably do another whole professional show! And charge money for it, and then you can pay the speakers, then we can expect higher quality, then we can do all these other interesting things, like books, CDs, do everything." And so we started. I did not have the money that year, so the next one I borrowed some money, to have enough to try a 'BlackHat'. I forget how I came up with the name; I was trying to come up with a name that could convey a kind of mysteriousness, security, counter-spy, re-spy... At that time the term blackhat wasn't used at all; we were using the term cracker back then. So this is how we came to the first BlackHat. It has done pretty well since.

Daniele> And where do you think it is going? Both BlackHat and DefCon?

Jeff> There seems to be more interesting training that we've been doing. Today we do training before the briefings, the speaking part, the conference portion. That portion has done pretty well, so I think that means that maybe, given the recovery in the IT market...

Daniele> ...there are going to be more investments :-)

Jeff> Yes, people are more familiar now with the concepts, and people want more in-depth training, so we decided "we provide that as well".
And as a company we grew: we've got a consulting group now, and we also do on-site training, so instead of you going to the show for training, the trainer will come to you. And then we also do shows, anywhere between three and five BlackHats a year around the world: Singapore, and we did it in Hong Kong before, and Japan. And we were actually thinking now of doing one in South Africa.

Daniele> Which one do you think is the most successful aspect of BlackHat, its 'magic formula'?

Jeff> Oh, the magic formula! When we figure out how people learn about the show, it is almost all word of mouth. So we got lucky that the original members who came to attend were sort of the right mix of professional, hacker, government, and through their friends it has kind of grown. I think that if it hadn't grown out of something like DefCon, if it had just kind of appeared, but with the wrong mix of people, it would have been too corporate, you know, or too governmental, or too underground... There were people in the bar last night that were saying they just thought it was a fantastic mix, so many different groups were actually coming together, hanging out, having a drink. They said it was really kind of amazing. For some reason, from the very beginning, we were very open about what we were doing. We invited all the FBI, Secret Service, we invited everybody we could, because we knew they were going to pay attention anyway. So let's get them in the same room as fast and as quickly as possible, to make them realize that nobody has anything to hide, and if they are coming to the show, that is, you know, pretty much it.

Daniele> Cool. What do you think has changed over the past 10 years in the security 'scene'? Not just about your events, but more in general.

Jeff> When I started it, there weren't many laws about hacking at all, thirteen years ago. So since then there is all this... I am sure in the EU as well: regulations, mandatory...
It has been made really difficult or illegal for a lot of young kids that are experimenting with their computers now, for if they do something wrong it could... you know, they could have a record for life and ruin their whole future!

Daniele> But now computers are much cheaper, so they could even just try things at home...

Jeff> Yeah. So, I think the problem now in the United States is that if you do something wrong with a computer, it is worse than driving drunk and killing somebody! Practically, you know... because of the federal sentencing guidelines, and the judges have very little discretion, and it is a federal offense, and they have these sentencing guidelines, and they really don't know where to move... and I think *that* is something that has kind of changed over the years. The law system is always five years behind us, ten years behind us... Another thing that's happened is: money. When we started DefCon, when I started DefCon, there was no money for people like us. There was no job in IT, no Internet, no web, none of that. All that came along when the money got thrown into the mix. And that completely changed everybody. Another behaviour was that now all hackers were trying to be rockstars! Everybody tried to capitalise on that; a certain portion kind of corrupted it, a certain portion left, and a certain portion, you know, who was always there, always kind of remained. And now that the dotcom bubble's popped in the States, that kind of washed out a certain portion of the security scene that were just there for the action. It has sort of toned down now, it's more mellow, it is a little bit more calm; the people that are in the scene will probably have to stay now, and kind of have this comedy effect. But then on the other side, people might just try to grow up. The problem is: when I started back then there was no Internet, I mean there was no Amazon where you could buy books on security, so you had to find a mentor.
Daniele> It was difficult to get to the documentation.

