SlideShare ist ein Scribd-Unternehmen logo

Hushcon 2016 Keynote: Test for Echo

Deja vu Security
Deja vu Security

Deja vu Security CEO Adam Cecchetti was invited to present the keynote speech at this year's (sold-out!) Hushcon in Seattle. Rich in humorous anecdotes and practical analysis, Test For Echo explores the relationship between time, ken, and the future of computer security.

Technologie
1 von 59
Downloaden Sie, um offline zu lesen
HUSHCON 2016 KEYNOTE TEST FOR ECHO Adam Cecchetti Deja vu Security
Hello!  Adam Cecchetti  Deja vu Security : Founder, CEO  Peach Fuzzer : Founder, Chairman
Time: #3 Person of the Year
A Sense of Deja vu
Deja vu. Deja vu. Deja vu. Deja vu. Networks Applications Web Cloud Internet of Things (IoT) “The tubes are on fire!” “The desktop is on fire!” “The world is on fire!” “The sky is on fire!” “Your pants are on fire!”
Marketing!
The Problem is Big  The first step to recovery is the hardest.  Awareness is good, but it doesn’t cure cancer.  Security issues must be found they can’t be created.  Inherited, passed down the software genepool.  Plentiful, defense helps but we kick over more rocks.  Random, the future is asymmetrically secured.  Polymorphic, the tools we use to build systems are security issues.  We are going to have to start thinking differently.
Not That Differently
Tick, Tock.  Data movement is a cadence to how we’ve built things.  Echoes, the ghosts of usage models past.  We leave data and code everywhere users go.  User data replicates every decade or so. t Centralized Distributed 70’s 90’s 2010 2030 80’s 00’s 2020 Mainframe Web/Email Cloud Internet of Me PC Social Networks IoT
Security is a Snapshot in Time  Security is a snapshot in time.  Tomorrow is a new day full of drama on Twitter!  Today is a great day to deprecate a system.  Move user data to a safer and better place.  Hackers are unstoppable in 1995.  The closer the temporal snapshot to 1995 the better for hackers.  The person building the system decides the snapshot that is taken.  Protocols from 1995  Libraries from 2006  Binaries from 2014  A Linux build from 2016
You Wouldn’t March This Army Today
You Wouldn’t March This Army in 2116
Snapshot 1: 2002 vs 2016 Hackers
Snapshot 2 : 1995 vs 2016 Hackers
Computers are Awesome!  They don’t LET you do anything.  They DO anything!  And only things you tell them  CPU: AMMA that’s about Machine code to Microcode  Good luck with the rest! That’s not what I do!  General computation is good however it means:  No reliability, no availability, no security.  This includes anything we build.  Complexity leads to side effects and exploitation is programing with side effects.
Memory Leak in /dev/litterbox?!
We Are at an Odd Juncture  Mobile is eating all markets just like the PC did.  User habits are changing, again.  Web ate the rest of the world.  User data flows in new directions  And lingers in the eddies.  And for those of us left that still care about general computation we have to run unknown kernel and firmware exploits to program our phones.
Jail Broken
The Internet Finally Showed Up!  The amount of air gap between our lives and the Internet is shrinking daily.  Soon it will be gone. Good Riddance! Plug me in!  Unless you have decided to live in a cave.  And in another tick tock there’s still a chance it will have IP enabled bat guano.  Technology is awesome!  In 5 years my self driving car will live stream.  Localized live traffic video broadcasting and viewing is going to be a thing.  There are going to be people sitting in traffic watching other people sit in traffic around the world.
Live From the 520 Parking Lot…
Be Still My Beating Heart  The Internet of Me is coming soon.  I can’t wait until my heart has an IP address.  And firmware updates  And an app store to monetize!  Cardio Trainer+ 4.0  Now with Twitter Integration!  Cardio Trainer+ 4.0.1  Pushed a patch as some users were excessively twitching while Tweeting.  Move fast and break things is not what I want for addressable organs.
Everybody Bugs  Bugs happen.  They happen to the best.  They happen to the worst.  Imperfection is the proof of life and existence.  Mistakes are proof you actually did something.
How to Lose Normal People
Start with Details  “The buffer can overflow causing a corruption of the pointer which in turn is referenced by the vtable to cause code to jump to a known location as a result of ASLR being not compiled into a supporting DLL”  “The password is P@ssw0rd!”  “User A can access the details of User B”
CVE-2017 – Critical Bass Overflow
How to Get Things Flowing
Helping People Understand w/Impact  The user’s bank account can be drained.  One person cares.  The company can no longer perform transactions.  The entire company cares.  The car performs a J-turn at 60 mph during rush hour  1 news cycle.  The planes crashes  2 news cycles, 4 if they can’t find the plane.  The pacemaker stops and kills the user.  2 Federal Agencies + n pacemaker users care.  The power plant explodes.  People care until the lights come back on.
