In addition to routine activities such as briefings, vendor showcases, and book signings, big conferences like Black Hat usually bring to light a "new" keyword which reveals a strong recent trend and/or defines the industry direction for upcoming years. I put "new" in quotes because usually it is not really new but something known to a narrow circle of experts for many years, lying in hiding without much attention until its time comes. This year, such a keyword is software liability. At first glance, you may not see any direct link to cyber security. In reality, however, it's possible that our (virtual) life would be significantly different if we had had software liability in place from the beginning of the computer and especially the Internet era. Imagine a world where you could sue Microsoft for data files deleted by malware from your PC, or get paid by Apple for pictures stolen from your iPhone. Businesses could invest their money in more reliable operating systems and applications instead of various extra security tools. I don't know how big the chances are that software liability will ever become a reality, but at least now we are allowed to dream about it.
Interesting blog post with my opinion on the topic.
I am impressed by today's Blackhat USA 2015 keynote by Jennifer Granick. One of her "areas of interest" is protecting hackers from persecution by governments and corporations. I wish I could have met her two years ago when I was finishing my book about payment security, Hacking Point of Sale. So here is my book's keynote. This is the first time I am publicly speaking about the real story behind the book. I was literally being threatened by my then employer - the point of sale software vendor. They did not want this book to be published so they could continue hiding the facts about the real state of security of their products, withholding information about vulnerabilities from public disclosure, and lulling their customers into a false sense of security. I was forced to leave my job. They did not fire me, but I was placed in a "vacuum" environment where I could not productively work anymore. I don't regret it at all because eventually I had an opportunity to develop my career at much better workplaces. However, many important facts and technical details were excluded from the book as a result of those events so I could protect myself and my family from persecution by corporate lawyers. The final version of the book is mostly focused on the grim role of PCI DSS while shading the no less important role of POS vendors in an endless chain of card data breaches. Maybe if I had had support from some organizations and people like Jennifer Granick, I could have prevented many more of the card data breaches which happened at just about the same time the book was released (remember the famous Target breach, just to name one?). If I ever get a second chance (Wiley, how about a second edition?), I will do my best to include more specifics and clues that would help retailers to avoid further breaches.