
2018 BSides Toronto: Ben Hughes

BSides Toronto · 30:31 · 118 views · Published 2018-11
About this talk
Security: we've all heard of it, some of us may have even bought one before. I'd like to explore whether the whole thing is effective and what the implications of that are. We're at a security conference, we've all bought into the idea that this is a good idea, so challenging that notion seems fun and important. I promise there'll be jokes.
Transcript [en]

Oh, you're jumping, then you're getting ahead of me here. All right, so, because you're throwing me completely out of sync: yes, slides will be up on the website in a couple of days after this; it just takes us a couple of days to actually collect them all from everybody. If you're a speaker here and you have not provided us with slides, please do send them to us. On a more important note, it was pointed out to me this morning that in my jet-lag fog I did forget a very, very key piece of the puzzle with regards to the Code of Conduct. While I was being cheeky I missed the really important part: if you do have some sort of incident you

have to report, please find somebody with one of these orange shirts, stand up, and they will help you ASAP. So that is a very serious point: if you do have some sort of issue that you need to discuss, please find somebody with one of these orange shirts from the BSides crew and they will help get you sorted. So apologies for not pointing that out this morning; I really need more coffee. All right, you ready? Well, it'd probably be an idea. So I hope everyone had a great lunch, and thanks again to Proofpoint for providing that, thanks again to Palo Alto for being an overarching sponsor for all this, and more importantly thank you to Ben Hughes, who's our next speaker.

Please put your hands together and give a great big BSides Toronto welcome to Ben.

I hope everyone's nice and tired and sleepy from the wine and food at lunch; what a speaker really wants is everyone falling asleep. But I came here on a red-eye, so I'm falling asleep, so if someone could just, like, run at the stage and lift me up if I fall asleep, that would be appreciated. Cool. Yep, this is BSides, you're well aware. My slides will be up at the end, so you don't have to panic too much about that. There are slides from two other BSides there, because despite the rigor of the CFP process I've made it through three times.

Cool, on with who I am. I'm a security engineer at Stripe; we do the credit cards things. If you've heard of Shopify, you've probably given us money. I used to be doing infrastructure security at Etsy, and if you haven't bought stuff on Shopify you've probably bought stuff off Etsy. And I used to do infrastructure at, and if you're at this you might know of, Puppet; you might have owned Puppet, you might have been owned through Puppet. And because I'm really smart I once wore these shorts and some skate shoes, like these ones, to Montreal in winter, which was not my cleverest move to date. So the talk, yes, there is one: Is Security Even Important? Quite a, quite a fighting talk.

But hey, all the other talks have been lovely, so I figured I'd come out swinging. So, is security important? Of course security is important. Important: you paid a lot of money for a ticket to RSA, which I'm sure you've all enjoyed. SecTor tickets are cheaper, so you should go to that. And I'd say just don't go to RSA; that's generally the best advice in the industry, where I won't be giving this talk. This is US dollars; this isn't your sensible plastic money, which quite rightly has the Queen on it. Different Queen, not the same Queen; yours is the Queen of Canada, different, same person, different Queen. The cybersecurity market is meant to reach some ridiculous number

and is expected to reach an even bigger number, because numbers go up, right? Again, those are freedom dollars, they're not Canadian dollars; good honest freedom dollars, in Fahrenheit. Yeah, so there's all these ridiculous predictions. There's Gartner on there, because otherwise it would be remiss not to have a Magic Quadrant somewhere. Does anyone know the magic of the Magic Quadrant? Is there a quadrant wizard? How much do I pay? Oh, she's got no idea; no, they've stopped talking to me. So what about the people in security actually making money, who aren't the giant vendors, the really important people in security, the ones who actually make bank? Because as we saw from the first joke, they seem

to be doing well despite having terrible OPSEC and, like, just buying loads of hacks off of $450, and yet they're still, like, profiting. Cool. I'm not gonna make any questions from their comments on the socio-economic groups, as that seemed quite a contentious point earlier, but this is what they look like. If you can spot the hack here: someone has stolen the Apple logo off of the iBook, blah blah blah. Criminal damages reach six trillion dollars, which, who knows what that is in Canadian. Ransomware damages are a lot, because healthcare, healthcare, healthcare, ransomware, bitcoins; I have won something in bingo. Verizon data breach is like, yeah, we've just changed the dates on it,

everyone's still getting owned by the same things, and, throw up, I did a better version, so it's a bit sister. All of this, like, many of these are from CSO Online, which, if any of you are CSOs in the audience, I'm sorry, it's like a dry website; then you see it, so there's only one interesting link in all of that. So cybersecurity, or security as we call it, or InfoSec, or hacking if we're really cool, it's a very serious business, as is pointed out in every breach report: like, "the security of your data, the functionality of your servers and your confidence in LinkedIn are extremely important to all of us", except

LinkedIn, who were running ColdFusion and then got hella owned. But that was in their breach notification: it's, it's extremely important to them, but we are on ColdFusion. Important, ColdFusion, yeah. Slack, Hawaii drivers, add a company: "earning trust through the operation of a secure service will always be a highest priority". It's very interesting wording; I probably know who wrote that, I'll be nice to them. Target, when they got ever so slightly completely [ __ ] owned: "your trust is a top priority", so it's not the top priority, it's just, like, up there. How many priorities are... never mind. Security is blah blah blah blah blah blah. I could, if I wanted to,

make a breach report generator; I could just do this. So how serious is this serious cybersecurity industry? Serious, serious, extremely important, serious; that Uber serious. This is a case study. If you've heard of this popular ride-sharing company, based frighteningly close to my old apartment in San Francisco: Uber will pay a bunch of cash to settle some claims, because only 57 million customers', drivers', riders' names, email addresses, phone numbers, probably other exciting PII, just kind of got, kind of got taken by at least one person. And then they went, I know what we can do, we can call this a bug bounty and pay them off, and then no one need ever know. So, 148 million US dollars.

Uber's net worth, five point nine; it wasn't, it's worth, minus 148 million, five point seven five. Who here would be like, no, no, I want the five nine, I'm not settling for the five point seven and a half billion dollars? Yeah, everyone's fine with five point seven billion dollars. It's not like you're crying all the way home with only five point seven billion dollars: man, I could have had an extra few more million dollars, like, how big is this ball pit. So they got away with paying a fine. It seems quite big; like, I wouldn't want to have to pay that fine, it would mean smashing my piggy bank into many pieces. But for Uber, who've had so much

investment that, I know, whatever they do, they make self-driving cars, or as we call them, trains; it's mad, yeah, socialism, I can say that here. So they had to go to the court and to the Senate, and the CSO, CSO left, four went to the hearings: there's Katie Moussouris from Luta Security, there's HackerOne. So they kind of got in trouble with the Senate, but, like, they keep going; as a company they seem to do this thing. Anything in this even-harder-to-read colour is probably a link, so you can go and read all the CSO Online articles afterwards if you are having trouble sleeping. Do you think they threw the CSO under the bus? So Joe Sullivan, he was

their CSO or CISO, because I have both, I didn't really understand their internal politics. He was, he got fired or he left, probably with a particular settlement, and now is running security at Cloudflare. So, huge ramifications there: like, oh no, I got found out, I'll just leave this company and go to another really well-paying company to do the same thing. Yeah, well, you've learnt your lesson. Cool, Intel. This is now my second favourite caption competition, like, what is going on. But that's, like, the CEO of Intel, blah blah blah; probably not the right one for this, I think. If you've heard of Meltdown and Spectre, they're both GIFs that eventually turned into bugs. I believe that's how the process works: you

basically hire smart designers and then they come up with cool images, and you're like, [ __ ], now we have to reverse engineer some stuff. I also can't think of Spectre without thinking it's like some 80s cartoon, but that's just showing my age. So, fun game, audience: who on this graph can tell me when Intel announced Meltdown and Spectre? And this is their share price. I mean, yeah, just, like, throw a number, one to ten, across the room. Where do you think? Oh, I'm not getting a lot of audience feedback, so I'll just die then. It's about, about round here. Surely, before it goes up loads. So they announced, they announced, like, oh yeah, the biggest vulnerability to ever hit

silicon, that will not really be fixed, possibly forever, and is in maybe millions, if not more, CPUs around the world, in loads of architectures. It's like, yeah, that really, like, that really messed them up, because it was in, like, February, and then they had an excellent start for the first half of the year and they expect 2018 to be a record. So, biggest flaw ever, biggest security vulnerability ever put in hardware: we're making dollars. So, yeah, there's no implications for the largest, most ingrained vulnerability possibly of all time. It's in the whole of computing, pretty much affecting every device, from cell phones to networking infrastructure to all of AWS to Linode to, like, they probably sold more CPUs out of this.

But, like, there are some ramifications. See, Intel's CEO resigns, which is why he's looking very anguished there. He was, he sold, like, 24 million dollars of stock, like, before announcing the breach, and the, but remember, security is job number one; job number one after insider trading. Security, security is number one. It's a good old Theo, the Pentium Pro errata and the Core 2 Duo, like, we're seeing this in the errata, because OCP users now releasing, they have massive errata. And if that doesn't terrify you and think that security is a solvable problem, when the most basic bit of hardware in your entire machine has a list of bugs in it at shipping time that everyone can read,

you're like, definitely gonna secure this application, because there aren't bugs all the way down in, like, microcode and silicon. So, yeah, that's, that's pretty fixable. So why did Brian resign? Was it the SEC filing? Was it the massive security breach? No, it's because he was having a relationship with an employee. Almost as if, like, insider trading and a massive vulnerability aren't that important. Sony Pictures: how long must they have spent buffing that logo, which you probably can't see because this is going through a VGA adapter, because apparently this setup is from Canada's phone network time of the 1800s. Oh, but true, I'm sorry, who here loves Rogers who doesn't work for them? So this is another place where I wouldn't be

giving this talk. So Sony got owned; this became their website for a bit. Good job. Then, wow, that's really legible, good job VGA. So they got owned 24th of November, which is where that line is that you really can't see; like, there is, I promise you, a line here. That's when they got owned. This is where they made more money; before that they made less money, then when they got massively owned. So, yep, that share price has died, didn't it? Oh no, we've been owned in the largest data breach of all, all of our history. Well, it's not the largest in their history, the second-largest in their history. They, yeah, they turned off

their VPNs and Wi-Fi, which was an odd choice: like, our servers have been owned over the Internet, quick, let's turn off Wi-Fi. Mm-hmm, I think I understand how they get hacked so easily. Yeah, we would tell them to go home because the, the network's been hacked, and if you've turned off their VPNs then, yeah, go home. But it isn't even the bigger Sony breach, so one of this is hilarious anyway. So how do data breaches affect breaches, how do data pants... how did data breaches affect stock market share prices? This is taken probably from some more CSO Online or some other analyst website. Yeah, turns out after a breach your share price goes up: like, "larger breaches had less of an

impact on share price than smaller breaches". So if you're getting owned and it's a small breach, like, just hack more internally, lol. It didn't, you don't fix it, just, like, get more people to own [ __ ], and then you're like, oh, mister, it won't affect our share price. "And the sensitivity to the breach had a less clear impact on share price in the long term." Or the US government, who just hand out their data. I'm picking quotes to support my argument, but there is, like, if you do real research on the websites, you can find this. This is the stock market, so the stock market doesn't care; the stock market doesn't care about hackers

and computers, and, and that's because we're cooler than them. But we are in the financial centre of Canada, so you kind of have to deal with the fact that finance is important. Mostly I just want to use this GIF because Vincent Adultman is kind of the best character ever. So there's some other examples. This is a misquote from a friend of mine, Rich Smith, who's at Duo Security. When we worked with him we were doing a merger and acquisition of a company, and he was like, yeah, I used to do this at, like, a large bank whose name I won't name so we can give this talk hopefully somewhere, and no merger and acquisition, like, pentest or security report ever said we

shouldn't do this acquisition. Like, that has never happened in all my years of owning other people's [ __ ] before we buy them. It's lowered the price, and it's made us go, oh god, what are we doing, but it's always happened. So, like, if you've been through any mergers and acquisitions you may have experienced this. I'm sure someone has a counter-example, one time, to prove me entirely wrong; happy for you. And the best thing about this is you do this big report, you find this company you're buying is, like, a security horror show, and then you're like, wow, cool, that's still happening, and then in six months this is our problem. Go to the bar, I'm staying there for a

year. So what am I saying? This is indeed my real name, and that is indeed a good question. In most of what you do, security is very unlikely to be the most important thing that your company does. If you work for a security company, that's doubly true; I challenge you to find one where that isn't the case. I would say more important than security is selling or shipping product. There is security in the product org, but most people don't go, I'm gonna start a business, I'm gonna make it really secure. What are you gonna sell? I know, I'm just gonna make sure it's really secure. So do you have a plan for making money? Really

secure. Good luck with that. So security is a part of your company, sure, you hope, but it's not all of it, and you should be there. The role of security is to inform and advise the business, protect it as much as it can and as much as reasonable, but it's not there, like, even if your CEO or CTO used to be a CSO, or was the CSO, has the dual role, it's still not going to be the most important thing a good company does, because otherwise you're, like, a security charity, not a company, and I don't know too many of those. I guess the EFF is a security team, yeah, maybe. Security is a business unit, and it's a

compromise, and not that kind of compromise. Red team, calm down now; blue team, it's your pagers going. It's compromised in the other sense, it's okay. And security should be a compromise. Has anyone made anything that's a hundred percent secure? I don't see a ton of hands; that's lucky. So, can someone steal your brick? What about if there are two of them? I mean, I can keep going. I'm gonna steal your brick, and I have a shield, yeah, how do you like that? Right, so if you throw that brick at me I now have your brick, which is what I was trying to do in the brick-stealing pert thing. Even bricks have 0-days. Anyone

wants to wager that, I will take full responsibility for nothing. If you make something 100% secure, whether it's a brick or whether it's a computer system, it probably wouldn't do anything, and if it did, it wouldn't do anything well. You can think of counter-examples where you can make things do things really well that are, like, crazy insecure. If anyone's used WordPress, that is zero percent secure, but it does work really well. I actually had to be like, I used WordPress for one project, I was like, oh [ __ ], this is really good, no wonder everyone uses it. I can't really just have a go at it all the time for its security, because it's actually

like, really easy to do things, and it would have taken me months to do this otherwise. Damn. But, like, name one company that's a hundred percent secure, or organization. Cool, I mean, I know it was just lunch, but really, I was hoping for a few more words; I see you're really cementing your position. The NSA: they got owned by a SharePoint admin, also sharing, who was, but who's, like, burning stolen data onto CDs, writing up artists of the time like Celine Dion or whatever you like here, and just walking out of the building with these CDs full of NSA data. Hacking Team, a company designed to just own [ __ ], got the most owned of any

company ever. Apple have been hacked; they have a good security team. Google have been hacked; they have a good security team. Brick Incorporated, I'm waiting for their breach report; I think it's called a window. So your job as a security person is to balance the risk trade-offs between your company being secure and your company actually doing something. I give you a wonderful example: the wonderful Alex Stamos, who I have a lot of respect for. The interpreters with this image, I can only think this.

So Alex is a great person, but he, he left Yahoo exclamation in 2015 because of them working with the NSA or FBI to give them more insight than they would normally have into, yeah, his customers. Yeah, whose customers; there's a phrase, people who hadn't deleted their Yahoo account because they didn't know they still had one. He left Facebook in 2018 because of a whole bunch of things, like his security team weren't being, whatever those words say, you can read words. So there was a conflict in the business between what he thought was secure and what Facebook the company were like, yeah, we couldn't care about what you're saying. So when one of the CSOs of the

top company in the world, you've been a company who's done amazing, amazing things, like, we all quite like osquery, thank you, thank you, that's fine, you don't, you don't patronize me; end-to-end encryption in WhatsApp, this is before the adverts. But they're not above compromises, business, you know, or in fact parts of the business will argue against them going, you can't do that. So yeah, so what does all this mean? This isn't, this isn't some of them a nice thing, it's me trying to say how good I know what the time is. This is me saying your job is to help the business; you're employed, probably, to help your business to do things the business wants. You're

not employed to set up the most amazing security academic research lab proving, like, end-to-end secure things for everything, because then you're working in a university and you can't afford to eat. It's not saying security is unimportant or should be ignored; it's just not the be-all and end-all of the world, as many people see security as that's wonderful absolute, and if you're not investing all your time as a company into being secure then what are you even doing? You're probably making profit, which, living in America, is all I care about. Security can be the centre of your world, but it shouldn't be the centre of capitalism or the business's world, because it isn't; like, the business cares about the security, probably more

but, like, as much as they care about, like, the printer team, or, like, the legal team I imagine are probably on a reasonable par, but they don't. The company, no company, even lawyers, don't base everything they do as a company on legal decisions. Again, Rupa. It's often, like, a compromise between all of these things. So this is a good thing, because it frees you from the mindset that security is a hundred percent, and that's impossible to get. There's the thing where you tell a security person you can get from 98 percent secure to 99 percent secure, this isn't bricks, or you can get from, in something else, you can get from, like, ten percent secure to 80

percent secure, and all the security people go, like, the 98 secure, it's near a hundred, and you're like, yeah, but you're really bad at math. Like, yes, you're closer to being this mythical 100 percent secure, but you're not actually making as big a change as if you did the easier thing. So I think security has a lot of closed-mindedness, or, like, binary thinking on security; that if the delightful aforementioned regex soft ops have sort of said anything, it's like working together and actually acknowledging other parts of the organization and working with them is better than just ignoring them and thinking you know best. Yeah, that's a very pretentious slide. Now it's also

a very pretentious slide; you can tell I was really dragging it out at the end. Cool, that's me done, not a great finish. [Applause] If you have questions that aren't brick related, please do; your own talk on bricks, I will heckle the [ __ ] out of you. Yeah, cool, those were easy, any harder questions?

Yeah, well, a PCI company have to face more financial stringency and, like, fines, yes, because that's kind of what PCI pins itself upon: like, if you're not this, you're, only the people who prevent it from taking credit card payments, or we will fine the crap out of you. And that's, like, a lot of compliance, it's like the big stick of fining you, but turns out some companies, like, 146 million dollar fine, come at me, or they just stop doing PCI and give that to some other company. I work at Stripe; we will take your PCI problems for you. So, yeah, money talks, turns out.

Why do we still believe security is important? Ego. The security industry is famed for its ridiculous ego and the us-versus-them stance, and a lot of attack-versus-defense kind of furthers that. So I think that, at least in my point of view, I'm very much against, like, that aspect of security, as you can probably tell by everything my chest on.

Funny things about GDPR: you noticed you got all those emails a few months ago, and suddenly everyone took your privacy really seriously, because 4% of their income every day would hurt. Yeah, so there's that. And the difference is, in Europe there was like, oh yeah, GDPR, that's really cool, everyone's getting secure, and in the US it was like, [ __ ] GDPR, ruining everything, now we have to do... and you're like, oh yeah, you do. Two sides of the world have different mindsets. No, no, you were going like, I now have to fill out loads of information about database tables. Have I taken too long? Thank you, Carly. Ben, thank you.