In an Age of Infinite Scroll
“Hacked a what? Oh, right.”
Ken  Ken /ken/ noun  “one's range of knowledge or sight”  “know”  How far you see.  How wide or narrow are you focused.  How much you understand.  How far someone else can see, focus, and understand.
Ken
Ken : My Ken
Ken : Your Ken
Ken : Our Ken
Admitting Blindness is Beaten Out of Us
Ken  Their Ken: I need to move 14,000 planes a day with 300 people in them each or the global economy stops.  My Ken: Planes can move in ways you don’t intend if you connect them to the Internet, might even crash.  Their Ken: Customers don’t like to crash.  My Ken: Less planes move if they crash.  Our Ken: Let make new planes that are easier to move, safer, and crash less.
Ken  Accepting WE > I  Knowing the range of my knowledge and vision enables me to spend our time better.  Knowing how to better understand the range of another’s vision helps us get to shared impact faster.  Then we can start sharing details.  If we want to keep our place at the table it is our job to extend our ken with everyone seated.
Testing for Echo
Test for Echo  You have lost if:  All you are hearing is your own words come back.  Things you already know.  Shared exchange of ken is shared extension.  Sustained echo is at best rapid construction of a chamber.  On a more than decade time scale it is slow death.
Details: Our Three Wins  Firewalls  Encryption  Two Factor Authentication
Impact: Three Extensions of Ken  Firewalls  I don’t want to run Ethernet cable in my house.  Wifi + Firewall = Win!  Encryption  I can’t make it to the bank or store today.  I need to work from home.  Commerce from home + encrypted tunnel = Win!  Two Factor Authentication  I don’t want to re-grind my character.  World of Warcraft = Win!
Ken: When Have We Won?  We’ve won the same way everyone else has.  When we’ve made someone’s life better they adopted a technology.  It happen to be more secure because we spent years working on the details.  If we want to get pedantic we used Trojan horses to backdoor security into people’s lives.  Applying security to a shift in user behavior.  This is better!  We defined that part of being better was more secure!
Ken: The users  Want to do the thing and will always want to do the thing.  Help the user keep doing the thing they want to do.
To Master Details  Do your research  Do not be afraid of the work  Do not be afraid to fail and never stop.  Hack fast, conserve bugs, never ever make a deal with a Blackhat.
Get to Work
Details: Data as Code  What do Cross Site Scripting, SQL Injection, and Buffer Overflows all have in common?  They are all data being interpreted as code.  Any place that user or machine controlled data is being used, interpreted, parsed; a security issue awaits.  This is big enough to master that you can spend multiple lifetimes right here.  We’ve actually started to make steps towards fixing this problem in some places.
Details: Gamers are Going to Game  Logical Issues require someone to game the system  Must try and understand all the unexpected behavior of the logic of the system.  Few good ways of automated testing here  The Meta Game  Attackers will continue to go for the weakest link  Unless the time vs. reward scenario is high  or the motivation .vs reward scenario is super high
Details: We Rely on Secrets  Password1!  Upper Lower, Numeric, Special!  Secure by most standards!  “ Or ‘1’=‘1’; --  Upper, Lower, Numeric, Special!  No key words!  16 characters!  Secure!  If not bad jumbles then bits generated by a machine given back to a machine!
To Master Impact  See the system as a graph of lists of sorted by time.  Know what matters in the system.  Use the details to break the system.  When the system will not break change the game.
Impact: Master The Graph
Impact: Master The Graph  Seeing the system as a graph allows direct access to what is most impactful for the system.
Impact: Master the Clock
To Master Ken  Know yourself and share ideas and creations.  Ask to know and understand others.  Use impacts to connect yourself to others faster.  Seek the patterns that allow you to extend your vision and knowledge.
To Master Ken  In cooperation:  Use your ken to help others see what they cannot.  Ask to be shown what you cannot see.  In conflict:  Find the blind spots.  Where someone is blind they cannot defend.
Mastering Ken
Ken: Test for Echo  Step out of the echo chamber from time to time.  Find people who have problems you’ll never have.  Listen to them.  See how much you can share, but more importantly see what comes back when you do.
Takeaways  We have the ears of very important people.  It is easy to lose a voice at the table if we constantly echo the same message over focused on details.  Building a better tomorrow requires more than details and impact.  It requires understanding our own ken.  I hope this talk has extended yours.
Thank You @adamcecc

