10 Aug Hackers and government live in an uneasy house – Black Hat
Michael has been at Black Hat for the past few days. Here is a reblog of the best summary of the event. This has been reblogged from Examiner.com
Black Hat, the annual gathering in Las Vegas of hackers, researchers, government officials and corporate security chiefs, is perhaps the most significant cybersecurity conference of the year. That’s not because it makes major news about advances in new security technology; more often it reveals deep and serious flaws in how we are protected from criminal mischief. And yet yesterday’s opening session focused less on how smartphones, cars, and even satellites can be hacked (yes, they all can) than on how growing mistrust between the technology community and our own government is threatening to blow wide open.
The tone was set in the morning’s opening keynote by Jennifer Granick, a director with the Stanford Center for Internet and Society. Granick, who has been attending Black Hat and another hacker conference, Def Con, for a long time, did not mince words before an audience that responds well to candor. “The dream of Internet freedom that brought me to Def Con twenty years ago is dying,” said Granick.
She pointed to increased government regulation, both in the U.S. and abroad, as a major reason for her concern, citing misguided laws and zealous overregulation on the part of Congress as key factors. “The message from our government is that if you step over the line, we will come for you,” Granick told the somber gathering.
Sessions that followed her on the densely packed Black Hat program helped reinforce her concern. One of the day’s most stunning examples was the story of LabMD, an Atlanta-based medical technology company that has been fighting a two-year battle with the Federal Trade Commission (FTC). Appearing at a session yesterday afternoon, LabMD’s founder, Michael Daugherty, described how one supposedly leaked file led the FTC to prosecute his company without the kind of disclosure normally found in a court of law.
“The FTC, like most agencies, has playbooks that are top secret,” said Daugherty, who ultimately was forced to close his company and fire over 40 employees. But he has refused to give in to the FTC.
The story of LabMD has been documented in bits and pieces in the press for the last year as the case rolled on. The gist, as recounted yesterday by Daugherty and described more recently in the media, is that the FTC acted when a mysterious private cybersecurity company called Tiversa provided them with evidence (which Daugherty has yet to see) of a data breach. According to the LabMD founder, his company refused an offer from Tiversa to “fix the problem” for a fee, which prompted the cybersecurity firm to notify the FTC.
Three months ago, a former Tiversa employee testified in federal court that the company engaged in fraud and shakedowns of small technology companies.
Daugherty has documented his saga in a book, “The Devil Inside the Beltway,” and expressed concern yesterday that the FTC needs to be reined in by Congress. “All this is to me is bullying behavior,” said Daugherty.
Despite presentations like the LabMD case, the program at Black Hat also included government representatives seeking to mend fences and perhaps build bridges to the hacking and security research community. For the first time in memory, a high-ranking official from the Department of Justice attended Black Hat and presented his side of a tough story.
Leonard Bailey, the special counsel for national security at the Department of Justice, made his point that of the over 56,000 cases filed by the federal government last year, only 194 of them dealt with computer fraud.
“We’re not coming after security researchers,” said Bailey.
But the Justice official acknowledged that prosecution of computer crime can have an intended impact. “All it takes is one flogging in the public square, and there’s a chilling effect,” said Bailey.
The Department of Justice has come under fire in the hacking community over the prosecution of Aaron Swartz, a hacktivist who was arrested for creating a program at MIT that would automatically download academic journal articles. Faced with 35 years in prison, Swartz committed suicide in 2013.
The first question for Bailey from the audience yesterday concerned his agency’s handling of the Swartz case. “That was a tragedy,” said Bailey, but he refused to comment further.
Another government enforcement agency on the Black Hat agenda yesterday was the Federal Bureau of Investigation (FBI). Three members of the team that recently brought down one of the most significant cybercrime operations ever discovered, the Gameover Zeus botnet, presented their findings to a captivated audience.
The operation targeted a vast network of one million infected machines that systematically looted banks and corporations. “They were able to move money a lot faster than we were able to chase it,” said Elliott Peterson, a special agent with the FBI.
According to Peterson, Zeus was run by a sophisticated mix of Russian and Ukrainian criminals, led by a man named Evgeniy Bogachev who has yet to be caught. The FBI announced yesterday that they are offering an unprecedented $3 million reward for information leading to Bogachev’s arrest.
Peterson was joined by the highly regarded security researcher Michael Sandee, who highlighted one curious aspect of the Zeus case. According to Sandee, the code created to steal money was also designed to gather government and intelligence agency data. “This is something we don’t typically see in financial malware,” said Sandee.
As the power of the Internet continues to grow, there is a great deal at stake for governments, corporations, and individual citizens. This week’s Black Hat dialogue only reinforced the feeling that sorting all of this out will be difficult and contentious at best. Meanwhile, the U.S. Senate adjourned for its summer recess yesterday without taking action on a cybersecurity bill passed by the House three months ago.
Original article found here