BSides DC 2018 - Keynote
Show transcript [en]
besides DC would like to thank all of our sponsors and a special thank you to all of our speakers volunteers and organizers for making 2018 a success the the talk I'm going to give is actually a prepared talk and I'll make it available to the organizers after this and you're welcome to you're welcome to share it and so forth it's a privilege to be here and I I mean that if you came in my office you'd find that I have and I've done this forever I've had a sign on the wall that says work like hell share all you know abide by your handshake have fun I actually stole that from Harold Edgerton who invented the stroboscope if
you've seen the picture of the perfect drop of milk or the bullet going through the Apple that was on his wall and I've adopted it and the reason I mentioned that is because your imitation embodied all four of those things and I and so I very much appreciate it um there's a lot to say in some of it as a the subtle characteristics that all of you all know only too well nevertheless I'm gonna try to be crisp I must make one small disclaimer though and that is as you know I work for angkatell and my speaking here is I'm speaking for myself and not in cattell at the same time outreach is part of what we try to do
and we appreciate the opportunity to give back to the community here today where and wherever we can I'd be happy to discuss that one-on-one at the break or some other time or you can connect to one of my colleagues who are milling around here today and we have a spot outside and so forth all that said let me just get down to it when I was younger I used to say that I lived in the future and most people who would say that are thinking William Gibson whose remark you probably well know which is that the future is already here it's just not evenly distributed and but I don't mean it that we actually what I meant was that I was
staring into the fog of the future as hard as I could stare so as to pick a path through it some of you will recognize a verse from first Corinthians chapter 13 for now we see through a glass darkly but then face to face now I know in part but then I shall know even as I am also known which I mentioned because in the original Greek the dark glass is a word with substantial cybersecurity import it is enigma I return to this point shortly but in the meantime let me be clear cybersecurity and the future of humanity are now conjoined each of cyber Security's core realities carries policy Freight but full analysis of that is a
bit too subtle for this morning short exercise however you feel about the origins of the world it is now our world we are evolving it our intervention and evolution is just more evolution but at a faster clock rate changes that depend on the favorable allotment of random perturbations take geologic time including the time to test for side effects changes that are designed may have just as many unforeseen consequences but the equilibria they punctuate are of much shorter duration often a duration short enough that there's little real stability between episodes of punctuating change by analogy as wind strengthens at sea waves stop getting higher and they start getting closer together in my career I've seen enough of these cycles of
stability and surprised to find the description apt even if the cadence is a bit a rhythmic the most challenging security RFP request for proposal I ever received had exactly three bullets assesses thoroughly tell us how we compare to our peers streamis engineering change orders that keep us at constant risk and despite the brevity and clarity of that it was simply impossible to meet keeping at constant risk was and I think remains a Bugaboo the root source of course of risk is dependence especially dependence on the expectation of stable system state dependence is not only individual but mutual not only am i independent or not but rather a continuous scale asking whether we are dependent or not and it
is called interdependence interdependence is transitive hence the risk that flows from interdependence is also transitive if you depend on the digital world and I depend on you then I too am at risk from failures in the digital world if individual dependencies were only static they would be eventually evaluable but we regularly and quickly add dependence to new things then that added dependence matters because we each and severally add risk to our portfolio by way of dependence on things for which they're very newness confounds risk estimation and dust risk management interdependence within society today is absolutely centered on the Internet beyond all other dependencies except in climate and the Internet has a time rate of change five
orders of magnitude faster than climate does remember something becomes a critical infrastructure as soon as is widely enough adopted adoption is the gateway drug to criticality one thing we see here is that there's a kind of oscillation going on thirty years back you would take your data to where the computing was University central computing facility perhaps then inventions made it possible to move the computing to where the data was and every worker came to have something on their desk with which to do that processing then came the twin innovations of virtualization and software-defined networks so the distal end of the connection is once again merely a display tool while the data has again gone to where the computing is
