Home & Office

Security showdown: Black Hat vs. Def Con

Las Vegas plays host to two separate security conferences this week - one for people who guard computer systems, another for those who break into them
Written by Robert Lemos, Contributor

Las Vegas plays host to two separate security conferences this week -- one for people who guard computer systems, another for those who break into them.

System administrators and hackers, chief information officers and script kiddies will all gather in the desert to trade information, swap stories and take each other's measure.

At the Black Hat Briefings security conference Wednesday and Thursday at Caesar's Palace, security experts will teach network administrators and information-technology managers how to protect their critical systems.

Yet starting Friday, hackers emerge at Def Con, with many from the underground culture coming out into the hot Las Vegas sun to trade code, learn new tricks and, in some cases, finally meet in real life.

"They are very different conferences," said Scott Culp, security-program manager for Microsoft, who plans to attend Black Hat but not Def Con. "Def Con is very focused on attacking systems, while Black Hat is focused on defending them."

Microsoft tests the wind yearly at Black Hat to see what security threats system administrators are most worried about, Culp said. Last year, the major worries were the virulent spread of worms through email and the high cost of properly managing security.

In response to hearing such worries at Black Hat and other conferences, Microsoft focused more heavily on getting the bugs out of its own programs, announcing its "war on hostile code" in April.

Don't expect any panacea for the high-tech world's security woes, however.

"If you're looking for a killer technology that has radically altered the security landscape in the past year, it's not there," Culp said. "Security is about banging out incremental improvement every day."

The flip side of the security coin shows up at Def Con.

While the past few years of media frenzy surrounding hackers has caused the crowds to swell at the conference, actual hackers still do show up, said Jay Beale, security team director for Linux-software maker MandrakeSoft.

"Def Con just mirrors the population of hackers in general," he said. "The bulk are just script kiddies, but there is some small portion that really know what they are doing."

With its "capture the flag" contest, where teams of attackers try to crack a handful of servers set up for the tourney, Def Con is a big game for some. Others barely attend the conference, meeting in rooms behind closed doors to swap information and finally chat in real life.

Though there are two distinct conferences, the attendees have a lot in common.

Some system administrators come early to Black Hat to attend seminars including "Ultimate Hacking!" a two-day course that teaches them to hack their own systems, the idea being that knowing your own weaknesses is the best defence.

Others officially attend Black Hat on behalf of their company then stay on to meet the other side at Def Con.

In the end, the worst thing about the conferences may be that security and hacking have become too popular, Beale said.

"The only complaint I have is that there are too many people who know about it at this point," he said.

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards