Back in 1997, when tech companies didn’t understand hackers very well and didn’t take them seriously, the founder of DEF CON, Jeff Moss, decided to create an event that would give everyone the chance to peek inside the minds of these creative geniuses. Black Hat was born.
“[T]he Black Hat Briefings will put your engineers and software programmers face-to-face with today’s cutting edge computer security experts and ‘hackers,'” the official announcement promised. “Only the Black Hat Briefings will provide your people with the tools and understanding they need to thwart those lurking in the shadows of your firewall.”
Attendees of that first conference, held July 7-10, 1997, right before DEF CON, got to hear from a stellar list of speakers. Mudge gave a talk on secure coding practices, Bruce Schneier explained why cryptography is harder than it looks, Adam Shostack had a presentation on making code reviews worthwhile, and Dominique Brezinski showed how attacks against Windows NT networks work.
The keynote speaker was techno-philosopher Richard Thieme, who gave a prophetic talk about the role hackers would play in our society.
“You are going to be the thought leaders in the 21st century,” Thieme remembers saying. “The technological revolution was going to transform the context of everyone’s life in ways that people could not foresee and didn’t expect.”
His words might have sounded far-fetched at that time because there weren’t any degrees in cybersecurity yet and no certifications with endless letters. Moreover, software companies threatened those who dared to find flaws in their products.
“Every time hackers found a bug, software vendors would come up with some way of downplaying or criticizing it,” says Ira Winkler, chief security architect at Walmart, of those early years. “They would criticize password crackers saying, ‘Who’s going to sit around and just try to brute-force a password?'”
Black Hat helped the corporate world understand the value hackers could bring to the table by giving these creative minds a certain stamp of legitimacy. Twenty-five years after its first edition, the event has expanded to include multiple niches and geographies.
“We have additional tracks: Community & Career, Human Factors, or Policy,” says Shostack, who’s a member of the 2022 edition’s review board. “I think the philosophy has broadened.”
The Early Days
But let’s turn back time to Black Hat’s early beginnings, when Moss, aka The Dark Tangent, recognized the need for a more formal conference. DEF CON originated from the idea of throwing a party where everyone’s invited, but Moss wanted an event that brought hackers and software companies together without being ultra corporate.
His idea was to create “a forum where everyone could exchange ideas and talk about what they were working on,” says Jeremy Rauch, co-founder of Latacora.
Moss, who was a penetration tester before that term even existed, took a genuine interest in everyone’s projects, which helped him to build a community around the event.
“I would imagine everyone who was speaking at those early Black Hats would say Jeff was a friend doing a conference, and I was excited to be able to speak at his conference,” Rauch says.
Thieme adds: “There are a number of ways Jeff manifests real genius. He gives you a chance, and he’s willing to take risks.”
Moss’ gift for networking helped to address at least a bit the divide between the hackers and the software companies they were targeting. Microsoft, for instance, took part in Black Hat’s first edition and even invited a few speakers to dinner.
“We came here to look at the hackers’ perspective, to understand what they’re thinking and what their concerns are,” Carl Karanan, then Windows NT marketing director, told ITProToday. “It’s good to look at things in perspective: this conference does that. We’ve opened up a dialogue. The hackers do a service. We’re listening and we’re learning.”
Later on, the Seattle giant ended up sponsoring Black Hat. “And so, the big baddie, who people loved to hate, was showing up and paying for your drinks,” Shostack says. “And by and large, not always agreeing, but at least listening to what you have to say.”
The gap between the multimillion-dollar Microsoft and the hackers, who often used weird-sounding nicknames and didn’t have traditional jobs, was visible. “I remember being in a hotel, and we literally ordered the cheapest bottle of wine on the menu because split four ways, it was what we could afford,” Shostack says.
Little by little, the hacker community has grown wider, and its top professionals started to have lucrative jobs or build companies. “I am confident that there are still people who are [splitting a cheap bottle of wine], but I think there are fewer people who are doing that, who also are speaking at Black Hat,” Shostack says.
The transition from doing it for fun to making money started slowly. One thing that helped the hackers raise their profile was the quality of their technical talks.
Some of Black Hat’s Iconic Hacks
In its first decade, Black Hat grew by word of mouth. Its bold presentations touched on everything from cyberwarfare to cryptography, anonymity, or flaws in operating systems. The speakers took the stage excited to showcase their work, although sometimes they experienced pushbacks.