only now we're not so sure where where is the next oscillation has already begun but it like the future is unevenly distributed computing is going back to where the data resides in the sensor fabric per se at each stage of an evolution the best X ever produced is also the last X ever produced when it is itself rendered irrelevant by the leading edge of the next phase unless we have become as gods some mix of the unexpected and our adaptations to it will be that of which the future is made every invention we make proves either non viable which is to say a non-functional mutation within our human design ecosystem or viable which is to say it ceases and hitherto
unoccupied niche either by creating that niche or stealing it from whoever occupies it now whether creating or stealing a niche does not matter since over time the number of niches increases at least until there is a catharsis which and the original Greek meant cleansing or purification the important thing to realize from a biologic analogy is that to the biome to the occupier of a niche that was here yesterday and will be gone tomorrow extinction is a surprise no tree can say time to move uphill no salamander can say I need to mutate the evolutionary change depends on this unpredictability otherwise yesterday's winners are tomorrow's winners yesterday's dominant species only get more dominant tomorrow this is
true both for nature as wetware and nature as soft where I trust that some of you have read Nassim Taleb x' work such as the Black Swan for which a if not the central point is that as the tails of a distribution get fatter the average the mean the predictable becomes a function of the distributions extreme values and all the rest of the distribution there's so much window dressing a fat tailed setting inherently resists prediction but for that very reason makes prediction ever more compelling to pursue talib synopsize is the pregnant present techno social phenomenon and momentum as follows we are undergoing a switch between continuous low-grade volatility to the process moving by jumps with less and
less variation outside of those jumps note that I am NOT conjuring up nation state actors or divine intervention though I personally believe that both are at work and at all times what I am suggesting is that change is what evolution is about that change is rarely steady but rather tends to be abrupt the change is event-driven that the amount of change an event engenders is proportional to the surprise with which that event arrives and that we cannot make this otherwise our preaching on this topic wastes airtime the more we say it is coming for some cyber security value of it the more those who live only in the moment will have good and marketable reason to ignore us speaking
as a person with some training and probability the point to remember is that probabilistic events occur eventually if we look at nature in the form of the equations of ecology we see two alternative games for survival our selection and K selection our selected species produce many offspring each of whom has a relatively low probability of surviving to adulthood while K selected species are strong competitors in crowded environments k-selected species invest more heavily and many fewer offspring each of whom has a relatively high probability of surviving to adulthood if we change the term from produce many offspring to reimage frequently you now have precisely the world of VMs or to be more current still the kind of container
components and a DevOps setting where it is arguable whether moving target defense or minimizing new product introduction latency is the actual paramount goal this idea of punctuated equilibrium is perhaps you can tell as a hold on me I traced the birth of the cybersecurity industry to Microsoft's introduction of a tcp/ip stack as a freebie and windows 95 thereby taking an operating system designed for a single owner operator on at most a private net and connecting it to a world where every sociopath there's our next-door neighbor that event was the birth of our industry though the fact was unnoticed at the time the second of these moments occurred somewhere around to the best of my guess or 2006 when our principal
opponents changed over from adventurers and braggarts to professionals from then on mercenaries some armed with zero days have dominated the defense response has been varied with the rise of bug bounty programs and software analysis companies are the two most obvious an internet of things with a compound annual growth rate of at least 35 percent will be more like anabolic steroids than anything for at least those two to august's ago we passed a third such moment the DARPA cyber Grand Challenge showed that vulnerability finding and fixing which is heretofore required human experts may shortly come within the Ken of fully automatic programs or shall we say algorithms that are today at the upper level of skill with some sort of
intelligence soon as with both of the previous two turning points the effects will reverberate for the indefinite future I've long argued that all security technologies are dual use and the day after the cyber Grand Challenge Mike Walker the darker programming manager in charge of it said as much on camera I cannot change the reality that all security tools are dual use those who wrote whenever any form of government becomes destructive it is the right of the people to alter or abolish it as in the Declaration of Independence also wrote the right of the people to keep and bear Arms shall not be infringed that's in the Second Amendment and they broke both at a time when the weapons of
