BlackHatUSA 2017 Keynote: Alex Stamos

You have probably seen the Twitter posts about the lasers and smoke machines on display at BlackHatUSA's keynote speech on Wednesday. If you have not, then I can give you the very quick run-down: old-school hackers, who are very anti-conformist and anti-corporate, turned their noses up because BlackHatUSA's keynote showed how much bank they made.

Holla holla get dolla

And why shouldn't they? The Briefings Pass, which gets you into all of the talks, ran $2095 USD if you ordered before May 10th and $2795 USD if you bought a ticket at the door. Training Passes were also expensive, with additional costs for each workshop you attended. Jeff Moss, the founder of BlackHatUSA and DEF CON, admitted that BlackHatUSA is a conference aimed at professionals and is premium-priced for large corporations, because DEF CON's low barrier to entry made it harder for employees to sell the trip to their bosses.

While many old-school hackers stopped paying attention the moment they saw the smoke and lasers, I can say with certainty that the spectacle didn't diminish the experience for the stadium's full house. Jeff Moss gave a speech about how BlackHatUSA started, and how it got to be where it is today, with some self-aware humor sprinkled in. But what really mattered was what Facebook's CSO Alex Stamos had to say. Plenty of people have written about the speech already so I hope you're here for my Opinions™.

From my seat in Section 105 I waited to see what he saw as the community's values. The infosec community plays a gatekeeping role in the security industry, for better or worse. If you can't make friends and keep a good reputation, you won't survive long on your own.

The infosec community can have a large sway on the public's general security because of its role in developing the technologies end users rely on. However, bolting security on after the fact isn't enough anymore, and unless we make things secure by default, most of what we bolt on won't make a difference. The entire keynote boils down to a single theme: infosec is a community, and our values do not align with protecting people. We can and must do better.

Stamos calls out three behaviors that show that our values aren't about protecting people.

  1. Our culture focuses on complexity, not harm.
  2. We shame and punish imperfect solutions in an imperfect world.
  3. We don't engage the rest of the world effectively enough.

You've heard people scoff at a phishing email as not being a "sophisticated attack." You've probably heard malware analysts talk about how bad ransomware developers are at programming. When NSA 0-days show up, we all take the day off to analyze what they are and how they could be used. When malware begins spreading using old-hat red team tactics, we all yawn because we've seen it before.

How many lost their life savings to that phishing scam? What parents lost the only records of their child's infancy when ransomware-encrypted files couldn't be recovered? NSA 0-days are fun to talk about. Whom should we blame when mundane red team maneuvers get the best of an entire country?

From my, admittedly limited, time among infosec people I can say that the community as a whole makes the wrong choice when presented with each of these questions. We're intelligent people who love to solve problems and once we find a solution we move on. We tell people to bolt our solutions on top of whatever they already have without knowing what they have. But that isn't enough. If the infosec community really wants to help people they have to put their money where their mouth is and put these problems to bed.

Security Nihilism: A set of overlapping beliefs that assume attackers are perfect, that everyone has the same threat model, and that any compromise made to get a security feature more widely deployed should be considered a bug.

We need to avoid falling into the trap of security nihilism that Stamos described. Attackers take the path of least resistance because it is not only easier but also safer for them. We have to build better foundations for the technology everyday people rely on, so that those attacks can no longer reach them. We have to understand that our deep understanding of niche vulnerabilities doesn't solve the problems that affect the most users. We have to stop romanticizing complex theoretical attacks, point the media spotlight at the problems people encounter every day, and give them the tools to make intelligent choices about their situation and how to tackle those problems.

And you know what? That's hard. Security nihilism comes from a place of exasperation. We feel like we have been trying for so long and that nobody listens or cares and we are all so tired of it. I have talked to people and heard them describe why it can be so hard for them to put in the effort.

There are groups that deal with that problem every day: voicing real solutions and the human costs of ignoring them, and being ignored day after day. Life-long activists on all sorts of issues, from human rights to not getting shot by cops at random for literally no acceptable reason. Security nihilism is a real issue that we have to root out if we want to make things better.

I think that infosec advocates need to take some cues from other activists who have experience fighting long, unrewarding, but ultimately necessary fights. They might be able to help us make changes.
