It is easy to grow depressed at Black Hat, the annual gathering of security researchers, corporate information security officers, cybersecurity lawyers, government prosecutors, spooks, weirdos, and hackers in the hellish heat of Las Vegas in August. And not only depressed in the normal, burned coffee, Sponsored Networking Nook, and PowerPoint fatigue manner of your average tech conference — more like "what is even the point" depressed. Existentially resigned. This event radiates distrust, like a mean old croupier.
"Better turn off the Bluetooth on your phone!" the receptionist at Caesars Palace — miles from the conference — told me as I checked in.
"Mark my words: Computers will destroy the world!" a Vegas cab driver told me, when I admitted that I was a journalist in town to cover the conference.
"The dream of internet freedom is dying!" Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, told the thousands crowded in the huge and dark ballroom of the Mandalay Bay convention center to hear her pessimistic keynote address.
Glurb-uhhhh, I thought, craning my neck back spastically at 30-second intervals to make sure the incredibly normal-looking man seated behind me had not quietly removed an RFID scanner from his pocket in order to pilfer the information stored in my back pocket, in my wallet, on my debit card, my hotel keycard, my frequent-buyer coffee punchcard, etc.
Black Hat is where the people who study and worry about and monetize the ways the digital world is insecure come together to marvel over the latest ways the digital world is insecure. Along with its zanier sister conference, DefCon, it engenders, with a wink and a nod, a robust sense of paranoia in its attendees. In so doing, the endless hallways of the convention become a neat little replica of the spiritus mundi of the internet in 2015, in which no one trusts one another, and in which everyone is likely fucked, often in new and surprising ways.
For example, if you drive a recent model car, you are fucked. Two charming hackers — Charlie Miller and Chris Valasek — presented their research, which consists of figuring out a way to remotely cause newish Chryslers to do all sorts of things that you wouldn't want your Chrysler to do, like blast the air conditioning in the dead of winter, play Justin Bieber against your will, and cut power to the accelerator when you're on the highway.
Also, if you use a Mac, you are fucked. Though the current crop of Mac malware is only a "C+", according to Patrick Wardle, a former National Security Agency staffer who now heads research at the security firm Synack, that's only because not enough people have spent enough time trying to hack Apple computers. The idea that Macs are safe is a carefully curated myth: "They have more marketing people than security people," Wardle joked, to nervous laughter.
Also, if you use any kind of contactless payment technology, you are fucked. If you use Android, you are fucked. If you are a country, guess what: You are fucked.
Imagine a man walking up to your house, breaking a window, climbing inside, and then asking for a pat on the back for showing you that your windows are not robber-proof. That is what happens at Black Hat. The strange logic of the security conference requires that we applaud security researchers for enumerating the ways that we are unsafe. The reason: Whatever weaknesses they have found have also likely already been found by bad actors and nation-states with unlimited resources and no regard for individual humans, or soon will be. And in the depressing, trustless context of internet security, this logic is totally correct. That is why all of these hacks are referred to as "wins."
It's enough to make a person long for a little regulation, and a little enforcement, just to put a stop to all the unmitigated fucking. Leonard Bailey, the special counsel for National Security in the Department of Justice's Computer Crime & Intellectual Property Section, gave a very smart, very clear, very measured talk about the way his office makes charging decisions under the much-maligned Computer Fraud and Abuse Act. It was nice for a moment to imagine him, to imagine the federal government, as the Grown-Ups, meting out appropriate but not gratuitous justice to the Fuckers.
Then, of course, I realized that Bailey was as fucked as anybody, maybe more! As a federal employee, Bailey had almost certainly been compromised by the enormous hack of the Office of Personnel Management. What was he going to do, charge the (presumably) Chinese government with an abuse of the CFAA?
No, the world of Black Hat is one of no real authority, where the only way to be safe is to, as Bailey joked, wear a Faraday cage. Total digital abstinence is the only solution. That's why, despite the fact that these conferences bring together some of the most sophisticated people in technology, everyone takes notes on paper. It's absurd.
"What good is a totally open network where no one trusts each other?" asked Granick, during her speech.
There are a few meager lessons to be learned here. The first is to be humble. Stop saying things are unhackable, Miller and Valasek pleaded with their audience. You will be proved wrong, and stupid. The second is to have a conversation with yourself about how bad things could get if you get fucked, and then make peace with it. The third is to drink.
It fits that Black Hat and DefCon happen in Las Vegas, an untenable place that the desert will almost certainly reclaim. The feeling here, among the security prophets, is not if, but when. So here's what I'm telling myself: Enjoy this while it lasts. It's going to get worse. I'll be at the bar.