BSides Canberra 2018 Panel

BSides Canberra · 2018 · 1:21:02 · 260 views · Published 2018-07

Tags: Style: Panel

Transcript [en]

Hello, welcome to the BSides Canberra panel. So the idea of this panel is that it's really interactive, so I want you guys to have your hands up the entire time asking our panelists questions. You'll get a list of the topics that we're asking in the booklet and online as well. The idea is that this is, you know, quite wild and quite interactive, so please do get involved. We have five great panelists today, and I'll get each one of them to introduce themselves and talk a little bit about what they do. So on the left we have Metl. Did you want to...

Hello there. You might remember me from such columns as Kiwicon, also Risky Business. Also, have a beard. Apparently I'm old; that's a joke now. Thanks very much, everybody. I've just been doing this round here for a while.

Let's thank Metl. Next up we have Peter Gutmann; you might remember Peter Gutmann from our keynote earlier today.

So I'm technically with the University of Auckland, but I work more in industry than academia, which means I get to throw rocks at academics and at the industry, depending on which head I'm wearing, and I have an interest in cryptography and high-assurance systems.

Let's welcome our Pete. Next up we have Jess.

I work in the governance, compliance and risk area, which has been recently, more excitingly, renamed the cyber strategy and governance team so that people will turn up to the meetings.

Let's welcome Jess. And next up Liam, another great beard in the panelists. Let's welcome Liam. And last up, Joe.

I'm Joe FitzPatrick, @securelyfitz on Twitter. I'm a hardware hacker; I teach classes on hardware hacking and talk about it a lot. So, yeah, I also came out yesterday.

So let's welcome Joe and all the panelists. What's that? Sorry, I can't tell, Mike. There's a look of confusion on my face right now; we'll just make do. It is a bit difficult to hear up here, but hopefully we'll get through this. So the first question that I want to ask the panelists, and this is probably something that is fairly personal to me as well, and we have a list of this question on the
website and in the booklet; we sort of had this idea afterwards, and it's a pretty simple question. Your shoes look lovely. Thank you. So, okay, so why are techies paid less than their managers? Now Metl, you've worked as a techie, and I'm sure you've done many other jobs in your experience. Let's just alter the question slightly: do techies get paid less than their managers, instead of why do techies get paid less than their managers? In your experience working with technical staff, do they get paid less than the people above them that aren't necessarily technical but are managing them, and also the manager?

I haven't worked in a real organization. I've only ever worked for a group of hackers, and we pay each other pretty well.

Do you think that's reflective of industry? Do you think that techies in general are paid well compared to management?

I think so, but yeah, I guess we attack regular organizations from the outside, so I'm probably the wrong person to ask about regular corporate structure.

Well, it's a strange... oh, you've worked at Intel, and I don't want to target Intel specifically even though I've just said that name. You've worked in a corporate environment; is it reflective of industry that managers get paid more than the technical staff?

Well, the technical staff's job is to solve technical problems; the management staff's job is to let those people let the company make money, right? In my experience a really good manager can actually amplify and enable their technical contributors to do a whole lot more. A good manager of ten people can have ten times the impact of an excellent individual contributor, so there is some argument for that. At the same time, that's the excellent managers, that's the very, like, you know, two-sigma, top managers. This is not the, you know, the manager in the middle 68% or below, which I have experience with, the whole range.

Metl, how does that make you feel? Do you think that you had managers, when you were, you know, in hacker companies, that were enabling you to perform pen tests to the best of the company's ability, and that the management was driving the funds, as opposed to the techies actually doing the pen tests?

It's a good question. I'm trying to think back to the last people that managed me that weren't Brett Moore, so I have to be careful about what I say. That's great, by the way. I guess I'm really lucky in that I've only ever worked for people who are better hackers than me. You know, Brett [ __ ] Moore, right; anyone else who knows that guy knows that guy can hack. And so, yeah, I always felt that he pushed me to do way more than I would have done, and as a result probably deserves getting more money than me, which he does, by the way, if he's watching.

Peter, what do you think? You work in university environments. You're obviously aware that heads of schools and general managers, you know, probably are on a higher pay scale than, you know, a senior lecturer, even, you know, an associate professor maybe. Do you think that that is reflective of what the core business of the university is? Do you think that the senior leadership of the university should be paid more?

So I'm affiliated with the university, but I, like Metl, may be the wrong person to ask because I've always been self-employed, so I get paid the same as my manager. However, a comment on that: I know that some organizations like IBM and Sun and so on have a concept of something like a research scientist or distinguished scientist or something like that. So they recognize that they've got a technically very talented person, but if they then remove their brain and call them a manager then that's not a good use of those resources. So they have these sort of parallel advancement paths where they call them something like a distinguished scientist or chief scientist or whatever, so they get paid the same as a senior manager, and they have the same clout as a senior manager without necessarily being a manager. So there are ways of getting around that. For some reason I think only large corporations do that; I don't know of small businesses that do that sort of thing.

So do we have anyone in the audience that has a view on this, a techie or a manager? No one wants to put up... we've got a question. I've got a comment over here.

Geez, I've jumped around in the industry and I think you do get variations. I've had the experience of both being a manager of teams up to twelve or more, and then I've actually jumped out of that into being technical specialist roles in big corporate environments, where you can actually make more than you can as middle management. Obviously middle management are often targets of hostility because maybe they're not the two-sigma ones, but fundamentally I think that answer was spot on: that managers can, at the end of the day, make sure the team is able to steer a greater amount of change than is possible as an individual contributor. On the other hand, as a very good individual contributor, you can have that... some places recognize that and you have specific specialist roles that are actually pretty well paid, even in many corporate environments.

We've got a question. Can we get a mic to you here as well? Yeah.

I think it's important, like, from where
I've come from, in my team, obviously I'm very technical, but at the end of the day I can down tools, go home and go to bed, like, and not look at my phone, not get hassled by executives, whereas my boss goes home and stays awake for four hours stressing about stuff like that. So I think it's just kind of, yes, I might have more technical skills than him, but I guess less responsibility, maybe. I think that's what I've found in my sort of working with management like that: I guess I can just leave, and they stay awake at night.

Managers get paid more because if your network gets ruined by the Chinese, they're the ones that get sacked.

Totally true, to be honest, because if you look at all the charges that the US is making against Chinese state-sponsored hackers, they're actually, you know, putting criminal charges against particular operators of computers. They're not charging, you know, the president or the prime minister of China; they're charging the guy that's there, that probably doesn't know what tool he's using, that's just, you know, typing on a keyboard. Is that a reasonable comment? Okay, next.

I think this is a sort of a question obscured by the fact that pretty much industry, government, everywhere, the standard is salary opacity. No one knows what I'm earning; I don't know what anyone else in my team is earning. So how do I know whether my manager is earning more than me? He's not going to say.

