BlackHat 2011 Review

Here is a review we wrote for Sabretooth Global’s blog after attending the BlackHat conference in 2011:

This year I attended the BlackHat conference at the Caesars Palace Las Vegas Hotel and Casino. The conference took place from July 30th through August 4th. The first four days consisted of various training sessions (i.e. classes) you could take. They were typically two-day classes that cost an average of about $2500 and lasted from 9am to 6pm (ouch!). The last two days were the briefings (i.e. presentations), which were the actual conference portion.

Less than three months before the conference was to start, I reviewed the list of presentations at the conference and was really unimpressed. So I decided to sign up for two, two-day classes. One was Application Security: For Hackers and Developers for the first two days and the other was Web Application (In)Security for the next two days. About a month later, while still working out the details of the registration, I reviewed the list of presentations again and saw a much longer, more interesting list. So I dropped the Application Security: For Hackers and Developers course (application security isn’t the hottest topic these days anyway) and signed up for the briefings instead, shifting my trip later by two days. A few weeks after that, I was notified that my Web Application (In)Security course had been cancelled. I tried to sign up for my second choice course, The Web Application Hacker’s Handbook, 2nd Edition: LIVE!, but with my luck it was all full. So I signed up for my third choice course, Hacking by Numbers: W^3.

The Hacking by Numbers: W^3 course focused on teaching various exploits used against websites and how to protect against them. The course covered many of the common exploits such as client-side proxy attacks, code injection attacks and SQL injection attacks and for each one required us to utilize the exploit against a sample website that they had created for us. Though useful to know how these exploits are used so you can prevent them, the execution of the course was not the best. The instructors ran into far too many technical difficulties during the course of the class. So much so in fact that as much as a third of the class did not return for the second day. The examples were also fairly unrealistic in the sense that the scenarios created would not be found in real-world websites. A much more useful approach would have been to demonstrate how an attacker would go about revealing vulnerabilities in a real-world website and then how they would penetrate those vulnerabilities. In the course, we were not taught an attacker’s real approach and therefore we didn’t learn how to protect against such an approach. The course was also not focused enough on protection schemes against these exploits and just glossed briefly over it. None of the examples demonstrated patches against these vulnerabilities and how they could have been prevented. This was surprising for such a corporate course where half the students are involved in information security (i.e. penetration testing) and the other half are developers looking to protect their companies against attacks.

Overall, I found the course interesting, but I don’t think I walked away with any useful knowledge unfortunately. If you are a developer or security expert who is looking to protect assets, the course probably won’t teach you anything useful toward protecting those assets. If you are a hacker looking to expand your knowledge of exploiting websites, this course was much too simple and focused on utilizing tools that a hacker probably learned to use in their first week of hacking. So overall, I would not recommend this course and it was my third choice for a reason.

The next morning after the course was finished, and with very little sleep, I attended as many of the briefings as I could. I caught just the end of the opening keynote speech, during which the loud and bright alarms were going off often because hackers had exploited the system. The keynote speaker seemed inspirational and told the attendees that they were very important for our nation’s security.

I attended the lecture War Texting: Identifying and Interacting with Devices on the Telephone Network. The lecture was interesting and discussed reverse engineering a couple of protocols that use SMS in order to compromise systems. For example, they demonstrated a tool that is able to unlock a car door using their laptop. However, the lecture involved too much detail with this particular example and how they exploited it specifically instead of focusing on the big picture and how such systems can be exploited and how these exploits could be prevented.

I then attended the lecture Owning the Routing Table – New OSPF Attacks, which ended up being a refresher course in how OSPF works and how it has conventionally been compromised. But the new compromise they uncovered was simple and could have been described in five minutes instead of a whole hour and a half lecture.

I caught just the end of Server-Side JavaScript Injection: Attacking NoSQL and Node.js which again seemed too specific for me to care. I was starting to sense a trend by this point that all of these lectures were just focused on one particular finding that these lecturers had uncovered and didn’t actually care to educate anyone with actual useful information that we could take away and use for our own benefit.

For the last class of the day I decided to attend Pulp Google Hacking – The Next Generation Search Engine Hacking Arsenal because the title sounded like it would be a really interesting lecture. However, this was far from the case. The class was focused on selling a tool developed by the lecturer (I’m not sure if it cost anything or if it was free but that is irrelevant) to not actually hack Google, but to use the search engine in various ways to find useful information. Basically, the tool was a GUI front-end for Google, searching for information in ways that are more obvious than actually typing into Google. However, in my opinion, this tool, and therefore this lecture, was completely useless.

After a very frustrating and useless day, I had pretty much made up my mind that these lectures were all useless. It was very surprising to me that such an expensive and high-profile conference wouldn’t have really good quality, educational, cutting-edge lectures. Fortunately, some of the companies with info booths at the conference threw open-bar parties that night and that made up a bit for the frustration of the day. Then late at night, after these parties, Bellagio’s craps table paid me handsomely, so most of the day’s (and the next day’s) worries were washed away.

After the previous day and especially the previous night and the uninteresting list of lectures, I decided to skip the first morning lecture and attended the second lecture, Exploiting the iOS Kernel, which basically just covered the lecturer’s particular exploit and its sleep-inducing detail.

After lunch, I attended the lecture Security When Nano-seconds Count, which was again one of the types of lectures that could have been summarized in five minutes. This lecture covered the fact that brokerage systems don’t use firewalls because they need to be able to execute trades very quickly. This makes them inherently insecure and so developers need to engineer methods to secure them without compromising speed. This in essence was the whole lecture, which didn’t cover any specifics about how these methods would actually be implemented.

For my final lecture (I had to catch a flight), I attended Smartfuzzing The Web: Carpe Vestra Foramina, which was again a lecture focused on trying to sell a beta tool that nobody has heard of for fuzzing. This was another totally useless lecture.

At the end of two days, I concluded that all the lectures fell into one or more of three categories. They were either 1) going over the boring, gruelling detail of one particular exploit that they found and were trying to show off or 2) trying to make something that you could summarize in five minutes into a whole lecture or 3) trying to sell a tool that was completely useless. Overall, the BlackHat lectures were horrible and I would never recommend them to anybody.

On a side note, however, I heard from many people that the much cheaper (only $150 or $100 if you attend BlackHat) Def Con conference, which is held in Las Vegas every year right after BlackHat, is much better. I was told that the lectures are very interesting and educational and the content is cutting-edge and exciting. I am definitely looking forward to attending it next year but will most likely never attend BlackHat again unless it is changed.
