This year’s Black Hat conference was as full of surprises as any year before it. The biggest players in the cybersecurity industry were present to showcase their latest innovations and vulnerability discoveries, and discuss the future of our industry. For PerimeterX, this was a fantastic opportunity to take stock of the security industry’s understanding of something most people are aware of, but may not fully understand: bots. Taking to the show floor filled with security experts, we found the following surprising results when we quizzed a sample of 304 attendees about their understanding of one of the most commonly known terms in security.
The good: Security professionals know how to define a bot
When security professionals were asked to choose a definition of a bot, they were incredibly successful in identifying the correct answer. Nearly 80% correctly answered that a web bot is a software application that runs automated tasks over the Internet. Even more respondents, 84%, correctly answered that despite the often-justified negative press, not all bots are bad. Your personal assistant, like Siri and Alexa, and many of the customer chat portals you interact with online, for example, are bots that are perfectly harmless.
The bad: The legality of bots is still very much a gray area
Bot activity in the consumer space is often viewed through the prism of consumer goods and event tickets, which are snapped up by automated bots and then re-sold for exorbitant prices. Most of us have felt the sting of not being able to see our favorite band when it comes to our city because the tickets have sold out in a matter of minutes (if not seconds), only to reappear on secondary market websites for up to five times the original value. However, the legality of activity in this area is widely misunderstood, even among the infosec community that attends Black Hat. A significant portion of respondents were unaware that, unfortunately for retailers, it is perfectly legal in the United States to use bots to purchase all of the stock in an online flash sale – as most notably happens via sneaker bots every time Kanye West releases a new model of his Yeezy sneakers. Only 32.4% of respondents were aware of this. However, the legality of bots varies massively from sector to sector. 33% of respondents identified that it is illegal to use bots to purchase concert tickets and 27% answered that it is illegal to use them to sell the same concert tickets. The real answer is “it depends.” It’s illegal to surpass purchasing limits posted on event ticket sites and illegal to resell event tickets bought in violation of the law with the knowledge of the seller. Check out the BOTS Act of 2016 to learn more or ask your lawyer.
The ugly: The security industry knows too much!
While the answers would indicate that the legality of bots is nowhere near as clear or as well publicized as it should be, another section of survey questions aimed at understanding something a lot less tangible: how the security industry feels ethically about the use of bots to purchase consumer goods or events. This line of questioning has possibly produced a vindication of the phrase “the less I know the better,” as over half (56%) of the respondents admitted that they would use bots themselves to get a good deal during a flash sale. Even more concerning, nearly 20% of respondents said they had already used bots for these purposes! Perhaps the attendees at Black Hat – security savvy, business-minded and often actual hackers – were answering our questions with the knowledge that using bots for these purposes is extremely successful when a business isn’t well protected, and at the end of the day, it’s a buyer’s market.