Empfohlen

Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
adamdeja
 
Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentation
Jeff Zahn
 
Hack the book Mini
Hack the book MiniHack the book Mini
Hack the book Mini
Khairi Aiman
 
Intro to web 2.0 Security
Intro to web 2.0 SecurityIntro to web 2.0 Security
Intro to web 2.0 Security
JP Bourget
 
LISA18 - How to be your Security Team's Best Friend
LISA18 - How to be your Security Team's Best FriendLISA18 - How to be your Security Team's Best Friend
LISA18 - How to be your Security Team's Best Friend
EmilyGladstoneCole
 
Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017
Dan Kaminsky
 
The Two Generals Problem
The Two Generals ProblemThe Two Generals Problem
The Two Generals Problem
VoltDB
 
Women working with maize
Women working with maizeWomen working with maize
Women working with maize
Anna Taylor
 

Empfohlen

Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
adamdeja
 
Thane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentationThane Barnier MACE 2016 presentation
Thane Barnier MACE 2016 presentation
Jeff Zahn
 
Hack the book Mini
Hack the book MiniHack the book Mini
Hack the book Mini
Khairi Aiman
 
Intro to web 2.0 Security
Intro to web 2.0 SecurityIntro to web 2.0 Security
Intro to web 2.0 Security
JP Bourget
 
LISA18 - How to be your Security Team's Best Friend
LISA18 - How to be your Security Team's Best FriendLISA18 - How to be your Security Team's Best Friend
LISA18 - How to be your Security Team's Best Friend
EmilyGladstoneCole
 
Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017
Dan Kaminsky
 
The Two Generals Problem
The Two Generals ProblemThe Two Generals Problem
The Two Generals Problem
VoltDB
 
Women working with maize
Women working with maizeWomen working with maize
Women working with maize
Anna Taylor
 
Live Streaming and Virtual Reality in E-learning
Live Streaming and Virtual Reality in E-learningLive Streaming and Virtual Reality in E-learning
Live Streaming and Virtual Reality in E-learning
Shahar Boyayan
 
External Training
External TrainingExternal Training
External Training
Vincent Catapang
 
Blogging is Critical For Business Growth | Blog Management Program
Blogging is Critical For Business Growth | Blog Management ProgramBlogging is Critical For Business Growth | Blog Management Program
Blogging is Critical For Business Growth | Blog Management Program
Ascend Business Growth
 
What’s Trending in the Luxury Watch Industry?
What’s Trending in the Luxury Watch Industry?What’s Trending in the Luxury Watch Industry?
What’s Trending in the Luxury Watch Industry?
Fondation de la Haute Horlogerie
 
Specifying Drymix Mortars for High Quality Applications
Specifying Drymix Mortars for High Quality ApplicationsSpecifying Drymix Mortars for High Quality Applications
Specifying Drymix Mortars for High Quality Applications
MECandPMV
 
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterleRespostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
samuelsaocristovao
 
Hyperparameter Optimization - Sven Hafeneger
Hyperparameter Optimization - Sven HafenegerHyperparameter Optimization - Sven Hafeneger
Hyperparameter Optimization - Sven Hafeneger
sparktc
 
A wearables story mobile dev and test 2016
A wearables story mobile dev and test 2016A wearables story mobile dev and test 2016
A wearables story mobile dev and test 2016
GerieOwen
 
Deep Learning on Production with Spark
Deep Learning on Production with SparkDeep Learning on Production with Spark
Deep Learning on Production with Spark
Shu Wei Goh
 
DeepLearning4J and Spark: Successes and Challenges - François Garillot
DeepLearning4J and Spark: Successes and Challenges - François GarillotDeepLearning4J and Spark: Successes and Challenges - François Garillot
DeepLearning4J and Spark: Successes and Challenges - François Garillot
sparktc
 
