Yesterday was the ‘Technology in Wartime’ conference, held at the Stanford Law School. Some of the topics were on autonomous robots, human rights, and cyberterrorism.

Bruce Schneier gave the keynote on Dual-Use Technologies. Here are my notes from his keynote:

  • Estonia was the first cyberwar.
  • Lots of technology is dual use.
  • In 24 hours, a worm tends to jump networks, even if they are physically separate.
  • GCHQ evaluated PGP and found a bug. They communicated to PGP and fixed it. Everyone benefits.
  • Our thinking of security is backwards. We assume it’s secure. People find bugs, company patches.
  • Assurance model – assume unreliable / insecure until you show me otherwise.
    • If you find a bug, your assurance mechanism and procedures are broken.
    • Lots of time and money involved with this change.
    • We don’t care if software crashes – It’s not life or death.
    • But a lot of software is in the middle – Bad things can happen.
  • So how can we make companies use secure coding practices in the SDLC and comply with the assurance model?
    • Consumers don’t have influence, but government and military do.
    • What about smaller companies?
  • Technology can help the attacker or help the defender.
    • It’s all about leverage.
    • Tech multiplies potential.
    • There are more attack tools available.
    • Biometric identification allows quick lookups.
    • Attackers are quicker to adapt to new technologies.
  • Four aspects on tech
    • Notion of tech as a helper – It mediates the communication between everything we do.
    • Notion of a class break – Once a piece of software breaks, you can find it everywhere. It’s not one-time use.
    • Notion of automation – Automation makes marginally successful attack good.
      • Separates skill from ability – script kiddies.
      • This comment reminds me of phishing.
    • Action from a distance – Physical attacks are based off proximity. The net has no notion of distance or place.
  • Equity issue – Do we tell them about it, or do we keep it for ourselves?
    • In the 1980s, the government kept it to themselves.
    • In the 1990s, the government fixed things because it’s better for the infrastructure.
    • After September 11, 2001, it reset it all.

Many of the talks were very interesting and thought-provoking. I especially enjoyed the talk on government wiretaps, and the ethics of offensive cyber warfare. I hope there are more events like this to continue the discussion.

The rest of my pictures can be found on flickr.