Monday, May 05, 2008

Blue Hat 2008

I don’t recall drinking any Kool-aid while in Redmond, but I can’t deny something about my first trip to Blue Hat (Microsoft’s bi-annual internal security conference) affected me. The only thing I can think of is those crafty people over at MS security must have piped something in the air ducts or put something in the eggplant parmesan, because well, I was impressed -- influenced even. Andrew Cushman, MSRC Director (among other things), managed to convince me to attend, even though I thought I knew what the event was all about.

Well, my precognitive abilities failed me. There were no underground chambers, secret member handshakes, career limiting NDAs, or endless interrogation by the brainwashed hordes hunting for 0-day. Apparently I also wasn’t even there to be recruited away from WhiteHat or at least convinced to give up my MacBook. To test the theory I brandished it in hopes it might start some kind of scene, but to no avail; no one really cared. What Blue Hat did have is a technically kickass speaker/topic line-up, better than most infosec conferences I’ve attended. I also got the opportunity to hang out with Billy Rios, Nitesh Dhanjani, Nate “stolen laptop” McFeters, Kuza55, Fukami, Adam Shostack, and several others.

The attendees were mostly MS software engineers looking to learn about the latest security goings on. What struck me in conversation with them was their openness. Not “open” in the sense that they were willing to share all their secrets, but more that they were genuinely eager to listen to the thoughts and ideas of others. No arrogance detected; they truly wanted to make their products better. By contrast, there is now much general animosity towards Apple amongst the security researchers within the community. While many of the bad guys are searching for their precious Windows 0-day, the good guys are focusing attention on OS X now mostly out of spite (or at least to win a MacBook).

My role at Blue Hat was to participate on the Vulnerability Economics Panel; the name describes it all. The other panelists definitely had some interesting things to share, including that Windows XP SP2 and IE 6 vulnerabilities come at a premium over Vista due to market share factors, and well above OS X. Also interesting is the rose colored view of the world that the security community still tends to have in believing that reverse engineers won’t be influenced by money. Yah, like we all work for free or something. Their thinking is that 0-day work product will continue to flow to software vendors or intermediaries (TippingPoint / iDefense) as it has, even if the potential payout on the black market (or other venues) is orders of magnitude higher. I hold onto no such illusions.

Some mental notes I made to myself, which not all the panelists agree with, are:
  • As MS reduces the number of externally found 0-days, their black market street value goes up. Maybe into the high 6 or even 7 figure range over the next 2-3 years.
  • iDefense and TippingPoint 0-day payouts are getting larger, now often in the 5 figure range having already purchased 300 or so issues.
  • As the black market 0-day payouts rise, “freely” disclosing issues to MS will seem less attractive to freelance security researchers.
  • Microsoft vulnerability metrics will continue to decline as they clean up their software, hire most of the good reverse engineers as employees or contractors (taking those issues off the market), and those who remain consider their options for profit potential.
  • Third-party applications will come under heavily increased scrutiny.
  • Increased likelihood of vulnerabilities being purposely introduced into MS code by insider threats looking for a big payout.
  • 3-5 year prediction: the US Government regulates the sale of 0-days, much like encryption, likely stimulated by a major incident resulting from a sale.
Overall, I had a really good time and hope to be back for the next one.


Rob said...

Hahaha, Nate is pretty worried about what happened to his laptop. Anyway, it was good meeting you and talking some BJJ.

Nate McFeters said...

Haha, that's a low blow man, low blow.

Bastard Rios jacking my laptop... oh well, at least he didn't get the opportunity to do anything.


Arshan Dabirsiaghi said...

I strongly agree with the insider comment. MS already rewards developers with bigger bonuses for writing security-bug free code - a model which I initially really liked.

Unfortunately, they can't (now or soon) afford to match the incentives of the underground. A single IIS remote BoF that could be used in a worm to propagate adware/malware silently, a la MySpace/Zango? That's easily worth $1m.