“Choose two from freedom, convenience and security”
Speaking in the opening keynote at the Black Hat conference in Las Vegas, In-Q-Tel CISO Dan Geer covered a ten point policy to improve online security, including convergence, mandatory breach reporting and the right to be forgotten.
Admitting that everyone wishes this was taken as seriously, but admitted that it is taken usefully or corherently, he said “we never been more at the of forefront of policy” and that he wishes it was possible to keep security in “the minds eye”, but it was not possible and that phase has passed in the last six years.
He said: “We know it is going on everwhere and I am not keeping up with what is going on in my country, let alone 91 (the number of countries represented at Black Hat). Security has spread into every corner of daily life, and its footprint has surpassed everyone of us.”
Speaking on performance, he claimed that there are now numerous embedded systems, and as a result we “need remote management interfaces, or for them to have a finite lifetime”. He said: “If they live long enough they will be taken over. Home based routers display this exactly.
“You can get routers for $20 and they have not updated for a while, as they are not on the interior and the network is on the outside and only on the side facing ISPs. If you can build a botnet on routers, you can take down the internet.”
Asked if remote management would open a backdoor, he said it could, but you have a choice of it either living forever, or introducing remote management you could say that intersection is vulnerable. “The interface is a risk and an absent risk is a different set of risks and interface management is another piece,” he said.
Talking about secure software, Geer said that we “have to do something different”, but we don’t know how to do that, and it was either the vendor’s fault or you can do something to protect yourself. “We either let people protect themselves or you take it on, but I would like to give vendors some way to make a decision,” he said.
He also commented that he had seen applications which were 20GB and obviously wrriten by a machine yet it still had vulnerabilities, “so even machines write vulnerabilities”.
He later said that rather than being in a cyber war, we were in a “Cold Civil War”, and we need to determine on whose terms we accept solutions. Asked what he meant by that, he said that it is like a civil war as there is no shooting, but like the cold war as there is a lot of posturing