EiTESAL Digital Transformation "Role of Open Source" Event 29/11/2017 Open Source Systems & Security Presentation by : Sherif El-Kassas

1. Open Source Systems &
Security
Sherif El-Kassas

2. OSS & Security
● Outline:
– Principles, Motives, & Opportunity
– Trends and attitudes
– Case and examples
(The small matter of Mr. Snowden)
– The way forward

3. principles

4. Design Principles
• Well known set of principles
– Saltzer, J.H.; Schroeder, M.D., "The protection of
information in computer systems," Proceedings
of the IEEE , vol.63, no.9, pp.1278,1308, Sept.
1975
– Smith, R.E., "A Contemporary Look at Saltzer
and Schroeder's 1975 Design Principles,"
Security & Privacy, IEEE , vol.10, no.6, pp.20,25,
Nov.-Dec. 2012
– See also:
http://www.cryptosmith.com/book/export/html/365

5. Saltzer & Schroeder
1. Economy of mechanism
2. Fail-safe defaults
3. Complete mediation
4. Open design
5. Separation of privilege
6. Least privilege
7. Least common mechanism
8. Psychological acceptability

6. Saltzer & Schroeder
1. Economy of mechanism
2. Fail-safe defaults
3. Complete mediation
4.Open design
Kerckhoffs (19th century)
Shannon: “The enemy knows the system”
5. Separation of privilege
6. Least privilege
7. Least common mechanism
8. Psychological acceptability

7. motive

8. Motive
“While security for the user might
mean the repulse of `evil hackers […]
security for the vendor means
growing the market and crushing the
competition.”
– Ross Anderson, "Security in Open versus Closed
Systems - The Dance of Boltzmann, Coase and
Moore", Open Source Software : Economics, Law
and Policy, Toulouse, France, June 20-21, 2002.

9. opportunity

10. Reflections on
Trusting Trust
Ken Tompson
Communication of the ACM, Vol. 27, No. 8,
August 1984
Opportunity

11. Reflections on
Trusting Trust
Ken Tompson
Communication of the ACM, Vol. 27, No. 8,
August 1984
Opportunity
“The moral is obvious. You
can't trust code that you
did not totally create
yourself. (Especially code
from companies that
employ people like me.)”
http://www.cs.tufts.edu/comp/98/Ken_Thompson_84-Reflections_on_Trusting_Trust.pdf

12. What if we don’t manage
trust & ignore scrutiny?

13. Lastupdated6July,2011
The Two Faces of Hackinghttp://spctrum.ieee.og/static/hacker-matrix

14. dependability of the connected world

16. https://www.wired.com/story/car-hack-shut-down-safety-features/

18. War stories

19. http://www.quadibloc.com/crypto/ro0204.htm
http://www.iwm.org.uk/online/eniga/eni-intro.htm

20. French Weapons in the Falklands
• France manufactured the Exocet
[…]
– France also provided a vast,
virtually unprecedented
amount of technical
assistance, including
information on how to combat
the Exocet missile, which
could well have been
decisive in assuring a British
victory.
http://en.wikipedia.org/wiki/Exocet

21. conspiracies as facts

22. www.theguardian.com/world/2013/jun/08/nsa-prism-server-collection-facebook-google
en.wikipedia.org/wiki/2013_mass_surveillance_disclosures

23. https://www.schneier.com/crypto-gram-1311.html

24. https://www.schneier.com/crypto-gram-1311.html
“Attacks only get better”

25. the way forward

26. Physical vs. Digital world
• what Morpheus might have said
– “Do you believe that my being stronger or
faster has anything to do with my muscles in
this place?”
• mediation, proxies, and trust

27. ● Stallman: How Much Surveillance
Can Democracy Withstand?
“Robust protection for privacy must be
technical”
wired.com/opinion/2013/10/a-necessary-evil-what-it-takes-for-democracy-to-survive-surveillance/

28. R&D agenda

29. R&D agenda
• Trustworthy technology
– Build our own?
– Open source strategy
– Open scrutiny
– Certification program to ensure quality
●
Note worthy:
• People
• Ensure no harmful shortcuts are taken

30. Opportunity
CRA, November 2003, [unsolved] grand challenges:
● Economic
● Epidemic
● Engineering
● Human
http://archive.cra.org/Activities/grand.challenges/security/home.html
– The Economist, November 2015:
● “The cost of immaturity”
– Average time to breach detection 205 days
– Estimated global cost of 90m cyber-attacks: $575 billion
● “cyber-security industry is booming”
– Market: $75 billion a year now [...] $170 billion by 2020
– 2016:
● cloud, mobile, social media, and more: “Cybersecurity is terrible,
and will get worse”; IoT “will be a security disaster”
https://www.lightbluetouchpaper.org/2016/02/22/financial-cryptography-2016/

31. Thank you..
Questions?
www.cse.aucegypt.edu/~skassas/Eitesal-oss-2017

32. Trusting organization

33. http://spectrum.ieee.org/telecom/security/the-athens-affair

34. Kill switches!

35. spectrum.ieee.org/may08/6171

36. trends

37. 2013 2014 2105
.00
500,000.00
1,000,000.00
1,500,000.00
2,000,000.00
2,500,000.00
3,000,000.00
3,500,000.00
4,000,000.00
4,500,000.00
insider
unintended
physical loss
portable device
stationary device
“DataBreachesbytheNumbers,”http://www.securityweek.com/data-breaches-numbers

38. 2013 2014 2105
.00
20,000,000.00
40,000,000.00
60,000,000.00
80,000,000.00
100,000,000.00
120,000,000.00
140,000,000.00
hacking
“DataBreachesbytheNumbers,”http://www.securityweek.com/data-breaches-numbers

39. other conspiracies

40. http://www.f-
secure.com/weblog/archives/00002226.html

41. http://vincentarnold.com/blog/chinese-backdoors-hidden-in-router-
firmware/

42. What can be done about trust?

43. Only the paranoid survive!

44. “Anything that happens, happens.
Anything that, in happening, causes
something else to happen, causes
something else to happen.
Anything that, in happening, causes
itself to happen again, happens again.
It doesn't necessarily do it in
chronological order, though.”
--Douglas N. Adams, “Mostly
Harmless”