the yeoman farmer were on par with the weapons of the infantryman in the intervening centuries weapons of infantries have so far surpassed those of the yeoman than any right of the people to abolish destructive government could not rely on weapons kept at home but relative might between state and non-state is today closer than it has been at any time since 1791 this oscillation in the balance of power may be peaking but never before could a dozen guys and gals and their pajamas meaningfully annul the state's use of force justice hunters must lead their target we must lead ours what's at the time however we have first to argue arguing about what our target actually is and what is obviously a target-rich
environment but let me step back just a moment before contributing to that argument first what is security my definition which underlies or should I perhaps say bias is my analysis today is that a state of security is the absence of unmitigated surprise let me repeat that a state of security is the absence of unmitigated or so prai's the state of security is not the absence of surprise it is the absence of unmitigated or surprise in other words we will and should expect to fail from time to time second the second one and coming from the first is that the highest goal of security engineering is no silent failure not no failure but no silent failure
you cannot mitigate something that you are not aware exists all well and good as you know nonetheless no and directly in your case our hardest problem is not that of deploying mitigations but rather deciding how to spend our inherently limited deployment capacity what mitigations do we actually deploy which malware do we counter what vulnerabilities do we patch what alarm still we chase down and investigate fully you know this as well as I do the true task of the security worker is to pick what to do based on an informed sense or intuition of which task selects for the better future there's always too much to do there's always a top-down demand for protect for perfection at
this point I can start making predictions about the future but I'm not going to they might be right and they might be wrong but unless we or perhaps the organizers want to start putting real money on the table those predictions would be worth what you paid for them instead for the purpose of this talk I'm going to describe some choices we have to make choices that we will make one way or the other these are choices we have to make not in the sense of what will I have for breakfast but rather in the sense of coming to a fork in the road and picking one of the turnings realizing full well they will never come back to that fork as
unencumbered as we are now Metrix much has been written on security metrics but we are still short on what constitutes the minimum essential set for cyber security Charles Darwin said all observation all observation must be for or against some view if it is to be of any service at the macro level the fork in the road we face is which of cyber Security's two possible goals our metrics are up or our observations are to be for or against is it driving the mean time between failures to infinity or is it driving the mean time to repair to zero both can be said to achieve the same goal 100% availability but which do we steer by and by the way don't say
both embedded systems you can call this the Internet of Things if you prefer Qualcomm swarm lab at Berkeley predicts 1,000 radios per human by 2025 Pete Diamandis of the X PRIZE frame wrote a book called abundance he calls for 45 trillion networked sensors by 2035 these kinds of scale cannot be supervised they can only be deployed and left to free run if any of the free running is self modifying the concept of measurable attack service is just plain over so - as a concept of trustworthy computing at least as we presently understand it but to make clear the fork in the road embedded systems must either have a remote management interface or they must have a finite lifetime a remote
management interface delivers serious risk to us almost as much as it delivers us from serious risk enforcing a finite lifetime by contrast means culpability for those who fail to implement it but that means culpability for whom and how and for what either way immortal and unfixable is anathema defense as mentioned earlier the automated discovery of vulnerabilities is a classic dual use technology our choice our fork in the road is either to move toward proving that a body of code implements its it's it's spec and no more or to embrace moving target defense code proving is a if not the gold standard but it is also difficult and expensive enough to do that after a successful proof is in hand you must
then adopt a brutal change control to protect your investment moving target defense may be good enough to reverse the defender attacker strategic asymmetry that today favors attackers but it also guarantees that exactly how any field that instance of code really works at any given moment will require an intermediary to explain taking either path is a serious choice supported by serious results obtained by serious scientists it is also a choice that's hard to later rescind composability three years ago my colleagues at a leading software security assessment firm said that the sizes of applications they were seeing had grown so large we're talking 20 gigabyte web apps for example that they had had to be machine written code so they were able to say
that therefore that even machines can write Vaughn's today they say that the average code blob is very small consistent with a trend to micro services this is in fact more of the same but now we throw in small modules that might each be provably correct and ask whether security can made to be composable can we find a way to ensure that connecting to secure modules delivers a secure result probably not but DARPA program manager Sergey brightest is formulating an effort to see if parsing at least can be made composable until the composability question is answered the choice of module size and interconnection strategy presents fork after fork after fork from which we have to choose to fix or not
