
Why We Need To Stop Security Tribalism

BSides Cymru Wales · 45:23 · 91 views · Published 2019-10
Style: Talk

Transcript (en)

Thank you so much for having us, thanks for inviting us. I'm Chester Wisniewski, this is John, and we've been working together for a long time. One of the things that we thought would be important to talk about, to kind of kick off BSides, is something that focuses a little bit on the sense of community. I mean, that's what makes BSides such an awesome event, and we're fortunate enough to get to participate in a lot of BSides around the world, and very few of them are this well organized on the first try. So can we get a round of applause for the volunteers? This is truly quite phenomenal, and despite it being the first time in Wales, I don't

know about you, John, but I was really excited to come out and talk. What we're going to talk about today we decided to call "From Apple Apostles to Google Groupies", a little bit about security tribalism. Both of us talk to the press quite frequently, and I think the public is genuinely confused about security: they're hearing about all these breaches in the news all the time, a lot of contradictory things, a lot of companies pumping a lot of marketing advice out as pseudo security science, and, you know, we're often not doing ourselves any favors. So we thought we'd kind of pick this apart and have some fun with it a little bit.

John and I are gonna take adversarial positions on a few topics here and talk about, you know, how this plays out and how we might think about these things a little more carefully when we're providing advice to the public, to our family, our friends, and work better together as a community to ensure that we're actually giving our best when we're trying to advise the rest of the world on the incredibly complicated details of security and privacy topics. So we've kind of broken it down into a couple of little battles, I guess. We've got iPhone vs. Android and Huawei versus Cisco, which we'll have some fun with, but we're also going to talk about kind of how we need to keep ourselves up to date

with the advice we're giving as well, in particular things like password policies and Wi-Fi. I mean, everything's changing on a continual basis, and we need to try to be really clear when we're talking to people outside of our industry on how they can stay safe without, you know, confusing or intimidating them, or taking away from the fun, right? So, between the two of us, back to being old, I mean, we've been doing this for a little more than 50 years, so we've got quite a bit of experience. And one of the things that we see continually, in fact especially at BSides, is arguing, and arguing is really, really good, like,

please, please tell us why you disagree with us at the pub later during the non-after-party. I can't speak Welsh, so I'm not gonna try. You know, we have to have healthy debate and talk about these issues, but we need to do it respectfully, and community-driven events like BSides are perfect for these kinds of conversations. So we invite you to disagree with us afterwards, maybe not during the talk, but we hopefully will have some time for some questions, because you all have plastic bottles if you decide to throw things at us. And no crowd surfing, please, until the talk is over. Please obey the signage. All right,

so let's start with Android versus iPhone. This is always a pretty fun debate. It certainly is, and I don't really understand how there's much of a debate, to be honest with you. I mean, Father Jobs told me everything is just fine and it's perfectly secure, levitating on the stage, and, you know, all your hippy-dippy Android crap and its openness is really kind of doomed to failure, I'm pretty sure. Yeah, but your homogeneity is great, except when it isn't. You've all probably heard about the five vulnerability chains that came out, I guess back in October? Wow, in August. That each comprised multiple vulnerabilities, right? So according to researcher Ian Beer at

Google, who released these things, most of these vulnerabilities were just caused by pure poor QA. So there's no "owning the hardware and the software for better QA", just blatant errors that should have never ended up in production code. And it certainly didn't help the Uyghur Muslims who were being targeted by abusing these vulnerabilities, never mind anybody else who was using an iPhone for a number of years. So vulnerabilities like this just do nothing but hurt the ecosystem. And, you know, F-Secure is the sponsor, too bad Mikko is not here, so in homage to Mikko we thought we'd put up this quote about who he thought was the most secure. This is from a while back, though. I

wouldn't disagree, though. I mean, Windows Phone, to be fair, like, nobody's targeting it, so it's still true. My old BlackBerry is pretty secure as well: despite, fair enough, the vulnerabilities present, I don't know that anybody knows how to exploit them. So, you know, there's some safety in obscurity, but obviously that's probably not the strategy most of us are going to take. And I mean, I get what you're saying, the diversity of Google's platform is interesting, but they think everything can be solved with an algorithm, and that results in things like this, which is obviously quite embarrassing. Everything cannot be solved with an algorithm, and that's one of the reasons, you know, the App Store

