Another gap-toothed Black Hat Briefings

More Black Hat Briefings left on the cutting room floor.

Another year, another gap-toothed Black Hat Briefings. Last time, as you remember, it was lawyers from networking giant Cisco Systems that forced show organizers to rip out materials concerning a security hole in Cisco's IOS operating system from the 2005 Black Hat Briefings in Las Vegas.


As InfoWorld reported, this time around, it was lawyers from secure card maker HID that prompted the excision of a presentation by Chris Paget of IOActive on security holes in HID's proximity cards, which are used as door access cards at many companies and government facilities.

Chris was enjoying a much-deserved cigarette outside the beltway hotel where Black Hat is being held this year. He said the past few days have been a blur of activity, as he and IOActive struggled in vain to reach an agreement with lawyers from HID that would allow Chris's presentation to go forward. With time running out and no indication from HID that any compromise was possible that wouldn't lead to some kind of litigation, IOActive CEO Joshua Pennell and Paget were forced to ask Black Hat director Jeff Moss to abridge the conference Briefings and do a rush job reissuing CDs and other conference materials.

And Paget wasn't the only one feeling the heat from deep-pocketed corporations. Word is that security vulnerability guru Dave Litchfield of NGS was also forced to withhold some details from his presentation of "Advanced Oracle Attack Techniques" at the company's request.

The increasing willingness of big corporations like Cisco and HID to use threats of legal action to block free and open discussions of security holes in commonly used technologies could threaten the very future of shows like Black Hat, DefCon and the like.

That's almost certain to happen if broad claims, like HID's assertion that any discussion of how to break their products violates their patent, are allowed to stand. "It's arguable that everything is patent and nobody gets to go to any show," Moss said in a press conference on Tuesday. "Either that or you only accept speakers who put up bonds or come from huge companies like IBM where their lawyers can just fight it out."

Ironically, much of the legal wrangling works at cross purposes to what the companies are trying to accomplish -- actually drawing attention to presentations that otherwise might have gone unnoticed and unreported.

"I get the sense that at these companies, the right hand is legal and the left hand is marketing," Moss said yesterday in a press conference to discuss the HID problem. "I saw it with Cisco, where the attorneys were doing one thing and the PR people were doing another."

While disappointed that he will not be able to give his "RFID for Beginners" presentation, Paget said that he is hopeful that the press attention to the dispute with HID will raise awareness of the problem of insecure proximity cards.

Copyright © 2007 IDG Communications, Inc.