What do you think about pay transparency?

Well, if you go and work in government you know exactly, because there are very prescribed pay bands and the jobs are gazetted, and you know exactly; anyone can see my classification. I'm in the fortunate position, and I think a lot of us are in this room, where we are well paid in this country for what we do, for the most part. Hopefully, in the nicest possible way, I don't care so much about the money as the work, and I recognize that's an incredibly privileged position to be in. But yeah, I mean, I think it works well in government; people know what the bands are. The only downside of that is you get a little bit of "not my pay grade", but I think for the most part, you know, the people that I've seen working in government are very focused on doing the best they possibly can and getting it done, often just as under-resourced.

And at least we've got the question about hacking here, like, if you want to know what someone else gets paid, like, that's the thing we're equipped for. So that's an engineering problem, right? Go ask the SAP system and, you know, job done.

Just to go back to what Jess is talking about: I don't work for government and I never have, but if you look at the pay grades that are offered, there are actual hard limits for technical roles, and beyond a certain, you know, pay scale or grade you have to move into management. Do we believe that statement, that management is the natural progression: once a techie gets too good they naturally move into management and they forget about their technical abilities? Is there a limit to being technical? Because if you look at the pay grades, it implies that.

I think we really do both technicians and management a disservice, and I'll say you kind of changed the terms of reference there a little bit. Earlier we started talking about managers, then we started talking about leadership, and those are often two very different things. We often have a lot of really good managers and we have very few good leaders, and I think when you're fortunate enough to have a good leader in your team then you get that force multiplier effect I think you were talking about. I think it's a real problem when you have people whose skill set and passion and capability is in technical areas, and for reasons of money or prestige or whatever, the only pathway within an organization is into management. I think organizations need to find different pathways, like the research side of things you were talking about, because often, you know, I've worked with some brilliant technical people who were terrible managers and maybe shouldn't have been running things, and there can sometimes be a little bit of arrogance around that, you know: "I'm a really smart person, I can do all this amazing stuff, how hard can running a business be? I'll just do that", rather than saying "I'm great at this; maybe I'll go and pay someone to manage this", or "I'll hire someone who has that skill set". And, you know, for the really good managers there is actually a lot of skill involved. It's not just a bunch of people who can say weird stuff and talk to people; there's actual skill involved, and I think it's a disservice to suggest it's an easy job, and we don't do ourselves a good service when we talk about hard skills versus soft skills. I saw somebody on Twitter, I wish I could remember who to credit, recently talking about technical skills versus professional skills, and I think that's a really...

I'm just gonna backtrack a little bit. Do we think that a technical EL1 or a technical EL2 is as smart as you can get technically? Can you translate that?

I've been in Canberra for too long.

So again, I don't work for government, but I do know about the grades, and so in the federal... and I'm probably the worst person to talk about this because obviously I don't know. So there's the APS, the Australian Public Service, payment system and pay grades, and you have APS levels up to six, and once you go beyond APS level six you're going into the executive level, which is one to two, and then beyond that you start to get into the senior executive level. And as far as I'm aware, the maximum APS level for a technical person in Australia is an EL1 and an EL2, and it's actually very hard to get those roles as a technical person, and the natural progression once you reach that point is to move into management. And then once you get beyond that, the only way to get a pay rise, really, in the APS is to become a manager. Would you... I've got some shaking heads here, so I'll hand it over.

The reason most technical people leave is that exact pay problem. You can become a consultant or a contractor and in some cases go back to a very similar role and get paid more than your manager was, and that's a result of the Commonwealth's decisions about 20 years ago to scrap the idea of having a different classification for skilled technical people in computing and push them all into the EL1. So it's just a... and then they outsource everything as well.

So does anyone else want to comment on that? I think the contracting route is really an attractive thing for many people. Cool.

Um, I am lucky enough to work for a start-up. We don't have managers. I've been given autonomy; I quite like it. But it's also this mix, like as companies scale that might not work, but at the moment I don't need one and I really appreciate being in that position, and I get paid well enough. So I guess if you kill the managers, money trickles down. Reaganomics works.

And a
question. Today... so you did the whole industry... so to me, making a million dollars a week doesn't interest me. It's just being able to learn, and I found in my new job role that I'm learning things that I never could online.

I think that looking at what a company values is pretty indicative. If you go to a website of a company that is a security company and you look at "about the company", do you see salespeople and executives, or do you see technical people who make technical contributions? If you work at a company, even one that has a technical path... so Intel has a technical path all the way up to grade 12; they have a manager path all the way up to grade 12. When you look every year, how many new VPs are there and how many fellows are there? And I think it's a real indicator of what the company values to see, oh, these decades we had more fellows than we had VPs, but in the past ten years we now have eight times more VPs every year than we have fellows. That really tells you where things are, and that's where I go on the assumption that, yeah, management is paid more than technical contributors because it's valued more in some companies, unfortunately.

So I think we're sort of maybe dancing around three different definitions of management. I mean, like, if you're thinking of a manager as, you know, someone... but I think in a highly functioning organization what you want from management is for them to be providing strategic direction, which generally workers at the coalface, no matter how good they are, it's extremely difficult for that sort of worker to provide that sort of strategic direction, and that's why you would have that sort of progression from a technical person to a strategic leader, because they can draw on their background of technical expertise to be able to provide that sort of direction for the company. And I think that's missing.

There's also the difference, I guess, between actually being a manager and being called a manager. So I know some organizations where they've got technical people, where they realized that they were technically very good and they would probably make terrible managers; however, in order to give them more money they would have to call them managers. So they just called them managers. They're still technical people; it's just the title is manager, and so they get paid at the managerial level.

And I think in addition here there's also things like industry loadings, like in terms of different pay scales, I think, with government and APS levels as well. So I think there is recognition in some parts that technical people do have industry skills. So, yeah, so I probably am a bit, you know, sort of probing you guys. So there are definitely pathways for reasonably competitive rates as well.

Does anyone else think that Silvio's angling for a pay rise somewhere?

Yeah, but it does vary a little bit by directorate or, like, department in federal government. In a city government, you know, it applies across the organization. Outside of, like, my current experience, I've known people who were technical people who were hired at, say, the equivalent of an EL1 level, as Peter was saying. In no other merit-based competitive process would they be awarded an EL1 position, because the criteria for that include team leadership, management skills and all of the other stuff that goes along with that, but in recognition that they have to be at least vaguely competitive with the private sector pay scales for very high technical people, as, you know, developers or whatever, at those higher levels. So I think you'd see that, which is fine if people want to remain and take new careers. I think if they want to pivot into something that's more managerial, they might find that they are then not competitive in that area because they're very technical and they have embossed.

Is there a natural progression to want to move into that strategic level? I mean, is that everyone's dream, to move into strategy and, you know...