ecosystem of Apple is so much better than Google's. Walled gardens, yes, they have their place, but that's not the only reason Apple is doing it, Chet. I mean, curation indeed does help keep some bad stuff out, but it's not a panacea, and it's not just bad stuff that gets kept out of the Apple Store, or the App Store. We've seen plenty of abusive apps in the past and, you know, we'll probably see some more in the future. Apple has decided to appoint itself the arbiter of taste and free speech, or just speech in general, really. Imagine buying a car that you couldn't drive to a strip club, or a TV that refused to show Sky News. Well, maybe that last one... oh man, it's

a good idea, though. Now, let's face the fact, and recognize, that we accept this kind of behavior from a manufacturer that controls 50 percent of the market share here in the UK. Suddenly, picking a phone just because it's got a great camera, for example, you're now locked into a whole moral point of view. And the App Store also, you know, this is a good example of when they banned an app, like a "Steve Jobs quote of the day", because it might not flatter the dear leader. This kind of censorship stifles freedom, it stifles creativity and safety. Apple's more concerned about keeping their access to the Chinese market safe rather than allowing people to choose apps that might be in their

best interest instead of the interests of the user's government. Right, but I mean, that freedom comes with a cost when you're talking about Google. I mean, the wanton, reckless openness invites abuse, like we see with this Fortnite situation. Right, if you're not familiar, Fortnite is a very popular game with the young people these days, and it's not in the Google Play Store. You have to actually sideload Fortnite onto your phone, so you need to go and disable the protections that are present that limit you to the Google Play Store to allow you to introduce this application, all because they don't want to pay the 30% tax to Google for all the billions of dollars they're making with their

video game. Now, I think this is really risky behavior. It sets this as kind of a norm, especially for young people, going "hey, you should disable all the security and take part in this risky behavior of loading random APK files from unknown sources", but, you know, Apple protects you from those kinds of things. You can play Fortnite on an iPhone without having to take those kinds of risks and without teaching your children bad habits. Okay, fair point. So can we just agree that sometimes they both suck? Well, yeah, and maybe that's kind of the point here, right? Like, the truth of the matter is we

have to assess the risk of each individual thing within the context of how it's going to be used, and decide which thing might be safer. Clearly the App Store is more curated than the Google store, but in both cases there are situations where one may be more sensible than the other. Okay, no, he's going to say, but let's face it, the iPhone's more secure, isn't it, John? It is, I just said so, and Steve, before our dear leader passed on, he assured me it was perfect. Yeah, but then why didn't they up the QA? Is it, though? Like, is the iPhone more secure? When you look at the software architecture of both operating

systems, there's a lot of similarity between them. They may do some things differently, and, you know, under the bonnet, iOS 10 and 12 and Android 10 are fairly similar: they use compartmentalization, they use what they call sandboxing, all sorts of other cool tricks that have been around for a long time, but they try to make these things secure. And yes, we do have to acknowledge that when you're trying to compare the two platforms, the hot mess that is the diverse nature of the Android ecosystem does pose some problems. But if we're gonna do an apples-to-apples comparison, you've got to take, you know, an iPhone

and an Android Pixel, the two flagship devices, and compare them together. And when you do that, both phones actually offer you, you know, an it-just-works experience and excellent security, and most of the troubles start with user behavior. It's just as easy to get phished on an iPhone as it is on an Android, and if you take the attitude that your platform is the most secure, you're probably going to fall a little bit harder for a very meticulously crafted scam. So it's only the most secure smartphone until it isn't. Here we go again. This was just yesterday, with an exploit that can own the entire ecosystem, iPhone 4 to iPhone X, and

there's nothing you can do about it, ever. Oh, I'll get an iPhone 11. Well, yeah, maybe that's Apple's new marketing campaign for the iPhone 11. I've been looking for an excuse, my wife won't just let me buy one. And the latest glut of all these iPhone vulnerabilities has even made the fine folks at Zerodium change their minds about who they think is the biggest prize out there. Yeah, two and a half million dollars, though, I mean, that's pretty good. So they're offering two and a half million dollars now for an Android, like, no-click, you know, exploit on Android. But that's a lot of money. Yeah, but do you have any

idea how much one of these costs? Okay, you've got a point there, those are pretty expensive. I'm probably more likely to get more than two and a half million if I just go directly to Chairman Mao and offer him, like, my own. But I mean, that's likely where this Apple bug you talked about... it's not likely a brand new thing that was discovered and published yesterday. That's probably how the FBI's been getting into iPhones for years, and Cellebrite and all those other guys. So the bottom line here is this debate is really more about preference and lock-in than technological competence. Additionally, neither platform is really great at protecting the users that need

it most, really. An iPhone's just too expensive for most of the planet to afford, and the alternative is a cheap phone that's forever stuck on Android 5. So, you know, let's not pretend that one is objectively better than the other when what you really want is rounded corners. All right, so I think we beat that horse to death. Let's move on and talk a little bit about password policies. Rather than being adversarial here, I think we're just gonna take a look at kind of this weird hole we've dug for ourselves with regard to how we handle authentication, and sadly it's a pretty deep and complicated maze. I'll begin with kind of looking at the problem we

have. I think we're all pretty familiar with this problem. This is the top 60 breached passwords from the RockYou breach, 7, 8, 9, 10 years, how long has it been now? It's been a long time since that breach, but this problem hasn't gone away. In fact, I suspect we'll start seeing DoorDash password hashes showing up any time now. And, you know, this is clearly the problem. I mean, we're not trying. You look at this, the number in the second column there, that's the number of people who had that password, by that count. I mean, you're literally looking at seventy-six thousand people who had 123456789.

So this isn't, like, three idiots that you met at the pub, this is a giant problem, and this is what people think of as secret passphrases. So clearly we're not trying. But only 32,000 with princess. So okay, fine, fine, if that's the case I'm just gonna introduce complexity, right? If people aren't gonna do the right thing voluntarily, we'll just simply require them to do it. Right, I thought complexity was the enemy of security, didn't the Generalissimo... uh, yeah, Mr. Stallman? No, no, it wasn't Stallman, it was Ponytail, Schneier, who said complexity is the enemy of security. But nonetheless, this is how we end up with this. Now, I mean, these were just two

random ones I ran into while I was actually setting up this presentation. The one on the left I particularly like: you know, we need to make sure that we're incredibly prescriptive here, 8 to 32 characters, two of the following, must not include more than two identical characters, which I don't know what the purpose of that is. And even worse, our banks. I started looking at banks, and my bank in Canada actually does not even preserve case sensitivity, because they don't want me calling tech support if I have the caps lock key pressed. And this particular one, this is Westpac in Australia, an example from them that, you know, really interesting, note again no more

than two repeating characters. So at least I can have a double S in my princess, in my password, but, you know, it's getting out of control, right? Like, these things are not really helping, and what it results in is this, right? Instead of one password I use on every website, which is my dream, I end up having to create variations of it to meet these ridiculous things, including, I eventually came up with princess with one S in order to meet the no-repeating-characters qualification from the first website, in order to comply with it, and everything goes pretty ridiculous. Fine, complexity's bad, so I'm just gonna expire the passwords

periodically, so at least if they're stolen or compromised we can kind of limit the damage. Well, I mean, that kind of results in this, right? We simply increment them on a schedule, and I certainly worked for more than a few organizations that did this. And, you know, you look somebody up on LinkedIn, you're like, oh, they have a 90-day password change policy, you look them up on LinkedIn, they've been there a year, I'll just add four to the end of all my guesses and I'm likely to hit the jackpot. Right, your password is princess16 now, right? No, well, I've been at Sophos like eighteen years. We shouldn't

disclose what our password expiration policy is. Actually, I'll disclose it: we don't expire them, because it's actually contrary to me choosing a good password, but we can talk about that in more detail later. There are some exceptions to these rules, right? I mean, the whole point of this talk is to go, you know, these things made sense at a point. When you mentioned password expiration, immediately in my head I got back to thinking when we stored plain MD5 hashes in the /etc/passwd file, before the shadow file on UNIX systems. You know, those could be broken in those days over the course of years, so you could set a password change policy of 90 days,

and since everyone had access to the hashes, you know, if you kept rotating them fast enough you were likely to not have them be broken. Those kinds of things made sense at the time, but we have to re-evaluate whether they make sense now. There are a few cases, and in particular when I work with organizations that don't have single sign-on, I mean, expiration can make sense, that can be very helpful. Right, like, if you've got six different systems you log into, you've got Active Directory and you've got the UNIX systems and you've got some cloud thing and they're all different passwords, you probably have a hard time decommissioning people when they're fired. You know, so having a 90-day

expiration means, you know, the person you just pissed off when you let them out the door, they can only exploit you for 90 days until the password expires. That can actually help, strangely enough. But we need to think about these things within the context of where we're applying these policies and think about a risk management approach to this. And what we're really trying to do, of course, is increase entropy. Human beings are terrible at this, right? Like, everything we do in our lives is to try to reduce the entropy in our lives, largely to make sense of things, and that makes choosing passwords really, really difficult. All right, but there are other things you can do, Chet,

if you want to harden authentication. You just, you know, use knowledge-based authentication, right? That'll really stop bad guys. But something I know and something I know is not multi-factor. Yeah, I know a lot. Well, yeah, I couldn't help but use this example, I love it. You probably can't see it, it's a terrible thing, somehow United Airlines made it impossible to screenshot their website with the drop-down. That's so easy, like, the timed screenshot thing, and none of it would work, so I had to take a picture of it, because I just couldn't believe how unbelievably bad it was. Not only did they limit my password to 10 characters and not allow me to use any symbols and

all kinds of other things, so my password manager was freaking out, but in addition to that they did this KBA stuff. And I don't know if you can see this, but the top one there is "what is your favorite breed of dog?", and not only that, they only allow you to choose predefined answers to the thing that's going to bypass all my password security and let you drain my mileage account and get a free trip to Antigua. Sure. And I mean, it's just, you know, these things are not really helping. We have to look at things that would help and try to think about putting yourself in the position of your customer, if it's a customer-

facing thing, or your employee, that kind of thing. And John and I have the privilege of travelling the world quite a lot, and I got to think about different things that would really help. One of the things I run into a lot is that people in Asia are often second- or third-language English speakers. Restricting people to our character set is really gonna make them choose bad passwords, right? They need to be able to put in Mandarin, they need to be able to put in Cantonese, they need to be able to put in Japanese. Why would we limit the entropy, the available things that people can use, when we're storing hashes, when we can allow them to input emoji? Like, do everything possible to enable

every type of person who's going to be accessing your system to do something that's clever for them or useful for them to be safer, without restricting them. Obviously multi-factor can play a role. And another thing, you know, the one restriction that both NIST and I agree on, this is the American National Institute of Standards and Technology, is, you know, yeah, ban those RockYou passwords, right? There are actually a few, very few, websites that have, like, the top 1000 used passwords that have been disclosed in breaches, you know, princess and 123456. That's fair, right? Don't let people use things that, you know, are easily guessed and abused and

simple, with a few simple guesses. But on the other hand, you know, don't require 32 characters, a symbol, and no repeating characters, because you're really making it impossible. That can't fly. And what we're seeing the most success with in a lot of organizations is actually tiering these things down, even into tiers. If you're familiar with the Traffic Light Protocol that we use for sharing security information, often, you know, you have TLP white where it's publicly disclosed and anybody can share it, TLP red, maybe, you know, you are not allowed to share it whatsoever, this kind of thing. Start looking at your systems in a similar way and go, right, you know, the

system at Sophos that publishes virus identities could, you know, compromise all of our customers if somebody were to break into it, so we're gonna require multi-factor, we're gonna require it can only be done from certain systems that have a certificate installed. You know, we're gonna put barriers in place that actually make it somewhat unpleasant to use, but because of the security and the nature of that product we need to make sure it's secure. Whereas when I'm on the road and I need to access the wiki, the fact that I know my username and password in Active Directory is enough to let me access the wiki, right? Like, don't make things more difficult, because the more difficult you

make them, that's what you result in. People will out-stupid your system no matter what your policy is, right? So don't make them want to out-stupid it. Make it easy enough to use that they're willing to comply with the things when they're important, and that they're not required to comply with things that are unimportant. Eggplant, smiley face, there you go. Here's another topic that's getting a lot of press lately. You're American. Cue "Born in the USA", is there a DJ here? Yeah, no. We're not really talking about Huawei versus Cisco, or are we? Is this really about China versus the USA? Well, don't be foolish, I mean, we know the PLA is all up in Huawei's business, and you

know, not to mention it's the law in China, right? Like, they're required to provide access to their gear at the request of the military establishment. So I mean, I think it's pretty clear. Yeah, yeah, Cisco is obviously more secure than Huawei. They say they're not. Well, yeah, just ask them, right? But their CEO is former PLA. Yeah, and Boris Johnson's a muppet, but that doesn't mean I want to see him on BBC Kids, right? So firstly, there's never been any published evidence for these claims, right? It doesn't mean that the Five Eyes don't have any, but they're just not talking to us in the general public about it. Not TLP white. It is not TLP white.

And also the NCSC, the fine folks over at GCHQ, who have the same intel as the Americans, they published a few papers stating that they haven't found anything either in their code reviews. As a matter of fact, what they did publish is that the code is garbage and barely meets the standards for modern security and software engineering. So if that's the case, that kind of evens the playing field, doesn't it? Probably because they stole the code from Cisco. But I mean, backdoors, right? Like we just talked about, they have to provide backdoors. There must be backdoors in the Huawei gear, come on. I mean, yeah, wow, I don't know. There is a

risk, right? Even if the manufacturer is not complicit, it's not proof that they're there. The US government by law cannot, you know, hack into American companies and implant backdoors or do all sorts of shenanigans, but it doesn't mean they won't find other ways of getting their stuff onto your eventual systems, right? Don't you remember that time when the NSA, the TAO group, you know, intercepted a bunch of Cisco boxes on their way to the customer sites? Then they hijacked a truck or something. Yeah, I never figured out how they really did it. And then they kind of implanted their own special toys, right? I just wonder how much time these guys

have to spend at the DEF CON Tamper-Evident Village before they got it right. Right, so I mean, we know we can't trust Huawei, come on, they're owned by the PLA, we've established that. So we've got plenty of other market leaders. Like, if we're not too sure about the safety of Huawei, then why would we choose them? Why wouldn't we just choose one of the other established players? We've got plenty of people in this space that I feel a lot more confident in than I feel in Huawei. We've got Cisco, we've got Juniper, we've got Nokia, you know, all kinds of vendors out there, and I would just choose a

different one. Okay, speaking of backdoors, Cisco does not even need the government's help in this department. As a matter of fact, they excel in this department. Would you really trust the world's largest purveyor of hard-coded passwords with your network security? But, you know, instead of speculating about this stuff, let's take a little bit more of a data-driven approach. I know this isn't, like, a very rigorous, perfectly scientific method, but it gives us a sense of the general security of the two companies' products. When we look at the numbers of vulnerabilities per product in Cisco versus Huawei, it's not even close. All right, so we know we can't trust Cisco, and obviously we can't trust Huawei

either. Nokia's almost as bad as Cisco in the vulnerabilities department, so they're out too, but I hear they make great tires. And not only has Juniper also been accused of having backdoors in their code, but their vulnerabilities are even worse than Cisco's. So where does that leave us? I mean, I guess the little place at the top, who's that? I don't know, TP-Link? What, mine's... do we really care, right? Does it really matter whose router your traffic is going through? Everything that really matters is encrypted, right? You can't see it. So besides, if you know that your traffic is going from point A to point B, sometimes you can't even tell

whether it's leaving your own country, with BGP and all. Yeah, I mean, I don't think I've ever been able to establish what brand of router my packets are traversing the internet on anyway. I mean, it seems like a pretty absurd argument when it really comes down to it. So it's impossible to know, so why stay up at night worrying about it? The bottom line for this is, Huawei versus Cisco, it's almost purely a political issue, right? This is an argument between a man who fundamentally misunderstands tariffs, among a lot of other things, and a rival power that's trying to unseat the, you know, reigning champ in an unwinnable trade war. Okay, so the way we

determine password complexity sucks, we can't trust anyone, and iPhone and Android suck sometimes and sometimes they're great. All right, okay, so the final topic we'll look at is a little bit around public Wi-Fi being scary. I started getting asked about this last holiday season when I was actually here in the UK. I was in London doing some work and a bunch of journalists were talking to me and asking for, you know, scary advice for people for holiday shopping, like, you know, "should we scare them into not using the Wi-Fi at the mall?" and "can you give me ten reasons that Wi-Fi is scary?" And I started thinking about it and going, you know, I don't really think Wi-Fi is that

scary anymore. And, you know, that can be a controversial opinion, but let's dig into it the way we've dug into Huawei and Cisco and iPhones and Androids a little bit, and think about this. All right, so you think Xi Jinping is all up in your router and public Wi-Fi isn't scary? I forgot the health and safety warning: I do have a Huawei phone, so any conversations we have later on will be piped directly to the PRC. Don't you know I'm all up in your cookies, bro? By the way, I'm an amateur artist on weekends and that's my interpretation of the Wi-Fi, so bad it's good. It's the best I could do, we

don't have access to the arts department. So I mean, the truth of the matter is, you know, start digging into things. Back to your argument that it shouldn't matter what the router is that my traffic is traversing, because I should be protecting the data before it gets there: we're making a lot of improvement. I mean, this was back in the Ed Snowden days here on the left side of the chart, right after the Snowden allegations, we were still at less than 30% of general web traffic being encrypted. So that blue line up the center there is the global average of encrypted websites. This data is from Let's Encrypt and the Mozilla Foundation, so basically if you use Firefox and you

set that thing saying "I agree to share telemetry with Mozilla", that's what's feeding this data. And that bottom line there is the worst-performing country, which is Japan, around, I think they're about 69% encrypted for Japanese users of Firefox. The global, the blue line, right now is at seventy-eight point four percent, and the United States is the top line with the most encrypted traffic at eighty-nine point one percent. Now, based on data I have from SophosLabs and some testing I've done in the past, I would argue most of the Western countries, Western Europe, UK, etc., are all around that ninety percent mark these days. Unfortunately I was unable to extract that data directly from the Mozilla dataset, but, you know, ninety

percent of our traffic is encrypted, and I'm suspecting the other ten percent might be things I don't care about. I know I'm a big fan of using, if you don't know about it, it's great, neverssl.com. It's the last HTTP website, but it helps you trigger all those captive portals on the train and at the airport and all that, because if you try to go to encrypted sites, often, you know, you can't trigger the portal, right? So I think a lot of those HTTP things are people logging into their TP-Link and, you know, accessing captive portals at hotels, those types of things. Oh, Chester, all right, so you only think it's

encrypted. You know, haven't you heard about a little thing called SSLstrip? You've been around a while. Yeah, well, I mean, that was a problem, but, you know, again, some of these problems are solved problems, to a degree. Uh, whoa, let's go back, over it and back. Yes, so, you know, HSTS, I mean, most of you've probably heard of it, HTTP Strict Transport Security. I was able to get this graphic from a gentleman who did some training on this stuff. I thought this is a great representation of what it is, if you're not familiar, but the whole idea is to protect against SSLstrip and things like that happening on hotel Wi-Fi networks and airports and these types of

things. And the idea being, you remember that a site was encrypted last time you went there, but you not only remember that the site was encrypted and only ever access it encrypted, you also can bypass things like SSLstrip by remembering the certificate it was encrypted with and who the issuer of that certificate was, so that you are less likely to have somebody be able to compromise your traffic. And you might say, yeah, but it's optional. Well, it is optional, and, you know, how prevalent is it really, and is it going to protect me against the things I'm worried about? Because usually I'm worried about, you know, my credit card, my financial stuff, this

kind of thing. If I'm using a public Wi-Fi, I'm less concerned about other things. And I just did a little digging out of curiosity. This is a couple of screenshots from the HSTS cache in my Firefox on my laptop, and I just rebuilt my laptop about two months ago, and I already had 1,024 sites have me store their TLS certificate, with some timeouts. And, you know, if you look through those, I mean, it's really diverse. Some of them are obvious things like Google and Gmail and, you know, financial institutions and those types of things, but even CDNs like Cloudflare and Akamai that are sitting in front of the vast majority of the

web today are enforcing this by default for random people's, you know, WordPress blogs and crap that are behind them, right? It's almost become the default, or the de facto. And I think that's amazing progress we've made in only, you know, eight to ten years since the Snowden allegations all the way to now, where we've got 90% of the web encrypted, we're locking it down, we verify identities and we only connect to them in a safe manner. That's starting to make me feel better and better about Wi-Fi. Are you a closet millennial? I see Snapchat up there. I use the Windows Millennial Edition, and we'll talk about that later. All right, so fine, fine, but what's to

stop a network provider introducing unwanted code in your network traffic if you remember a little while back a couple years ago there was a case in Argentina please wash earlier yeah yeah well maybe 20 teen but what happened was is Starbucks provide free Wi-Fi when you walk up there you just have to say yes I agree the terms and conditions and after you go and start bucks pays for that obviously but they also have to pay for somebody to provide that for you locally they pay a local network provider and so the local network this is an Argentine the local network provider there who was managing all the Starbucks Wi-Fi beside well they're gonna skim a little off the

top as well right so they actually injected crypto mining code into every session that was browsing through the captive portal because they thought maybe they could earn like a fraction of a penny for from anybody logging onto their life but have you seen inflation in Argentina yes but so what are you gonna do about these guys who want to introduce crypto mining code or something else into the free Wi-Fi that I think is you know not very secure to begin with I mean it's at one point it's kind of an acceptable risk to me and it seems incredibly unlikely to cause me much harm what I'm really worried about is whether somebody can booby trap that with an exploit get

back to you talking about the iPhone exploit chains that were discovered back in August that's the kind of thing that really scares me a lot more than necessarily a crypto minor on a page that I'm gonna be on for 30 seconds while I click accept you know the convenience when I'm in Argentina and I actually traveled Argentina a couple times a year of getting free Wi-Fi versus paying roaming charges and if you've ever seen a Canadian cellphone bill it it would it's it's rather disturbing compared to what you guys have here in Europe when it comes to roaming like ridiculous the prices you pay so you know I think that's an acceptable trade-off and you

know for exploit chains and things like that to work they often won't work in a captive portal because you're not able to access the Internet where much of the code and the command and control server and all the malicious things out there that are out there it just seems unlikely if I'm patching my computer that that's going to be a real risk that I'm worried about so I think I got you because the way to do this is probably with like DNS manipulation right so remember a DNS changer that that's I think that's that's what I'm gonna go so obviously if you're man in the middling connections there's there's a lot of ways I can

manipulate that traffic and so if DNS can be manipulated it just proves I've just proved it that Wi-Fi open Wi-Fi exacerbates this whole problem yeah it's certainly DNS is the weak link in the chain but that's now why we have well okay the rest of the world aside from the UK has DNS over HTTP I think it's an easy thing now that you're leaving the European Union or not but Mozilla actually announced last week that in no way shape or form will they allow the UK to be secure by turning this on by default it's only for the rest of the world because you're wants to spy on your porn but that anyway you can turn it on yourself they

just won't turn it on for you but this is the answer this is one of the answers potentially an answer to this problem DNS over HTTP well it's true I asked me about cloud fair at the pub because I'm not entirely down with this scheme but I am down with you know the privacy and the security it provides over attacks like darkness talking about on public Wi-Fi and certainly while I've been travelling here in the UK this week I've forced turned on my Firefox to use this feature for the privacy enhancing features of it I don't really trust the Marriot Wi-Fi from the standpoint of it not being tampered with I just have to trust in you know trust in crypto to

protect me and this is just another layer of that to protect me from attacks on that network yeah but where else you gonna get your H in all right fine so given all that I think the answer is fairly clear right let's just risk M type everything through a VPN and that will solve all of our problems because now they'll be fully encrypted and and more than you know more than before we'll have encryption on top of encryption so what do you say to that smart guy well is that I guess the question is is that making things better like should I trust Nord VPN more than I trust the Marriott Cardiff I'm not really confident in that

for one VPN services attract people often that are committing crimes or trying to maintain their privacy which makes them incredibly attractive to governments spies and hackers who want to actually compromise their traffic their exit points no different than tor exit nodes are often the focus of spotting because you know that's where the people trying to hide are all coming out onto the Internet so I'm not convinced that that's really that helpful but I as a thought exercise wall is working on the slide I got to thinking like what would the best VPN service possibly be and my conclusion was NSA VPN a free service available to you you're guaranteed to be spied on but only by the NSA nobody else has the

wherewithal to spy on the NSA so when your traffic comes out you know Uncle Sam's watching you but probably nobody else and to be fair looking at you know my risk I'm going you know this actually doesn't sound half bad to me like I kind of figure the NSA is already all up in my anyway and if I got a service from them yeah it seems like I'd love to get through out of their network without being spied on so yeah I don't know how you feel you can share your opinions with us later about NSA VPN but I was thinking about approaching them with this idea and seeing if I can get some startup funding how does it say GCHQ VPN

but they're already spying anyway so only an American's excellence so I'm safe as a subject of Her Majesty the Queen okay so fine you're saying that you know public is great but if I choose the wrong choice here then I'm exposing myself to like all sorts of stuff specifically Network worms like eternal blue blue cape and all the other worms that have yet to come and maybe start still around yeah that's true that's probably true on your land as well but that's why we have client isolation and as much as we travel I've been testing this quite a lot doing a little bit of Wi-Fi sniffing perhaps as a motoring about and almost every public Wi-Fi

network I've accessed in the last year has client isolation enabled and not that's a reasonable layer of protection against the spreading of worms in fact it's probably safer than your land arguably and we've been making a lot of progress in this department the last few years I don't know if any of you have much time to look at some of the new Wi-Fi standards they were all kind of ratified and announced last June but not really deployed anywhere widely to speak of as at this point but Wi-Fi six is interesting because Wi-Fi six as part of the new standard requires that all new here that wants to be certified by the Wi-Fi Alliance has to comply with WPA

three standards and there's a lot of new and interesting things going on with WPA three and and particularly what's called Wi-Fi certified enhanced to open and that's a bit of a mouthful and doesn't really roll off the tongue but enhanced open is the new public Wi-Fi standard and that in essence negotiates a perfect forward secret Keaney in secret for every connection to an open Wi-Fi without any pass well why don't we why do we need this because like wpa2 or you know PSK enough and then well yeah I guess you could just write the Wi-Fi thing on a you know a coupon that the cost of coffee or whatever and give it to people like they

have a tendency to do but in doing my own research on this I thought well how hard is it to like crackin wpa2 PSK these days and I haven't realized that some researchers with the hash cat group that work on how house busting with GPUs and things when they were looking at WPA 3 discovered some new flaws and wpa2 that we hadn't known about before and have accelerated the cracking and capture of PSK keys without even knowing what they are or even being able to observe the initial negotiation you can actually force an access point to cough them up and I thought oh I'm gonna try this on my home network I have a reasonably secure Wi-Fi password on my

home network I think my my passphrase is around 14 or 16 characters I'd actually have to count but I know the decent length decent complexity but something I can remember and tell people and I threw it at my AMD GPU in my desktop machine at home and I cracked it about 2 minutes and 35 seconds with one computer right like if I didn't have my laptop it probably would have been 10 or 15 minutes because I don't have a powerful GPU but like I could steal a PSK wpa2 key without ever knowing what it was or even knowing that somebody's using it I hadn't realized that it actually gotten that bad WPA 3 fixes a lot of these

things and one of the primary things that does to fix it is what is called simultaneous authentication of equals which is a program or protocol called dragonfly in order to do the initial key negotiation well how obviously not going to go through it nor can I explain the mathematics because I don't have a mathematics degree but you can kind of get an idea of the the commitment confirmed process that's used in order to negotiate those keys and it's quite robust at this point no one's really aware of any terrible weaknesses in it there have been a few holes poked in WPA 3 by some researchers along the way which is good because the fact that it's

not widely deployed yet means we can kind of fix the standards a little bit as they're getting baked into the firmware of devices that are starting to ship now and most vendors of our shipping enterprise gear supporting this or firmwares that add it to their existing enterprise gear around now and and you'll start seeing a lot more of it in in the first calendar quarter of 2020 so the bottom line is we have to take factual and data driven approaches to these arguments rather than just letting you know our emotions and our preferences take control of this yes sharks are hazard when you're swimming in the ocean they can get biting from time to time but that

usually happens when they feel threatened or there's some sort of you know external stimulus like chemical signaling or environmental stresses or you know mistaken identity I'm a scuba diver I've been diving with sharks it's great they're magical you know magic creatures but when you're going into the ocean it's where sharks have been known to frequent in time to time it does increase your risk of shark attack but unless you're wearing your tuna flavored swim trunks in shark-infested waters your risk of attack is still fairly low do they make tuna flavorant swim trunks they do now it's a Kickstarter Holly bother so security is really no different right there are hazards as we've shown and there are risks but each

must be honestly recognized and weighed and these topics are just much more nuanced and complicated when you dig into the details even when the hole is only an inch deep as we've hopefully shown today we couldn't go deep into any of these because it is nuanced it is complicated and more over a request context right why are you doing this how are you using it so I'm far more comfortable with my mom using public Wi-Fi than I on Facebook and to me those are sensible decisions and Mike might fairly technically illiterate mom uses an Android phone and she's alright so let's do she plate for tonight she does not like all right so let's keep having

these vigorous debates about security right but in a way that's respectful and on us about the real reasons and the real risks as opposed to the perceived ones this is how our community here in Wales and the larger security community are going to solve these complex and important problems so by all means keep arguing keep debating but most importantly in the words of two most righteous dudes be excellent to each other thank you I see Thomas grabbing the microphone so I'm assuming that means we have time for a question or two kids if anybody has one or challenge your challenge animal wait we accept a good building a question moto so you keep marriage to do or wait Cisco I

think we've got a historic example so what happen or what nor tell nor find Canadian company find Canadian company has been decimated by patent oh yeah no yeah I mean Nortel I guess well I think you might end up in the Windows Phone category if you have Nortel gear which is nobody knows how to hack it because they can't get it anymore might be a win you know fine Canadian engineering from Ontario I believe yeah I actually funny enough to bring up nor telling that I was doing some research for RSA last year and Microsoft bought nor tells IP space lived for a sure because they needed ipv4 IP addresses so the the old nor tell I things are

assigned to Azure now and it was the source of like 8% of the malicious traffic we saw in sofa slaps oh this north tell traffic so it's it's still alive if you do a who is on the IPS they shall come back as nor tell Microsoft's not taking ownership of I think they paid like 16 bucks per IP pretty expensive maybe that's what we do we just go find old Nortel gear and we use that as our routers and switches yeah I've got some old synaptics base which is in the closet I think but anybody else I do it is cool have a criminal suit on yeah thank you very much [Applause]