Jeff> Yes, it was impossible to get to the documentation! A lot of the time you'd break into a Unix machine just to read the manual pages, just to understand what was going on! And all that's gone now. So now there is no need for a mentor, there's no real socialization occurring. So you now don't have to be indoctrinated in the hacker culture to learn the norms, and how you behave... and now any social person can just get on Google, find ten websites, and a week later he'll be breaking into machines! This sort of lowers the bar drastically of what it takes to hack! It used to be that there was this self-policing nature of the scene: if you acted too crazy, people would be afraid that you'd attract the attention of the authorities, and they would knock you out. And that doesn't happen now. Too many people have too much access.

Daniele> It is not anymore like a small family that can control the naughty kids!

Jeff> Yeah, so now what happens is that you get to a certain level of skill, and you only associate with people of your skill level, and you stay away from anybody else because... they're dangerous. Script kiddies, you know. They are gonna get you in trouble if you hang around them. So it has kind of stratified, almost. The people who actually have a clue all kind of hang together, and then there are all the other people that are just, you know, younger kids who are trying all kinds of stuff, and they are the ones who usually end up using the tools that these groups make; these tools they got from these more elderly people, and they bring them to the underground, and they automate them, they make them scripts, so it's sort of...

Daniele> [who got scared at this point] Isn't it dangerous (at least it is in my opinion) to leave these kids alone, and not teach them a way to behave like in the old times you're describing...?

Jeff> That is what DefCon is all about!
Teaching to be responsible, showing what hacking is all about; we try to be responsible with showing what *good* hacking is all about, and that you can achieve all your goals and get just as much excitement doing things legally, nowadays. There is no need, there aren't the reasons that were there before: you know, you used to break into a machine to try to have a network. Now you can have a network at home, now there is also wireless, you have so many other options now. Computers are cheap and free. So it is important for people of my generation, people who did not have computers, or got them kind of while we were growing up, to try to give some respect to a new generation that has had computers since they were born. They only know the Internet. They only know computers. They don't know any different. Especially kids, boys, that are growing up: they can't drive, they can't get out, they don't have a lot, they feel like they don't have much control over their lives. But here's this computer, and they can control the computer, and they can do what they want, and there's power there, and that's their freedom. And it is just dangerous because now if you download a couple of tools and you run them, and you know... disk drives are cheap and logs last forever. You might do something today and they might knock at your door six months from now. You don't know. And it is just kind of bad that these things become so permanent now. For anything you do online, there's a record. You try to run for president at thirty, and someone will have what you said on IRC, someone is going to embarrass you with things you said on late night chat groups when you were sixteen! It's kind of a different world.

Daniele> And what has changed instead for what concerns companies? Or what will change, or what do you even just hope might change?

Jeff> I hope that they're waking up to the danger.
I had always figured it would be terrorism, or some kind of big insider attack, that would really get companies more into security, in a sense, so that they would at least spend some more money looking at the problems... I think that all of these worms that are going around, the Sasser worm, Sobig, and all the various worms, really cause companies to realize how exposed they are. And it's funny because I never thought a worm was going to change the way they are thinking; I'd always figured it would be some big event; and instead it is just worm after worm after worm and patch after patch after patch, and it boils down to companies getting so tired and finally saying: "OK, something is going to change. It's always the same occurrence happening all the time. So we've got to do something different." And then the pressure that's put on Microsoft to clean up their code and do better means that Microsoft has to hire other programmers, and now it's starting this trickle down (?) where everybody is starting to wake up to it. So I'd say another 5 or 10 years, and things should be a bit better, or at least the bar will have been raised to a point where there are a lot fewer people that have the skills necessary to break in. And I'm sure that hackers will look to other things: gaming systems, telephones, and other things. If they can't break into Windows they'll look at Linux, they will look at the databases, they will look at the games. I mean: what drives people to do this isn't going to change! It might just be that the things that they can attack will be more secure. So I don't predict the demise of the hacker, I just think what the hacker's beating up will change...