There's no doubt at all: tech is really hard, right, but people are harder. I don't know if you've met people, but people are harder. And really, in terms of things like IT projects, one of the key critical success factors, if you want to talk about it in those kinds of buzzword ways, is getting the people on board, and I think good managers, especially managers who have maybe come up through the organization, maybe have a long history with the organization, they have a lot of that institutional knowledge. They have a lot of knowledge about who's who in the zoo and who are the people they can leverage and who they can get on board, and it's that kind of strategic game, not just in terms of aligning with the strategic direction of the organization but understanding strategically who are the power makers, who are the people who can actually get things done and get things greenlit, and it's in that kind of level of game. You know, it's like 3D chess to the checkers that the rest of us are playing.

Thank you. Um, from an organizational perspective, something else to consider is, from a discipline perspective, not just technical but, you know, legal people, you know, other accountants even, in an organization, having the ability to have people progress from a discipline, so technical, into a management position gives the people reporting to them, and the organization, people in leadership positions that understand how things actually work in real life. So, you know, being a technical person and reporting to a technical manager, they know what I need to do, they know my day-to-day things. They say, "hey, how are these one-two-threes and ABCs?", and I can say, "yes, they're this or the other", and you actually understand. And so having, you know, in some ways that pay disparity and encouraging people to move up can actually be positive overall for the organization, because it brings that perspective up into the more senior echelons.

I think you're just rationalizing something there, Dick.

I totally am.

Look, I think we might leave it on that topic. It was certainly an interesting topic, but we've got other topics to talk about. Next, I'd like... has everyone heard of the WannaCry ransomware that came out? I think everyone pretty much has. Does someone on our panel want to give us the quick and dirty summary of what WannaCry is?

So it was ransomware built on top of the
NSA EternalBlue Windows SMB bug. The code exec got released into the wild. It was nominally supposed to encrypt people's disks and ask for ransom; it wasn't very good at it, in that you couldn't actually pay the ransoms. It was no good as ransomware. We couldn't really tell whether it was denial of service in the guise of ransomware or just really incompetent. It went around the world, took out lots of things for people who hadn't patched their Windows XP or otherwise their older Windows boxes, where Windows 7 was also vulnerable. It had been patched like three or four months before that; EternalBlue got dropped by the Shadow Brokers and then a whole bunch of people lost a lot of money. We saw, was it, Maersk shipping line shut down; we saw, was it, DHL, one of the big logistics companies, had a whole bunch of this stuff shut down by it. The British National Health Service got taken out by it, because they ran all the hospitals on unpatched Windows 7, I guess. And, yeah, it was a bad time for a lot of people. But it was also saved by a mysterious hero: a hero appeared on the internet and found there was a bunch of strings for command and control embedded in the binary. This guy, Marcus Hutchins, MalwareTech on Twitter, looked at one of the strings that was a domain name, realized it wasn't registered, decided to register it, knowing nothing about whether it was going to trigger it or stop it or do nothing. Turned out it stopped it. That worked out well, and as a result, in New Zealand nothing got WannaCried, thanks to, you know, randomly registering domains you find in malware on the internet. So, lessons to be learned from that, clearly. And, yeah, we still don't really know who did it.

How did the US government thank Marcus Hutchins?

This is the greatest of all. So he did the dumb thing, which is he went to the US, and yeah, now he's a guest of the federal government. Well, actually, no, he's on bail these days, but he got arrested. I think he was actually arrested for writing another piece of malware which they thought was attributed to him, so it was actually incidental to WannaCry, but it's still such a strange story that one week he's an internet hero, the next week, you know, behind bars.

So is there anything that can be done about, you know, WannaCry happening again? I mean, there's so many layers here, you know, almost intrigue and mystery, really, and what can be done? Is Microsoft to blame? Is it the NSA? Is it the Shadow Brokers? Is it the, you know, the MalwareTech guys?

The reason it's such a complicated answer is because everything about this is complicated, right? I mean, the pervasive use of technology throughout society, throughout the world, that relies on, you know, clearly imperfect... we saw the formal validation of even a microkernel is, you know, Australia's greatest achievement, right? So having any sort of security at all is super difficult. We build systems so quickly we can't understand how they work; we don't know what we're gonna do when they don't work. And then into that mix we add, you know, geopolitics and spooks and hackers and North Koreans and money and vigilante, you know, warriors on Twitter, and we end up with something where we don't know what's going on. I mean, the fact that WannaCry could happen, the fact that it hadn't happened until now, that we haven't seen, since Blaster... we saw worms that good, right, ages ago: Code Red and Nimda and Slammer and Sasser, and what was the one that took out the IDS product? That was good times. We haven't seen a worm like that in ages, right? That's amazing. Why not? That's what I don't know: why didn't this happen earlier, rather than why did it happen? And what would we have done if it was six months earlier and it was actually every Windows box on the internet, right, and not just a bunch of unpatched ones in a few countries with a kill switch? Like, what would we do if every box got owned by malware? It would be insane. It'd be crazy town.

Linux desktop.

Yeah, I mean, brother, it's truly the year of Linux on the desktop right now; we're living in it.

Okay, so first of all, I have precisely one Linux-on-the-desktop dude, and I think that the year of Linux on the desktop, if that is 2038, is only for 16-bit versions.

The story that you were describing,
Code Blue and Code Red. That's such a terrible idea. So, to say, Code Red was a worm that came out many, many years ago; this was in the early 2000s, I think. Was it useful? It was not. But one of the responses to Code Red was the idea: let's make a worm that patches all these computers and that will solve it, because the problem at the time was all of the computers are unpatched. What do they do? You know, you can't contact admins, they won't fix it; what do you do? Let's just release another one. The classic hack back. And it was surprising that this actually got, you know, sort of almost mainstream attention in the security industry, as if it was a topic for discussion. Maybe for me it seems absolutely crazy, but do you think it's reasonable to have these hack back situations? Is that a reasonable option?

It happened last week, right, with that Cisco Smart Install bug, right, where there was a bug in the Cisco thing that'll auto-configure switches or whatevs, and some group of American vigilantes went round and, like, destroyed a bunch of Ciscos in Russia and Iran and stuff and then patched all of the American ones, because USA. Which, I mean, on one hand clearly terrible idea; on the other hand, well, probably a bunch less American Ciscos got owned because of it. I mean, it's hard to argue with results even though it's a [ __ ] terrible idea.

I mean, it's been... I guess going back to the Code Blue, Code Red discussions that happened, you know, 15 years ago, you know, the argument was that, you know, are non-state actors part of the internet, you know, country versus country fighting? You know, do we have permission to patch people's Windows machines or patch people's old servers if they aren't being taken care of, if the admins aren't looking after them?

Why can't you, you know... The counsel... That's a very good point. If it all works out okay, maybe a blind eye will be turned. "But I wasn't hacking you, I was remotely administering your server, man."