Twitch Plays Pokémon: Twitch's Chat Architecture
Twitch Plays Pokémon: Twitch's Chat ArchitectureTwitch Plays Pokémon: Twitch's Chat Architecture
Twitch Plays Pokémon: Twitch's Chat Architecture
C4Media
 
제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기
제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기
제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기
NAVER D2
 
9 17-16 - when recommendation systems go bad - rec sys
9 17-16 - when recommendation systems go bad - rec sys9 17-16 - when recommendation systems go bad - rec sys
9 17-16 - when recommendation systems go bad - rec sys
Evan Estola
 
Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...
Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...
Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...
Paul Brown
 
Historia de la Informática
Historia de la InformáticaHistoria de la Informática
Historia de la Informática
xaquinvaleiro9
 
Digital Marketing Trends 2017
Digital Marketing Trends 2017Digital Marketing Trends 2017
Digital Marketing Trends 2017
Webrepublic
 
data science @NYT ; inaugural Data Science Initiative Lecture
data science @NYT ; inaugural Data Science Initiative Lecturedata science @NYT ; inaugural Data Science Initiative Lecture
data science @NYT ; inaugural Data Science Initiative Lecture
chris wiggins
 
3 Proven Sales Email Templates Used by Successful Companies
3 Proven Sales Email Templates Used by Successful Companies3 Proven Sales Email Templates Used by Successful Companies
3 Proven Sales Email Templates Used by Successful Companies
HubSpot
 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed Apidays
Ori Pekelman
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
Ori Pekelman
 
Move Fast and Fix Things
Move Fast and Fix ThingsMove Fast and Fix Things
Move Fast and Fix Things
Dan Kaminsky
 
A Digital Conversation: The Next Web
A Digital Conversation: The Next Web A Digital Conversation: The Next Web
A Digital Conversation: The Next Web
Reading Room
 

Weitere ähnliche Inhalte

Andere mochten auch

Live Streaming and Virtual Reality in E-learning
Live Streaming and Virtual Reality in E-learningLive Streaming and Virtual Reality in E-learning
Live Streaming and Virtual Reality in E-learning
Shahar Boyayan
 
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterleRespostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
samuelsaocristovao
 
DeepLearning4J and Spark: Successes and Challenges - François Garillot
DeepLearning4J and Spark: Successes and Challenges - François GarillotDeepLearning4J and Spark: Successes and Challenges - François Garillot
DeepLearning4J and Spark: Successes and Challenges - François Garillot
sparktc
 

Andere mochten auch (18)

Live Streaming and Virtual Reality in E-learning
Live Streaming and Virtual Reality in E-learningLive Streaming and Virtual Reality in E-learning
Live Streaming and Virtual Reality in E-learning
 
External Training
External TrainingExternal Training
External Training
 
Blogging is Critical For Business Growth | Blog Management Program
Blogging is Critical For Business Growth | Blog Management ProgramBlogging is Critical For Business Growth | Blog Management Program
Blogging is Critical For Business Growth | Blog Management Program
 
What’s Trending in the Luxury Watch Industry?
What’s Trending in the Luxury Watch Industry?What’s Trending in the Luxury Watch Industry?
What’s Trending in the Luxury Watch Industry?
 
Specifying Drymix Mortars for High Quality Applications
Specifying Drymix Mortars for High Quality ApplicationsSpecifying Drymix Mortars for High Quality Applications
Specifying Drymix Mortars for High Quality Applications
 
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterleRespostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
Respostas do-livro-geometria-analitica-alfredo-steinbruch-e-paulo-winterle
 
Hyperparameter Optimization - Sven Hafeneger
Hyperparameter Optimization - Sven HafenegerHyperparameter Optimization - Sven Hafeneger
Hyperparameter Optimization - Sven Hafeneger
 
A wearables story mobile dev and test 2016
A wearables story mobile dev and test 2016A wearables story mobile dev and test 2016
A wearables story mobile dev and test 2016
 
Deep Learning on Production with Spark
Deep Learning on Production with SparkDeep Learning on Production with Spark
Deep Learning on Production with Spark
 
DeepLearning4J and Spark: Successes and Challenges - François Garillot
DeepLearning4J and Spark: Successes and Challenges - François GarillotDeepLearning4J and Spark: Successes and Challenges - François Garillot
DeepLearning4J and Spark: Successes and Challenges - François Garillot
 