fix in 2014 in Atlantic Monthly Bruce Schneier asked a cogent entirely first principles question our vulnerabilities in software sparse or dense treating that as a policy question if they are sparse then everyone you find and fix meaningfully lowers the number of avenues of attack that are extant if they are dense and then finding and fixing one more is essentially irrelevant and a waste of the treasure spent finding it six take away one is a 15% improvement 6000 take away one has no detectable value my policy answer is that for any body of stable code under competent leadership vulnerabilities become sparse over time but as code volume explodes the total number of excellent vulnerabilities must rise
which leads again to NASM Talib and the heavy tails of power law distributions and the black swan the ongoing work by various researchers on the rediscovery rate of vulnerabilities is most instructive in this regard in any case this is another fork in the road defense by hardening versus defense by moving target to quote Cassius Clay or Muhammad Ali I should prefer dance like a butterfly or sting like a bee support in the real world abandoned things that matter a car a house a baby bank account they'll get seized for the public good abandoned codebases should be no different and abandoned code seized for the public good almost surely means open-sourcing it this fork in the road is actually a Hobson's
choice but take it or leave it proposition note that in the sense used here code means not just source but the build environment reproducibility is the issue reproducibility is the requirement tell that to your average router maker but if seizing an abandoned codebase is too big a stretch before breakfast then start with a certifying authority that goes bankrupt who gets the keys machine learning algorithms that are self modifying are either blindly trusted or they must be interrogated or by which I mean that you must be able to get an understandable coherent checkable answer to the question hey an algorithm why did you just do that yet as data volumes grow algorithm efficiency becomes more crucial but the more efficient the
algorithm the less interrogate able it is this was the exact theme of a workshop held by Morgan Stanley and the Santa Fe Institute in October of 2014 entitled our optimality and efficiency the enemies of robustness and resilience for what it is worth every speaker said yes if we choose the blind trust fork and that is what we do we blindly trust just that said thereby setting in place the precondition of a silent failure if we choose the fork that requires interrogate ability then we have in front of us today a research grade problem to solve before there's any more deployment and we give up optimality and efficiency for robustness and resilience because we have to
this fort presents itself anew every single day we put something into production who and we're a public safety argument mandated that we geocode all cellular devices in real time do we use a public safety argument to mandate geocoding the internet if so we have a changed the dynamic of both attack and service provision in addition to a new duty for ISPs of course if cellular endpoints come to overwhelmingly dominate the client-side internet which now seems likely soon to be true parts of this question may become largely moot nevertheless since 1684 Westphalian states have had a monopoly on the legitimate use of force within their territory for that to have continuing relevance cyberspace must be balkanized
and each state must amass the means to project cyber force yet as we know with enough interconnections physical boundaries and cyber boundaries lose all correlation so states increasingly define cyber territory by where their subjects electronically go whether by destination control and the Chinese style or data control and the EU style and so appears a second impetus to geocode the Internet the merger of national security with domestic tranquility prioritization amongst the classic triad of confidentiality integrity and availability we have heretofore prioritized confidentiality especially in the military sector that will not be the case going forward in a civilian sector integrity will supplant confidentiality as the highest goal of cyber security if for no other reason than a growing dependence on data-driven
algorithms confidentiality may not even be in position number two that may turn to be availability what we get to choose at this fork in the road is a body of procedural niceties as to win the need for integrity Trump's the need for confidentiality which is of course where anonymity and provenance have their long-delayed head-on collision this in turn leads to data mitigation we have to soon choose what we want to happen when stolen data is for example not just exposed but also put on a blockchain from which it cannot be erased put differently assured data deletion is far harder than permanent data retention yet many civilized goals including but hardly limited to the right to be forgotten require the