And I think that free pen tests from everybody because one unfortunate customer service rep who, you know, sure, should have done a better job, and a corporate position and corporate strategy issue, yeah.

Sorry, as a pen tester, I just wanted to respond to that: they were not being pen tested, they were being hacked.

Well, we're all security professionals, so we sort of have an understanding of this, but what's the mainstream, you know, interpretation of things like WannaCry? I'm pretty sure that the mainstream interpretation doesn't include words like EternalBlue or MalwareTech, the person, you know, that responded to that. So what is the mainstream interpretation, and how does that relate to what we know, being a little bit more informed about what actually happened?

I think probably it's "bleep bloop computer stuff, who knows", right? That's essentially what most people's perspective on this stuff is, and that's pretty fair. They don't have the framework within which to think about, you know, responsible disclosure of bugs or equities management process when you've got a bug like EternalBlue. Like, those things are really specialized kinds of conversations that are beyond the scope of what you can expect to have in general public discourse, I think, right? That's too complicated, and they have to rely on us as an industry to not be a pack of charlatans that make rubbish up and sell boxes that pretend to secure things when they don't. And we are the ones that are, you know, at fault here, and I don't know what we can expect in a reasonable discussion from outside of our industry.

In terms of mainstream, if you mean the general public, and I'll put on my academic hat for a minute, I mean, people have done research into how the unwashed masses perceive viruses and malware, and for them a virus is just like a biological virus: like catching a cold, they just exist out there, they come from nowhere, occasionally you catch them, you run an anti-virus app and it's gone again, just like taking some medicine, and then you move on. And that's pretty much the understanding of viruses by non-technical people. So, yeah, something like WannaCry, and if you mention EternalBlue, it's just, as you say, it's just, yeah.

And there's no... I mean, you see how many people have pen tested a thing and gotten caught by antivirus whilst they were doing it? Hands got snapped by the AV. And what do they do after they have snapped you at the AV? Well, you know, they re-image the workstation; job done, right? Because there's no kind of concept, even amongst IT staff, that malware equals a person doing bad things to you. Like, it's just some kind of self-contained entity that arose by itself and disappears when you take the, you know, McAfee Panadol, and it's all fine. And yes, so tying it back: the fact there's actually real people, in the case of persistent threatening people, that they are persistent and threatening and are gonna keep doing things, like, that's lost on most people, and we need to think about how we explain that in a way that's meaningful.

And maybe answer a common question over here. Not really a question, but, um, WannaCry was a great way for us to get all that [ __ ] patched, right? Like, yeah, I mean, it made the news, so it's like, [ __ ], we're gonna do this thing. We patched all that [ __ ] that weekend; it was done, and that was a really great way.

That maybe people died.

Yeah, I mean, I guess fortunate that we were ahead of a lot of people in the time zone, so we managed to catch it pretty fast. But, like, it only has to happen once now. So, like, the Shadow Brokers did warn that they were gonna drop these NSA SMB 0-days before the fact, and then they did drop them, and they were legit 0-days. So really, all we need now is the Shadow Brokers to say "we've got telnet 0-days", and all of a sudden all these [ __ ] services that are connected to
the internet that shouldn't be able get patched did yeah did you see that there was a like IDP code exec Simon dropped on Twitter this week sweet yeah now it's fun times a Monday yagan here on pop some shells good times good got a question Eric : baby yeah so we saw Stuxnet attacks by let's say unknown players against the Iranian centrifuges then we saw our players attack that Ukrainian power supply we've seen want to cry we've seen not picture a year or so ago my conjecture is that we're on the verge of essentially cyber warfare open-cycle warfare becoming more mainstream well and then we had the director of offensive cyber ops for the australian

government giving the keynote here today, no, yesterday, at this conference, right? If that doesn't say this is a thing that's out there in the front of your national policy... I'm assuming you're Australian, my apologies if you're not. The fact that it's out there, clearly we are in a place where that is a real tool of geopolitics. Obviously we see that with North Korea, we've seen it with Iran, and we've seen it the other way, where Israel have used their capabilities. Yeah, absolutely, it's a thing that we are, you know, on the cusp of. I don't want to say cyber war, because then I have to... you know, clearly we are in that future already, and

the rise of non-nation-state actors in that space as well. I guess, as I mentioned a couple of slides ago, right, the fact that the cyber is trickling down to individual civilians, and the fact, going back to the vigilante, you know, hack-back thing, like the fact that that happened at all, it's down to probably two or three people. One guy maybe did everything with the Cisco Smart Install. We're now at the point where it doesn't matter whether the thing is a good idea or not, because the Internet is big enough that it only takes one person to go and do it, and there's always gonna be that one guy

who's on, you know, a mission from God, and is gonna go do it. And that's, you know, in an age of cyber weaponry, the tools of war, and of mass war potentially, are in the hands of... when you're on the front lines by virtue of being equipped, you know, with weapons. A question, a question over here, or a comment over there? Do you think the public perception is changing? I don't remember growing up seeing things about viruses on the news, but as soon as it started encrypting people's files and they had to pay money to get them back, people started taking notice. Front page of the newspaper in Wellington, New Zealand, in 1986 was about

the Stoned virus taking out the Australian military in Canberra. I think the microphone... is a question or a comment over here? So we talked about the public viewing viruses as, like, more or less a cold. Is there a way that we can change that public perception? Say everyone likes to go out and buy new cars. Can we start explaining that just good enough isn't good enough? We know lots and lots and lots of ways that don't work. So we've spent at least 15 years exploring all the ways that don't work. We may eventually find one that does, but so far, as far as I know, we haven't. I mean, Dr Peter here

did a talk about security interface designs of browsers, right, on all the ways that we've tried to explain the goddamn padlock to people for the last 20 years and how well that's worked out. Let's face it, the padlock's pretty simple, right? It's either a padlock-y one or it's not a padlock-y one, and that doesn't...

