Time to Grow Up: Counterproductive Security Behaviors That Must End

Transcript

1. Time to Grow Up: Counterproductive Security Behaviors That Must End

   Chris Eng Countermeasure November 18, 2016 @chriseng

2. “A person who has not made his great contribution to

   science before the age of 30 will never do so.” — Albert Einstein

3. “People under 35 are the people who make change happen.

   People over 45 basically die in terms of new ideas.” — Vinod Khosla (co-founder, Sun Microsystems)

4. Like models, hackers wear a lot of black, think they

   are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade [sic], it is time to put down the disassembler and consider a relaxing job in management. http://pwnies.com/winners/

5. Dino Dai Zovi How you know that you are old

   in infosec: you remember when you were trying to get the world to care about improving security. @dinodaizovi https://twitter.com/dinodaizovi/status/783863023257518080

6. In lieu of the bio slide First computer: TI-99/4A First

   language: BASIC First software shipped: @stake WebProxy First modem: 1200 bps First security job: NSA First software cracked: “Skate or Die!” for PC First keynote: right now http://about.me/chriseng (if you insist on biographical info)
7. None

8. Security industry, current state http://www.picturesinboxes.com/2014/09/04/superman-jerk/

9. Your job today…

10. Failure

11. Self-portrait of security industry, ca. 2016

12. Infosec Taylor Swift “If it’s connected to the Internet, it’s

    already compromised.” (1) discourages security steps that work (2) defeatist (3) demonstrably false @SwiftOnSecurity https://twitter.com/SwiftOnSecurity/status/790703130321137664

13. Jeff Jarmoc In a relatively short time we’ve taken a

    system built to resist destruction by nuclear weapons and made it vulnerable to toasters. @jjarmoc https://twitter.com/jjarmoc/status/789637654711267328

14. Casey Ellis So, it’s like boxing — but your goal

    is to stay in the ring for as long as possible until you lose. Sound fun? @caseyjohnellis https://twitter.com/caseyjohnellis/status/785685415583887362

15. Consider doing differently Stop framing everything as failure Celebrate successes

    Avoid thinking in extremes Make useful suggestions Be honest about things we can do better

16. Perfection or Nothing

17. “Le mieux est l’ennemi du bien” (The best is the

    enemy of good) — Voltaire

18. Martin Fisher There is a bizarre false binary that says

    if you aren’t “secure” you’re “failing”. It's frustrating. @armorguy https://twitter.com/armorguy/status/768797512354279425

19. Darren Meyer If you’re a big enterprise then the security

    industry is your emotionally abusive spouse. @DarrenPMeyer (Slack DM, shared with permission)
20. None

21. David Shaw There have been a lot of issues with

    OpenSSL, too, but you don’t see people recommending plaintext. @dshaw_ https://twitter.com/dshaw_/status/758411021090336768

22. Matt Suiche Exploiting vulnerabilities 2006 versus 2016. Lots of mitigation

    had been put in place over the past 10 years. @msuiche https://twitter.com/msuiche/status/789072206554771456
23. None

24. Halvar Flake Time-to-exploit went from a day 15yrs ago to

    a week or so 10yrs ago to months now. @halvarflake https://twitter.com/halvarflake/status/789229987756969985

25. Mark Dowd I need a montage to write one nowadays.

    @mdowd https://twitter.com/mdowd/status/789230539806871552

26. Consider doing differently Beware false dichotomies Remember you’re allowed to

    iterate Apply the 80-20 rule (or 90- 10, or whatever)

27. Developers are…

28. Stupid Developers

29. John Wilander At #OWASPSummit: “Developers don't know shit about security”.

    Well, I got news. You don’t know shit about development. @johnwilander https://twitter.com/johnwilander/status/35031093161762816

30. Developer priorities Functions and features Uptime Performance Maintainability Usability Security

    http://appsandsecurity.blogspot.com/2011/02/security-people-vs-developers.html

31. Chris Eng We ended up finding the real “developer outreach”

    session. It had 4 people instead of 0! #OWASPSummit @chriseng https://twitter.com/chriseng/status/35701606616023040

32. Christien Rioux Developer Myth: if it was hard to write

    it should be hard to exploit. Hacker Myth: if it was easy to exploit it should be easy to fix. @dildog https://twitter.com/dildog/status/665574124564058112
33. None

34. “Instead of assuming that others share our principles, or trying

    to convince them to adopt ours, we ought to present our values as a means of pursuing theirs. It’s much easier to link our agendas to familiar values that people already hold.”

35. Proof it works

36. Consider doing differently Quit with the “developer fail” Learn about

    development process/workflow Call out your peers when they do it Understand your developers’ motivations

37. Victim Blaming

38. Just-World Hypothesis The idea that people need to believe one

    will get what one deserves so strongly that they will rationalize an inexplicable injustice by naming things the victim might have done to deserve it. https://psychcentral.com/encyclopedia/just-world-hypothesis/
39. None

40. Katie Moussouris It’s like watching people be mad at cancer

    patients for not fighting hard enough. @k8em0 (Twitter DM, shared with permission)

41. “Blame is the enemy of safety. … Assume nobody comes

    to work to do a bad job.” http://www.apta.com/mc/rail/previous/2011/Presentations/N-Leveson-A-Systems-Approach-to-Safety.pdf
42. None

43. Consider doing differently Stop being so gleeful about breaches Assume

    your people have good intentions Remember who the criminal is Look for systemic issues instead Empathy, not blame