One defining moment in the history of Black Hat happened in 2001, when James Bamford, author of The Puzzle Palace and Body of Secrets, gave a talk on the NSA, explaining how the agency has been listening to people since World War II. His presentation prompted a conversation on whether Bamford was a whistleblower or a traitor, 12 years before the Snowden revelations.
Another expert who wasn’t afraid to speak his mind was Mike Lynn. In 2005, when he was 24, he prepared a presentation on a vulnerability in the Internetwork Operating System used for Cisco routers. But Cisco and the company Lynn worked for at that time, Internet Security Systems (ISS), were unhappy about it. They asked him to refrain from discussing the vulnerability, although it had been patched months before the conference — and threatened to sue him if he didn’t comply.
The two companies also pressured Black Hat organizers, telling them not to include information about the talks in the proceedings of the event. Shostack remembers Moss coming to him with an unusual request: “He handed me a razor blade to help cut pages out of it because Cisco’s lawyers had shown up in bulk and threatened to shut down the conference if we distributed this.”
Lynn responded by quitting his job at ISS. And on the day of his speech, wearing a hat with the word “Good” written on it, he took up the stage and asked the audience: “Who wants to hear about Cisco?” Of course, he went on with his talk, and he was later sued.
This event, dubbed Ciscogate, put Black Hat on the front page of The Wall Street Journal. “When your mom’s friends are asking her about the convention or about security, you know you’re starting to reach prime time,” Moss said in an interview for CNN.
With the publicity it attracted, Ciscogate eventually helped software companies understand how not to deal with vulnerability disclosures, thus moving the needle on making everyone safer. That year, though, Moss sold the conference (to CMP Media, now part of Informa, Dark Reading’s parent company).
While some of Black Hat’s presentations are highly technical, a few speak to large audiences, trying to show everyone how easy it can be to get hackers. For example, just a year after Ciscogate, researcher Joanna Rutkowska took inspiration from the movie The Matrix and introduced the Blue Pill, a rootkit based on x86 virtualization.
During her talk, she argued that the new technology she built could create malware that would be “100 percent undetectable,” with no performance penalty. The idea behind the Blue Pill is to start a thin hypervisor and virtualize the rest of the machine.
“[A]ll the devices, like [the] graphics card, are fully accessible to the operating system, which is now executing inside [the] virtual machine,” she wrote on her blog. Later, Rutkowska built the Red Pill, which can help detect a virtual machine’s presence.
Then, in 2010, the late Barnaby Jack forced two ATMs to spit out cash on the conference’s stage. One of those was hacked remotely, while for the other, he used a thumb drive loaded with malware.
Equally iconic was the talk security researchers Charlie Miller and Chris Valasek gave in 2015. They showed how they hacked a Jeep remotely while Wired journalist Andy Greenberg was driving it at 70 mph on a highway. The two researchers changed the car’s air-conditioning settings, started its windshield wipers, cut the transmission, and toyed with the accelerator. In addition, they were also able to kill the SUV’s engine at lower speeds and disable the brakes.
Such talks touch on the values Moss tried to instill into Black Hat, such as creativity, spontaneity, and collaboration.
The days when Shostack split a cheap bottle of wine with his friends in a hotel room are long gone. The security industry has matured, and so did Black Hat. The event has transformed from a rowdy bunch meet-up that was kicked out of hotels to a professional conference with a Code of Conduct that’s taken “very seriously,” according to its organizers.
“People should expect a professional, safe, and inclusive environment, and we regularly take action to ensure that’s the case,” says Steve Wylie, general manager of Black Hat. “As one of our industry’s most established conferences, I think Black Hat plays an important role in promoting diversity and inclusivity.”
This year, the event has a diverse speaker lineup and editorial board. It also includes scholarship programs for underrepresented groups. Keynote speakers include Kim Zetter and Chris Krebs; topics include the cyberattacks against Ukraine, the SpaceX Starlink system, elections and disinformation, surveillance vendors, and the burnout phenomenon that has impacted many professionals in the past years.
“There’s not a Black Hat conference that goes by where I don’t see several talks in the list and think, ‘Wow, that’s really cool. That’s amazing,'” Rauch says. “It’s amazing how far everything’s come and how much really hard work people do these days in the name of security research.”