Tuesday, August 8, 2017

BHUSA17: Keynote!

BlackHat 2017

BlackHat/DefCon founder, Jeff Moss! Lots of lasers! This is the twentieth year for BlackHat – incredible (and I’ve only been twice, though many more times to DefCon, starting with DefCon 2).  There are attendees from over 80 countries and over 200 scholarship recipients.

The first year’s speakers were basically all of Jeff’s friends – he just wanted to know what they were working on. People say that if hackers and security researchers are talking about a problem now, it will be a problem for the rest of us in 6 months or a year. It’s a “crystal ball” of computer security.  He learned in the first year to never hold a BlackHat in the same hotel as DefCon – otherwise the DefCon attendees come early and eat all of your food and drink all of you booze! DefCon is more of a hacking conference – a creative way to explore.

Moss found the Internet to be quite liberating as a 13 year old boy – he could go online and discuss things like rock and roll and nobody knew he was just a kid. It took him awhile to fully understand, but he’s learned the importance of being social. Your future success will be based on how social you are.  How much money can you spend on defense and protecting the systems? Sounds technical, but to get budget needed, it’s really a social and political conversation to do defense greater than offence.

Security is no longer a local problem – it is a global problem, though the problems vary by geo. Issues faced in Palo Alto are different than those being faced in Bangalore or on a remote island.

We have to get engaged in the problems of lack of diversity and lack of generalists – mentor, help people write CFPs, advise upcoming students, get out there and help.

Alex Stamos, CSO, Facebook. Twenty years ago he couldn’t afford BlackHat, but he was at DefCon and he found a place where he belonged. Coming to the desert every year and hanging out with DarkTangent (Jeff Moss) is like a reunion. Coming together as a group now for weddings, birthdays and baby showers. In 2002, he brought his then girlfriend to BlackHat for their first vacation – she’s been with him every years since.

Attending and speaking at DefCon and BlackHat is not always safe for people for their career or livelihood. For example, one man quit his job on stage so he could discuss router vulnerabilities, another engineer was arrested in the airport, others have had federal injunctions against them to prevent them speaking.  But this work is important and impactful, and we need to share.

Nowadays people finally understand why they need to build secure systems – no longer a fringe idea. We are no longer the ‘hacker kids’ – we are CSOs, working for the federal government, and industry experts.

Many people in this room got into security well before they were paid for it – on bbs’es, in hacker meetings and saving up summer job money to come to Vegas for DefCon. The things we are talking about now will become startups over the next 2 years – yet, we are not living up to our potential.  We are finding problems, but we need to think about what we do after we discover bugs. We have to realize how many people depend on the technology.

We have a tendency to focus on the complexity, not harm caused. Adversaries will do the simpliest thing they can to exploit a technology. It is fun to see really complicated attacks that someone worked really hard to figure out – but that’s unlikely where the actual abuse will be. Abuse is the technically correct use of technology to cause harm. This can include exploitation of adults and children – can be done very easily, not through complicated attacks.

We are suffering from lack of empathy. Think about the expression of the problem being behind the keyboard – that attitude helps you shift responsibility away from actually securing a system to an uninformed user.  “Just use your knowledge of X.503 to decide if this certificate is safe to use” “don’t click on that link” “don’t use that site w/out HTTPS".  We have to understand there are more and more people coming online that don’t have experience on the Internet and they need to be safe.

We have a problem with security nihilism – that we are all under attack by the most sophisticated adversaries possible, any security that doesn’t use encryption is “security through obscurity”.

About 10 years ago, there was a bunch of research on technologies that are deployed in the cloud. The research on GPUS and hypervisors was great – and made the public cloud more safe. This gave the impression, though, that the public cloud was not safe, that the existing protections were not good enough – those weren’t the real problems. The real problems were excessive privileges, poorly defined network policies – things that are much easier to address and to exploit.

We don’t want to discourage people to deploy any security features just because they are not perfect – they are better than nothing and need to help the bulk of users.

There is another fallacy where attackers believe they are just as smart or smarter than people who design the systems, which is not necessarily the case. Systems are designed under all kinds of constraints and nobody is perfect.

Stamos feels strongly that people have a right to secure and private communications, even though some people (law enforcement) don’t always agree.

Think about people who have to try to put pedophiles and people that exploit children behind bars. How can we help them, without creating backdoors? How can we relate to and understand their needs?

At Facebook, they have a dedicated red team that all they do is try to break into their systems – unannounced the blue teams.  Stamos and Facebook are big proponents of bug bounties – particularly for open source that everyone uses, but don’t necessarily have big owners.

Millions of people are getting inexpensive smart phones that are shipping with out of date operating systems – it’s still Facebook’s responsibility to make sure their app is still secure on these devices. They are worth protecting.

We also have to worry about protecting users during elections – there are many issues (slide font too small to read), but we need to think about what we can help with and what we can do.

The Belfer Center is working on a project to help protect future elections from outside influence. Facebook is sponsoring this effort. In November of next year, there will be many house seats, senate seats, gubernatorial campaigns and local offices participating in elections. All of these campaigns are built up from scratch from a technology point of view, often with volunteers. How we can we help them build secure systems, easily? If things go wrong, can we help them with mitigation and analysis? It needs to be a practical solution – to do this, we must work as a team and we need to have diverse teams. You wouldn’t want a toolbox with only the best screwdrivers in the world, would you?

Facebook is sponsoring legitimate CTF competitions in middle and high schools. The winner are treated like athletes – this is important to increase interest in this field. Make sure your team is open and respectful of discussing diversity. Be open to criticism, do not assume how a minority wants to be treated.  But remember, don’t make snide comments, don’t ask women if they are here with their boyfriend – that has impact.  Be respectful. Things are getting worse, not better. Let’s make this a special week here in Vagas this week to be respectful of other people – if you see something that isn’t right, call people out.  This is a critical moment – we’ve been asking for people to pay attention to us – now they are, and let’s show them something great.