By Franck Cecile – TheExpert Cybersecurity Squad
> See also:
- Squad at #DEFCON27 (1/3): What's that?
- Squad at #DEFCON27 (Part 2/3): My experience
My feelings
Reading my articles, you might think I have mixed feelings. That's not the case at all. There are a few things that frustrate or bother me, but that doesn't take away from the "magic" (if I may say so) of such an event. Let me explain, starting with the "negative" aspects.
The most frustrating thing, clearly, is the fact thatat DEF CON (as at any other hacking convention, in fact), the focus is exclusively on vulnerabilities. And that's it. There is no discussion of threats and risks. Who could exploit these vulnerabilities, using what means, how, and under what conditions? And above all, from a business perspective, what is the ultimate risk? What is the impact and probability?
It's a bit like watching OM crush PSG 5-0 without knowing whether it's a Champions League final or a friendly match (just kidding, PSG wouldn't make it to the Champions League final). I remain convinced that if there are vulnerabilities, there are inevitably risks. But what are they? I was only able to see (partially) one talk that focused on how an attacker could exploit one of the vulnerabilities presented.
I even go so far as to assume that most of the vulnerabilities presented are simply technical exploits, but are not necessarily applicable in real life due to additional security measures (organizational or physical).
Another detail that strikes me is the apparent lack of support for Aviation Village from major aircraft manufacturers and airlines. And that's understandable: DEF CON is very bad publicity for these industries. Hackers arrive with great fanfare, like lords capable of wreaking havoc with the touch of a keyboard, exposing the vulnerabilities they discover and contributing to the culture of fear (still too prevalent) conveyed by cybersecurity. In reality, these vulnerabilities can only be exploited with considerable technical, financial, and organizational resources (an approach confirmed by a reliable source).
It must be acknowledged that the spirit of Die Hard 4, Matrix, and Mr. Robot is very much present. And indeed, in the world of photography, there has recently been a lot of excitement about the existence of ransomware on SLR cameras. Except that the ransomware in question was not ransomware, and the chances of the attack succeeding are very slim. A similar message applies to the discovery of a vulnerability in the image and information acquisition system of an F15, which was exceptionally made available to hackers. The impression given to the general public is that hackers can block a camera as they please, or bring down a fighter jet in flight, which is absolutely not the case. A very comprehensive article on the subject can be found here.
But vulnerabilities do exist. And I believe it is necessary to continue to demonstrate to builders, manufacturers, and publishers the importance of taking digital security into account from the outset of a project. The existence of these vulnerabilities demonstrates, above all, that there are still too many deviations from best practices. As hackers have repeatedly pointed out, basic methodology is sufficient to uncover vulnerabilities. There is still much work to be done, as DEF CON and hackers are there to remind us.
Furthermore, it ultimately makes sense that DEF CON is not concerned with risks. We are in a world that is certainly zany, but also highly technical.
Hackers are like big kids, and they love to have fun breaking the (big) toys made available to them. They're not interested in anything else, and that's clear to see. If you want a risk assessment, you might as well go to trade shows dedicated to white-collar crime. But (unfortunately) here again, we see how big the divide is between different groups (technical/operational versus organizational/strategic). To my great regret, this observation is the same as in business, where these two worlds sometimes still struggle to coexist.
Finally, even if this were the case, it is clear that hackers would find it difficult to present vulnerabilities with a critical impact and a high probability of being exploited. DEF CON is above all a showcase of technical exploits and extraordinary skills. It is hard to imagine a supermarket of chaos at the touch of a keyboard.
In any case, this "frustration," which was entirely predictable, even if it remains regrettable in my opinion, does not detract from the excitement and satisfaction I get from it. Participating in such an event is unique. I remain amazed and in awe of all the knowledge, the highly specialized skills, the technologies and products on display, and this completely crazy world.
