Welcome to Codebook, written this week from the Black Hat and DEF CON conferences in Las Vegas.
Codebook is staying in a hotel that plays music on a 3-hour loop. In case you were wondering, that means everyone at the front desk hears "Africa" by Toto an average of 3 times a shift.
At this week's Black Hat cybersecurity conference, panels about hacking automobiles and airplane WiFi are being interspersed with a new focus: mental health.
Why it matters: Issues like anxiety and depression aren't new in the cybersecurity field, and stress is rampant: pros work long hours under enormous pressure to protect critical networks from ever-increasing threats. Black Hat's new focus on the people, not just the technology, may instigate broader industry changes.
The big picture: Black Hat has long had conference tracks like cryptography, forensics and incident response. This will mark the first year the "community" track joins that roster to provide a place to talk about less technical, more human issues.
Black Hat has a large industry presence, and shining a light on topics that tend to be discussed outside the corporate eye — things like suicide, stress load, mental illness and trauma — may force major employers in the field to think about those issues, too.
Mental illness and suicide: "In the past year I know several people in the community have taken their own lives," said Jay Radcliffe of Boston Scientific, who's well known for hacking devices. "With global staffing shortages in information security, we're seeing departments that should have 10 people work with 5. And that increases stress."
Stress: Two NSA researchers, Celeste Paul and Josiah Dykstra, will release data on the effect of stress on operator performance and how to combat it.
Post-traumatic stress disorder: Cybersecurity also draws a wide array of ex-military members, including Dragos Security's Joe Slowik, a Navy veteran who will talk about his experience with PTSD.
Sexual assault: Cybersecurity, like other industries, has faced a reckoning in recent years as victims of sexual assault and harassment have come forward.
The bottom line: The community track is a chance to change the industry. "There’s such a talent shortage right now that companies may need to take advantage of community track to recruit employees," said Radcliffe.
At this year's DEF CON, the other top-tier cybersecurity conference in Las Vegas this week, children between 8 and 16 years old will race to hack state elections websites with voter registrations — or, at least, a fairly good replica thereof.
Why it matters: The testing systems replicate vulnerabilities used to hack the real websites across the country.
The intrigue: At last year's DEF CON, hackers given access to a variety of voting machines took less than five minutes to figure out how to hack them. State websites are obviously different, but the recent vulnerabilities used by hackers are less complicated.
R00tz — the adults behind it, not the kids — will be happy to help states looking to bulk up security.
What they're saying:
The century-old consumer safety testing group Underwriters Laboratories is growing into its new role of evaluating cybersecurity.
Next year it plans to launch a physical seal of software security to go along with its physical security seal and a hardware security program, Ken Modeste, the firm's director of connected technologies, told Codebook.
The background: You may not immediately recognize the name Underwriters Laboratories, but you appreciate the work they do. The sticker on the bottom of your microwave or phone charger that says "UL" means the labs tested the device for safety problems. (If it doesn't have that sticker, maybe buy a fire extinguisher.)
Vendors and consumers are still learning what to make of a UL cybersecurity certification. Currently, its certifications are all online (they'll get a sticker next year).
Intelligence firm GroupSense explained in a report released yesterday how a network of at least 9.5 million email addresses — which appear to come from high-profile data breaches — was used both by Russia for its social media campaign and to send the FCC comments both supporting and opposing net neutrality.
"We're still checking against breaches we hadn’t done before. The number will go up," said GroupSense CEO Kurtis Minder.
Why it matters: If Russia is involved with muddling the debate around net neutrality, it marks the first known instance of Russia manipulating the policy process to create chaos.
The background: GroupSense collects data on breaches and has obtained billions of records. So, after the indictment went public, GroupSense looked to see if the email addresses mentioned in the indictment were in their databases.
Several accounts were used to post comments to the FCC site during the contentious net neutrality debate nearly. The posts were identical to a handful of templates, often coming multiple times a second. The bots backed both sides of the debate.
It could be Russia or another client behind the FCC bots, if it is indeed a criminal market selling these email addresses.
But Minder notes, "Who else would purchase these addresses?"
West Virginia announced it would allow overseas troops to vote via a smartphone app.
Why it matters: This would be a first-of-its-kind program in the U.S., and not for particularly flattering reasons. Security experts overwhelmingly agree that online voting makes it far easier for hackers to tamper with votes.
Codebook will return Thursday.