Daniele> I was also vaguely thinking of companies (and their managers) who just want to buy a product off the shelf and be secure...
Jeff> I think that's a kind of time problem: when the management grows up, and younger managers come in that have always been around technology, the knowledge of the upper management is changing. So when I started ten years ago, thirteen years ago, there was no awareness of the Internet. And now I think it's slowly changing every year. In the United States I am sure there's starting to be a trend where the companies are trying to have a recognized member as "Chief Information Security Officer" or "Corporate Security Officer" (CISO, CSO), that is actually participating at a higher level in management. And that's a fairly new trend in the last several years. I think this trend will accelerate. As long as there wasn't an advocate for security inside a company, the security guy was always the person you referred to last, just right before you would ship the product; and I think now you can get them involved a little sooner, and have a better culture of security. It's funny when you go to Japan, and you go visit, say, a big company's building: when you go in they search you! They make sure you are not taking in or taking out any corporate asset, let's say a laptop, CDs, whatever. When you check in they basically search you all. They don't do that in the States. There is no culture of that, but in Asia, where there is a lot of industry and there's a lot of competitiveness, that's accepted. They do some physical security things very well in Asia; technological things maybe less, but I am just trying to say that each culture approaches the problem differently. And I think some kind of culture needs to come into the States, more than just security, and it is just no longer their freewheeling, you know, the dotcom bubble, when you set up a company and you just expect to be bought in two months, security's not even on your radar, you are trying to get a better valuation for your IPO...
And now that that's kind of gone, I think that now people can take a longer term view, can do some more realistic planning, and everybody's got this big sigh of relief: "We survived that. Now, on to the real business. The craziness is over. Now on to the real business." ...and the real business is...

Daniele> More mature?

Jeff> Now they've survived, and they are going to stay, just remain; a lot of people still have to find their position. I see this year there's a lot of security company consolidation. It started a bit last year, but a lot of action is happening right now in the computer security space. Everybody is looking to be bought, or to be sold. A lot of people are trying to broaden their product line. I think this year there can be a lot of action in the security space, getting ready for next year and the year after... for when it's really going to become, you know, just a couple of key players.

Daniele> OK. You already explained to me why you picked Las Vegas. And now I would like to know why you chose Amsterdam for the European edition...

Jeff> Why Las Vegas? Why Amsterdam? Las Vegas was kind of random, but I had been to some other hacking shows, where what happens is that as soon as there's nothing to do, like at 6, 7, 8 at night, all the hackers are trapped in the hotel, and there's nothing to do except watch TV and drink and wander around... So what happens is that they wander in the hotel, pull fire alarms, it goes crazy! And I figured that if that was going to happen, I wanted to be in a city that never sleeps. Where there's always something to do, that always has a place they can go to, instead of being trapped.

Daniele> So in a way you see this similarity between Amsterdam and Las Vegas.

Jeff> The different thing is that I don't have to worry about BlackHat's attendees, you know. But for DefCon I needed a 24-hour city.
That was Vegas, where they are used to big groups and crazy people and they probably can handle it: "crazy hackers" :-) And they also used to have cheaper airfares, and it was kind of an attractive location in the sense that people might come and might bring their girlfriends, so the girls go around during the day, and the hacker guy hangs out with the rest of them. So it might attract more people than would normally come. That seemed to be the winning force of that party. Because, whether you like Vegas or you hate Vegas, there is always something to *do* there! And so I wanted to grow and I wanted to find something else that was kind of like that, for BlackHat. And everybody said: "You know, in Amsterdam everybody speaks English, and there's a lot of hi-tech, a lot of fiber optic, cable, and there's a lot of interesting things to do, and there's culture, so some people might come here just to go to Amsterdam." And if you hold it in Munich or in Berlin, you're not going to attract people. Not as much. If I hold it in the UK, what I have heard from people is that that's not considered a European show, that's considered an English show. And I wanted a European show. And in Singapore they speak English, there are big IT hubs, it is a smaller country, but it is connected to everywhere else, and it's the easiest of the Asian countries to visit first if you're a foreigner. They have five or six national languages; it is the most kind of 'westernized' of all the eastern countries I have been to. So it's the least amount of shock to us, and the attendees can understand our speakers better. It made good sense.

Daniele> What do you see as being the main difference between the American, the European and the Asian editions of BlackHat?

