HUSHCON 2016 KEYNOTE
TEST FOR ECHO
Adam Cecchetti
Deja vu Security
Hello!
 Adam Cecchetti
 Deja vu Security : Founder, CEO
 Peach Fuzzer : Founder, Chairman
Time: #3 Person of the Year
A Sense of Deja vu
Deja vu. Deja vu. Deja vu. Deja vu.
Networks
Applications
Web
Cloud
Internet of Things (IoT)
“The tubes are on fire!”
“The desktop is on fire!”
“The world is on fire!”
“The sky is on fire!”
“Your pants are on fire!”
Marketing!
The Problem is Big
 The first step to recovery is the hardest.
 Awareness is good, but it doesn’t cure cancer.
 Security issues must be found; they can’t be created.
 Inherited, passed down the software genepool.
 Plentiful, defense helps but we kick over more rocks.
 Random, the future is asymmetrically secured.
 Polymorphic, the tools we use to build systems are
security issues.
 We are going to have to start thinking differently.
Not That Differently
Tick, Tock.
 Data movement is a cadence to how we’ve built things.
 Echoes, the ghosts of usage models past.
 We leave data and code everywhere users go.
 User data replicates every decade or so.
[Timeline figure: user data swings between centralized and distributed on a roughly ten-year cadence]
Centralized: 70’s Mainframe, 90’s Web/Email, 2010 Cloud, 2030 Internet of Me
Distributed: 80’s PC, 00’s Social Networks, 2020 IoT
Security is a Snapshot in Time
 Security is a snapshot in time.
 Tomorrow is a new day full of drama on Twitter!
 Today is a great day to deprecate a system.
 Move user data to a safer and better place.
 Hackers are unstoppable in 1995.
 The closer the temporal snapshot is to 1995, the better for hackers.
 The person building the system decides the snapshot that is
taken.
 Protocols from 1995
 Libraries from 2006
 Binaries from 2014
 A Linux build from 2016
You Wouldn’t March This Army Today
You Wouldn’t March This Army in 2116
Snapshot 1: 2002 vs 2016 Hackers
Snapshot 2: 1995 vs 2016 Hackers
Computers are Awesome!
 They don’t LET you do anything.
 They DO anything!
 And only things you tell them
 CPU: AMMA that’s about Machine code to Microcode
 Good luck with the rest! That’s not what I do!
 General computation is good however it means:
 No reliability, no availability, no security.
 This includes anything we build.
 Complexity leads to side effects, and exploitation is
programming with side effects.
Memory Leak in /dev/litterbox?!
We Are at an Odd Juncture
 Mobile is eating all markets just like the PC did.
 User habits are changing, again.
 Web ate the rest of the world.
 User data flows in new directions
 And lingers in the eddies.
 And for those of us left who still care about general
computation, we have to run unknown kernel and
firmware exploits to program our phones.
Jail Broken
The Internet Finally Showed Up!
 The amount of air gap between our lives and the
Internet is shrinking daily.
 Soon it will be gone. Good Riddance! Plug me in!
 Unless you have decided to live in a cave.
 And in another tick tock there’s still a chance it will have IP
enabled bat guano.
 Technology is awesome!
 In 5 years my self driving car will live stream.
 Localized live traffic video broadcasting and viewing is
going to be a thing.
 There are going to be people sitting in traffic watching
other people sit in traffic around the world.
Live From the 520 Parking Lot…
Be Still My Beating Heart
 The Internet of Me is coming soon.
 I can’t wait until my heart has an IP address.
 And firmware updates
 And an app store to monetize!
 Cardio Trainer+ 4.0
 Now with Twitter Integration!
 Cardio Trainer+ 4.0.1
 Pushed a patch as some users were excessively twitching while
Tweeting.
 Move fast and break things is not what I want for
addressable organs.
Everybody Bugs
 Bugs happen.
 They happen to the best.
 They happen to the worst.
 Imperfection is the proof of life and existence.
 Mistakes are proof you actually did something.
How to Lose Normal People
Start with Details
 “The buffer can overflow causing a corruption of
the pointer which in turn is referenced by the vtable
to cause code to jump to a known location as a
result of ASLR being not compiled into a supporting
DLL”
 “The password is P@ssw0rd!”
 “User A can access the details of User B”
CVE-2017 – Critical Bass Overflow
How to Get Things Flowing
Helping People Understand w/Impact
 The user’s bank account can be drained.
 One person cares.
 The company can no longer perform transactions.
 The entire company cares.
 The car performs a J-turn at 60 mph during rush hour
 1 news cycle.
 The plane crashes
 2 news cycles, 4 if they can’t find the plane.
 The pacemaker stops and kills the user.
 2 Federal Agencies + n pacemaker users care.
 The power plant explodes.
 People care until the lights come back on.
In an Age of Infinite Scroll
“Hacked a what? Oh, right.”
Ken
 Ken /ken/ noun
 “one's range of knowledge or sight”
 “know”
 How far you see.
 How wide or narrow your focus is.
 How much you understand.
 How far someone else can see, focus, and understand.
Ken
Ken : My Ken
Ken : Your Ken
Ken : Our Ken
Admitting Blindness is Beaten Out of Us
Ken
 Their Ken: I need to move 14,000 planes a day
with 300 people in them each or the global
economy stops.
 My Ken: Planes can move in ways you don’t intend if
you connect them to the Internet, might even crash.
 Their Ken: Customers don’t like to crash.
 My Ken: Fewer planes move if they crash.
 Our Ken: Let’s make new planes that are easier to
move, safer, and crash less.
Ken
 Accepting WE > I
 Knowing the range of my knowledge and vision
enables me to spend our time better.
 Knowing how to better understand the range of
another’s vision helps us get to shared impact faster.
 Then we can start sharing details.
 If we want to keep our place at the table it is our job to
extend our ken with everyone seated.
Testing for Echo
Test for Echo
 You have lost if:
 All you are hearing is your own words come back.
 Things you already know.
 Shared exchange of ken is shared extension.
 Sustained echo is at best rapid construction of a
chamber.
 On a more than decade time scale it is slow death.
Details: Our Three Wins
 Firewalls
 Encryption
 Two Factor Authentication
Impact: Three Extensions of Ken
 Firewalls
 I don’t want to run Ethernet cable in my house.
 Wifi + Firewall = Win!
 Encryption
 I can’t make it to the bank or store today.
 I need to work from home.
 Commerce from home + encrypted tunnel = Win!
 Two Factor Authentication
 I don’t want to re-grind my character.
 World of Warcraft = Win!
Ken: When Have We Won?
 We’ve won the same way everyone else has.
 When we’ve made someone’s life better they
adopted a technology.
 It happened to be more secure because we spent years
working on the details.
 If we want to get pedantic we used Trojan horses to
backdoor security into people’s lives.
 Applying security to a shift in user behavior.
 This is better!
 We defined that part of being better was more secure!
Ken: The users
 Want to do the thing and will always want to do the
thing.
 Help the user keep doing the thing they want to do.
To Master Details
 Do your research
 Do not be afraid of the work
 Do not be afraid to fail and never stop.
 Hack fast, conserve bugs, never ever make a deal
with a Blackhat.
Get to Work
Details: Data as Code
 What do Cross Site Scripting, SQL Injection, and
Buffer Overflows all have in common?
 They are all data being interpreted as code.
 Any place that user or machine controlled data is being
used, interpreted, parsed; a security issue awaits.
 This is big enough to master that you can spend
multiple lifetimes right here.
 We’ve actually started to make steps towards fixing
this problem in some places.
Details: Gamers are Going to Game
 Logical Issues require someone to game the system
 You must try to understand all the unexpected behavior
of the system’s logic.
 Few good ways to automate testing here
 The Meta Game
 Attackers will continue to go for the weakest link
 Unless the time vs. reward scenario is high
 or the motivation vs. reward scenario is super high
Details: We Rely on Secrets
 Password1!
 Upper Lower, Numeric, Special!
 Secure by most standards!
 " Or '1'='1'; --
 Upper, Lower, Numeric, Special!
 No key words!
 16 characters!
 Secure!
 If not bad jumbles, then bits generated by a
machine and given back to a machine!
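The "Data as Code" and "We Rely on Secrets" slides above make one point: the same bytes are harmless when the database treats them as a value and dangerous when it parses them as SQL. This added example (not from the talk or any Deja vu Security code) runs the slide's 16-character "password" through both a string-concatenated query and a parameterized one, using an in-memory SQLite table with constructed users. It assumes the injection string opens with a single quote so that it closes a single-quoted SQL literal.

```python
import sqlite3

# Constructed sample accounts for the demo. Plaintext passwords are used only to
# keep the example short; a real system would compare password hashes.
USERS = [("alice", "Password1!"), ("bob", "hunter2")]

# The 16-character "password" from the slide, with straight quotes and a leading
# single quote (assumption: it must match the delimiter of the SQL literal).
INJECTED_PASSWORD = "' Or '1'='1'; --"


def make_db():
    """Create an in-memory user table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user data is spliced into the statement text.

    The database cannot tell where the developer's SQL ends and the user's
    bytes begin, so the quote, OR and comment in the password are parsed as
    code. Returns the sorted names the query matched.
    """
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Hardened: the statement is compiled first, the values are bound after.

    Bound parameters are never run through the SQL parser, so the same bytes
    are compared as an opaque string and match nothing.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo(password=INJECTED_PASSWORD):
    """Run both login paths with the same input and report who got in."""
    conn = make_db()
    return {
        "concat": login_concat(conn, "alice", password),
        "param": login_param(conn, "alice", password),
    }


if __name__ == "__main__":
    result = demo()
    print("data parsed as code  ->", result["concat"])  # every account matches
    print("data bound as value  ->", result["param"])   # nothing matches
```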
To Master Impact
 See the system as a graph of lists sorted by time.
 Know what matters in the system.
 Use the details to break the system.
 When the system will not break change the game.
Impact: Master The Graph
 Seeing the system as a graph allows direct access
to what is most impactful for the system.
Impact: Master the Clock
To Master Ken
 Know yourself and share ideas and creations.
 Ask to know and understand others.
 Use impacts to connect yourself to others faster.
 Seek the patterns that allow you to extend your vision
and knowledge.
To Master Ken
 In cooperation:
 Use your ken to help others see what they cannot.
 Ask to be shown what you cannot see.
 In conflict:
 Find the blind spots.
 Where someone is blind they cannot defend.
Mastering Ken
Ken: Test for Echo
 Step out of the echo chamber from time to time.
 Find people who have problems you’ll never have.
 Listen to them.
 See how much you can share, but more importantly
see what comes back when you do.
Takeaways
 We have the ears of very important people.
 It is easy to lose a voice at the table if we constantly
echo the same message, over-focused on details.
 Building a better tomorrow requires more than
details and impact.
 It requires understanding our own ken.
 I hope this talk has extended yours.
Thank You
@adamcecc
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 

Hushcon 2016 Keynote: Test for Echo

  • 15. Computers are Awesome!
     They don’t LET you do anything.
     They DO anything!
     And only things you tell them.
     CPU: AMMA that’s about Machine code to Microcode.
     Good luck with the rest! That’s not what I do!
     General computation is good, however it means:
     No reliability, no availability, no security.
     This includes anything we build.
     Complexity leads to side effects, and exploitation is programming with side effects.
  • 16. Memory Leak in /dev/litterbox?!
  • 17. We Are at an Odd Juncture
     Mobile is eating all markets just like the PC did.
     User habits are changing, again.
     Web ate the rest of the world.
     User data flows in new directions
        And lingers in the eddies.
     And for those of us left that still care about general computation, we have to run unknown kernel and firmware exploits to program our phones.
  • 19. The Internet Finally Showed Up!
     The amount of air gap between our lives and the Internet is shrinking daily.
     Soon it will be gone. Good Riddance! Plug me in!
     Unless you have decided to live in a cave.
        And in another tick tock there’s still a chance it will have IP enabled bat guano.
     Technology is awesome!
     In 5 years my self driving car will live stream.
     Localized live traffic video broadcasting and viewing is going to be a thing.
     There are going to be people sitting in traffic watching other people sit in traffic around the world.
  • 20. Live From the 520 Parking Lot…
  • 21. Be Still My Beating Heart
     The Internet of Me is coming soon.
     I can’t wait until my heart has an IP address.
        And firmware updates
        And an app store to monetize!
     Cardio Trainer+ 4.0
        Now with Twitter Integration!
     Cardio Trainer+ 4.0.1
        Pushed a patch as some users were excessively twitching while Tweeting.
     Move fast and break things is not what I want for addressable organs.
  • 22. Everybody Bugs
     Bugs happen.
     They happen to the best.
     They happen to the worst.
     Imperfection is the proof of life and existence.
     Mistakes are proof you actually did something.
  • 23. How to Lose Normal People
  • 24. Start with Details
     “The buffer can overflow causing a corruption of the pointer which in turn is referenced by the vtable to cause code to jump to a known location as a result of ASLR being not compiled into a supporting DLL”
     “The password is P@ssw0rd!”
     “User A can access the details of User B”
  • 25. CVE-2017 – Critical Bass Overflow
  • 26. How to Get Things Flowing
  • 27. Helping People Understand w/Impact
     The user’s bank account can be drained.
        One person cares.
     The company can no longer perform transactions.
        The entire company cares.
     The car performs a J-turn at 60 mph during rush hour.
        1 news cycle.
     The plane crashes.
        2 news cycles, 4 if they can’t find the plane.
     The pacemaker stops and kills the user.
        2 Federal Agencies + n pacemaker users care.
     The power plant explodes.
        People care until the lights come back on.
  • 28. In an Age of Infinite Scroll
  • 29. “Hacked a what? Oh, right.”
  • 30. Ken
     Ken /ken/ noun
        “one's range of knowledge or sight”
        “know”
     How far you see.
     How widely or narrowly you are focused.
     How much you understand.
     How far someone else can see, focus, and understand.
  • 31. Ken
  • 32. Ken : My Ken
  • 33. Ken : Your Ken
  • 34. Ken : Our Ken
  • 35. Admitting Blindness is Beaten Out of Us
  • 36. Ken
     Their Ken: I need to move 14,000 planes a day with 300 people in them each or the global economy stops.
     My Ken: Planes can move in ways you don’t intend if you connect them to the Internet, might even crash.
     Their Ken: Customers don’t like to crash.
     My Ken: Less planes move if they crash.
     Our Ken: Let’s make new planes that are easier to move, safer, and crash less.
  • 38. Ken
     Accepting WE > I
     Knowing the range of my knowledge and vision enables me to spend our time better.
     Knowing how to better understand the range of another’s vision helps us get to shared impact faster.
     Then we can start sharing details.
     If we want to keep our place at the table it is our job to extend our ken with everyone seated.
  • 40. Test for Echo
     You have lost if:
        All you are hearing is your own words come back.
        Things you already know.
     Shared exchange of ken is shared extension.
     Sustained echo is at best rapid construction of a chamber.
     On a more than decade time scale it is slow death.
  • 41. Details: Our Three Wins
     Firewalls
     Encryption
     Two Factor Authentication
  • 42. Impact: Three Extensions of Ken
     Firewalls
        I don’t want to run Ethernet cable in my house.
        Wifi + Firewall = Win!
     Encryption
        I can’t make it to the bank or store today. I need to work from home.
        Commerce from home + encrypted tunnel = Win!
     Two Factor Authentication
        I don’t want to re-grind my character.
        World of Warcraft = Win!
  • 43. Ken: When Have We Won?
     We’ve won the same way everyone else has.
     When we’ve made someone’s life better they adopted a technology.
     It happened to be more secure because we spent years working on the details.
     If we want to get pedantic, we used Trojan horses to backdoor security into people’s lives.
     Applying security to a shift in user behavior. This is better! We defined that part of being better was more secure!
  • 44. Ken: The Users
     Want to do the thing and will always want to do the thing.
     Help the user keep doing the thing they want to do.
  • 45. To Master Details
     Do your research.
     Do not be afraid of the work.
     Do not be afraid to fail, and never stop.
     Hack fast, conserve bugs, never ever make a deal with a Blackhat.
  • 47. Details: Data as Code
     What do Cross Site Scripting, SQL Injection, and Buffer Overflows all have in common?
     They are all data being interpreted as code.
     Any place that user- or machine-controlled data is being used, interpreted, or parsed, a security issue awaits.
     This is big enough to master that you can spend multiple lifetimes right here.
     We’ve actually started to make steps towards fixing this problem in some places.
  • 48. Details: Gamers are Going to Game
     Logical issues require someone to game the system.
     Must try and understand all the unexpected behavior of the logic of the system.
     Few good ways of automated testing here.
     The Meta Game
        Attackers will continue to go for the weakest link
        Unless the time vs. reward scenario is high
        or the motivation vs. reward scenario is super high.
  • 49. Details: We Rely on Secrets
     Password1!
        Upper, Lower, Numeric, Special!
        Secure by most standards!
     ' Or '1'='1'; --
        Upper, Lower, Numeric, Special!
        No key words!
        16 characters!
        Secure!
     If not bad jumbles, then bits generated by a machine given back to a machine!
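Slides 47 and 49 make one point between them, so here is a single added example (not code from the talk): a small Python script with assumed names and a constructed in-memory SQLite user table. It shows the slide's 16-character string sailing through an upper/lower/digit/special complexity policy, a login check that splices the password into the SQL text and so lets the database parse it as code, and the same check with bound parameters, where the string stays data and simply fails to match.

```python
import re
import sqlite3

# Constructed sample credential store for this demo only. Passwords are kept in
# plaintext so the two query styles can be compared; a real system stores hashes.
USERS = [("alice", "Password1!")]

# The "password" from slide 49: 16 characters, upper, lower, digit, special.
INJECTION = "' Or '1'='1'; --"


def meets_complexity_policy(pw: str) -> bool:
    """The kind of rule slide 49 mocks: a length floor plus one of each class."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _fresh_db() -> sqlite3.Connection:
    """New in-memory database seeded with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(user: str, pw: str) -> bool:
    """Vulnerable form: the password is spliced into the SQL text, so SQLite
    parses it as part of the statement (slide 47's 'data as code')."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (user, pw))
    return _fresh_db().execute(sql).fetchone()[0] > 0


def login_param(user: str, pw: str) -> bool:
    """Hardened form: bound parameters keep the password as data no matter
    what it contains, so the injection string is just a wrong password."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return _fresh_db().execute(sql, (user, pw)).fetchone()[0] > 0


if __name__ == "__main__":
    for pw in ("Password1!", INJECTION):
        print(f"{pw!r:22} policy={meets_complexity_policy(pw)} "
              f"concat={login_concat('alice', pw)} "
              f"param={login_param('alice', pw)}")
```

The complexity policy accepts both strings; only the parameterized query tells them apart, which is the whole of slide 49's joke.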
  • 50. To Master Impact
     See the system as a graph of lists sorted by time.
     Know what matters in the system.
     Use the details to break the system.
     When the system will not break, change the game.
  • 52. Impact: Master The Graph
     Seeing the system as a graph allows direct access to what is most impactful for the system.
  • 54. To Master Ken
     Know yourself and share ideas and creations.
     Ask to know and understand others.
     Use impacts to connect yourself to others faster.
     Seek the patterns that allow you to extend your vision and knowledge.
  • 55. To Master Ken
     In cooperation:
        Use your ken to help others see what they cannot.
        Ask to be shown what you cannot see.
     In conflict:
        Find the blind spots.
        Where someone is blind they cannot defend.
  • 57. Ken: Test for Echo
     Step out of the echo chamber from time to time.
     Find people who have problems you’ll never have.
     Listen to them.
     See how much you can share, but more importantly see what comes back when you do.
  • 58. Takeaways
     We have the ears of very important people.
     It is easy to lose a voice at the table if we constantly echo the same message, over-focused on details.
     Building a better tomorrow requires more than details and impact.
     It requires understanding our own ken.
     I hope this talk has extended yours.