we have to t st t r t t t
play

We have to t st t rt tt - PDF document

Feb 19, 2023 •411 likes •906 views

We have to t st t rt tt r so that we can catch terrorists, drug dealers, pedophiles, and organized criminals. Some of this data is sent

  1. We have to ✇❛t❝❤ ❛♥❞ ❧✐st❡♥ t♦ ❡✈❡r②t❤✐♥❣ t❤❛t ♣❡♦♣❧❡ ❛r❡ ❞♦✐♥❣ so that we can catch terrorists, drug dealers, pedophiles, and organized criminals. Some of this data is sent unencrypted through the Internet, or sent encrypted to a company that passes the data along to us, but we learn much more when we have ❝♦♠♣r❡❤❡♥s✐✈❡ ❞✐r❡❝t ❛❝❝❡ss t♦ ❤✉♥❞r❡❞s ♦❢ ♠✐❧❧✐♦♥s ♦❢ ❞✐s❦s ❛♥❞ s❝r❡❡♥s ❛♥❞ ♠✐❝r♦♣❤♦♥❡s ❛♥❞ ❝❛♠❡r❛s .

  2. This talk explains how we’ve successfully manipulated the world’s software ecosystem to ensure our continuing access to this wealth of data. This talk will not cover our efforts against encryption, and will not cover our hardware back doors. Making sure software stays insecure Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

  3. Some important clarifications: 1. “We” doesn’t include me. I want secure software.

  4. Some important clarifications: 1. “We” doesn’t include me. I want secure software. 2. Their actions violate fundamental human rights.

  5. Some important clarifications: 1. “We” doesn’t include me. I want secure software. 2. Their actions violate fundamental human rights. 3. I don’t have evidence that they’ve deliberately manipulated the software ecosystem.

  6. Some important clarifications: 1. “We” doesn’t include me. I want secure software. 2. Their actions violate fundamental human rights. 3. I don’t have evidence that they’ve deliberately manipulated the software ecosystem. This talk is actually a thought experiment: how could an attacker manipulate the ecosystem for insecurity?

  7. Distract managers, sysadmins, etc. Identify activities that can’t produce secure software but that can nevertheless be marketed as “security”. Example: virus scanners. Divert attention, funding, human resources, etc. into “security”, away from actual security.

  8. Distract managers, sysadmins, etc. Identify activities that can’t produce secure software but that can nevertheless be marketed as “security”. Example: virus scanners. Divert attention, funding, human resources, etc. into “security”, away from actual security. People naturally do this. Attacker investment is magnified. Attack discovery is unlikely.

  9. 2014 NIST “Framework for improving critical infrastructure cybersecurity”: “Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. ✿ ✿ ✿

  10. 2014 NIST “Framework for improving critical infrastructure cybersecurity”: “Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. ✿ ✿ ✿ The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.”

  11. “This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.”

  12. “This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.” ✎ “Identify.” e.g. inventory your PCs.

  13. “This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.” ✎ “Identify.” e.g. inventory your PCs. ✎ “Protect.” e.g. inventory your humans.

  14. “This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.” ✎ “Identify.” e.g. inventory your PCs. ✎ “Protect.” e.g. inventory your humans. ✎ “Detect.” e.g. install an IDS.

  15. “This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.” ✎ “Identify.” e.g. inventory your PCs. ✎ “Protect.” e.g. inventory your humans. ✎ “Detect.” e.g. install an IDS. ✎ “Respond.” e.g. coordinate with CERT.

  16. “This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.” ✎ “Identify.” e.g. inventory your PCs. ✎ “Protect.” e.g. inventory your humans. ✎ “Detect.” e.g. install an IDS. ✎ “Respond.” e.g. coordinate with CERT. ✎ “Recover.” e.g. “Reputation is repaired.”

  17. Categories inside “Protect”: ✎ “Access Control”. ✎ “Awareness and Training”. ✎ “Data Security”. e.g. inventory your data. ✎ “Information Protection Processes and Procedures”. e.g. inventory your OS versions. ✎ “Maintenance”. ✎ “Protective Technology”. e.g. review your audit logs.