Jeff> Each one has a different cultural spin. So each place has an interesting cultural spin. So here, in Amsterdam, everybody really seems very mellow.
All the speakers say: "Oh, they're so mellow, they're gonna sit there, they don't ask questions; or maybe they'll ask a question... everything is kind of relaxed..." And in Asia it's sort of the same thing: nobody asks questions in Asia. They don't want to appear in front of their friends as if they don't know the answer! So nobody asks questions until you have a coffee break, and then they ask you the questions. For the speakers it is really strange, because they know that people have got questions, but nobody's asking them. It's kind of awkward. And they don't really laugh too much.

Daniele> And this is different in the States...

Jeff> Yes, in the States people ask questions, they'll challenge you, it's much more interactive, and I think it is also because in the school system in America you are expected to ask questions. When you are in Asia it is more kind of conformity. Each culture has got its impact on what the show is about. The things people are interested in in Europe are different than what the people in Asia are interested in. In Asia there's more conformity, and everything seems to be Microsoft or Linux, or Checkpoint FW-1 or Cisco PIX, so there are really only a few big technologies, and they are not really interested in too much of the forensics. Each one is slightly different.

Daniele> And now, even if you partially already answered, talking of the Con, I would like to know: "What is the difference you see in the hacker culture in Europe and in the States?"

Jeff> I would say that my perception is: in Europe they are a bit more politically aware, socially conscious. And in the States I would say they are more just interested in technology. That's also kind of a generalization, but there are not many socially-oriented hacking groups in the States. The CCC seems to be pretty active politically in Germany.
Maybe there are exceptions, but it is more sort of: you form a group, and you talk to your friends in your group, and maybe you talk to some people in a couple of other groups, but you really stick amongst yourselves, and you maybe go to a show, and you see some other people and you say 'hi'. Well, in the States it is sort of like: everybody talks to everybody. And even if you are in a group, that does not really mean anything, you still talk to everybody. So it seems a little bit more open in the States. It maybe has something to do with geography. I have heard an interesting thing here, in Europe, and it was: "To an American, a hundred years is a long time; to a European a hundred miles is a long distance." So when people maybe have to take a car and drive a hundred miles to see their friends, many other groups mingle more in the States.

Daniele> Do you think that also corporations and governments approach security differently in Europe and in the States?

Jeff> Yes, I would say so. I would say that it is probably a spin-off of the American military, that always invested so heavily in ARPA, DARPA, creating the Internet... They have always been aware of it, of its potential, and they've always tried to, since we don't have the most soldiers in the world, compared to when Russia had many more soldiers back then, they always wanted to win through technology. So there always was this big drive to understand the technology. So I think that was always a very important thing to the US military, which then became important to the government, which became... And in Europe, since there were so many small countries and not one of them had a large military base, maybe Germany or France... but they never really had that big imperative. Because of that I think they didn't invest that much, so it was really up to the companies to worry about the technology, and not so much to the government. Their investments in technology lagged behind the United States for a while...
Now I think everything is pretty much even. Anybody can go to university and learn about computer security. The bar to entry is not that high; maybe before it was, for access to equipment was difficult, but now since equipment access is so cheap I think that pretty much everything is equal now, in the ability to learn. I would also say that the threats that the Europeans are concerned with are different than the threats that the States are concerned with. I would say that it forces them to spend money differently. So we get a lot of federal attendees at BlackHat and DefCon, the FBI, Secret Service, we get everybody coming just to try to figure out what the hacker is up to next. What are they talking about?

Daniele> Don't you get that also here?

Jeff> Yes, I would say, but to a smaller extent. Because really there are so many more countries here, organizations, police forces and investigations...

Daniele> They are instituting a Europol (sort of an FBI in Europe, from how I understood it) here...

Jeff> Yes, so if they consolidate that now, instead of sending 50 police officers, one from each country, you might now send five, and they'll write a report that everyone else reads. You don't get Secret Service from all the 50 states... you get a couple from Washington DC, and they tell everybody else what's going on. The people they send understand what they're seeing, so they fill in, and they get along, and they make friends, so it is not illing to them... I don't know. It is a tough question, because each country has a different culture... What I can say is my opinion, which is not even near to what really is going on... I think in the future the EU is going to try much harder in this area. I can say that the Asian countries are trying much harder in the whole economic, electronic warfare, hacking, because it's kind of... not bloodless, but... it's difficult to capture on CNN. So you can perform electronic attacks and there's nothing on the front page of the newspaper...
It is not as risky, harder to detect, and all these things; for a number of reasons, I think it is appealing. And everybody realizes that.