44. Dogma

45. passwordistoostrong Warning: Your password policy must not contain more than

    6 bullet points. @PWTooStrong https://twitter.com/PWTooStrong/status/777929902993670146 (also see http://password-shaming.tumblr.com)

46. Clever analogy does not equal good advice (Twitter link redacted

    out of courtesy)

47. Avi Douglen Really any kind of cargo cult “Best Practice”,

    without risk analysis. Prescribing solutions before understanding the problem. @sec_tigger https://twitter.com/sec_tigger/status/784081180589232128

48. Wendy Nather Conventional wisdom in infosec assumes everyone has a

    standard set of pieces. Sometimes all you have to work with are 2 pawns and a penny. @RCISCwendy https://twitter.com/RCISCwendy/status/787378750631481344

49. Rob Graham The problem in infosec is that few accept

    the important fact that security is a tradeoff: effort spent on security means [effort not] spent elsewhere. @ErrataRob https://twitter.com/ErrataRob/status/787913823135076352

50. Pwn All The Things Spending any seconds at all on

    “weak SSL ciphers” when your website is still full of SQL injections. @pwnallthethings (Twitter DM, shared with permission)

51. “Basically, you’re either dealing with Mossad or not-Mossad. If your

    adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://.” http://scholar.harvard.edu/files/mickens/files/thisworldofours.pdf

52. “Obscurity as a layer can be used to enhance real

    security that already exists.” https://danielmiessler.com/study/security-by-obscurity/#gs.H=fo=_w

53. USENIX Security Happy 25th Anniversary USENIX Security Symposium! Hope to

    see everyone again at the 26th! #sec16 @USENIXSecurity https://twitter.com/USENIXSecurity/status/764220203525865473
54. None

55. Wendy Nather Try saying this: “This security choice doesn't look

    good to me, but I don't know all the internal risk analysis that went into it.” @RCISCwendy https://twitter.com/RCISCwendy/status/764594565617627136

56. Consider doing differently Resist the urge to present dogma as

    “best practices” Remember that security decisions are tradeoffs Avoid the phrase “best practices” whenever possible Don’t rush to judgment

57. Hacker Cred

58. Shawn Moyer The aggressiveness by which someone self identifies as

    a hacker is almost always inversely proportional to how much they are one. @shawnmoyer https://twitter.com/shawnmoyer/status/775756753644449792

59. https://www.flickr.com/photos/digitalgamemuseum/6120468075/ (CC BY 2.0)

60. Peter Pan Syndrome (not officially a DSM disorder)

61. Hey, y’all http://www.businessinsider.com/22-maps-that-show-the-deepest-linguistic-conflicts-in-america-2013-6

62. Embracing the stereotypical hacker mystique as a means of signaling

    “eliteness” (i.e. group membership)
63. None

64. Consider doing differently Act like adults Pragmatism, not paranoia Be

    humble Help us all get taken more seriously Think about how you’re being perceived

65. And More… Squirrels, thought leadership, stupid users, and sexism

66. Alex Stamos Not a single sample [from Operation Manul]... employed

    a 0-day. @alexstamos https://twitter.com/alexstamos/status/761264871778365443

67. 99% of attempted attacks impacted vulnerabilities for which an update

    was available. Or, put differently, 0-day vulnerabilities were barely relevant in the overall picture. https://blogs.technet.microsoft.com/mmpc/2011/10/10/new-microsoft-security-intelligence-report-volume-11-now-available/

68. Dave Aitel There's a dichotomy of things that are easy

    to scan for and things that are actually risky, and they are very different sets. POODLE is only really useful to the NSA. — Dave Aitel S4x16 Keynote, January 2016 @daveaitel https://www.youtube.com/watch?v=p1zSlUBfSUg

69. Jayson Street You’re not a rockstar. You’re a dentist. Get

    over yourself. @jaysonstreet https://twitter.com/RCISCwendy/status/790648162142871553 (Wendy’s tweet, Jayson’s quote)

70. Chris Eng Remember #RSAC #thoughtleaders, ask me for a ribbon...

    if you qualify (i.e. you've ever had a thought). :-) @chriseng https://twitter.com/chriseng/status/704143336290930689 http://tiny.cc/thoughtleader (n.b. some cultural references outdated)

71. John Bellomy Engineers don't let engineers design user interfaces. @cowbs

    https://twitter.com/cowbs/status/516045565847535616

72. British Gas Help We'd lose our security certificate if we

    allowed pasting. It could leave us open to a “brute force” attack. Thanks ^Steve @BritishGasHelp https://twitter.com/BritishGasHelp/status/463619139220021248

73. Adrienne Porter Felt My sister mistook Chrome’s red lock icon

    for a red purse. And you know what... she's totally right. So. Goddamn. @__apf__ https://twitter.com/__apf__/status/634858452309831680

74. Arne Roomann- Kurrik Next time you talk about trying to

    design something so simple your mother could use it try using a sewing machine you condescending shit. @kurrik https://twitter.com/kurrik/status/786395581237170176
75. None
76. None

77. The Persister is dedicated, observant, and conscientious. They believe that

    values are essential virtues. They are motivated by recognition of their convictions. As Persisters experience pressure and distress, they notice faults in others. They notice more of what is wrong than what is right. They may go on the attack, preaching to others from a strong belief system in a self-righteous and condescending manner.
78. None

79. We talked about some things Failure Hacker cred Perfection or

    nothing Squirrels Dogma Sexism Victim blaming Stupid users Stupid developers Thought leadership