
moment. All right, I want to remind you of a couple more things that we have been doing throughout the evening. There is going to be a happy hour at the end of the evening; there's a raffle for that, and there are people putting their names in the pseudo fishbowl outside for that, so if you want to be part of that raffle, please go ahead and participate. We'll ask for names again tomorrow morning for the one that we'll be having there; we'll give away some stuff from No Starch Press as well as a Fitbit. He had a question; I did not want to answer it. I want to turn it over to
the next speaker. Just reminding everyone to please thank our sponsors, if you do so here in person, or if you do so online, or even if you just happen to bump into someone while you're here; we really appreciate that they help put on and cover the cost of all the things like food and the like. If you have any feedback, besides sf.com feedback, please share that information. Every year we hear people go, "oh, so-and-so said something about the event," and I'm like, then they should submit it, so please go ahead and do that. Anyway, I'm going to go ahead and turn it over to the next speaker. Thank you very much.

All right, thank you. So, who here
uses a computer? Who has it turned on and makes daily use of it? You all stink at information security. Those are the first three laws of computer security, initially termed by Robert Morris. Who here knows who Robert Morris is? All right. Not the guy with the worm; his father. Anyway, who here is Robert Morris? You never know, right? Anyway, my name is Jan and I'm from the internet, and I'm here to help you guys. Ever been on the internet? They've got some crazy stuff there on that internet, like Twitter, for example. Who here is on Twitter? Yeah, you're not helping. You're not helping. Neither am I. You can follow me on Twitter: Vote Quimby. So I went
on Twitter the other day, and it turns out that most people express opinions that are not those of their employers. I'm like, what the [ __ ]? RTs are not endorsements. Crazy. Anyway, so instead of rage-quitting Twitter, I figured I'd take a page out of their notes and say, you know what, this talk is not endorsed by my employer whatsoever. They don't even know what I'm talking about, so don't blame them. But they paid for me to come here, which is really nice, so thank you Yahoo, and we're hiring. Vote Quimby. Anyway, so I came all this long way from New York to tell you something you all already know. You're working in
information security and you know that everything is awful. It's terrible. So I'm surprised they invited me here, because everybody knows this already, right? Here are the things that are awful. So if you search around on GitHub, you know, your regular git dorking, you see chmod 777, which is really awful. You go on and you can search for SQL injection, and that is really, really awful too, right? So there are lots of things that are terrible on the internet, and we in infosec are well aware of this, and we keep talking about this and ridiculing people for this. We say that developers clearly do not know what they're doing, and this is our position, and I think that's not really
helping. Other things that are awful: the internet of unpatchable [ __ ]. We have toys with cameras on them that, you know, spy on children or some such, and of course if you perform some sort of research on how many of these might be vulnerable, then yes, you find that almost every single one of them has a back door, and all these wonderful devices that we put out there are really, really easy to compromise. That's
awful. The internet of unpatchable [ __ ] is terrible. Things that are really, really old by now: this is from over three years ago and still gets a lot of kicks in the infosec community, particularly because of headlines like this, and of course the particular application of this vulnerability is something that is really not a whole lot of fun. But, you know, ridiculing the internet of [ __ ] is something that is really, really easy, and we do it a lot, right? We have a lot of fun doing this and we laugh at it. It's kind of like shooting fish in a barrel, or like, you know, sifting through Shodan and seeing what kind of vulnerable things
are out there on the internet. What do we have over here? We've got some sort of subway payment system, and another toilet, a cognac distillery, and some ski lift, apparently. Yes, infosec research at its finest: we're just browsing Shodan and we're calling it, you know, furthering the state of security. And I think this is where we have to take a little bit of responsibility and accept that we're not helping by just doing these things. It's really, really easy to laugh about these things, and really, really easy to point fingers and say developers don't know what they're doing and users don't know what they want, and look at all these, you know, things that are open up there. But
we actually should be focusing a little bit more on trying to help in this regard. All right. So one of the side effects that occurs is that I think every industry gets the conferences it deserves, and the conferences are a reflection of how the industry behaves, and we apparently have reached a point where people who are paid for a living to play pretend get to tell us how to do our job. That's a little bit awful. This is also a reflection of a certain mindset where some people think that they can do somebody else's job, and this is the lesson that I think Sean Penn has to learn, just like I think we have to learn it too. Being really
good at this one thing does not mean you're really good at this other thing. Being a really good actor does not make you a really good investigative journalist, or somebody who understands the implications of operational security. But on the flip side, being really good at those things does not mean that you're a really good developer, and does not mean that you are really good at building infrastructure, and does not mean that you're really good at running internet services and all these other things. And so I think that we have to become really aware of this, because we oftentimes present ourselves as ridiculing other people and laughing about their incapabilities because we understand how all this stuff works,
right? We're on the internet, we know how the internet works and we know how to break it. And one of the reasons that I think we're not helping is that we do not live in the real world. We do not live in the same world as the people that we try to protect or the people that we try to help. Information security in general is not the same as the real world. We live in a world where Hanlon's razor is really, really dull, where the assumption of maliciousness is much more likely than stupidity; in the real world it's the reverse. Of course Snowden didn't help the whole thing a lot, you know, all the
tinfoil heads that were spewing all sorts of theories a couple of years ago, and we laughed at them, and nowadays we're like, oh yeah, that actually happened. So yeah, thanks Obama, uh, I mean Snowden. But there are other people who live in the real world, and they live in a different world than we do. Amongst them are journalists, journalists trying to protect sources, who in 2016, as well as in 2013 in this case, still do not know how to protect their sources appropriately and have to be taught slowly and very painfully. So there are people who live in the real world who are doctors and nurses and hospital administrators who all of a
sudden have to figure out how to use Bitcoin to pay somebody ransom for their data, and that is the real world for them. The real world includes people who are store clerks who have to verify signatures on credit card receipts. I don't know if you can read this, but some infosec person wrote "butthole" as their signature. Big New Cas knew all sorts of things in this regard, but we know that this is funny, and the people in the real world actually probably do not think so. Parents live in the real world, parents who hear stories about cyber attacks, cyber bullying, cyber pornography and all things other cyber, and who are just trying to do their best,
and you know where this is going, right? You know that, yeah, well, you've got a parenting app that actually spies on children, and then of course that leads to a data exposure, and those people are all at risk. That's also awful. Lawyers live in the real world, lawyers who try to communicate with their clients and that cannot be guaranteed any confidentiality, and we come and we tell them, oh wait, you should use PGP. There's no way they're doing this. There are no encrypted phone calls, there's not even an expectation of privacy, and the data that they are logging here is then of course exposed very quickly. Other people who live in the real world include librarians, librarians
who are trying to expunge the records of the books that are being lent, that are being requested, and they are teaching classes to try to help other people understand how to maneuver the internet and how to use the computers. They're doing so using computers that are 20 years old, and they're still doing an amazing job at it. Not all things are awful: this was the case where librarians were finally allowed to run Tor relays and Tor exit nodes in the library, because librarians actually understand many of these problems. They do live in the real world, and seriously, librarians are [Applause] awesome. Librarians are awesome. Librarians really understand the implications of privacy and freedom of expression and all those things, and you
really should stick with them. So don't [ __ ] with librarians. Those are people who live in the real world, and that is not our world. Those are all the people who live in the real world, who have a different world than the one that we do, and we should try to figure out how to help them. And normally, whenever we see these problems, what do we do? Well, we recommend you rub some crypto on it, because that always works; crypto never fails. But we should probably step back and think whether or not this is the right solution for the regular people who live in a different world than we do. So yeah, everything is awful and we're
not helping. I said earlier, or I had on my slide anyway, that I call this an optimistic talk, because yes, everything is awful and we're not helping, but maybe we can figure out a way out of this. Maybe we can take a look at what all these cases where things are awful have in common, and if you look at those you get a couple of stories that keep repeating. Who knows who this is? Anybody? Yes, this is the S in RSA, correct, Adi Shamir. Who here knows who Adi Shamir is? If you don't, how did you get in here, God damn it? Anyway, fun fact: did you know the S in RSA does not stand for
Sean Penn? Anyway, who here is Adi Shamir? All right, got to cover my bases, never know. So Adi Shamir, when he accepted his Turing Award, gave a speech and he coined three laws. One of them is that absolutely secure systems do not exist. The second law said, to halve your vulnerability you have to double your expenditure. And cryptography is typically bypassed, not penetrated. So he gave this speech and got this award in 2002, and 14 years later I don't think we have completely internalized these lessons, and it would behoove us to do so. Absolutely secure systems do not exist. That's something that we have to learn and accept and just really deal
with it. And it's a problem for people who work in cryptography, for example, because if you fail a little bit in crypto, yeah, you fail all the way. That's just the way it is. But not all problems are crypto problems, even though they are security problems, so we have to sometimes accept that we have to make trade-offs and we have to deal with certain imperfections. So absolutely secure systems do not exist, but that's fine. Oftentimes it is entirely sufficient to just raise the cost of an attack above a certain level so that your attackers can no longer exploit it. For that, of course, you have to know your threat model. I said that raising the cost of an
attack is entirely sufficient in most cases if you understand who your attackers are and what their capabilities are, so you have to actually understand your threat model. In this regard, you're welcome. Who here knows who this is? Anybody? See, that's another problem: we know the security people, we don't know other people. This is Fred Brooks, famous computer scientist. You may know him from his work, as in The Mythical Man-Month, and in particular the essay "No Silver Bullet". It's particularly important and useful in the software development community, and it would behoove us to actually understand those two. Anyway, so he had in this essay the idea of having certain types of complexity in
software, namely that you have essential complexity and accidental complexity. Essential complexity is complexity you can't remove from the problem; accidental complexity is all the stuff that you add around it accidentally, and that really makes things more complex, but you could do without it. Here's an example: if you have a web service, and I hear that's a thing, and you put it on the internet and you want to do this over HTTPS, there are certain things you cannot avoid. You will expose it on port 443, you will use TLS, and it will speak HTTP. This is the essential complexity of this problem. But at the same time, you do not have to have a million ciphers enabled, you do not have
to have all sorts of different limitations, different libraries that you're using (and the slide is cut off there), you don't have to have all sorts of different applications serving HTTP content either. That is accidental complexity, and we should strive to reduce accidental complexity to simplify the world, because it turns out not only is this better from a software engineering perspective, it also is better from a security perspective, because reducing complexity drastically reduces your attack surface, and if you reduce your attack surface then you are winning. You should have some data. Data is your friend. We have over here a chart that just shows, a little bit scaled down, the distribution of some of the
SSL ciphers used on the web stack over time as we're dialing them down. If you track them, you see one going down, and as this one goes down the other one goes up. So if you have a preferred cipher list and you shuffle it around a bit, you can figure out which one is all of a sudden already dropping off. Once you realize which one's dropping off, you can turn it off completely, and once you do that you can move on to actually serving TLS very well, and you have reduced the complexity and the attack surface of the problem. And getting this out to your entire stack also then reduces your attack surface. So data is your friend. If, for
example, you take numbers from your bug bounty program and you look at the frequency of issues that are reported, then you have a whole chunk of data and you can say, hey, which one is the most important for me to address? But you have to be careful with your data; you have to understand what story the data is telling you. This is just frequency, so based on frequency you would say, hey, we should focus on SQL injection and XSS, and then we have, you know, knocked out almost three quarters. But at the same time, the different vulnerabilities may have different value, and you're probably paying different values for them, so you can actually do
another graph. You can just say, hey, what's the average payout by a given type of vulnerability, and then you can see which one you should focus on. This is a Pareto chart, which I'm particularly fond of, to try to help you make these decisions. I left out the actual numbers so that you don't come to me and say, hey, you didn't pay me enough for my self-XSS. And it's going to cost you: if you want to reduce your attack surface, if you want to reduce your vulnerability, you have to pay. So you can actually also see how much it's going to cost you to win, how much, if you use the data. So data is your friend. Let's take a
look at this. All the things that were awful earlier: we said, okay, where are they? We have SQLi, XSS, RCE, redirects, all these things. What we're missing here is APTs breaking our cryptos. That is nowhere in there. This is not the low-hanging fruit that we're seeking. Cryptography is typically bypassed, not penetrated. You will not see these kinds of things show up in your bug bounty, because they're bypassed, not broken. Cryptography is typically bypassed, sometimes legally, so a six-digit PIN seems to be sufficient to foil a fairly capable adversary. Here's a graph of how the US does risk management. We have cause of death on the left in the blue column and
government spending in the green one. The column that goes all the way off the chart is terrorism. This is risk management in the US. That is awful, but we are doing something similar: we are pretending that APTs, people breaking our cryptos, is this really super important thing, and we spend all our focus on it, when on the same side we have people, just script kiddies, doing SQLi, and people pushing their keys to GitHub, etc. And maybe we should adjust our focus here. So APT is super exciting, because we can think, hey, we can do all these wonderful things, we want to fight against all the evil governments and all the mafias and all those things, but in
fact what we're really seeing as a persistent threat is the ILOVEYOU virus from 2000, basically. Still phishing. Phishing still works; it's the way into the system. Maybe we should focus on that. If you think problems can be solved by cryptography, you're probably wrong. There are very few cases that you can actually solve by applying stronger cryptography. One of the things that does not work is people uploading their credentials to GitHub. That's the thing everybody does, yes; we have a lot of those. It's really sad, but crypto will not help us here. So yeah, everything is awful and we're not helping. Let's figure out a way around this. First of all, we have to
accept that everything is awful. That's fine. We said, is the internet on fire? Probably. In fact, we have an OpenSSL advisory coming up on Tuesday. Mhm, yes. So the internet is probably on fire, but the internet is always going to be on fire. I put this website up after Heartbleed, and since then every week or so some major event happens and we are panicking and we're losing our [ __ ] and we're starting to try to patch things, and the next week we repeat it over and over again. We should focus on being calm here and addressing these problems more easily without losing our [ __ ]. So don't waste your time on busy
work. Measure your impact and prioritize. In order for you to be able to do that, you have to actually understand your threat model, as I said earlier. In order to understand your threat model, you actually have to have a threat model to begin with, so maybe start there. Threat models are awesome, and I know that many people here understand threat modeling in general, and I'm just going to leave this up here for completeness' sake. We have a bunch of circles: we have threats you know about, threats you decide to defend against, threats you can defend against, and some threats that you care about, and you should figure out how to increase the circles appropriately. The blue circle is really
important, so is the green one and the yellow one and the red one; all those circles are really important. So understand your threat model is what I'm saying. So yeah, measure your impact, prioritize, but help others to take responsibility, because you can't do this all by yourself. You have to help others, you have to teach them and you have to guide them, and when you do this, try to be understanding. Other people's jobs are not as easy as you think they are. We say, oh, you should just not upload your keys to GitHub, you should just do this, you should just do that. When you say "just do", stop talking. You do not understand the whole implications. You're
not an expert at all things. You may be an expert at infosec; try to be understanding that other people are experts in their domain. So yeah, do try to prioritize and be helpful, teach and listen, listen to the other parties, to the other teams, what they're doing, what they're working on. And stop with the [ __ ] Sun Tzu quotes; those are not helping at all. All right, thank you. [Applause]

Thank you. We want to give you a speaker gift of a Fitbit. Thank you very much, I really appreciate it. Awesome. We're going to get the next speaker up here, hopefully very short.
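Added worked example, not part of the talk or the speaker's material: the two "data is your friend" steps described above, tracking the share of each negotiated cipher suite week over week to decide which suite can be turned off next, and ranking bug bounty classes by total payout (count times average payout) instead of raw frequency, as the talk's Pareto chart does. The cipher suite names, weekly counts, vulnerability classes and payouts below are constructed for illustration and are not the speaker's numbers; the OpenSSL-style colon-separated cipher string is an assumed configuration format.

```python
"""Turning telemetry into pruning and prioritisation decisions.

Constructed sample data (not from the talk): per-week counts of negotiated
TLS cipher suites, and a bug bounty summary of (class, count, average payout).
"""

# Constructed: handshakes per negotiated suite, keyed by week label.
# The legacy RC4-SHA suite is being shuffled down the server preference list,
# and its share keeps falling as clients negotiate the AEAD suite instead.
SAMPLE_WEEKS = {
    "W01": {"ECDHE-RSA-AES128-GCM-SHA256": 700, "AES128-SHA": 250, "RC4-SHA": 50},
    "W02": {"ECDHE-RSA-AES128-GCM-SHA256": 780, "AES128-SHA": 200, "RC4-SHA": 20},
    "W03": {"ECDHE-RSA-AES128-GCM-SHA256": 850, "AES128-SHA": 145, "RC4-SHA": 5},
}

# Constructed bug bounty data: (class, number of valid reports, average payout USD).
SAMPLE_BOUNTIES = [
    ("xss", 120, 200),
    ("sqli", 40, 1500),
    ("rce", 5, 10000),
    ("open-redirect", 60, 150),
    ("self-xss", 90, 50),
]


def cipher_shares(weeks):
    """Return {week: {suite: fraction of that week's handshakes}}."""
    shares = {}
    for week, counts in weeks.items():
        total = sum(counts.values())
        shares[week] = {suite: n / total for suite, n in counts.items()}
    return shares


def cipher_candidates(weeks, threshold=0.01):
    """Suites whose share in the latest week is below `threshold` and has not
    grown since the previous week: the ones safe to disable next.
    Week labels are compared in sorted order, so use sortable labels."""
    ordered = sorted(weeks)
    shares = cipher_shares(weeks)
    latest, previous = shares[ordered[-1]], shares[ordered[-2]]
    suites = {suite for counts in weeks.values() for suite in counts}
    candidates = []
    for suite in sorted(suites):
        now, before = latest.get(suite, 0.0), previous.get(suite, 0.0)
        if now < threshold and now <= before:
            candidates.append(suite)
    return candidates


def prune_cipher_string(cipher_string, drop):
    """Remove the suites in `drop` from an OpenSSL-style colon-separated
    cipher list, preserving the remaining preference order."""
    return ":".join(s for s in cipher_string.split(":") if s not in drop)


def by_frequency(rows):
    """Classes ranked by report count, the view that over-weights cheap bugs."""
    return sorted(rows, key=lambda r: -r[1])


def bounty_pareto(rows):
    """Classes ranked by total payout, with cumulative share of all spend.
    Returns [(class, total_payout, cumulative_share), ...]."""
    totals = sorted(((name, n * avg) for name, n, avg in rows), key=lambda t: -t[1])
    grand = sum(total for _, total in totals)
    out, running = [], 0
    for name, total in totals:
        running += total
        out.append((name, total, round(running / grand, 3)))
    return out


if __name__ == "__main__":
    drop = set(cipher_candidates(SAMPLE_WEEKS))
    print("disable next:", sorted(drop))
    print("new cipher string:",
          prune_cipher_string("ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA", drop))
    print("by frequency:", [name for name, _, _ in by_frequency(SAMPLE_BOUNTIES)])
    for name, total, cumulative in bounty_pareto(SAMPLE_BOUNTIES):
        print(f"{name:14s} {total:>7d} USD  cumulative {cumulative:.1%}")
```

With the constructed data, frequency alone would point at XSS and self-XSS first, while the payout ranking puts SQLi and RCE at roughly three quarters of total spend, which is the shift in focus the talk argues for; the cipher check flags only RC4-SHA because its share fell under one percent and kept falling.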