{"id":904,"date":"2013-05-26T11:07:52","date_gmt":"2013-05-26T15:07:52","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=904"},"modified":"2013-05-26T11:33:46","modified_gmt":"2013-05-26T15:33:46","slug":"security-b-sides-boston-2013","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2013\/05\/security-b-sides-boston-2013\/","title":{"rendered":"Security B-Sides Boston 2013"},"content":{"rendered":"<p><a href=\"http:\/\/www.securitybsides.com\">Security B-Sides<\/a> is an odd duck series of workshops.\u00a0 Are you:<\/p>\n<ol>\n<li>Traveling to attend (or already living near) a major commercial security conference (RSA in San Francisco, Black Hat in Las Vegas, or SOURCE in Boston)?<\/li>\n<li>Not particularly interested in attending any of the talks in the commercial security conference you\u2019ve already paid hundreds of dollars to attend?<\/li>\n<li>Unconcerned with any quality control issues that may arise in choosing a conference program via upvotes on Twitter?<\/li>\n<\/ol>\n<p>Then you should attend B-Sides.<\/p>\n<p>Okay, so it\u2019s not as grim as I lay out above. 
\u00a0Earlier this month I attended <a href=\"http:\/\/www.securitybsides.com\/w\/page\/12194141\/BSidesBoston\">Security B-Sides Boston (BSidesBOS 2013)<\/a>\u00a0on <a href=\"http:\/\/ussjoin.com\">USSJoin&#8217;s<\/a> imprimatur.\u00a0 I felt the B-Sides program itself was weak, the hallway conversations were good, the keynotes were great, and the <a href=\"http:\/\/www.themeadhall.com\">post-workshop reception<\/a> was excellent.<\/p>\n<p>But if I were on the B-Sides steering committee I would have B-Sides take place either <i>immediately before<\/i> or <i>immediately after<\/i> its symbiotic commercial conference.\u00a0 In academic conferences you will often see a \u201ccore\u201d conference with 1-day workshops before or after or both, meaning that attendees can optionally participate, without requiring separate travel, and without interfering with the conference they\u2019ve already paid hundreds of dollars to attend.<\/p>\n<p>My takeaways from the B-Sides workshop came from the two keynote talks.\u00a0 <a href=\"http:\/\/en.wikipedia.org\/wiki\/Dan_Geer\">Dr. 
Dan Geer<\/a> (chief information security officer at In-Q-Tel) gave a talk that was one of the best keynotes I\u2019ve ever seen.\u00a0 Some of his thought-provoking points included:<\/p>\n<ul>\n<li><b>It\u2019s far cheaper to keep all your data than to do selective deletion.<\/b>\u00a0 He implied that there is an economic incentive at work whose implications we need to understand:\u00a0 As long as it\u2019s cheaper to just keep everything (disks are cheap, and now cloud storage is cheap), people are going to just keep everything.\u00a0 I\u2019d thought about the save-everything concept before, but not from an economic perspective.<\/li>\n<li><b>When network intrusions are discovered, the important question is often \u201chow long has this been going on?\u201d instead of \u201cwho is doing this?\u201d<\/b>\u00a0 He implied that <i>recovery<\/i> was often more important than <i>adversarial discovery<\/i> (i.e., most people just want to revert affected systems to a known-good state, make sure that known holes are plugged, and move forward).\u00a0 And the times could be staggering; he noted a Symantec report that the average zero-day exploit is in use for 300 days before it is discovered.<\/li>\n<li><b>Could the U.S. corner the vulnerability market?<\/b>\u00a0 Geer made the fascinating suggestion that the U.S. 
buy up all the vulnerabilities on the market (offering 10 times market rates if needed) and immediately release them publicly.\u00a0 His goal is to collapse the information asymmetry that has built up because of the economics of selling zero-day attacks.\u00a0 He pined for the halcyon days of yore when zero-day attacks were discovered by hobbyists and released for <i>fun<\/i> (leading to \u201cmarket efficiency\u201d where everyone was on the same playing field when it came to technology decisions) rather than today, when they are sold for <i>profit<\/i> (leading to asymmetry, where known vulnerabilities are no longer public).<\/li>\n<li><b>\u201cSecurity is the state of unmitigatable surprise.\u00a0 Privacy is where you have the effective capacity to misrepresent yourself.\u00a0 Freedom in the context of the Internet is the ability to reinvent yourself when you want.\u201d<\/b>\u00a0 He suggested that each of us should have as many distinct, curated online identities as we can manage &#8212; definitely <a href=\"http:\/\/jlg.name\/papers\/2009-11-13-dim09-mnikr-reputation-construction-through-human-trading-of-distributed-social-identities.pdf\">an interesting research area<\/a>. 
\u00a0He made the fascinating suggestion of &#8220;try to erase things sometime,&#8221; for example by creating a Facebook profile&#8230;then later trying to delete it and all references to it.<\/li>\n<li><b>Observability is getting out of control and is not coming back.<\/b>\u00a0 He commented that facial recognition is viable at 500 meters, and iris identification at 50 meters.<\/li>\n<li><b>All security technology is dual use; technology itself is neutral and should be treated as such.<\/b>\u00a0 During my early days as a government contractor I similarly railed against the automatic (by executive order) top secret classifications applied to cyber weaponry and payloads &#8212; because doing so puts the knowledge out of reach of our network security defenders.\u00a0 As it turns out, One Voice Railing usually isn&#8217;t the most effective way to change entrenched bureaucratic thinking.\u00a0 (I haven&#8217;t really figured out what <i>is<\/i> the most effective way.)<\/li>\n<li><b>\u201cYour choice is one big brother or many little brothers.\u00a0 Choose wisely.\u201d<\/b>\u00a0 This closing line is open to deep debate and interpretation; I\u2019ve already had several interesting conversations about what Geer meant and what he\u2019s implying.\u00a0 My position is that his earlier points (e.g., observability is out of control and is not coming back) demonstrate that we\u2019ve already crossed the Rubicon of \u201cno anonymity, no privacy\u201d &#8212; without even realizing it &#8212; and that it\u2019s far too late to go back to a time where <i>no<\/i> brother will watch you. \u00a0Can anything be done? \u00a0I\u2019m very interested in continuing to debate this question.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.cognitivedissidents.com\">Mr. 
