A Conversation With Jeff Moss

Omer: I was going through random Google searches against your name and I found Platinum Net. What is it?

Jeff: That was one of twelve underground messaging networks, FidoNet networks that I belonged to. They all used the FidoNet method of straightforward messaging. It wasn't part of FidoNet, but it used the FidoNet protocol to reach private messaging networks. It was a pretty small network out of Canada and it dealt mostly with hacking information, how to modify your car engine, and a whole bunch of random hacking-related topics. That was the reason I started DefCon 15 years ago, because I was friends with the guy who ran Platinum Net there. He ran the US main node and redistribution in the United States. He got a new job; his parents had to move, so he had to take down the network. He wanted to do a party for everybody and he asked me for help. But then his parents left early and he had to go overnight as well. I was just stuck there, holding my bag, thinking about how to deal with the situation. I turned to the other networks I belonged to and invited everybody to DefCon.

Omer: DefCon was already in place; why did the idea of Black Hat evolve?

Jeff: When DefCon started it was all a passion. Nobody our age could get jobs; there were no jobs in computer security. And there wasn't really even a market. The only people who were doing security work were people working for government, banks or universities, or maybe manufacturers. There was really no chance to get a job. But then the internet boom sort of changed all that, and as the boom was beginning, people started looking for IT people to install networks and other infrastructure. All of a sudden everybody we knew started getting jobs. They were looking for jobs, they got them, and then they tried convincing their bosses to pay for their trips to DefCon. DefCon was just a straight hacking convention, and not really something serious. The announcements made there were not really serious, so you show that to your boss and he is not going to pay your way to DefCon. So everybody suggested that there should be something more serious and conventional, an event similar in nature to DefCon, so they can show it to their bosses and get their trips paid. A friend of mine, Larry was his name, suggested doing a whole new convention which is more serious sounding and charging them a bunch of money for it, because when you charge money for something, you can sort of manage expectations. So by charging money we could fly in the best speakers, we can pay the flight rent, we can pay to spend some time to develop the content. So that's what it sort of became. Black Hat was totally a spin-off.

Omer: What do you think about how the whole idea of security has moved a step further, from PDPs to modern computers? How far has it come from the early days of personal firewalls to unsupervised IDS algorithms?

Jeff: It is fantastically more complicated now. The market just for security skills is fantastic. Competition sort of breeds specialization, and so 15 years ago it used to be 4 people each with different knowledge and you could pretty much understand any problem, you know, the telephone problems, the UNIX problems; it wasn't that complicated back then. Now you can have a hundred people in a room and still not understand all the implications of dynamic HTML and a virtualized system on a multi-processor core, and it goes on and on and it can be hideously complicated. So on one hand it has matured the security market, and on the other hand, the problems it has created for itself are more and more complicated, with harder to understand specializations. So it isn't about one technology anymore. For example, if someone is an expert on "SQL injection on Oracle", they don't know much about anything else, because they have specialized so much and it has an extremely vast scope. And I don't know if that is the best for the marketplace, because if that person goes to find a job again, there will not be many places out there hiring people who know about SQL injection on Oracle. So after retraining, they can pick up those skills and maybe do SQL injection on Microsoft products. But even that is completely different from what it was probably 6 to 7 years ago. I think it has changed a lot from what it used to be 10 years ago.

Omer: How do you think DefCon and Black Hat have helped the security industry?

Jeff: I think yes, it has helped a great deal. It has raised the level of awareness in the masses. Just reading the articles written about security makes you understand a lot of stuff that you never knew before. There are some people out there who really know the technology and its weaknesses, and they might use it for bad purposes. So it's our responsibility to figure out weaknesses and make people aware of them. Back then it was just kids who were curious, and there wasn't a lot of organized crime. You had to find somebody to teach you. Now you can learn how to break into other computers and never have to meet another human. You can just be reading web pages online, buying books and practicing the hacking skills. So now it's easy for criminal groups. They can easily learn these things in the comfort of their sofas. And the motivation now is so much greater; I mean, now there is enough money online, enough consumers online, and enough commerce floating around. Now there are actually big targets. 10 years ago my mom wasn't online, and back then there wasn't so much money online to go after. But now everything is online. So of course that's where the criminals are going.

Omer: Last year there was a lot more nuisance, Michael Lynn's controversy, about the Black Hat bug probably? How do you deal with all those political and social pressures? And how does it impact Black Hat content?

Jeff: Well, that's a really interesting problem there. First of all, it was really stressful at that time, because we were actually at the same time trying to sell the business. We had 6 prospective companies who were at the show, trying to decide whether maybe there is something that they are interested in buying. So we are in the middle of trying to sell our business, and getting sued by Cisco and ISS, and trying to run a show at the same time. 3-4 prospective buyers were scared away, thinking that the security conference base is too much risk, too much chance of being sued. But the remaining people, 3 companies, said "Wow, you are getting fantastic press attention and this is really good," because they are not going to be scared away. And you're really faced with the dilemma that if you don't try to defend yourself, you can wreck the whole business, because the public will never gain the knowledge that these researchers have acquired, because they will be shut down through these lawsuits, and it will pretty much wreck my business. It's like I have to fight or I have to give up. So we had to save more money for possible lawsuits. The good thing with Cisco was that it ended up looking pretty bad, so a lot of people have learnt the lesson that it is probably better to contact the speaker and try to work it out behind the scenes and not make it public on the front page of a newspaper.

Omer: With all this political pressure and a whole bunch of money from platinum sponsors (i.e. Microsoft and Cisco), does it make any difference to what the speakers have to say?