sealing of records or their outright destruction which do we give up the slick usefulness of immutability or information crime becoming unmitigated what does consent of the governed mean when a technology can and does trump a court order might we say that the fork in the road is whether a technology that Trump's a court order makes us choose between variants of libertarianism work or is it a characteristic of what technology must be found to be inherently unlawful what is to be done when contraband information appears and an otherwise innocent blockchain if an algorithm is in charge of something we care about what is to be done if the data from which that algorithm was derived becomes suspect or even is made
to disappear names and reach ability the fraction of the world's endpoints that have names mis fallen if you combine an estimated three billion endpoint addresses that are globally reachable and a global routing table that contains 750,000 entries then a routing table entry represents on average approximately four thousand potential end points or in CID terms a slice twenty notably many of the smallest routing table entries are nat gateways network address translation gateways and so might represent a vast population of other endpoints in the sparseness of ipv6 a named endpoint is discoverable and hence reachable whereas an unnamed endpoint is not are the nameless to be constrained to initiate outbound transactions but never to accept inbound ones what is a key
management model for a trillion small devices that have no resolvable name in the name of security do we require nameless outbound only entities to ask for an occasional update and if so only from entities that do have names momentum says that soon the majority of internet endpoints will not be describable by name nor discoverable by scanning another layer of indirection will of course solve some of those problems and create others provenance and forensics are going to be all but surely deeply affected so what really is the meaning of taking the fork that leads to namelessness more to the point do we dare take it if we can't answer that question analog the most telling fork in the road of them all is whether
we retain an ability to operate our world or at least the parts we would call critical by analogue means analog means and only analog means do not share a common mode failure with the digital world at large but to preserve analog means requires that they be used not left to gather dust on some societal shelf and the hope that when they are truly needed they will work this requires a base load a body of use and users that keep the analog working there's a genuinely substantial debate going on now in Sweden over where their cashless Ness and over carelessness and exactly what regulatory mechanism for keeping a base load of cash processing in place is
societally necessary as the difference between Sweden and Puerto Rico shows being cashless by design and being cashless by accident is equivalent senator angus King Senate bill 79 is pending it would require that the electric grid be operable by analog means frankly it needs your support but entirely uniquely keeping the analog working is also a civil rights issue what we have here is an historic anomaly under nominally where the most readily available counter to an otherwise inexorable drift into a vortex of interdependent singleton technology and preservation of a spectrum of non-trivial civil rights is one in the same counter the guarantee by force of law were necessary that those who choose to not participate in the digital milosh
can nevertheless fully enjoy life liberty and the pursuit of happiness there to opt out of the digital vortex does not require that they live in medieval conditions and by doing so we reap a national security benefit in the bargain as those opting out are the base load for the analog alternative this is a fork in the road worthy of Robert Frost I shall be telling this with a sigh somewhere ages and ages hence two roads diverged into a wood and I I took the one less traveled by and that has made all the difference and that is what I'm here to tell you that the future of humanity and cyber security are conjoined so that as we prepare to make some
decisions that are of the fork and the road caliber we need to think it through because in making decisions about cybersecurity we are in fact choosing amongst possible futures for Humanity those decisions will be expensive to later reverse and either dollars or clock ticks the onrushing world a full personalization means the rational decision for the individual or the small entity does not and will not aggregate into the rational decision for society at large perhaps that is the core effect of a rate of change up with which we cannot keep perhaps this is not just the wisdom of Robert Frost but also that of Donald Knuth premature optimization is the root of all evil perhaps it is
Michael Dell left to themselves creative engineers will deliver the most complicated system they think they can debug or is it Secretary of State John Foster Dulles the measure of success is not whether you have a tough problem to deal with but whether it is the same problem you had last year or maybe it as David wheeler all problems in computer science can be solved with another layer of indirection except for the problem of too many layers of indirection which immediately invokes Camille Paglia the sweeping appeal to history somehow overlooks history's far darker lessons about the cyclic rise and fall of civilizations which as they become more complex and interconnected also become more vulnerable to collapse the earth is
littered with the ruins of empires that believe they were eternal you we us are the masters of the universe now what will we do with that power which we have but a short while more there's never enough time thank you for yours [Applause]