Josh Corman<\/a> (director of security intelligence at Akamai) gave the second keynote.\u00a0 Some of his interesting points included:<\/p>\n<ul>\n<li><b>Our dependence on software and IT is growing faster than our ability to secure it.<\/b>\u00a0 Although this assertion isn\u2019t new, it always brings up an interesting debate: if you <i>can\u2019t<\/i> secure the software, then what <i>can<\/i> you do instead?\u00a0 (N-way voting?\u00a0 Graceful degradation?\u00a0 Multiple layers of encryption or authentication?\u00a0 Auditing and forensic analyses?\u00a0 Give up?)\u00a0 A professor I knew gave everybody the root password on his systems, under the theory that <i>since he knew it was insecure, he would only use the computer as a flawed tool rather than as a vital piece of infrastructure<\/i>.\u00a0 Clearly the professor\u2019s Zen-like approach wouldn\u2019t solve everyone\u2019s security conundrums, but the simplicity and power of his approach make me think that there are alternative, unexplored, powerful ways to mitigate the imbalance of insecure and increasingly critical computer systems.<\/li>\n<li><b><a href=\"http:\/\/blog.cognitivedissidents.com\/2011\/11\/01\/intro-to-hdmoores-law\/\">HDMoore\u2019s Law<\/a>: Casual attacker power grows at the rate of Metasploit.<\/b>\u00a0 This observation was especially interesting: not only do defenders have to worry about an <i>increase in vulnerabilities<\/i> but they need to worry about an <i>increase in baseline attacker sophistication<\/i>, as open-source security-analysis tools grow in capability and complexity.<\/li>\n<li><b>\u201cThe bacon principle: Everything\u2019s better with bacon.\u201d<\/b>\u00a0 His observation here is that it is especially frustrating when designers introduce potential vulnerability vectors into a system for no useful reason.\u00a0 As an example, he asks why an external medical device needs to be configurable using Bluetooth when the device (a) doesn\u2019t need to be 
frequently reconfigured and (b) could be just as easily configured using a wired [less permissive] connection.\u00a0 The only thing Bluetooth (\u201cbacon\u201d) adds to such a safety-critical device is insecurity.<\/li>\n<li><b>Compliance regulations set the bar too low.<\/b>\u00a0 Corman asserts that the industry\u2019s emphasis on <a href=\"https:\/\/www.pcisecuritystandards.org\">PCI compliance<\/a> (the payment card industry data security standard) means that we put the most resources towards protecting the least important information (credit card numbers).\u00a0 It\u2019s a double whammy:\u00a0 Not only is there an incentive to <i>only<\/i> protect PCI information and systems, but there is <i>no<\/i> incentive to do better than the minimal set of legally-compliant protections.<\/li>\n<li><b>Is it time for the security community to organize and professionalize?<\/b>\u00a0 Corman railed against \u201ccharlatans\u201d who draw attention to themselves (for example, by appearing on television) without having meaningful or true things to say.\u00a0 He implied that the security community should work together to define and promulgate criteria, beyond security certifications, that could provide a quality control function for people claiming to represent security expertise and best practices.\u00a0 (A controversial proposal!)\u00a0 A decade ago I explored related conversations about the need to create\u00a0<a href=\"http:\/\/en.wikipedia.org\/wiki\/Regulation_and_licensure_in_engineering\">licensed professional software engineers<\/a>, both to incent members of our community to adhere to well-grounded and ethical principles in their practice &amp; to provide the community and the state with engineers who assume the responsibility and risk over critical systems designs.<\/li>\n<li><b><em>\u201cDo\u00a0something!\u201d<\/em>\u00a0<\/b>\u00a0Corman closed by advocating for the security community to come together to shape the narrative of information security &#8212; 
especially in terms of lobbying to influence Governmental oversight and regulation &#8212; instead of letting other people do the lobbying and define the narrative.\u00a0 He gave the example of unpopular security legislation like SOPA and PIPA: \u201cyou can either DDoS it [after the legislation is proposed] or you can supply draft language [to help make it good to begin with].\u201d\u00a0 I felt this was a great message for a keynote talk, especially in how it matches the influential message I heard from a professor at Carnegie Mellon (<a href=\"http:\/\/betterembsw.blogspot.com\">Dr. Philip Koopman<\/a>) who fought successfully against adoption of <a href=\"http:\/\/en.wikipedia.org\/wiki\/Uniform_Computer_Information_Transactions_Act\">the Uniform Computer Information Transactions Act<\/a> and who exhorted me and my fellow students to <i>be that person who stands up and fights on important issues when others remain silent<\/i>.<\/li>\n<\/ul>\n<p>All in all not a bad way to spend $20 and a Saturday\u2019s worth of time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security B-Sides is an odd duck series of workshops.\u00a0 Are you: Traveling to attend (or already living near) a major commercial security conference (RSA in San Francisco, Black Hat in Las Vegas, or SOURCE in Boston)? 
Not particularly interested in attending any of the talks in the commercial security conference you\u2019ve already paid hundreds of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/904"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=904"}],"version-history":[{"count":10,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/904\/revisions"}],"predecessor-version":[{"id":917,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/904\/revisions\/917"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=904"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}