And look, I think one of the problems is that for an awful lot of these cases, across a huge range of things, just good enough is good enough. Okay, maybe not in security, definitely not in security, but when people vote with their dollars, and if you tell somebody we can build you a really secure, proven secure computing system that will have none of these problems and it will cost you even five times what you currently pay for them, is that a worthwhile trade? Most people will either not be in a position to simply do it at all, or they would choose, you know, the path of least resistance, which is I'll pay this, you know, virus tax every six

months or whatever and get someone to clean up my computer. We've got a perfect example in the mobile world, where the Android ecosystem is clearly the minimum viable phone. It works, does the job, it's terrible, you can't patch it because of the ecosystem. Or you can pay twice as much, three times as much, buy yourself an Apple device which gets patches regularly, and by and large, you know, modulo people popping 0day regularly, it's clearly a better system. But for most people, what are you going to choose, the fifty dollar phone or the $800 phone? For most people the $50 phone is the right choice, right, because they're not going to be hacked by people with crazy Stagefright,

Stagefright bugs or something, until, I guess, everybody gets hacked by Stagefright bugs. But yeah, it's a great, it's a perfect example of that. But then again, on the other hand, a consumer who goes into a mobile carrier shop to buy an Android phone has zero information with which to, you know, express their free market, you know, hand on the basis of security. It's not a thing by which you choose your bank or your phone, because they're not metrics that are exposed to people. It's one of the reasons that SSL security, despite being, you know... the fact that that is a thing we care about, largely as an externally observable

metric. If someone's got a rubbish cert on their website or they haven't tuned their cipher settings on their Apache, it tells us something about their security posture in general, but not with any specificity, because it doesn't actually matter who's... nobody's hacked by that itself. But the, yeah, I guess the point I'm trying to make is you don't make consumer choices on the basis of security because either A, it's not important, or B, we don't tell anybody anything about the security they'd find. If you tell people, like, if the $50, you know, Alcatel Android phone had a warning label like a six-pack of cigarettes... Actually, the biological side of things, like both analogies to, like,

biological vulnerabilities. Like, okay, we know that you can wash your hands and you go and get sick less. How many people have observed other people that don't wash their hands in a public bathroom, right? Yeah, maybe it's only the men's rooms that I see that happening. But I mean, the advances that have come, like, people still don't believe that vaccines are helpful, and in some cases maybe they are, maybe they aren't, you know, individual cases are always very interesting and unique. The point is, like, it's a psychological and a human problem that people are not adopting all these things that they could do that make themselves healthier, right? So when we look at it

for, you know, our digital devices and our systems and servers and computer viruses and attacks and hackers and all that stuff, it's the same thing. Like, we can come up with technical solutions and that's gonna help, but people are still gonna not understand it, even with all this education, even with science and data and everything else that we've done. Yeah, and I think in the same way that any sufficiently advanced technology is effectively indistinguishable from magic, any sort of sufficiently plausible marketing claim is indistinguishable from [ __ ] as to what phone A, B or C actually truly represents, and whether you have the ability to determine those claims. All you have

to go on, um, is you're just literally taking it on trust. I think we are starting to see some approach, you know, where there is testing. The US Federal Trade Commission, for example, has really started to move against Internet of Things rubbish manufacturers, webcam vendors, that kind of thing, who've had their stuff owned, and some of them, I can't remember which one, TP-Link maybe, have like a 20 year injunction against them by the FTC where they have to submit every couple of years an audit report that explains why they're not gonna get owned this week, to the FTC, for the next 20 years, right? Which, in terms of Internet of Things, they won't exist in 20 years, having gone out of business or been

bought by Broadcom. And so we are starting to see, like, just many IoT things, I guess, is a place where the devices and the services and software are bundled together into, you know, a small enough industry that you can kind of consume, you know, a general consumer rating, like this one cares about your privacy this little, this one cares this little, you know, you can make some informed choices. All the way... because no one's gonna make an informed choice about a $16 webcam, they're just gonna buy it. Can we just take a question from George, who's been waiting for a little while? Sorry, make a hand. Yeah, sorry, just a

question on something which is obviously an emerging future technology, but it's here and available for us today, which is the blockchain. And, surprising and debatable, but it's sort of sifting science fiction from science fact, what do you see as a realistic future for blockchain tech, perhaps contextually in Australia, and maybe in terms of the segments that you're involved in, and what do you think we'll see in terms of those developments over the next couple of years? So the blockchain is illegal because it contains child pornography, in the case of the Bitcoin blockchain, so yes, no one use Bitcoin because it's illegal. I think the future of the blockchain is that... Metal, can you just explain that, sorry,

because it's a really interesting actual technical story about what you're talking about, so if you just want to discuss what people have put in the blockchain, and it is actually there today. So yeah, obviously blockchain is an immutable storage mechanism for storing, you know, incrementing bits of data, and there are ASCII art pictures of Silvio, and if there isn't, there will be by the end of this if someone wants to take their, like, $40 worth of transaction fees to stick an ASCII art picture of Silvio in there, then I've got right here my wallet. So, good, um, you can store arbitrary data in the blockchain as part of its purpose, and yes, of course, people have done

everything that you would imagine: store goatse in it, store pornography in it, store pictures of Silvio in it very soon. And yet, possession of child pornography is a crime in hopefully every jurisdiction. But does this represent a really significant problem for those types of technologies, that you can put arbitrary data in, like, how do you prevent that? It's a good question. I guess make it expensive, I don't know. Goodbye, Bank. We've jumped the shark so far with this whole blockchain thing that I'm still legit trying to figure out if that was like a serious or a troll question. What's gonna be done with the blockchain? What we use to drive monorails, faster-than-light transport

and space elevators. I think now it's a good time for a topic change. Excellent, doesn't want the truth there. So Australia's just recently brought into effect mandatory data breach notification laws; they've come into effect this year. Ultimately, how do you guys think it will affect us? Do you think it's gonna work? Does it work overseas? Maybe Jess can answer this one. I think the short answer is that we can actually see already that it is working to an extent, and I think things are gonna have to settle down over time. The OAIC, which is the body that administers it, received 63 breach notifications in the first six weeks of the scheme, and they've produced a

quarterly report based around them. That compares to a hundred and fourteen notifications for all of the previous financial year, when it was a voluntary disclosure situation. There's an interesting thing around that: the requirement to report the breach, it's up to the organization itself to determine whether it's actually a significant risk of harm to the affected individuals for that breach, so there's no kind of hard and fast rule, which is, in many ways, you know, most of our governance around this kind of stuff is risk-based rather than compliance-based, checkbox-based. Is there some regulation that there's an annual turnover of three million dollars for commercial? Yeah, so it applies, so they

talk about what they call APP entities, and APP is the Australian Privacy Principles, which is laid out in the Privacy Act 1988, which is the federal legislation. All of the states and territories have their own version of that as well that they need to be compliant with, and so APP entities, and look, I'm not a lawyer, but this is from my exposure to it and my understanding of it, includes most federal government agencies, it excludes most state and territory governments, and it includes private sector and not-for-profits where their turnover is greater than 3 million, as you said. So I think the issue there is the threshold that means that

small businesses don't have enormous compliance burdens around this sort of thing. But it's, you know, I personally think it's a good approach. I don't know about how much fine-tuning or tweaking is gonna need to go on, and I think that's a matter of, you know, my preference would be you put it out there. But depending on which country you're in, and which sort of political persuasion or end of the political spectrum you kind of sit in, people may think that regulation is a great thing or a terrible thing or, you know, any different thing. But in many industries we see many times that if you allow industries whose primary

motivation is profit to self-regulate, they tend to not always do an awesome job of it, and sometimes they only start really giving good consideration to it when there's a serious threat of regulation being brought in, or actual regulation. It's the same as, you know, people talking about various sorts of things for which... we're all adults, we can just behave, why do we need, you know, whatever it is, a code of conduct or something? Well, yeah, but if we're all nice people then why do we need laws and why do we need jails? It's like, let's just all be nice to each other. Again, I say, have you met people? But that's just not viable, and so

