It's the people, stupid.

1. It’s the people, stupid. @jschauma Jan Schaumann

2. @jschauma Velocity NY 2016

8. ServerUserless Systems @jschauma Velocity NY 2016

9. Useless Systems @jschauma Velocity NY 2016

11. Change vs. more of the same. The people, stupid. Don’t forget malware. @jschauma Velocity NY 2016

12. Developers @jschauma •  That can’t happen. •  That doesn’t happen on my machine. •  That shouldn’t happen. •  Why does that happen? •  Oh, I see. •  How did that ever work?

13. Developers SRE @jschauma •  That never worked. •  Must be the network.

14. Developers SysAdmins @jschauma •  It’s not the network. •  Probably a bug in the OS. •  Oh, ok. DNS. •  Don’t monkey around with /etc/hosts. SRE

15. Developers SysAdmins BOFH @jschauma •  An African or European swallow? •  You don’t know what you’re doing. SRE

16. Developers SysAdmins BOFH Infosec @jschauma •  That’s not how you do this. •  Nobody knows what they’re doing. SRE

17. Developers SysAdmins BOFH Infosec New Yorkers @jschauma •  What? I don’t care, keep walking. Don’t talk to me. •  Seriously, don’t stop in the middle of the street. I will cut you. SRE

18. Developers SysAdmins BOFH Infosec New Yorkers New York Infosec SysAdmin @jschauma SRE

23. @jschauma

25. @jschauma

28. @jschauma

31. @jschauma Velocity NY 2016 How not to be seen

32. @jschauma Changing other people’s habits is a wicked problem. Velocity NY 2016

33. @jschauma Prod Corp Long-‐lived SSH ConnecCons Velocity NY 2016

34. @jschauma Firewall / ACLs / idled(8) … Velocity NY 2016

35. @jschauma Reverse SSH tunnel Privkeys on prod cron(8) iniCated callbacks … Velocity NY 2016

38. @jschauma hLps://is.gd/80zCWX Velocity NY 2016

39. @jschauma Why we take our shoes oﬀ at the airport. Velocity NY 2016

40. @jschauma NSA-‐prooﬁng TLS cipher spec LiSle Bobby Tables Secrets on GitHub XSS #Infosec: Silicon Valley’s TSA Velocity NY 2016

41. Security is not a value. @jschauma Velocity NY 2016

42. Nobody cares about security. @jschauma Velocity NY 2016

43. Nobody cares about security. That is neither incompetence nor malice, it’s pragmaSsm. @jschauma Velocity NY 2016

44. @jschauma People driven defense EﬀecCve defense “sophisCcated” “military grade encrypCon” “NSA-‐proof” “even more cyber” “cyber” Vendor Crap “Security Appliances”

46. @jschauma Ceci n’est pas un hacker. Velocity NY 2016

53. Safety, not (just) security. @jschauma Velocity NY 2016

54. A system is secure if it protects the user when used correctly. A system is safe if it protects the user even when used incorrectly. @jschauma Velocity NY 2016

56. @jschauma If your reacSon is “well, not like that”, you have a poka-‐yoke problem. Fix that. Velocity NY 2016

57. @jschauma The most convenient / intuiSve way to use your applicaSon must be the safest way to use your applicaSon. Velocity NY 2016

58. @jschauma Users will not change default sengs. Velocity NY 2016

59. @jschauma Users will not change default sengs. (Unless a less secure opSon is available.) Velocity NY 2016

60. @jschauma Failure must not lead the user to change their default sengs. Velocity NY 2016

61. @jschauma Failure must not lead the user to change their default sengs. Safety overrides must be temporary. Velocity NY 2016

62. @jschauma Your applicaSons, services, standards, etc., must age gracefully. Velocity NY 2016

63. Poka-‐yoke so^ware & systems •  safe defaults •  safe failure mode •  automated, regular, unaLended updates •  puts usability ahead of ‘security’ •  encourages desired behavior •  builds / strengthens safe habits •  follows the users’ desire path Velocity NY 2016

66. Change vs. more of the same •  avoid the downward spiral of cynicism •  your users, developers, engineers, … are not stupid; they’re trying to get their job done •  focus on realisSc threats, not high-‐proﬁle security theater •  understand that your aLackers are moSvated, dedicated, human adversaries The people, stupid. •  security is not an end-‐goal •  build safe applicaSons & services •  understand your users’ desire paths •  Poka-‐yoke Go! @jschauma Velocity NY 2016

67. “Fundamentally, the problem isn’t about security. It’s about people.” @jschauma -‐ Bill Clinton (not quite) Thanks!

68. Image ALribuSons •  Monty Python, Paul Townsend hLps://ﬂic.kr/p/nVFKH5 •  Serverless, PolarFlex Rack Blanking hLp://polargy.com/air-‐ﬂow-‐accessories/42u-‐blanking-‐ panels.php •  Downward spiral, Davo Sime hLps://thenounproject.com/term/downward-‐spiral/ 589704/ hLps://creaSvecommons.org/licenses/by/3.0/us/ •  Mouse, MarSn Driver, hLp://wallpapersafari.com/w/UzqRxW •  Silly Walk Street Sign, Kayla Reed, hLp://www.avclub.com/arScle/crosswalk-‐norway-‐makes-‐ ciSzens-‐do-‐monty-‐python-‐si-‐203164 @jschauma

It's the people, stupid.