15. It doesn't matter why it's hard.
Just matters that it is.
Human factors matter.
16. "Doctors are gentlemen, and
gentlemen's hands are clean"
From the great debates regarding the Germ Theory of Medicine
You really don't want to know about the history of Anesthesia.
17. Germ Theory: How does it spread,
what keeps it sterile?
==
Well Defined Interfaces
Known Good State
PRACTICAL
PRACTICAL
PRACTICAL
18. They measured. They monitored.
They learned. They rebooted.
Those white coats? Symbolic.
19. Infosec did not invent "Snake Oil"
We used to take actual snakes, and
press them into actual oil.
20. ACTUAL CHINESE SNAKE OIL WORKS
Snakes are expensive…
Nobody could tell the difference…
Didn't yet have the analytical chem…
AWKWARD HYPERMETAPHORICAL HISTORY IS AWKWARD
21. "Modeling How Students Learn to
Program"
If you don't learn it in week 2, you're
going to fail in week 7.
{piech, sahami, koller, coopers}@cs.stanford.edu, paulob@stanford.edu
31. Phishing is a technology failure.
Microsoft Windows Technical
Support isn't walking into the office.
32. Phishing happens because victims
can't authenticate the caller but need
to trust them anyway.
Phones don't just ring once, and
INBOX is not ZERO.
33. Bad APIs are bad.
Bad APIs are bad not just if they
break machines, but when they
break people.
I mean, the machine's next.
34. Human factors aren't an extra point.
They are the point.
Nobody intended that buffer to
overflow.
36. It's not just security.
Other fields are easier to measure.
We have to fight harder.
37. Hacker Latency is a problem.
We can't keep taking years to find
things.
38. "NIH for Cyber" ==
Volunteer Firefighting is cool, but we
don't have the guy who fights cancer
Nerds, stable funding, a mandate to measure and repair this Internet
45. So letâs.
JFE: Jump to Full Encryption
# ./jfe -D
There, all services, all ports, valid cert, if a client wants working encryption it's
there, system-wide
46. I mean, you could do all this configuration…
64. If we can't trust the cloud, we should
dramatically improve isolation.
If we can trust the cloud, we should
dramatically adopt its isolation. It's
way better than ours.
65. Clouds are not JBOS. They're
services with authenticated
semantics.
Isolation becomes someone else's problem
Amazon is better at running servers than you are, for all values you in this room
66. Ratelocking: Rate Limiting w/
Serverless Cloud Assets.
$20 in the cash register, not all
corporate earnings.
3 logins every 10 seconds. Not 500M
67. Let the cloud make your server
getting compromised, a
survivable event.
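The ratelocking idea above (a small, fixed budget of attempts per account per window, and a global cap so a compromised front end can only spend "the $20 in the register") is shown here as an added example; it is not code from the talk or from any serverless platform. It assumes a sliding-window counter, the slide's figure of 3 logins per 10 seconds as the per-account limit, and a constructed global limit; the login attempts fed to it are constructed for illustration.

```python
from collections import deque

class Ratelock:
    """Sliding-window rate limiter with two budgets (assumed design):
    - per_key_limit admissions per `window` seconds for each key (e.g. an account)
    - global_limit admissions per `window` seconds across all keys,
      i.e. the total loss a front end can incur before the lock closes.
    Timestamps are passed in explicitly so the logic is deterministic and testable;
    in a serverless deployment the deques would live in a shared store instead.
    """

    def __init__(self, per_key_limit=3, global_limit=500, window=10.0):
        self.per_key_limit = per_key_limit
        self.global_limit = global_limit
        self.window = window
        self._per_key = {}        # key -> deque of admission timestamps
        self._global = deque()    # admission timestamps across all keys

    def _prune(self, q, now):
        # Drop admissions that have aged out of the window.
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()

    def allow(self, key, now):
        """Return True and record the attempt if both budgets have room."""
        q = self._per_key.setdefault(key, deque())
        self._prune(q, now)
        self._prune(self._global, now)
        if len(q) >= self.per_key_limit or len(self._global) >= self.global_limit:
            return False              # denied attempts do not consume budget
        q.append(now)
        self._global.append(now)
        return True


def simulate(attempts, **limits):
    """Run a list of (key, timestamp) attempts through a fresh Ratelock
    and return the allow/deny decision for each."""
    lock = Ratelock(**limits)
    return [lock.allow(key, t) for key, t in attempts]


# Constructed sample: one account hammered, then a quiet period.
ALICE_ATTEMPTS = [
    ("alice", 0.0), ("alice", 1.0), ("alice", 2.0), ("alice", 3.0),
    ("bob", 3.5),
    ("alice", 10.5), ("alice", 11.0), ("alice", 11.5),
]

# Constructed sample: many distinct accounts, so only the global cap bites.
SPRAY_ATTEMPTS = [("u%d" % i, float(i)) for i in range(6)] + [("u7", 10.5)]

if __name__ == "__main__":
    print(simulate(ALICE_ATTEMPTS))
    print(simulate(SPRAY_ATTEMPTS, global_limit=5))
```

Only admitted attempts count against a budget here, so a locked-out account cannot extend its own lockout; if the goal is to slow a brute-force rather than bound the loss, counting denied attempts too is the stricter variant.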
68. The APIs make it hard, so it hasn't
been getting done.
Let's make it easy.
71. The value prop of Open Source:
It is easier to find a solution on
GitHub, than from the team down
the hall. Or your own team last year.
None of us have unique problems.
72. We have to fix this.
We can fix this.
Whatever you can do, you can make
a difference here.
Let's #MakeSecurityEasy.
dan@doxpara.com or @dakami
I'm running hackathons, and gauging interest.