I personally think a degree of regulation is good. It means, if nothing else, organizations have to take it seriously. So I'm considering, and there will be some organizations who maybe choose not to disclose, but at the very least it means that their calculus has to include: what is my potential penalty if I choose not to disclose, if I do disclose, and if I'm subsequently found out if I don't disclose, rather than just, do we think we can get away with not telling anyone? I did notice something very interesting. It said that in addition to government agencies and departments and so forth, and three million dollar turnovers, that tax file number recipients would also be

obligated under the mandatory data breach notification laws to disclose, and that includes things like tax agents and accountants. And if you know, in my experience anyway, your average tax agent, you know, maybe he's got two or three people at his company, you know, he or she is not exactly, you know, has a great security posture, they're just a small business well under that three million dollar turnover rate, and they're going to be required for mandatory data breach notifications. Do we see this as we're going to have a huge surge of tax agents that are disclosing breaches? Well, you know, does it happen? Do tax agents get attacked?

You know, Liam and Metal, you've done a lot of pen testing. Do you pen test tax agents, accountants, people that are seen for tax file numbers? Who's gonna inform all those small businesses that they've been breached? That's a good point. So, you know, you know who's really not a big fan of mandatory breach disclosures, to the extent that they put in a special exemption in the legislation that we didn't mention? Political parties are explicitly exempt from this legislation, which is fantastic for them, isn't it? We'll take a question or a comment over here. In regards to the exceptions to the exceptions of the Privacy Act, talking about the tax file number recipients, I think it's pretty

interesting to consider the fact that pretty much all businesses, regardless of turnover, are going to be recipients of tax file numbers because of their employees and their payroll. So if those organizations are breached, they will have to notify their own employees that their personal information has been breached. So I think one of the considerations, and I guess I can't really speak to the intent of the OAIC, but to my way of thinking, when we're doing risk assessment, you know, from a security perspective on ICT systems, things like that, one of the things we consider is not just, say, the classification or sensitivity of the data, the value of the data, but also in aggregate that it

changes the risk profile of that. So if you're a company that employs 10 people, and yes, you do have their tax file numbers, that's one kind of risk. It's not the same thing as if you are a tax agent and you maybe have 10,000 or 5,000. The scale of that means that it's kind of a different risk calculus around it. So I think that's actually maybe a reasonable approach to it, where you can say, okay, companies below three million dollars probably don't have that many people on staff. They maybe should be, I mean, you know, this is again, this is the minimum compliance standard. It doesn't mean that you're not allowed to report

things that don't meet the threshold if you think it's important to do so; you can choose to do that. And in fact, from that perspective, you know, ACT government under this scheme is actually not considered an APP entity, but we're in the process, because one of my hobby horses is about trust and those kinds of things, and I'm really pleased to see us having done this, is that from a policy perspective there's a draft policy that's being put together and circulated that is going to, you know, the intention is that it will state our position that we will behave as though we were an APP entity even though we're not technically required. And look, as

territory and state, you know, legislation catches up with some of these new introductions, I would expect maybe they might, you know, put some of these provisions in their own legislation as well. But it makes it explicit, and I think that's a good thing, because I think, you know, one of the key success things in delivery of government services is, you know, the trust by the citizens in the government, and that's really along two axes. Do the citizens trust, okay, that we are able to keep their data secure in the first place, do they actually think we can do it, and secondly, do they trust that the purpose for which we're

using the data is what we've said, and are we gonna creep the scope in some way? Now we're not allowed to under the Privacy Act, like other organizations, but that doesn't mean that I would encourage anyone who is not sure, "am I technically obliged to report this breach?", you know, maybe they're on the side just kind of skating away with it. We have a question or a comment over here. So we've touched on anticipated effects of this new legislation a little already, and I guess because it is so recent, you know, it's gonna take some time before we can actually measure outcomes too. I'm wondering what the wider panel thinks, maybe, about the likelihood that this is

going to result in what you would call improved behaviour, in terms of businesses and things, because as we've discussed, like, you can give users information about okay, this company has had a breach, but that doesn't necessarily mean they have the context to decide I'm gonna go with a competitor now. In the case of something like Equifax in the US, they don't have the option of selecting a competitor anyway. So yeah, two parts, sort of: is the idea that now that there is mandatory disclosure there is more, like an increased avenue for the OAIC to deliver enforcement, coming? The Privacy Act does require you to take reasonable measures, but also do we think that just

having to admit you got owned and then get ridiculed on Twitter for a bit is going to result in improvements, or are people still gonna spam the "I accept the risk" button? So we've actually got some data on this quite recently from the Facebook scandal, where within the last couple of days some organization reported that something like [unclear] of users in the US, I don't know how accurate this is, but [unclear] of Facebook users have closed their accounts. So you don't really need an enforcement, you just need some way to let people know this thing that you're doing. In the case of Facebook, you know, I guess everyone in the room knows that

putting lots of private stuff on Facebook isn't a good idea. The general public probably had some vague inkling but didn't know how bad it was. Now that they've had this discrete disclosure of notification via the media, people are actually realizing this is a really bad thing and closing their accounts. So there was at least some evidence that disclosure notification does work, although possibly not, you know, in the way that maybe the Australian government intended when they passed the legislation. We don't know how accurate that data is. We certainly have seen examples overseas where the breach notifications have just kind of, you know, people get bored. Once you've lost your public, your

private data three times, it's kind of... the fourth time, the incremental cost of having a breach of your data reported to you, you know, is essentially zero after you've lost your birthday, your face, or your biometrics or whatever else.

McGann, we certainly have seen that kind of breach notification fatigue. I mean, how many of you have been to Have I Been Pwned and looked up your stuff to see how much of your email accounts... I mean, how many have done it more than once? Twice? Three times? Four times? I mean, who doesn't, like every week Troy Hunt's posting... pretty sure it is in this room, but the wider audience probably not, probably nobody. I don't know whether it's an effective thing. Other thing that occurred to me listening to this conversation, not being super familiar with the Australian legislation: is there a penalty for reporting of breaches that didn't happen? Like, can you tell me...

