Technology in Wartime Conference

Yesterday was the 'Technology in Wartime' conference, held at the Stanford Law School. Some of the topics were on autonomous robots, human rights, and cyberterrorism.

Bruce Schneier gave the keynote on Dual-Use Technologies. Here are my notes from his keynote:

  • Estonia was the first cyberwar.
  • Lots of technology is dual use.
  • In 24 hours, a worm tends to jump networks, even if they are physically separate.
  • GCHQ evaluated PGP and found a bug. They communicated to PGP and fixed it. Everyone benefits.
  • Our thinking about security is backwards. We assume it's secure. People find bugs, company patches.
  • Assurance model – assume unreliable / insecure until you show me otherwise.
  • If you find a bug, your assurance mechanism and procedures are broken.
  • Lots of time and money involved with this change.
  • We don’t care if software crashes – It’s not life or death.
  • But a lot of software is in the middle – Bad things can happen.
  • So how can we make companies use secure coding practices in the SDLC and comply with the assurance model?
    • Consumers don’t have influence, but government and military do.
    • What about smaller companies?
  • Technology can help the attacker or help the defender.
    • It’s all about leverage.
    • Tech multiplies potential.
    • There are more attack tools available.
    • Biometric identification allows quick lookups.
    • Attackers are quicker to adapt to new technologies.
  • Four aspects on tech
    • Notion of tech as a helper – It mediates the communication between everything we do.
    • Notion of a class break – Once software breaks, you can find it everywhere. It's not one-time use.
    • Notion of automation – Automation makes a marginally successful attack good.
    • Separates skill from ability – script kiddies.
    • This comment reminds me of phishing.
  • Action from a distance – Physical attacks are based off proximity. The net has no notion of distance or place.
  • Equity issue – Do we tell them about it, or do we keep it for ourselves?
    • In the 1980s, the government kept it to themselves.
    • In the 1990s, the government fixed things because it's better for the infrastructure.
    • After September 11, 2001, it was all reset.

Many of the talks were very interesting and thought-provoking. I especially enjoyed the talk on government wiretaps, and the ethics of offensive cyber warfare. I hope there are more events like this to continue the discussion.

The rest of my pictures can be found on Flickr.

OWASP Stanford Meeting

Yesterday was the first meeting under the newly founded "OWASP Bay Area" chapter, which combines the San Francisco, San Jose, and East Bay chapters into one big one! The meeting was held at the beautiful Stanford Alumni Association Center.

Niels Provos presented on how Google detects malware from their web crawlers, and the ties to the safe browsing plugin. Jerry Yang, the co-founder of Yahoo!, was also present, and he asked some good questions. He seemed very interested in whether Google was doing this program for the greater good of the web, or if there was a business case for it.

The second talk was from a Stanford Ph.D. student. He gave some neat examples of how attackers can gain information from users. Some techniques he went over were iframes, mixed content behavior, cross-site request forgery, and DNS rebinding.

Both talks were excellent, and the crowd turnout was great. Another nice thing was the open bar :)

The next OWASP meeting will be in San Francisco; location to be determined soon. I took a few other pictures at this event, which can be viewed on Flickr.