… the argument that Apple has enabled a law enforcement backdoor seems to miss what Apple has actually done. Instead of building a system that allows the company to recover your secret information, Apple has devoted enormous resources to locking themselves out.
Great explanation of Cloud Key Vault! I wonder if Apple's programmable HSMs are the same ones being used at Certificate Authorities? It seems that there are two types of HSMs: PKI environment's CA HSM and card payment system's bank HSM.[1]
Little bit of an aside: Why do most infosec practitioners prefer conferences like BlackHat and RSA to Bsides and Def Con? The price differences are staggering.
BlackHat is run by the same people as DefCon. BlackHat is their (very successful) attempt to monetize the infamy surrounding DefCon. Many of the talks you see at BlackHat will appear (usually watered down) at DefCon.
Black Hat has become the premiere vulnerability research conference, and, like the top science journals, there's a prestige effect to being accepted. Also, unlike Defcon, Black Hat isn't an entertainment event; if your talk is accepted at BH, there's no uncertainty about whether it's there because it's "fun" or there because it (supposedly) makes contributions.
Black Hat's talks are, as vuln research, generally much better than Defcon's. And Bsides is literally a conference defined by talks that are perceived as not strong enough to make it into Black Hat. That's why it's called "B-Sides". As with music, there are some B-sides that are better than their A-side. Some.
I don't know that many people in my field who take RSA all that seriously. I don't, and I'm continually annoyed by credible people in my industry twerping about submitting or attending RSA talks. RSA is a marketing conference.
Finally, with regards to price: I recommend against paying for your own Black Hat ticket. I have no insider information here, but I've been in the industry for a long time, some substantial amount of which was spent doing marketing professionally, and my insight about BH tickets is this: the two most important vectors acting on BH ticket prices are:
* The maximum price that companies will pay for a professional development event for their employees (this was the original goal of Black Hat: to come up with a way to get companies to expense Defcon)
* The sweet spot between attendance and ticket price that maximizes what sponsors will pay for sponsorships. Too high and attendance drops so much that impressions don't justify Gold sponsorship. Too low and the median attendee is no longer a prospect for most potential sponsors.
Neither of these two forces are about you, the conference-goer.
So my practical recommendations are:
* If your employer is footing the bill, get them to pay for Black Hat. Chances are it makes not a whole lot of difference at the margin whether they pay for Black Hat or Defcon; what they'll remember is "paying for you to go to an event", not how much the event cost. Black Hat is expensive, but it's not expensive relative to other professional development events in other spaces.
* Otherwise, pay for B-sides and (depending on utilikilt tolerances) maybe Defcon, but arrive in Vegas on Tuesday night and lobby-conf Black Hat. For the past several years BH has been at Mandalay Bay, and there's a big, terrible bar right at the foot of the conference center that everyone hangs out in. Just treat that bar like the conference and tag along with people to events. Go to B-Sides for any talks you're particularly interested in.
* Don't ever go to RSA.
Other cheaper, credible, non-BH vuln research events include Infiltrate, Recon, and CanSecWest. They differ sharply in size from Black Hat, but not in quality.
The HSM is only the backup, it is not the primary copy. Losing the HSM means you are down to 1 copy (the vault on your device). That means there is only a small window of exposure where, if the HSM goes down and you lose your device, your passwords are gone.
They could probably roll with duplicated HSMs to mitigate this somewhat.
...