  18. Categories inside “Protect”: ✎ “Access Control”. ✎ “Awareness and Training”. ✎ “Data Security”. e.g. inventory your data. ✎ “Information Protection Processes and Procedures”. e.g. inventory your OS versions. ✎ “Maintenance”. ✎ “Protective Technology”. e.g. review your audit logs. Subcategories in Framework: 98. ✿ ✿ ✿ promoting secure software: 0.

  19. Categories inside “Protect”: ✎ “Access Control”. ✎ “Awareness and Training”. ✎ “Data Security”. e.g. inventory your data. ✎ “Information Protection Processes and Procedures”. e.g. inventory your OS versions. ✎ “Maintenance”. ✎ “Protective Technology”. e.g. review your audit logs. Subcategories in Framework: 98. ✿ ✿ ✿ promoting secure software: 0. This is how the money is spent.

  20. Distract users e.g. “Download only trusted applications from reputable sources or marketplaces.” e.g. “Be suspicious of unknown links or requests sent through email or text message.” e.g. “Immediately report any suspect data or security breaches to your supervisor and/or authorities.” e.g. “Ideally, you will have separate computers for work and personal use.”

  21. Distract programmers Example: automatic low-latency software “security” updates.

  22. Distract programmers Example: automatic low-latency software “security” updates. Marketing: “security” is defined by public security holes . Known hole in Product 2014.06? Update now to Product 2014.07!

  23. Distract programmers Example: automatic low-latency software “security” updates. Marketing: “security” is defined by public security holes . Known hole in Product 2014.06? Update now to Product 2014.07! To help the marketing, publicize actual attacks that exploit public security holes.

  24. Distract programmers Example: automatic low-latency software “security” updates. Marketing: “security” is defined by public security holes . Known hole in Product 2014.06? Update now to Product 2014.07! To help the marketing, publicize actual attacks that exploit public security holes. Reality: Product 2014.07 also has security holes that attackers are exploiting.

  25. Distract researchers Example: When researcher finds attack showing that a system is insecure, create a competition for the amount of damage . “You corrupted only one file?” “How many users are affected?” “Do you really expect an attacker to use 100 CPU cores for a month just to break this system?”

  26. Distract researchers Example: When researcher finds attack showing that a system is insecure, create a competition for the amount of damage . “You corrupted only one file?” “How many users are affected?” “Do you really expect an attacker to use 100 CPU cores for a month just to break this system?” ✮ More attack papers!

  27. Discourage security Tell programmers that “100% security is impossible” so they shouldn’t even try.

  28. Discourage security Tell programmers that “100% security is impossible” so they shouldn’t even try. Tell programmers that “defining security is impossible” so it can’t be implemented.

  29. Discourage security Tell programmers that “100% security is impossible” so they shouldn’t even try. Tell programmers that “defining security is impossible” so it can’t be implemented. Hide/dismiss/mismeasure security metric #1.

  30. Discourage security Tell programmers that “100% security is impossible” so they shouldn’t even try. Tell programmers that “defining security is impossible” so it can’t be implemented. Hide/dismiss/mismeasure security metric #1. Prioritize compatibility, “standards”, speed, etc. e.g.: “An HTTP server in the kernel is critical for performance.”

  31. What is security? Integrity policy #1: Whenever the computer shows me a file, it also tells me the source of the file. e.g. If Eve creates a file and convinces the computer to show me the file as having source Frank then this policy is violated. I have a few other security policies, but this is my top priority.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John

Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John

Keypad: Auditing Encrypted Filesystem for Theft-prone Devices Roxana Geambasu John P. John Steve Gribble Yoshi Kohno Hank Levy University of Washington The Move to Small, Powerful, Mobile Devices Small, powerful mobile devices are

363 views • 25 slides
A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company

A Building Block Approach to Intrusion Detection Mark J. Crosbie Hewlett-Packard Company mark_crosbie@hp.com Benjamin A. Kuperman CERIAS, Purdue University kuperman@cerias.purdue.edu http://www.hp.com/products/security/ids/ RAID 2001

485 views • 14 slides
Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

CSE/ISE 311: Systems Administra5on Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems Administra5on Outline Introduc$on Finding log files Syslog:

547 views • 21 slides
CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020 HOW OUR WAYS OF

CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020 HOW OUR WAYS OF

CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020 HOW OUR WAYS OF WORKING HAVE CHANGED Social distancing means working from home is the norm Substantially more reliant on IT to engage internally and externally,

884 views • 17 slides
Top 3 Tech Challenges of 2019 AEC industry report reveals which data points will make or break

Top 3 Tech Challenges of 2019 AEC industry report reveals which data points will make or break

Top 3 Tech Challenges of 2019 AEC industry report reveals which data points will make or break your business Presented by Marge Hart, VP, Product Management Sponsored by MA MARGE HA E HART VP, Product Management 20 years experience with

569 views • 30 slides
Planning and Research Peer Engagement Group October 2020 Data-Driven Justice Johnson County,

Planning and Research Peer Engagement Group October 2020 Data-Driven Justice Johnson County,

Data-Driven Ju Justice: Planning and Research Peer Engagement Group October 2020 Data-Driven Justice Johnson County, Iowa David Schwindt david-schwindt@iowa-city.org Existing Data vs New Data Housing First Study Housing First Study

620 views • 34 slides
Prioritization of Tasks integrated Rule Oriented Data System Reagan Moore {moore, sekar, mwan,

Prioritization of Tasks integrated Rule Oriented Data System Reagan Moore {moore, sekar, mwan,

Prioritization of Tasks integrated Rule Oriented Data System Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine, sheauc}@diceresearch.org {chienyi, marciano, michael_conway}@email.unc.edu 1 Future Development Development of

689 views • 20 slides
Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice

Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice

Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice University Everyone has logs Tamper evident solutions Current commercial solutions Write only hardware appliances Security depends on

1.32k views • 82 slides
Evidence-Based Elections CDAR Risk Seminar Philip B. Stark 15 September 2020 University of

Evidence-Based Elections CDAR Risk Seminar Philip B. Stark 15 September 2020 University of

Evidence-Based Elections CDAR Risk Seminar Philip B. Stark 15 September 2020 University of California, Berkeley 1 Many collaborators including (most recently) Andrew Appel, Josh Benaloh, Matt Bernhard, Michelle Blom, Andrew Conway, Rich

1.12k views • 100 slides
JSONB AUDITS PRO & CONTRA WIR HABEN EINEN TRAUM DIE STAUFREIE STADT 2

JSONB AUDITS PRO & CONTRA WIR HABEN EINEN TRAUM DIE STAUFREIE STADT 2

Felix Kunde and Petra Sauer JSONB AUDITS PRO & CONTRA WIR HABEN EINEN TRAUM DIE STAUFREIE STADT 2 Wirtschaftsatlas Berlin In the GIS scene more and more users are interested in data curation. Data creation has been too

909 views • 31 slides
The Battle for Principles & concepts Trust and DREs Accountable Voting Voter

The Battle for Principles & concepts Trust and DREs Accountable Voting Voter

Outline The Battle for Principles & concepts Trust and DREs Accountable Voting Voter verifiable audit trail Systems Future Conclusion Prof. David L. Dill Department of Computer Science Stanford University

298 views • 7 slides
CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Recall the rules 1. Understand the requirements 2. Make it fail 3. Simplify the test case 4. Read the right error message 5. Check the plug 6.

637 views • 20 slides
SWALA Evaluation and the Audit Trail Emily Heard Head of Procurement, Competition and State Aid

SWALA Evaluation and the Audit Trail Emily Heard Head of Procurement, Competition and State Aid

SWALA Evaluation and the Audit Trail Emily Heard Head of Procurement, Competition and State Aid Bevan Brittan 7 June 2016 Overview General principles A practical example The audit trail General principles (1) TFEU

828 views • 24 slides
Multi-Party Function Evaluation with Perfectly Private Audit Trail Edouard Cuvelier &

Multi-Party Function Evaluation with Perfectly Private Audit Trail Edouard Cuvelier &

Multi-Party Function Evaluation with Perfectly Private Audit Trail Edouard Cuvelier & Olivier Pereira Universit e catholique de Louvain ICTEAM Crypto Group 1348 Louvain-la-Neuve Belgium UCL Crypto Group SDTA - December 2014

781 views • 35 slides
Final blow before Tea! Atif Rahman Twitter: @mantaq10 Zetaris www.zetaris.com Data Exchanged

