When the Black Hat conference rolls around each year, some people no doubt remember the almost certainly apocryphal story about a bar that was frequented by both mobsters and policemen. The idea is that everyone would relax, no hits or arrests would be made and the mayhem would resume the next day. One night, a mobster was good-naturedly extolling the virtues of the crooked life to a policeman. Much more money and much better hours, he said. "That's certainly true," said the cop. "It's just that I don't like your retirement plan."
The same sort of mix of good guys and bad guys -- and those in the middle -- is no doubt characterizing Black Hat USA 2007, being held this week in Las Vegas. This story in InfoWorld details what is expected at the show, which coincides with Defcon, which the story says is "even edgier" than Black Hat.
InfoWorld provides one of the better overviews. It traces the change in orientation from an emphasis on attacking Windows vulnerabilities to a focus on exploiting vulnerabilities in Web 2.0 applications. This is a significant and troubling evolution. A key element of the story says that the tools used to build Web 2.0 sites have security issues, but many programmers remain ignorant of the threats.
NewsFactor Network details how the world of hackers and crackers has evolved from pony-tailed geeks intent on proving their superiority to a highly structured arm of organized crime. The story focuses on bots, the armies of hijacked computing devices that are infected to do the criminals' dirty work. The story, in a nice turn of a phrase, refers to "gangs of software-drugged, sleep-walking PCs."
The news surrounding Black Hat invariably is more interesting, say, than what emerges from a conference on dual-mode mobile devices or the latest in triple-play service marketing. This year is no different. Thomas Dullien (aka "Halvar Flake"), who this Slashdot post says is a regular attendee at Black Hat, was denied entry to the U.S. The post includes a link to Dullien's blog, ADD/XOR/ROL.
Vendors also keep an eye on Black Hat. Wired says Apple "perhaps not coincidentally" released patches for vulnerabilities in the Safari browser, WebCore and WebKit, right before the conference started.
iPhone 1.0.1 addresses vulnerabilities that allow cross site scripting (XSS) and the possibility of arbitrary code execution occurring at a malicious site. Researchers were aware of the XSS vulnerability from shortly after the device was released. Mozilla also released versions 184.108.40.206 and 220.127.116.11 of the Firefox browser on July 17 and July 30, respectively. The posting describes the vulnerabilities.