Security

RSA Conference 2018: Tuesday Keynotes

Leave a comment

Keynotes on 30 second delay stream to public

RSA Announcements

Women in tech

Message of diversity

Microsoft Announcements

Call for a digital Geneva convention (https://twitter.com/BradSmi/status/831553031422386176)
– No targeting
– Assist private sector
– Limit offensive ops
– Restrict cyber weapons
– Non-proliferation
– Report vulns

Shipping a secure linux kernel because “Microsoft now is a Linux company”

Tech Sector Accord
– protect all users and customers everywhere
– oppose all cyberattacks on innocent citizens and enterprises
– provide tools and info to help community protect self
– deepen co-operation & information sharing between companies

Five-eyes are collaborating on blaming attack on North Korea

Message of unity: “It about trust…we need the world to come together”

Message of diversity. Bring different kinds of people together: “learn, change and grow” to “build a safer world”

Award Stuxnet: Michael Assante
Award Public Policy: Admiral Michael Rogers
Award Math: Ran Canetti, Rafail Ostrovsky
Award Humanitarian (created by yours truly): Tim Jenkin

McAfee

An ode to the Skyjacking Threatscape security evolution
1961 became a crime after Cuban revolution
1972 peak of hijacking, nuclear threat
1973 passenger and bag screening
2001 post-sept slow and long lines
2006 3-1-1
2009 underwear scans

User the airline model: “if you look to the air travel industry, obsessive about safety and security”

“Think about what you can take back from this to our offices…try to drive a culture where security gets prioritization it deserves.”

Cryptographer Panel

Moxie
Paul
Whit
Adi
Ron

Interesting year

Ron
– elections interest. central to democracy. crit infra.
– spectre attack

Adi
– lack of preciseness in research. crypto has theorem/proofs. no cyber equivalent. need quantitative

Whit
– memory of wife, elder of cryptography, partner enthusiasm. everyone loved mary. marty’s fondness
– mayland doyle. most influential cryptographer at RSA (sig sally pivotal to development of cryptography). worked on KI-1. designed crypto for KY-3 used for 30 years. KG-30 designed, long-cycle decrypters.

paul
– performance security tradeoffs. security gains have equalized with performance

moxie
– shift in perception of technology. connecting the world no longer utopian. cyber now seen as weapons not connecting

Bitcoin

Adi
– pronounce differently

Whit
– spell differently

Ron
– hashing for crypto far greater than for security

Whit
– space heaters based on crypto, amortized cost of hashing

Blockchains

Ron
– not pixie dust. interesting decentralized, public, immutable. fail at scale, throughput and latency
– really bad for voting because centralized and secretive. electronic database doesn’t allow verification by voters. paper is better choice

Adi
– overhyped. post-quantum world ensure security of digital signatures. 50 years valid guarantee of digital signatures. generated today before quantum computers available. doesn’t matter if new tech comes, show early generation of signature

Whit
– when you don’t have to have secrets you shouldn’t

Paul
– commercial applications

Moxie
– distributed nature is valuable, not many applications of that in real world. consumers see as zero value. distributed systems tend not to work. like P2P craze of 2000s

Quantum compute

Adi
– Microsoft talk, prediction of his boss. first qbit by end of year. computer in five years. distanced self from prediction.
– 82 proposals, 64 remain. three main groups. 26 proposals based on lattice. 19 based on coding theory. 9 based on multivariate. 3 based on hash-based. all schemes had to be nailed-down, fully specified. surprised by speed. most few milliseconds. some hundreds of microseconds. key sizes 1 and 10 kbytes.

Ron
– how many came from proofs?

Adi
– proofs were fairly weak. NIST will have hard time within three years professing a winner. took 15 years for RSA to be accepted. took 15 years for eliptic (1985 to 2000s). hard to design and tricky. fortunately one suggestion time-tested. post-quantum RSA

Whit and Adi get into a fight

Paul
– don’t omit looking for hash-based solutions for digital signatures

Adi
– NIST will choose one of the hash-based because evaluated a long time
– only incremental progress on computers, long away from something that will break crypto

Adi
– would accept improvement in any area. instead, silence

System level bypass

Paul
– found old presentation and noticed the exploit. noticed google had done same. found twice within a few months.
– who can fix hardware in process, who can notify? press leaks ended up in panic end to embargo. decision was made to release early. failed twice with embargo. need ethicists to create a roadmap

Adi
– worried we get to point massive amount of processors would be bricked. huge disaster

Paul
– we have a huge mess. guidance is instructions on all your paths. slow and tools don’t exist. lots of work to be done.
– in context lots of bugs. hardware bug doesn’t change aggregate issues

Ron
– hard to avoid leakage on shared systems

Paul
– we have to start bifurcating and dedicating hardware
– build systems with primary security objective

Apple iCloud hosting in China, with keys there

Adi
– not exceptional when everyone has access

Paul
– China in for surprise when their data gets hacked. won’t end well

Ron
– EU commission report in favor of strong encryption. back doors bad for security, as well as privacy

Moxie
– it’s easier to say i can’t instead of i won’t. hard to resist

Broader implications beyond China

Ron
– FBI wants access, but they didn’t try very hard to get into SB phones

Paul
– idea that you suck up all the data to make sense of it. these kinds of processes create risk by putting tools/data in one place. corporate level trade-offs easy to see. nation-wide scary

Adi
– telegram told give keys to russia. refused. telegram became illegal. banning schemes they don’t have master key for

Moxie
– easier to say i can’t than i won’t. if design without key, then can’t give

Facebook

Paul
– wasn’t in their interest to protect our data. risks we incur are not us. facebook made decision to hurt users. didn’t build system to protect users. companies that benefit won’t help

Whit
– economics. more money means weaker processors. same for databases

Paul
– Bain conclusions on cost to society

Moxie
– Facebook is the Exxon of our time. indispensable tool everyone despises. as much as everyone hates Exxon, dumps oil in ocean. Exxon is civilization and Facebook is the Internet. Facebook going through Exxon moment and people thinking better tech investment time

Adi
– EU fines for GDPR huge (4%). plan B of EU to tax american companies (couldn’t get it one way, so get it other way).
– interesting issues there. look into it because can impact

Moxie
– GDPR can entrench monopoly. good for them because refuse service if don’t consent, but they’re the internet

Adi
– goes beyond. privacy by design, default, mandatory encryption, right to erasure

Silver Linings in Cloud of Security

Ron
– we’re in era we feel attackers are winning. where are they focusing, what will we defend. 2/3 people on paper ballots. voting the hard way is the silver lining

Adi
– moving at high velocity. didn’t mention forward or backward. silver lining is our job security guaranteed

Whit
– don’t have to find new job

Paul
– band on the titanic is small silver lining. complexity growth will lose us the battle. better hardware is optimistic. more things than just crypto being robust. make a chip of low-chance of buggy

Moxie
– privacy and crypto tech less about shards of info, more like infrastructure for the world we want

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.