Twitch Plays Pokémon: Twitch's Chat Architecture
Twitch Plays Pokémon: Twitch's Chat ArchitectureTwitch Plays Pokémon: Twitch's Chat Architecture
Twitch Plays Pokémon: Twitch's Chat Architecture
 
제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기
제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기
제5회 D2 CAMPUS SEMINAR - Go gopher 길들이기
 
9 17-16 - when recommendation systems go bad - rec sys
9 17-16 - when recommendation systems go bad - rec sys9 17-16 - when recommendation systems go bad - rec sys
9 17-16 - when recommendation systems go bad - rec sys
 
Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...
Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...
Educator’s Selfie: Analysis and Suggestions for Institutional Social Media Im...
 
Historia de la Informática
Historia de la InformáticaHistoria de la Informática
Historia de la Informática
 
Digital Marketing Trends 2017
Digital Marketing Trends 2017Digital Marketing Trends 2017
Digital Marketing Trends 2017
 
data science @NYT ; inaugural Data Science Initiative Lecture
data science @NYT ; inaugural Data Science Initiative Lecturedata science @NYT ; inaugural Data Science Initiative Lecture
data science @NYT ; inaugural Data Science Initiative Lecture
 
3 Proven Sales Email Templates Used by Successful Companies
3 Proven Sales Email Templates Used by Successful Companies3 Proven Sales Email Templates Used by Successful Companies
3 Proven Sales Email Templates Used by Successful Companies
 

Ähnlich wie Hushcon 2016 Keynote: Test for Echo

From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
Ori Pekelman
 
A Digital Conversation: The Next Web
A Digital Conversation: The Next Web A Digital Conversation: The Next Web
A Digital Conversation: The Next Web
Reading Room
 
Dec2018 istanbul-2
Dec2018 istanbul-2Dec2018 istanbul-2
Dec2018 istanbul-2
Chris Roberts
 
Secure encryption in a wiretapped future
Secure encryption in a wiretapped futureSecure encryption in a wiretapped future
Secure encryption in a wiretapped future
Michael Renner
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
NETWAYS
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
NETWAYS
 

Ähnlich wie Hushcon 2016 Keynote: Test for Echo (20)

From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed Apidays
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
 
Move Fast and Fix Things
Move Fast and Fix ThingsMove Fast and Fix Things
Move Fast and Fix Things
 
A Digital Conversation: The Next Web
A Digital Conversation: The Next Web A Digital Conversation: The Next Web
A Digital Conversation: The Next Web
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)
 
Usability Testing
Usability TestingUsability Testing
Usability Testing
 
Put Some SRE in Your Shipped Software
Put Some SRE in Your Shipped SoftwarePut Some SRE in Your Shipped Software
Put Some SRE in Your Shipped Software
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
 
Dec2018 istanbul-2
Dec2018 istanbul-2Dec2018 istanbul-2
Dec2018 istanbul-2
 
Secure encryption in a wiretapped future
Secure encryption in a wiretapped futureSecure encryption in a wiretapped future
Secure encryption in a wiretapped future
 
LeadDev NYC 2022: Calling Out a Terrible On-call System
LeadDev NYC 2022: Calling Out a Terrible On-call SystemLeadDev NYC 2022: Calling Out a Terrible On-call System
LeadDev NYC 2022: Calling Out a Terrible On-call System
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Chaos Engineering Without Observability ... Is Just Chaos
Chaos Engineering Without Observability ... Is Just ChaosChaos Engineering Without Observability ... Is Just Chaos
Chaos Engineering Without Observability ... Is Just Chaos
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineering
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
 
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped futureOSDC 2014: Michael Renner - Secure encryption in a wiretapped future
OSDC 2014: Michael Renner - Secure encryption in a wiretapped future
 

Kürzlich hochgeladen

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Kürzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