Final blow before Tea! Atif Rahman Twitter: @mantaq10 Zetaris www.zetaris.com Data Exchanged

I was like her according to her; We were both outliers Privacy Preserved Data Augmentation using Enterprise Data Fabric Final blow before Tea! Atif Rahman Twitter: @mantaq10 Zetaris www.zetaris.com Data Exchanged (without consent) GPS

559 views • 39 slides
Moral Responsibility and Technology Agent : The entity that performs the action and causes

Moral Responsibility and Technology Agent : The entity that performs the action and causes

Moral Responsibility and Technology Agent : The entity that performs the action and causes something to happen Patient: The entity that is affected by the action Moral responsibility: deals with the link between the agent and the

602 views • 3 slides
Open Source IAM using Fortress and OpenLDAP LDAPCon October 11, 2011 Shawn.McKinney@ Agenda

Open Source IAM using Fortress and OpenLDAP LDAPCon October 11, 2011 Shawn.McKinney@ Agenda

Open Source IAM using Fortress and OpenLDAP LDAPCon October 11, 2011 Shawn.McKinney@ Agenda Product vision Project status Functional gaps covered Features and technologies Installation and usage demo Where to get more

564 views • 23 slides
NOSCAM : NOSCAM : Sequential System Snapshot Service Sequential System Snapshot Service Ashish

NOSCAM : NOSCAM : Sequential System Snapshot Service Sequential System Snapshot Service Ashish

NOSCAM : NOSCAM : Sequential System Snapshot Service Sequential System Snapshot Service Ashish Gehani and Gershon Kedem Duke University Computer Science Introduction Internet survivability design Security of single node Growth of

435 views • 19 slides
QUALIT ITATIV IVE R RESEARCH T H TRADIT ITIO IONS How t to a address t the he d

QUALIT ITATIV IVE R RESEARCH T H TRADIT ITIO IONS How t to a address t the he d

QUALIT ITATIV IVE R RESEARCH T H TRADIT ITIO IONS How t to a address t the he d different nt a aims ms o of e evalu luation? n? Ge Gene neration o n of i inf nforma mation t n to a aid d decision-ma n-maki king

384 views • 16 slides
Keep Calm and Make Your Life Easy - Audit Trail, Quick Find, Credit Card Import, One Time Vendor

Keep Calm and Make Your Life Easy - Audit Trail, Quick Find, Credit Card Import, One Time Vendor

Keep Calm and Make Your Life Easy - Audit Trail, Quick Find, Credit Card Import, One Time Vendor and 1099 Vendor Accelerator www.sisn.com About SIS Founded in 1996, Headquarters Duluth, GA (Greater Atlanta) SIS (Strategic Industry Solutions)

206 views • 17 slides
How cloud platforms are automating payroll services for profit Rachel Hynes Ian Jenkinson The

How cloud platforms are automating payroll services for profit Rachel Hynes Ian Jenkinson The

Webinar Presenters How cloud platforms are automating payroll services for profit Rachel Hynes Ian Jenkinson The webinar will begin shortly. Marketing Senior Sales Executive Executive Questions & Answers Webinar Recording How cloud

222 views • 5 slides
How I Built an Access Management System Using Apache Directory Fortress Shawn McKinney Nov 18,

How I Built an Access Management System Using Apache Directory Fortress Shawn McKinney Nov 18,

How I Built an Access Management System Using Apache Directory Fortress Shawn McKinney Nov 18, 2016 ApacheCon EU, Seville Session Objectives Learn about some access management specifications Take an unflinching look at an open source

1.32k views • 102 slides
What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) About me

What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) About me

What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) About me Peter Czanik from Hungary Open Source Evangelist at One Identity -- home of syslog- ng and patron of sudo syslog-ng packaging, support,

421 views • 26 slides
Switching Safety September 4, 2019 Utility Week Asia We are Youtech US Inc A Subsidiary of

Switching Safety September 4, 2019 Utility Week Asia We are Youtech US Inc A Subsidiary of

Managing Infrastructure Security and Switching Safety September 4, 2019 Utility Week Asia We are Youtech US Inc A Subsidiary of Zhuhai Unitech Innovating, developing, and deploying safety and security solutions for over 30 years with

358 views • 14 slides

More recommend