
‘Legacy system’ exposed Black Hat 2018 attendees’ contact information - RobertSmith
https://techcrunch.com/2018/08/22/legacy-system-exposed-black-hat-2018-attendees-contact-information/
======
ghaff
I guess this is a story because it's Black Hat and someone who wasn't supposed
to be able to access this info did. However, conference attendee information
is widely sold and shared as a matter of course. You shouldn't consider it as
anything approaching confidential.

~~~
BuildTheRobots
> conference attendee information is widely sold and shared as a matter of
> course

Is that something people get warned when buying a ticket?

edit: https://www.blackhat.com/us-18/registration-terms.html#privacy links to
https://legal.us.ubm.com/privacy-policy/#Choices which someone smarter than me
should interpret.

~~~
adiusmus
Having never been to a black hat conference, I’m surprised that such people
would be so easily open to attack. Surely no one gives out their real email
address or phone details at these events? I hope they don’t take critical
hardware with them full of secrets to be happily liberated by someone more
enthusiastic. They wouldn’t have “interesting” conversations in taxi/ubers,
would they?

Maybe there are fewer black hats at these conferences than the numbers suggest.

~~~
cschmidt
Black Hat is a corporate "vendor" conference. You're probably thinking of
DEFCON. At DEFCON, you don't register. You pay them in cash, and they give you
a (complex, hard to fake) badge. You wear the badge and they let you into the
conference area. They don't want to know who you are, which nicely avoids the
problems Black Hat was having.

~~~
tptacek
Black Hat is the most important industry vulnerability research conference of
the year. It is also very corporate, and for the last several years it's had a
large trade-show vendor "expo". It's a big-business UBM conference and
certainly makes money from vendors, but don't get confused; that stuff is all
bolted on to the gigantic multi-track speaker conference.

There are, so far as I know, no pay-to-play Black Hat talks; all the listed
briefings were picked by the review board.

~~~
cschmidt
That's good to know that there isn't pay-to-play (and
http://www.blackhat.com/about.html confirms that). I assumed anything so
corporate would be.

~~~
tptacek
It would be a fair assumption for something like RSA, and the vendor side of
Black Hat looks a bit like RSA.

~~~
billyhoffman
On the plus side, if you have a talk that was accepted at Black Hat, you
usually can just re-submit it to RSA.

It's been several years, but I remember the RSA conf held in early Spring
usually had its CFP deadline something like 6 months before. So if you were
speaking at BH, then around July/August you had everything ready to present,
which was perfect timing to submit for the following year's RSA.

------
driverdan
Can we change this to the original post? https://ninja.style/post/bcard/

------
walrus01
It's amazing the number of things you can find by simply enumerating through a
sequential series of integers, in what is basically a "gimme data" request to
some public facing data endpoint.

~~~
gwbas1c
I once heard of a very major website essentially being DoS-ed because a
scraper was enumerating IDs in the URL. (Can't say the name because I signed
an NDA.) The engineers involved all assumed the scraping was legitimate
indexing by a 3rd party or researcher.
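The pattern walrus01 and gwbas1c describe above, as an added example that is not code from the original thread, the linked write-up, or the Black Hat/UBM system: a toy lookup endpoint keyed by sequential integer IDs with no ownership check (an insecure direct object reference), the enumeration loop that drains it, a hardened handler that checks ownership and uses random opaque IDs, and a small detector that flags a client walking IDs in +1 steps through access logs. All records, accounts, IDs, and log lines are constructed for the example; the log line format and the 16-byte opaque ID are assumptions, not anything the page states.

```python
"""Sequential-ID enumeration (IDOR), a hardened lookup, and a scraper detector.

Added example for this page, not the real system behind the story.
Every record, account, ID and log line here is constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    owner: str   # account that registered this contact card
    name: str
    email: str


# Constructed sample records, keyed by a guessable sequential integer ID.
RECORDS = {
    1001: Contact("alice", "Alice Example", "alice@example.com"),
    1002: Contact("bob", "Bob Example", "bob@example.com"),
    1003: Contact("carol", "Carol Example", "carol@example.com"),
}


def vulnerable_lookup(caller: str, record_id):
    """IDOR: any caller gets any record whose ID they guess (caller is ignored)."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return None
    return {"name": rec.name, "email": rec.email}


def enumerate_ids(handler, caller: str, start: int, stop: int):
    """Walk a sequential ID range and keep every record the endpoint hands back."""
    found = {}
    for rid in range(start, stop):
        rec = handler(caller, rid)
        if rec is not None:
            found[rid] = rec
    return found


# Hardened variant. Assumption: 16 random bytes as a URL-safe opaque ID so the
# ID space cannot be walked. The ownership check is the fix that matters; an
# opaque ID on its own only slows an attacker down.
OPAQUE_TO_INTERNAL = {secrets.token_urlsafe(16): rid for rid in RECORDS}
INTERNAL_TO_OPAQUE = {rid: oid for oid, rid in OPAQUE_TO_INTERNAL.items()}


def hardened_lookup(caller: str, opaque_id):
    """Return a record only if it exists and the caller owns it."""
    rid = OPAQUE_TO_INTERNAL.get(opaque_id)
    if rid is None:
        return None
    rec = RECORDS[rid]
    if rec.owner != caller:
        return None  # same answer as "not found": no existence oracle
    return {"name": rec.name, "email": rec.email}


# Constructed access-log lines (assumed format: '<client> <method> <path> <status>').
SAMPLE_LOG = [
    "203.0.113.5 GET /api/attendee/1001 200",
    "203.0.113.5 GET /api/attendee/1002 200",
    "203.0.113.5 GET /api/attendee/1003 200",
    "198.51.100.7 GET /api/attendee/1002 200",
    "203.0.113.5 GET /api/attendee/1004 404",
    "203.0.113.5 GET /api/attendee/1005 404",
    "198.51.100.7 GET /api/attendee/2200 200",
]


def flag_sequential_scrapers(log_lines, min_run: int = 5):
    """Flag clients whose successive requests walk numeric IDs in +1 steps."""
    last_id = {}
    run_len = {}
    flagged = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, path = parts[0], parts[2]
        tail = path.rsplit("/", 1)[-1]
        if not tail.isdigit():
            continue
        rid = int(tail)
        # Extend the run only if this ID is exactly one past the client's last one.
        run_len[client] = run_len.get(client, 0) + 1 if last_id.get(client) == rid - 1 else 1
        last_id[client] = rid
        if run_len[client] >= min_run:
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    print("leaked:", enumerate_ids(vulnerable_lookup, "mallory", 1000, 1010))
    print("hardened:", enumerate_ids(hardened_lookup, "mallory", 1000, 1010))
    print("scrapers:", flag_sequential_scrapers(SAMPLE_LOG))
```

Note that `hardened_lookup` returns the same `None` for a missing record and for someone else's record; returning different errors would turn the endpoint into an existence oracle even with opaque IDs. The detector is deliberately crude (one client, strict +1 steps); a real scraper spreading requests across many source addresses or randomising order needs rate limiting and per-account quotas rather than this heuristic.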

------
metric10
It's worth noting that Black Hat was spun off from Def Con to get corporations
to allow employees to expense it. Often speakers at Black Hat also present at
Def Con. Def Con as a matter of policy does not collect any information about
its attendees [0].

[0] Read the fine print:
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20receipt.pdf

------
jenkstom
In related news, apparently 90% of the attendees were named "Chuck U Farley".

------
blablabla123
Integrity is quite a thing ;)

------
walshemj
Why would you go to Black Hat and use your real name / identity?

~~~
billyhoffman
Because real black hats don't spend multiple thousands of dollars to go to BH,
unless they also have a corporate day job. In which case, they have no reason
not to use their real name. Otherwise it gets a little awkward to meet your
co-workers for an MS-sponsored happy hour with a con badge that says "Mr. ThE
PlaGUe"

~~~
walshemj
But even if you're a civilian player you might say I am "John" from AT&T or BT -
but that's not your real name and you actually work for the security group.

------
vvram
in other words MQLs (Marketing Qualified Leads) from BH2018 are free (if you
know how to get them).

------
vanrysss
ironic

~~~
gammateam
and nothing more