Hushcon 2016 Keynote: Test for Echo

  • 1. HUSHCON 2016 KEYNOTE TEST FOR ECHO Adam Cecchetti Deja vu Security
  • 2. Hello!  Adam Cecchetti  Deja vu Security : Founder, CEO  Peach Fuzzer : Founder, Chairman
  • 3. Time: #3 Person of the Year
  • 4. A Sense of Deja vu
  • 5. Deja vu. Deja vu. Deja vu. Deja vu. Networks Applications Web Cloud Internet of Things (IoT) “The tubes are on fire!” “The desktop is on fire!” “The world is on fire!” “The sky is on fire!” “Your pants are on fire!”
  • 7. The Problem is Big  The first step to recovery is the hardest.  Awareness is good, but it doesn’t cure cancer.  Security issues must be found they can’t be created.  Inherited, passed down the software genepool.  Plentiful, defense helps but we kick over more rocks.  Random, the future is asymmetrically secured.  Polymorphic, the tools we use to build systems are security issues.  We are going to have to start thinking differently.
  • 9. Tick, Tock.  Data movement is a cadence to how we’ve built things.  Echoes, the ghosts of usage models past.  We leave data and code everywhere users go.  User data replicates every decade or so. t Centralized Distributed 70’s 90’s 2010 2030 80’s 00’s 2020 Mainframe Web/Email Cloud Internet of Me PC Social Networks IoT
  • 10. Security is a Snapshot in Time  Security is a snapshot in time.  Tomorrow is a new day full of drama on Twitter!  Today is a great day to deprecate a system.  Move user data to a safer and better place.  Hackers are unstoppable in 1995.  The closer the temporal snapshot to 1995 the better for hackers.  The person building the system decides the snapshot that is taken.  Protocols from 1995  Libraries from 2006  Binaries from 2014  A Linux build from 2016
  • 11. You Wouldn’t March This Army Today
  • 12. You Wouldn’t March This Army in 2116
  • 13. Snapshot 1: 2002 vs 2016 Hackers
  • 14. Snapshot 2 : 1995 vs 2016 Hackers
  • 15. Computers are Awesome!  They don’t LET you do anything.  They DO anything!  And only things you tell them  CPU: AMMA that’s about Machine code to Microcode  Good luck with the rest! That’s not what I do!  General computation is good however it means:  No reliability, no availability, no security.  This includes anything we build.  Complexity leads to side effects and exploitation is programing with side effects.
  • 16. Memory Leak in /dev/litterbox?!
  • 17. We Are at an Odd Juncture  Mobile is eating all markets just like the PC did.  User habits are changing, again.  Web ate the rest of the world.  User data flows in new directions  And lingers in the eddies.  And for those of us left that still care about general computation we have to run unknown kernel and firmware exploits to program our phones.
  • 19. The Internet Finally Showed Up!  The amount of air gap between our lives and the Internet is shrinking daily.  Soon it will be gone. Good Riddance! Plug me in!  Unless you have decided to live in a cave.  And in another tick tock there’s still a chance it will have IP enabled bat guano.  Technology is awesome!  In 5 years my self driving car will live stream.  Localized live traffic video broadcasting and viewing is going to be a thing.  There are going to be people sitting in traffic watching other people sit in traffic around the world.
  • 20. Live From the 520 Parking Lot…
  • 21. Be Still My Beating Heart  The Internet of Me is coming soon.  I can’t wait until my heart has an IP address.  And firmware updates  And an app store to monetize!  Cardio Trainer+ 4.0  Now with Twitter Integration!  Cardio Trainer+ 4.0.1  Pushed a patch as some users were excessively twitching while Tweeting.  Move fast and break things is not what I want for addressable organs.
  • 22. Everybody Bugs  Bugs happen.  They happen to the best.  They happen to the worst.  Imperfection is the proof of life and existence.  Mistakes are proof you actually did something.
  • 23. How to Lose Normal People
  • 24. Start with Details  “The buffer can overflow causing a corruption of the pointer which in turn is referenced by the vtable to cause code to jump to a known location as a result of ASLR being not compiled into a supporting DLL”  “The password is P@ssw0rd!”  “User A can access the details of User B”
  • 25. CVE-2017 – Critical Bass Overflow
  • 26. How to Get Things Flowing
  • 27. Helping People Understand w/Impact  The user’s bank account can be drained.  One person cares.  The company can no longer perform transactions.  The entire company cares.  The car performs a J-turn at 60 mph during rush hour  1 news cycle.  The planes crashes  2 news cycles, 4 if they can’t find the plane.  The pacemaker stops and kills the user.  2 Federal Agencies + n pacemaker users care.  The power plant explodes.  People care until the lights come back on.
  • 28. In an Age of Infinite Scroll
  • 29. “Hacked a what? Oh, right.”