Err on the side of responsibility, right? If you're not sure, maybe report it anyway, but...

might be some kind of denial of service attack. I'm just saying that, as a hacker, I see you get a fine for not reporting a breach that did happen and you don't get a fine for reporting a breach that didn't happen. So it seems like you ought to set up the cron job to report a breach every day, right? That's covering you for the breaches you don't know about, right, and they'd need a bigger fine. It seems like an engineering solution. [Applause] No, it's just hacking, clearly. I like the way you think, but having said that, I mean, the fine is not the only outcome. Obviously, reputational damage is the other side of this coin, in that the fact

that the OAIC will maybe be having transparent reports around the people who did breach, and we can also get a signal which sectors maybe are more at risk, or more of a trash fire, than others. Is it that you're not just, you know, most larger organizations are not really super worried about any kind of fine that such a regulatory body may impose on them; they're more worried about being dragged through the court of public opinion and losing potential customers. But then when the report comes out, right, and there's a graph that says here are all the breaches that happened, and here's this one company that reported 365 breaches, one for every day of the year, by marketing visibility, like, mine shared

straight to the top, to the top right of a Gartner magic quadrant. I think maybe that's one response. The other response is really, you're still reporting a breach every day and you still haven't fixed your stuff after all this time? We'll take a question or a comment over here. As a young person and sort of university student myself, I've noticed that a lot of young people seem to have given up on the idea of privacy and the idea that they can put something on the internet and it will remain private, especially thinking back to things like Snapchat, Yahoo, and yeah, more recently Facebook, and the idea that their information is effectively being used for profit

anyway. So I know a lot of young people I talk to who aren't technically inclined, you tell them things like, you know, don't use the same password for everything, and they say, oh, why does it matter? I've been hacked a hundred times anyway, the NSA is watching me through my webcam, why should I care? Do you think we'll actually get to a point where that sort of thinking becomes more pervasive, and to a certain extent privacy just loses its value in general because data is not private? I think that's an absolutely valid conclusion to draw from, you know, if you're a person growing up in the current state of things. And I, you

know, as an old man, I'm really sorry that we did that to you, right? We did that. We built this system that you grew up in and that's now taken all your privacy. When I was your age, right, I wrote all my dumb [ __ ] on a BBS that's just long gone, right? There's no record of that on the Internet, unless someone's got an archive of it. It's great, okay, let's talk about the archives... [ __ ], that stuff died, right? And it gave us a chance to make mistakes on the Internet, to learn the trade of hacking and to not really pay the price for that. Unfortunately, now, we, you

know, as a young person trying to get a job, every dumb thing you've ever posted a picture of on Facebook or whatever... probably you don't use Facebook, as a young person, it's old people... but yeah, and that's a really shitty situation I think you guys are in, and I'm real sorry about that. I don't know what you're gonna do about it, but, you know, we'll get to a point, I guess, when, you know, you've matriculated into being an old man like me, where, you know, maybe we will have paid the full cost of that. And much like we're paying the full cost of fossil fuels now, or at least beginning to think of it, we'll start to

pay the full cost of giving away privacy and pretending it doesn't matter, when it absolutely does. And all of the 90s cypherpunks who are crying, you know, into their OpenBSD installs, you know, will have been replaced by people who have new and fresh ideas about how we're going to do this. I will take a question and a comment on this side. Yes, hello. Great, I know that I sometimes use, like, notifications from Have I Been Pwned to say you have an account on this very old website, did you remember that you had... how do you keep track of your information on the internet? Do you keep track of the accounts that you

have, to patiently go through, like, all the accounts? It sounds like a really good idea. Yeah, definitely best practice. Yes, I know, like the guy who makes... what's the guy who makes the shoes called, whose kids always have awful shoes? Is that the cobbler? Sorry, yes, cobblers have terrible shoes, public toilets are not great, those toilets are fantastic, those over there, you spent your money well. And there are a whole bunch of tools that are great for managing that sort of stuff now that I guess didn't exist fifteen years ago when I was creating these damn accounts that I wish didn't exist. So in a lot of ways people registering accounts now sort of do have a lot more options in

terms of managing that. Yeah, we're probably the worst people to ask about it, because I'm sure we have, like, horrible logs on the internet that we don't look for. I registered a domain that I tried to get for like a decade before the person who had it gave it up, and it's joefitz.com, because, you know, Joe Fitz, and I've been interested in all the emails I get to that domain to this day. I know a lot about this person, a lot more than I ever wanted to know about another person: their tastes and their opinions and their thoughts and the websites they registered to. And it's pretty interesting. I don't know what you're talking about.

We'll take a comment or a question over here. Going back to what you were saying earlier about, you know, the idea of privacy being dead: on the flip side of that, and perhaps naively optimistically, what do you think of Cory Doctorow's idea of this being the period of peak indifference, where we've hit a point where everybody doesn't care enough, and this is the point after which more people will begin to care than didn't care? So on that topic, like, I don't necessarily buy this narrative that, like, young people don't care about privacy. I think people like Mark Zuckerberg love that narrative. I think they care about privacy in different ways to the older generation.

Like, if you have taken a photo and put it on Facebook or on Snapchat, then you're accepting that, yeah, this is probably going to end up being seen by other people on Facebook or Snapchat, there's a chance it might get, you know, hacked; this is a risk that I am managing in my life because I choose to participate in these services. But it's still something that you've consented to; you've agreed to play the game. So there's a lot to privacy where, you know, if I have taken photos that I didn't put on the Internet, or, you know, if I put them on what I thought was a private service and got hacked, that is still, I think, felt as a massive

breach of privacy. And, you know, I could be wrong, obviously, I'm not a young person anymore, but yeah, I really don't buy into that whole, like, privacy is dead narrative. I think that's [ __ ]. Can we take a question or a comment over on the side? Yeah, given that the quarterly report, or you mentioned that 60-something signed up to this straight away, but really the most recent data breach was Facebook, and that only resulted in about 10% of people deleting their accounts, how do you easily convey that information, even though it's going to be in a quarterly report, in a way that people can easily see, akin to, like, the health star rating, or how much

water you use with every flush on your toilet? I think there's a risk of oversimplifying data, which is, you know, we need to strike a balance between that. I think one of the critical things in all of this is, you know, as we talk about, you know, a free, open press is a great thing to have. You know, they can play that game of taking the detailed report. You know, most people will not have read the detailed report that the OAIC released; they will have read somewhere, or seen a 30-second graph on a TV show or something like that. So I mean, I think I'm not sure that's a new problem that we need to

solve. That's really the ongoing issue of how do we take complex data and represent it in ways that are meaningful and impactful to people who don't have expertise, and how do we ensure that the people who are doing that are not skewing it through their own biases. And, you know, if you have that kind of skeptical approach, you talk about not wanting to accept arguments readily, but the truth is that most of us make that as part of our calculation in where we get our news sources, how reliable we think they are, and, you know, those are kind of the critical skills that people... Take a question on this side. So we've touched on a bunch of

things where we've built this complex system, and whenever we build a complex system we lose a lot of the resiliency in it. With the data breach notification, I was being vague on some of the terms of it, you've got the chance that, for the example of the defences that companies might have internally, I can see some of them probably taking a path where they say we don't have the data to know that a breach happened, therefore maybe we don't have to disclose: no, no crime. And so then we've also got, in terms of how things get reported, who is this broken... abuse contacts are really hard for the internet. For what we were talking about before on the sort of

code blue idea I think you're going to have a hard time saying that you haven't violated something that sounds like the computer misuse act if you go around patching unilaterally but on the other hand you've got a middle ground where outfits like shadows properly reporting to a quarter of the people in this room but they've got a poodle vulnerability it's more of a gray area if it every ends up being a discussion how you fingerprint whether someone's vulnerable right because some of the tests for these things actually cross into let's say reading memory in the case of some of the more interesting exploits that have been out there versus just fingerprinting version strings or whatever else but all this resilience is

going to be lost in the common stories, but there are abuse mechanisms that are broken: the way people would report that a company that's a third party might have suffered a breach might be to their line one that doesn't know how to recognize it and doesn't know what they're doing. This whole thing is pretty broken, but can we push off some of the abuse to maybe the people responsible for getting them on the internet, so actually the resellers of IP space and ISPs? There's so many parts to that question that I'm afraid you overflowed the buffer in my head.

I think it's a cogent description of a great many problems that we have, and if there were easy answers that we could give glibly on a panel then we totally would. But yeah, look, we're running out of time, so we'll take one more question and then we'll cross over for you guys to close up with your thoughts.

Lily, returning to your peak indifference thing, I was thinking about it whilst the other questions were happening, I'm sorry. I don't know how many of you have followed the situation in privacy in China over the years, and this kind of concept of a social credit score where, like, if you get drunk and spit on the bus then you're no longer allowed to ride a bus anywhere in the country, because they can data match you and they know that you're a bad citizen. You have this kind of, like, you have credit, financial credit scores in the US, but in China you have this kind of social credit score which, combined with pervasive facial recognition, like

romantic facial recognition, DoublePlay recognition, all the ways of tracking where people are, what they're doing, integrated monitoring of communications in and out of the country, right? You think we're at peak indifference? Can you imagine what it's like in China, right? And you only have to look, like, we are in, let's face it, the liberal West, right, where if we think it's bad, I mean, how many of you have been to China and tried to operate your regular Western internet life behind the Great Wall, the Great Firewall of China? That's a pretty eye-opening experience, right? You realize actually what Blue Coat proxies are capable of; turns out quite a lot of SSL MITM up there. I guess some people

do get hacked by yourself after all. Um, but yeah, like, we are so far from peak indifference, right? If we get to the point where that kind of thing happens here, like, then we're gonna see some, like, wow, privacy is totally dead. So whilst everything we have is terrifying and it's all super depressing, like, you look at how much worse it's gonna get unless we figure out some reasonable balance between just terrifying and, you see how they're gonna have to rise again, and so we might actually end up, because they and their Android phones that they're carrying around, the contrast. There's another comment on peak indifference, is that, and again putting on my academic hat, from, and I mean,

researchers have done, have explored ways of communicating risk to users better. So currently we communicate risk really badly; can we do it better? And the answer is yes, we can do that, but then users have no way of responding to that. All it does is it raises the level of anxiety; they look around, there's nothing they can actually do to deal with that, and eventually they sort of ignore it and keep moving on. So it's not so much that people don't care, it's that even if they do care there's nothing they can do about it. If, you know, let's say you use an Android phone, okay, that means Google can know about pretty much anything you do that

involves that phone, unless you're a technical person and you run some custom hacked-up version of Android that doesn't report back to Google. There is nothing that the average user can do about that, so it's not so much that people don't care, it's that maybe they do care but there's nothing they can do about it. I'm gonna have to stop you guys there and continue that thought, but we'll just get a closing comment from each of our panelists, maybe starting with Joe. Close with some words and leave us with some ideas inside all the things. [Applause]

Kill chain, threat hunting, cybercriminal, accepted risk and base64 encryption. Thank you. At least we've already got blockchain. I don't, I'm often considered, I think, a cynic. I think there's a difference between sarcasm and cynicism. I kind of have hope in people, and I think actually what I see is a lot of people here who provide a lot of hurt, also a lot of terror, but, you know, a lot of hope as well. And sure, you know, the world is terrible and everything is on fire, but I see an amazing group of people who are perhaps, you know, our last best hope for architecting some of the future fire extinguishers that may help us navigate this wonderful, terrible

thank you. Let's thank Jess. [Applause] Peter. So Metlstorm mentioned earlier the car analogy for security, so here's an extra car analogy. The average person knows you get into a car, you turn the key to the right and the engine starts; you turn it to the left, the engine stops. They don't need to know how an internal combustion engine works, or details of an engine management unit, or a million other things. So why should users actually need to know all these low-level technical details about security and padlocks and viruses and all these other things, when they don't need to know the same thing with cars? You know, car manufacturers have managed to get it right; why can't

computer people get it right? [Applause] I think because cars are relatively simple by comparison to global technical infrastructure, I don't know. I feel like it's the same way as Jess, except without the hope. I think it is clear from this conversation, and if you listen to Risky Biz you'll sure have heard the refrain, that we live in the cyberpunk dystopia, and we totally are in just, like, the worst science-fiction noir cyberpunk dystopian future, and you guys are the, you know, noodle-eating, cyber-implanted tip of the spear of that stuff. And if you want to stop us from ending up that, I'd like to fill an extra one there. It's good stuff. Cyber spear, spear,

mm-hmm. If you guys want to help us not end up in wherever this worst timeline is heading, absolutely [ __ ] as it is, then you are the ones that are equipped to make a difference in a way that almost no one else on the planet is, right? You've got the force multiplier of the cybers. Was that only a force multiplier? Sorry, of the cybers. You are, and you are individually, one man, one person, one woman, a force multiplier right now, and you can go out and you could go and patch all of the MikroTik routers on the planet tonight if you want, right? Grab Jame read off of GitHub, little micro devices, and you could have yourself a hundred

thousand robots near you, you know, this evening. Obviously you'd have to fight off everybody else that's doing the same thing, but you can, right? You can go out right now and you can do that, and you can do your bit to try and turn this into the least-worst timeline. On the other hand you could say, I'll get a job, work with the military-industrial complex, make some cross the bombs, blow up some babies, whatever else. Camera op, I can't say that here, right? I don't know, it's a shitty timeline we live in, and welcome to the cyberpunk future. You know, I hope you got your mirror shades there, cos we're sorry here. Thanks, Metl.

And one more round of applause for all of our panelists. [Applause] [Music] [Applause] We have now our closing awards and ceremony, so we'll set up and we'll kick off in a few minutes.