Security showdown in Vegas
Las Vegas plays host to two separate security conferences this week--one for people who guard computer systems, another for those who break into them.
System administrators and hackers, CIOs and script kiddies will all gather in the desert to trade information, swap stories and take each other's measure.
At the Black Hat Briefings security conference Wednesday and Thursday at Caesar's Palace, security experts will teach network administrators and information-technology managers how to protect their critical systems.
Starting Friday, hackers will emerge at Def Con, with many from the underground culture coming out into the hot Las Vegas sun to trade code, learn new tricks and, in some cases, finally meet in real life.
"They are very different conferences," said Scott Culp, security-program manager for Microsoft, who plans to attend Black Hat but not Def Con. "Def Con is very focused on attacking systems, while Black Hat is focused on defending them."
Computer security is an area of intense interest among governments, corporations and consumers worldwide. Break-ins often amount to little more than pranks but also can result in systems being taken out of commission and information being stolen or corrupted.
In recent weeks, hackers have gained access to computer systems at a financial services company, a news site in the United Arab Emirates and a corporation that controls the distribution of 75 percent of California's power. Meanwhile, a CIA official warned Congress that in the next decade Russia and China may have computer-based tools that could do long-lasting harm to the U.S. economy.
Last month, online financial services provider S1 suffered an electronic break-in in which an unknown attacker exploited a security flaw to access one of the company's servers. In the California attack, which also occurred last month, an inexperienced intruder took control of two servers that were supposed to be protected by a firewall.
And in May, online vandals launched a denial-of-service attack on the Whitehouse.gov Web address, much like the assaults that crippled Yahoo and other major Web sites a year earlier.
Much attention--from both attackers and defenders--also has gone to a security hole in Microsoft's flagship Web server software that the company has called a "serious vulnerability." Just last week, a Japanese hacker surreptitiously posted a program that could exploit that hole in the Internet Information Service software and give remote attackers complete control of vulnerable servers.
Microsoft tests the wind yearly at Black Hat to see what security threats system administrators are most worried about, Culp said. Last year, the major worries were the virulent spread of worms through e-mail and the high cost of properly managing security.
In response to hearing such worries at Black Hat and other conferences, Microsoft focused more heavily on getting the bugs out of its own programs, announcing its "war on hostile code" in April.
Don't expect any panacea for the high-tech world's security woes, however.
"If you're looking for a killer technology that has radically altered the security landscape in the past year, it's not there," Culp said. "Security is about banging out incremental improvement every day."
The flip side of the security coin shows up at Def Con. While the past few years of media frenzy surrounding hackers has caused the crowds to swell at the conference, actual hackers still do show up, said Jay Beale, security team director for Linux software maker MandrakeSoft.
"Def Con just mirrors the population of hackers in general," he said. "The bulk are just script kiddies, but there is some small portion that really know what they are doing."
With its "capture the flag" contest, where teams of attackers try to crack a handful of servers set up for the tourney, Def Con is a big game for some. Others barely attend the conference, meeting in rooms behind closed doors to swap information and finally chat in real life.
Though there are two distinct conferences, the attendees have a lot in common. Some system administrators come early to Black Hat to attend seminars including "Ultimate Hacking," a two-day course that teaches them to hack their own systems, the idea being that knowing your own weaknesses is the best defense.
Others officially attend Black Hat on behalf of their company, then stay on to meet the other side at Def Con.
In the end, the worst thing about the conferences may be that security and hacking have become too popular, Beale said. "The only complaint I have is that there are too many people who know about it at this point."