Jeff: We don't give the speakers any guidelines on what to say and what to do. In the very beginning, there weren't many security vendors. There wasn't any money to be made from vendors. Later on, as the market started growing up, there was an opportunity and we started getting extra money from the sponsors (they wanted to help out and be involved somehow). But we made it pretty clear that you don't get any special consideration. I believe that there are two sides of a business. There is one side that goes and gets sponsors. And there is the other side that reviews content. There was an instance when one sponsor recommended eight different talks and none were accepted. Another sponsor had three talks which were accepted.

Omer: Who decides the acceptance of the content?

Jeff: Ultimately it is me, but we have a review committee. And for each show the people who review it are sometimes different. There is a core 3 of us in the office, then we have outside people. If you talk about crypto, we have crypto experts. Talks about reverse engineering, we have reverse engineering experts. Most of the time we consider how exciting the new research is: how fundamental and important is it? Does the person have a good speaking record? We really try to pride ourselves on introducing the public to new speakers. So sometimes our presentations aren't that polished, but what we are really after is good tact and a little less about how good a person looks up front. Because, you know, there are a lot of other conferences where you can find really polished speakers delivering the same speech that they delivered 50 times before. We look for someone that has maybe delivered the speech once before, but it's brand new.

Omer: What's your take on censorship policies?

Jeff: It has never affected us. I think we have a little bit of self-censorship, besides the security market is rapidly growing up and a lot of our speakers now work for companies. And sometimes companies don't want to anger vendors, or other customers. So we are finding it actually kind of hard now for some speakers to point out names of vendors with whom they had problems, because they have been told by their bosses that if you do that it will disrupt our business relations. So the independent researchers, who have nothing to lose, are usually very interesting, as they can say and do whatever they want to. But sometimes you get people who get intimidated when they start working for big companies.

Omer: You have been associated with the security market since its very beginning. Why do you think there is a gap between actual product development and security?

Jeff: I think a lot of decisions are still based on marketing claims which don't necessarily match reality. A lot of purchase decisions are made by people who aren't informed enough to make those decisions. So a typical example is the CFO is golfing with a Microsoft representative or something and he gets talked into buying the new product. So he tells his IT managers that we are now going to deploy the new Microsoft product, and instead of the decision being made bottom-up, the managers decide to do it top-down. "We are buying Oracle!" instead of people down below saying "Hey, we can do this in MySQL or some other database for half the price." So I think there has been a disconnect from the very beginning on purchasing, depending on how the company is set up. And once the product is purchased, a lot of times people don't properly account for it, I mean the amount of time required to monitor these programs. How many companies have an IDS system deployed? But nobody watches the output. They review the output like weekly. That's a little too late, in case, you know, you've been attacked. And more and more, these systems that people have deployed, they have BYT boxes on them, they have IDS and ITS, they have more routers, they have automated voice response systems, the web servers, the mail servers, they have all these appliances, load balancers, application accelerators, and there are so many boxes on the network in bigger companies now. But there aren't enough people to watch them all! I was talking to a bunch of security guys at a committee gathering in Seattle and I was asking them how many boxes do you have on your network that aren't servers, they are just, like, other things, you know: SNMP trap managers, logging servers etc. And they had like 28-30 boxes. They have to manage all of them.

Omer: Each box gives a new avenue for vulnerability and maintenance.

Jeff: Yes, and each one of them you have to be constantly updating and maintaining. It's almost more than a full-time job. Track all the BIOS versions, access control policies etc.

Omer: And then there is human error as well.

Jeff: Yes, that is true. Even a guy who got hired and then moved away, he was the only one who knew how to manage it and had the understanding for it. And the new guy has to come along and figure it out himself. That's why you can burn Rome in a day but it takes a lifetime to build.

Omer: Do you think there has to be a better process for revealing vulnerabilities rather than full disclosure? Maybe a table talk with the vendor before revealing it to the whole world?

Jeff: That kind of works in the beginning. But the problem is that if you tell the vendor, the vendor might not tell the greater world. What would happen is, why would I need to upgrade my Sun OS? I don't need to upgrade my Sun OS. And Sun is not going to say you had better get upgraded for those 5 critical vulnerabilities; they would just hope people would upgrade. And so people, without being told why, wouldn't bother upgrading. So if Sun keeps on saying that, well, there are critical vulnerabilities, then people are going to go trying to look at what they are, and I think it becomes more and more time consuming only. As the researcher spent all the time to find some bugs, his job is not to spend the next 3 weeks holding the hand of the vendor, explaining everything to them. They want to just get on with life and do the next thing. So it can be faster and easier for the bug finder too. More likely he will go find more bugs and the world will come to benefit from his research. But if it's going to bog him down with weeks and weeks of effort, he won't do it publicly, and he won't tell us. He is still going to talk to his friends about it, but we won't get the benefit.

Omer: In the next 2 years, where do you see DefCon and Black Hat heading?

Jeff: I think office applications and web services would be something new for us. Maybe more and more clever attacks on browsers, particularly mobile browsers and Java scripting; dynamic web pages and cross-site scripting are still a difficult problem to solve. What we plan to do with DefCon and Black Hat is to introduce more hardware-related research; I mean, all those embedded systems in your infrastructure are only appliances with vulnerable software written on top of them. I think this is an area that the world has forgotten about. Hardware hacking is a whole unproven green field just right for exploits.

Omer: Jeff, thank you for your time. It has been a pleasure talking to you.

Jeff: Thanks a lot.

Interview concluded.