I had a chance today with Scott Howitt to have a little fun at BlackHat. I’ve always enjoyed the show over the years for many reasons, not least of which is avoiding taking ourselves too seriously in ways that seem to be the norm at some other security shows.
So this time, I thought let’s not do Death-by-Slides or get preachy – let’s have some fun…and that’s what we did. And Scott was good enough to work with me on this fun project.
First off: it’s Vegas.
So let’s start with some classic films and cons that bring a touch of the casino and a lot of Vegas into it along with a touch of the charm and deviltry and mystique of all that that entails. Our goal is to apply it to our domain.
Scott and I screened a few movies and called it work (which is always fun) and had help from friends and colleagues’ suggestions and input, and the amazing thing that surfaced from Hollywood was that we didn’t need to go to movies that were digitally themed like Sneakers, Enemy of the State or Swordfish. In fact, most movies that used computers and technology used them as almost “magic boxes” for functions that needed something unnatural or impossible in the physical world, and they weren’t really very insightful for our industry. They’re fun…but they are really science fiction and are actually less relevant than many of the classics.
Films like The Sting and Ocean’s 11 had real gold. Movies like 21 and Ocean’s 13 actually have more lessons for our industry than the more CGI-intensive, special-effects films that make us feel there’s a “cyber exceptionalism” at play here. Instead, basic human themes that aren’t unique to security and the darker side are the most relevant to those of us guarding the connected world. These same themes pop up over and over again and are in fact the most relevant to the audience:
- The opponents are human beings
- People hide in plain sight
- The bad guys are not lone wolves – teamwork matters everywhere
- Your attention is the most valuable thing you have and it can be used against you
- You can stare too closely at the details and miss the pattern
- If you look for the obvious, you’ll miss the problem
- There’s no magical “god box” or tech trick that’s going to solve it all
- Old tricks and “old school” are still resurfacing and useful on offense and defense
- Distractions and smokescreens still work
- Patience and preparation pay
- Watch what you bring in or are tricked into bringing in
- Skilled people are rare
- Do you even know you’ve been scammed?
I called the session “cyberhustle” tongue in cheek because the term “cyber” has quite a history and has been used and abused much lately. There’s more than a bit of hype, to say the least, in our industry with a lot of magic beans promises, and we need to remember many of the basics in the movies we screened scenes from with the group. Rather than do a product pitch or even something abstract that ultimately pushed a corporate agenda, it’s our hope that a reminder of the “old school” will help us apply more critical thinking with vendors, our processes and the hunt for our opponents.
Hopefully, you enjoyed the session if you were at BlackHat.
As a final comment, the term “cyber” might stick or not (especially with the government’s adoption of it) – time will tell – but it is a marker for the current generation of the darker side of the connected world. So I hope you enjoyed the Cyberhustle with Scott.
And of course a big thanks to Scott for being a good sport and for going through this leap of faith in doing an unorthodox session and for joining me Siskel-and-Ebert-style on stage!