Jason Shirk "Privacy for Security Geeks - Dancing with Lawyers"

Privacy is front-page news on just about a weekly basis. Lawmakers and regulators are scrutinizing privacy like never before. And oh, by the way, privacy is a security problem. As hackers we spend a lot of time protecting the rights and sensibilities of users. We secure users largely by building tools, platforms and libraries to protect said data and other tools and platforms and libraries to break/ruin/steal this data. We can use these non-trivial skills and apply them to Privacy as well. All we need is a little bit of new vocabulary, a nudge in the right direction, and a (slight) tolerance for talking to lawyers.

Transcript

  • 1. Privacy for Security Geeks: Dancing with Lawyers
      • JASON SHIRK
      • PRIVACY/SECURITY LEAD
      • ONLINE SERVICES DIVISION
      • MICROSOFT
      • JASON.SHIRK@MICROSOFT.COM
  • 2. A Bit About Me
      • I, like you, am a hacker at heart
          • As a Hobby… for a while (~25 years)
          • Professional focus for the last decade
      • 3 years responsible for Microsoft’s Fuzzing Strategy and Toolkit
      • A degree, years of Vulnerability Management, Penetration Testing, etc…
      • 2 years as the Privacy Manager for Bing and Security Manager for Social within Bing
      • Not a lawyer or a policy guy
      • Having been on the attack side I understand
          • Where the Jewels are hidden
          • What the Jewels are worth
      • Currently the Lead for Security and Privacy reviews for OSD
  • 3. The $64,000 Question, why Privacy?
      • When I made the change to Privacy, people really wondered why (I’m paraphrasing here)
      • Inside Microsoft:
          • Really, Privacy?!?
          • That’s a big problem, I’m sure you’ll get the skills you need, they’re uh… different than Security
      • Outside Microsoft:
          • Dude, if you’re sure then do what makes you happy.
          • I tried that for about 6 months and ran screaming from it, good luck!
          • That seems… different. I’m sure we’ll see you back before too long
      • Simply put, I believe that Private Data is the single biggest problem facing Technology and Security Experts are properly equipped to help.
  • 4. Technology is at an Inflection Point
      • Digital Persona, Social Graph and Physical Location have come together
      • The intersection is creating new kinds of services and data
      • The new services are
          • Real-time
          • Location specific
          • Data-centric
      • The opportunity is enormous
      • There are hundreds of billions of dollars up for grabs
      • As we know, for good and bad alike
  • 5. There are Some Edgy Players…
  • 6. And People are Noticing
  • 7. The Landscape has Changed
      • Laws exist prohibiting the exfiltration of Private Data regarding their citizens in:
          • The European Union
          • China
          • India
      • Safe Harbor agreements allow for this data to be moved to specific countries
          • Between the US and the EU for example
          • Agreements are still being discussed with China and India
      • Violating these agreements could nullify the ability to do business with a continent
  • 8. Sony PlayStation Network (And payment systems and localized international websites and a different part of the payment system and phone site and… well… more)
  • 9. The Penalties are Increasing, Alarmingly Fast
      • The FTC recently fined Google $22.5M for bypassing the Safari 3rd party cookie blocking
          • Largest fine EVER levied by the FTC
          • It was called insufficient and ineffective by Privacy Advocates
      • Last week a US judge in California approved a settlement against Facebook for $20M
          • This ruling could also affect the ability of software companies to change their Privacy Policies without user approvals
      • The European Commission has proposed rules allowing for fines regarding privacy violations of up to 2% of GLOBAL REVENUE of a company
          • Expected to be effective by 2015
          • Oh, and this can be levied PER COUNTRY in the EU!!!
          • Global Revenue for Microsoft for FY12 was $73.7B
          • With 27 member states at up to $1.47B per country… That’s a Big number
  • 10. What does this have to do with a room full of hackers?
      • Privacy *is* Security, BUT:
          • Privacy tends to have a Policy Slant (LOTS of Lawyers)
          • Security tends to have a Technical Slant (Mostly Engineers)
      • Privacy Nerds and Security Geeks do not speak the same language (I’m both, I can say this)
          • Legalese vs. Technobabble
          • Lawyers (mostly) do not understand Technobabble
          • Hackers (mostly) do not tolerate Legalese
      • Your technical expertise is HIGHLY valued by the Privacy Community
          • When you speak up, they will pay attention
          • When you offer solutions, they will want to implement them
      • We have to understand their point of view though
  • 11. Privacy: A Coder’s View
      • Data==BusinessLifeBlood;
      • If (NoPrivacy) Data=NULL;
      • PrivacyExecutionAbilityToday < PrivacyNeedsToday < PrivacyNeedsTomorrow;
      • CloudDevelopment++;
      • ManagedCodeInvestment++;
      • Developer != PrivacyExpert;
  • 12. What Exactly Does Privacy Mean?
      • How would you define Privacy?
      • Trevor Hughes, President of the International Association of Privacy Professionals (IAPP)
          • There are 11 different definitions of Privacy (Anonymity is only 1 of these)
      • Dictionary
          • 1a: the quality or state of being apart from company or observation : seclusion
          • b: freedom from unauthorized intrusion <one's right to privacy>
          • 2 archaic: a place of seclusion
          • 3a: secrecy b: a private matter : secret
  • 13. A Language Lesson: Privacy
      • Personally Identifiable Information (PII) also called Personal Data (PD)
          • Data that allows for a data subject to be tied to a real human being
      • Prominent Consent
          • A notice to a user prior to data collection and/or use, giving informed consent for the data collection/use
      • End User License Agreement (EULA)/Terms of Use (ToU)
          • These are true legal documents which represent agreements or contracts between a user and a software provider. Installed software typically has a EULA (Windows, Office, …). Services typically have ToU’s (Bing, O365, Xbox Live)
      • Privacy Statement/Policy/Terms
          • This is a legally required document for all electronic data collection. It is not a contract in the same way as a EULA or ToU and is usually written in much friendlier (read not-so-lawyerly) terms, but does bind the data collector to follow the terms. Both installed software *and* services typically have Privacy Statements
      • Retention Requirements
          • Conversely to being required to keep data for at least a certain period of time, it is frequent in Privacy that data may *only* be kept for a certain amount of time.
  • 14. A Language Lesson: Enforcers
      • Federal Trade Commission (FTC)
          • The FTC is responsible for enforcing Privacy regulations in the United States
      • Article 29 Working Party
          • A working party created by the European Commission to make recommendations for EU Article 29, regarding data privacy. They make recommendations for changes to the EU Directives and Articles.
      • Data Protection Authority (DPA)
          • Each country implements the EU Directives differently, thus each country in the EU has at least one DPA and may have several. The DPAs enforce Privacy regulations in their respective countries. CNIL (France), the UK, Irish and German DPAs have all taken recent significant action against technology vendors
      • Canadian Privacy Commissioner
          • Canada has a national-level commissioner responsible for enforcing Privacy regulations. There are also Provincial Privacy Commissioners. The Privacy Commissioner for Ontario is quite outspoken and drives significant enforcement efforts.
  • 15. A Language Lesson: Enforcement
      • Fine
          • As stated earlier, there are large sums of money that can be taken by enforcement agencies.
      • Consent Decree
          • The FTC has been not only levying fines, but in the agreements it is making with companies requiring *20 YEARS* of audits to verify that “Privacy by Design” is being implemented.
          • Facebook and Google have both recently gotten these, Microsoft had one for 10 years in the past
      • Injunction
          • Advocates are beginning to ask for legal injunctions stopping changes to policies and technology
  • 16. A Language Lesson: Security Privacy Lexicon
      • Abstraction
          • For Security, we speak in terms of vulnerabilities (overflow, double free, ...), exploits (arbitrary code execution, DoS, …), and payloads (Trojans, rootkits, …)
          • For Privacy, up-level the conversation to the potential consequences being data leaks (third-party access, database exfiltration, …), unauthorized use (prominent consent, intended use, …) and regulatory action (hearings, fines, …)
      • Mitigation
          • In Security, we excel at recommending mitigations and fixes to technical problems
          • In Privacy, the Security mitigations and fixes *are* often a part of the solutions needed, bring them to the table
      • Automation
          • In Security we build tools to do jobs that are too complex (or that we don’t want to do ad nauseam)
          • In Privacy there is a growing need for sustainable processes (automated tools) to ensure Privacy standards (moderately complex but measurable baselines) are met
  • 17. What Problems are We Facing? (Buzzword Bingo!)
      • Big Data is the word
          • From the last presidential race (Extremely accurate precinct-by-precinct predictions)
          • To Lady Gaga (31M+ Twitter followers that she wants the rights to mine for her own)
      • Everything is in The Cloud
          • Check-ins, Check-outs, Check-ups and just plain old Checks
      • The On-ramp to the Cloud is Changing
          • Smart phones overtook feature phones globally in 2011 (according to Nielsen)
          • There are approximately 2.4 Billion internet users today (according to internetworldstats.com) nearly half of that is mobile.
  • 18. What Can You Do?
      • Pragmatic Security solutions can be applied to a number of these areas:
          • Static Analysis tools for Personally Identifiable Information (PII)/Personal Data (PD)
          • In-transit Data detection
          • Lightweight Encryption mechanisms
          • Obfuscation implementations (only for defense-in-depth of course)
      • By simply building tools
  • 19. Wrap-up: Privacy is a Security Problem
      • Security Engineers are uniquely qualified to help solve Privacy problems
      • We are already recognized advocates for users and their data
      • Up-level the conversation appropriately
      • Talk about impact of a vulnerability/exploit
      • Deliver Solutions and Mitigations to problems
      • Build tools and automate process/reporting
      • Build for the future: Big Data, Cloud, Mobile
      • Be pragmatic
      • While code trumps all, these technologies must be deployable
      • Help boil the problem down to bite-sized pieces and make recommendations accordingly
  • 20. Questions? Oh, and we’re hiring 