Daniele> Do you think that the investments of the Bush government in the war against terrorism, and the war in Iraq, have impacted, and how, the *information technology* security scene?

Jeff> It definitely has. It has not necessarily been a good impact. A lot of the security money has been diverted to Afghanistan and Iraq. So they are not really spending an awful lot on technology right now. That's what they call "bombs, beans and bullets". All the money is buying bombs, beans and bullets; and it is not buying a whole lot of computer security right now. So all the planners are just waiting for their money to be freed up from Iraq, so they can actually go and do some other things. That's kind of disappointing. Because we all expected that there were going to be a lot more investments in Information Security. But then there weren't these big electronic attacks from Al Qaeda, there weren't these big electronic threats that everybody had been predicting... and it became just another conventional fight again. So that's what you spend your money on.

Daniele> Last question for our readers: what would you suggest as a path for someone who would like to work in the infosec field?

Jeff> I receive a lot of emails from people who ask me "I want to learn to hack, I want to do this, I want to do that...". When I started it was possible for two or three people to get in a room and understand all of these things, about hacking, phone systems, computer security, everything. Nowadays it's so specialized, it has become so popular and complex that it is very hard for one person to get really good, it's really hard for one person to be able to be a master of all now. But before you could get two or three people and really be masters of all.

Daniele> Machines were less complex.
Jeff> Yes, they were not as complex, there were one or two vendors, not five hundred.

Daniele> Mainframes were one machine, centralized.

Jeff> Yeah, it was X.25, that's what it was! So instead of getting overwhelmed by the number of directions you could go in, read a couple of general books on computer security. I always recommend the old ones: "Firewalls and Internet Security" is a good one. Matt Blaze (? not sure of this name, doh!) has a new book out, it's fantastic, anyway... just read, read general security books, and in there you will find all of these different 'divisions'. Pick one, and investigate that for a week, a month, instead of trying to investigate them all at once. And you'll be much better off, because what you'll find is that you run into lots of people who know a little bit about a lot, but as soon as you know a little bit more than they do, then you become valuable. It is hard to make your way as a generalist; there's much more demand for specialists. So if it interests you, read all you can, but then specialize in *one* area! And as an example, Joe Grand, who was a speaker...

Daniele> Yeah, on the mobile devices and telephone stuff...

Jeff> Yes, he was hanging out with a couple of buzzwords and he did not really know what to do. And he was told "What about maybe taking apart a calculator or anything? Maybe you should try that." And he started doing that and three months later he said "Hey guys, check this out, check what I can do out of it", and everybody encouraged him, and encouraged him, and that became a specialty, and now he's one of the leading people doing this kind of embedded security. And out of all fields, he got some encouragement in this one, and he started with it. And now he's world-known. He might have just known a bit of everything... And I'd suggest: there's plenty of free resources online, you can get quite a lot of education without having to spend money on books. I don't know how expensive the books are in Italy.
Daniele> They're nowhere near that cheap. Paper costs.

Jeff> Yeah, cut it out. You can go quite far without actually taking classes. But I'd also suggest maybe getting a professional credential of some sort. If you are truly interested, you wanna set yourself apart from all the hobbyists, and get a professional credential or two, just to show that you are taking it seriously (since it's a business). There are a number of those, I'm sure, societies you can join, and once you start circulating in these societies and meeting other people, what happens is they'll cause you to focus your direction and lift your goals. When you play with a better tennis player, you raise the challenge. And you want to get in that community. Millionaires hang around with millionaires, not with garbagemen; you want to find your peer group and hang around them, and then you'll learn much faster with a couple of friends who are into it than trying to do it on your own.

Greetings: I would like to thank Jeff again for the great opportunity of talking to him about such interesting stories. Keep up the great work, Jeff!