  • 30. Ken  Ken /ken/ noun  “one's range of knowledge or sight”  “know”  How far you see.  How wide or narrow are you focused.  How much you understand.  How far someone else can see, focus, and understand.
  • 31. Ken
  • 32. Ken : My Ken
  • 33. Ken : Your Ken
  • 34. Ken : Our Ken
  • 35. Admitting Blindness is Beaten Out of Us
  • 36. Ken  Their Ken: I need to move 14,000 planes a day with 300 people in them each or the global economy stops.  My Ken: Planes can move in ways you don’t intend if you connect them to the Internet, might even crash.  Their Ken: Customers don’t like to crash.  My Ken: Less planes move if they crash.  Our Ken: Let make new planes that are easier to move, safer, and crash less.
  • 37.
  • 38. Ken  Accepting WE > I  Knowing the range of my knowledge and vision enables me to spend our time better.  Knowing how to better understand the range of another’s vision helps us get to shared impact faster.  Then we can start sharing details.  If we want to keep our place at the table it is our job to extend our ken with everyone seated.
  • 40. Test for Echo  You have lost if:  All you are hearing is your own words come back.  Things you already know.  Shared exchange of ken is shared extension.  Sustained echo is at best rapid construction of a chamber.  On a more than decade time scale it is slow death.
  • 41. Details: Our Three Wins  Firewalls  Encryption  Two Factor Authentication
  • 42. Impact: Three Extensions of Ken  Firewalls  I don’t want to run Ethernet cable in my house.  Wifi + Firewall = Win!  Encryption  I can’t make it to the bank or store today.  I need to work from home.  Commerce from home + encrypted tunnel = Win!  Two Factor Authentication  I don’t want to re-grind my character.  World of Warcraft = Win!
  • 43. Ken: When Have We Won?  We’ve won the same way everyone else has.  When we’ve made someone’s life better they adopted a technology.  It happen to be more secure because we spent years working on the details.  If we want to get pedantic we used Trojan horses to backdoor security into people’s lives.  Applying security to a shift in user behavior.  This is better!  We defined that part of being better was more secure!
  • 44. Ken: The users  Want to do the thing and will always want to do the thing.  Help the user keep doing the thing they want to do.
  • 45. To Master Details  Do your research  Do not be afraid of the work  Do not be afraid to fail and never stop.  Hack fast, conserve bugs, never ever make a deal with a Blackhat.
  • 47. Details: Data as Code  What do Cross Site Scripting, SQL Injection, and Buffer Overflows all have in common?  They are all data being interpreted as code.  Any place that user or machine controlled data is being used, interpreted, parsed; a security issue awaits.  This is big enough to master that you can spend multiple lifetimes right here.  We’ve actually started to make steps towards fixing this problem in some places.
  • 48. Details: Gamers are Going to Game  Logical Issues require someone to game the system  Must try and understand all the unexpected behavior of the logic of the system.  Few good ways of automated testing here  The Meta Game  Attackers will continue to go for the weakest link  Unless the time vs. reward scenario is high  or the motivation .vs reward scenario is super high
  • 49. Details: We Rely on Secrets  Password1!  Upper Lower, Numeric, Special!  Secure by most standards!  “ Or ‘1’=‘1’; --  Upper, Lower, Numeric, Special!  No key words!  16 characters!  Secure!  If not bad jumbles then bits generated by a machine given back to a machine!
  • 50. To Master Impact  See the system as a graph of lists of sorted by time.  Know what matters in the system.  Use the details to break the system.  When the system will not break change the game.
  • 52. Impact: Master The Graph  Seeing the system as a graph allows direct access to what is most impactful for the system.
  • 54. To Master Ken  Know yourself and share ideas and creations.  Ask to know and understand others.  Use impacts to connect yourself to others faster.  Seek the patterns that allow you to extend your vision and knowledge.
  • 55. To Master Ken  In cooperation:  Use your ken to help others see what they cannot.  Ask to be shown what you cannot see.  In conflict:  Find the blind spots.  Where someone is blind they cannot defend.
  • 57. Ken: Test for Echo  Step out of the echo chamber from time to time.  Find people who have problems you’ll never have.  Listen to them.  See how much you can share, but more importantly see what comes back when you do.
  • 58. Takeaways  We have the ears of very important people.  It is easy to lose a voice at the table if we constantly echo the same message over focused on details.  Building a better tomorrow requires more than details and impact.  It requires understanding our own ken.  I hope this talk has extended yours.