After the big success of the first Usenix Enigma conference in 2016 I set my mind on participating in 2017. Conveniently, I run the program committee of the Swiss Cyberstorm Conference (October 18, 2017), which gives me a good excuse to take a week off and fly to California. I landed during the #NoMuslimBan protests at US airports, enjoyed 2.5h of queue at the border and got the feeling this was not the same country I visited the last time around. But that is not our topic.
On Sunday, I did my share of sightseeing in San Francisco, and I do not want to bore you with the typical clichés, so I’ll make it brief. Hell yeah: San Francisco is steep (if this were Switzerland, the streets would have warning signs), the cheese selection at the buffet is splendid (and really good!) and the official wifi access in US hotels does indeed seem to be run by cutthroats (glad Usenix does a far better job).
I was joined by Keren Elazari (@k3r3n3) on the first day of the conference. Keren is hand-picking the @swisscyberstorm program together with me. Obviously, I can not cover all the talks I attended. So I will concentrate on those that rang a bell with me (and those which I actually understood. My background is in medieval history, so there are a few weak spots in my capacity for swallowing hard tech talks).
The first day started with Prof. and Turing award winner Manuel Blum addressing the uneasiness some of us feel when using the password managers we all rely on. There is a lot of trust going into these services and Prof. Blum for one does not trust them. He thus proposed a way to calculate (!) passwords in your head by using an easy-to-remember keyword and permuting it with a key. Yes, I am not joking and neither was he. I liked the general idea and the way he presented it all made me smile. But then he faced strong opposition from the audience and seemed to dodge most of the questions with what somebody called “permutations of obscurity”.
This was probably not doing him justice, but I am not convinced.
But then came Brad Hill from Facebook, who presented a solution to the password recovery problem that is often the Achilles heel of many otherwise decent authentication schemes. Most of these schemes somehow lead back to a single email address for most users, and the hacking of said mail account gives access to half a dozen if not more services via the means of password recovery and stupid questions (“What is your favorite color?”). Brad Hill announced an open, federated protocol that addresses this problem by setting up a decentralised way of password recovery without the use of SMS or email. This talk was very well received – not least because Facebook seems to be aware that “the industry” does not really want FB to “own” password recovery. So FB’s role is not central in this scheme. (See here for more information)
Ian Haken came next and he described the problem with storing secrets: There is a secret which you encrypt with a 2nd secret, which you then store and protect with the next secret, which you have to put on a different server, protected by a secret… He took a bit long in this talk to go over this problem again and again, but then he really came up with an interesting solution used by Netflix to bootstrap the initial secret. A redundant set of “secret-servers” hands out the secrets to the client servers. The clients submit their request together with signed meta-information they received from the cloud provider, which writes it into the client instance. The interesting idea is now that the “secret-servers” are able to bootstrap themselves via this service as well. So once the first of these services is up and running, its peers can be bootstrapped. This is chaos-monkey-proof and sounds very hot.
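To make the bootstrap idea concrete, here is an added toy model of that exchange (my own illustration, not Netflix’s code or anything from the talk). It assumes the cloud provider signs a small identity document it writes into each instance; the secret-server checks that signature and the instance’s role before handing anything out, and a fresh secret-server instance bootstraps its own master secret the same way. The HMAC with a shared key stands in for the provider’s real signature scheme.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the provider's signing key (assumption: HMAC instead of
# the provider's asymmetric signature, so the example runs with the stdlib only).
PROVIDER_KEY = b"constructed-provider-signing-key"
MAX_DOC_AGE = 600  # seconds an identity document stays acceptable (assumption)

# Constructed secret store: each secret lists the instance roles allowed to read it.
SECRET_STORE = {
    "app-db-password": {"value": "constructed-db-pw", "roles": {"app"}},
    "secret-server-master": {"value": "constructed-master-key", "roles": {"secret-server"}},
}


def provider_sign(metadata: dict) -> dict:
    """What the cloud provider writes into a new instance: metadata plus a signature."""
    body = json.dumps(metadata, sort_keys=True).encode()
    return {"metadata": metadata,
            "sig": hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest()}


def verify_identity(doc: dict, now: float) -> Optional[dict]:
    """Secret-server side: accept only an untampered, fresh identity document."""
    body = json.dumps(doc["metadata"], sort_keys=True).encode()
    expected = hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["sig"]):
        return None  # metadata or signature was altered
    if now - doc["metadata"]["launched_at"] > MAX_DOC_AGE:
        return None  # stale document, could be a replay from an old instance
    return doc["metadata"]


def fetch_secret(doc: dict, name: str, now: float) -> Optional[str]:
    """Hand out a secret only to a verified instance whose role is entitled to it."""
    metadata = verify_identity(doc, now)
    if metadata is None:
        return None
    entry = SECRET_STORE.get(name)
    if entry is None or metadata["role"] not in entry["roles"]:
        return None
    return entry["value"]


if __name__ == "__main__":
    app = provider_sign({"instance": "i-app-1", "role": "app", "launched_at": 1000.0})
    peer = provider_sign({"instance": "i-ss-2", "role": "secret-server", "launched_at": 1000.0})
    print(fetch_secret(app, "app-db-password", now=1100.0))       # app instance is served
    print(fetch_secret(peer, "secret-server-master", now=1100.0)) # peer server bootstraps
    print(fetch_secret(app, "secret-server-master", now=1100.0))  # wrong role: None
```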
Emily Schechter from Google explained the various ways in which the adoption of HTTPS was encouraged and supported by Google’s MOAR TLS and other players on the web. Given that we have reached the tipping point with TLS adoption, it was very interesting to hear what Google thinks got us here. I was impressed by the purely non-technical reasoning behind the use of the various icons in Chrome (and Firefox) indicating secure, mostly secure and rather insecure connections. That’s the multi-discipline approach to security that I like.
Right before lunch, Susan Mernit from Hack-the-Hood got a full talk’s length to present her NGO that attempts to provide access to technical education for underprivileged kids in the Bay Area. The success stories were very beautiful. Of course, I live more than a continent away and I do not know the local issues, but this seems to be a non-government initiative to address a burning problem: Giving the youths alternative career paths that lead them into the internet industry that is so strong in the area. There are people coming from all over the world to work here, but the underprivileged communities in the area lack the education to apply and participate in the success.
After the lunch (good food all around. I am hard to please with conference buffets, but man, the cheese was good!), a long IoT session followed. We all know that the “s” in IoT stands for security and I expected another series of talks circling around that meme. But I was disappointed. Jos Wetzels from Twente University in the Netherlands went down to explain some of the unique problems faced by those trying to solve the IoT security issue on the byte level. His insight was backed by his research into the security of dozens of products and embedded systems used in high security environments (nuclear power plants, fighter jets, you name it). I loved that talk and Jos is definitely on the short list for our Swiss Cyberstorm Conference.
Gorka Irazoqui’s talk on LLC cache attacks was well received by the audience, but it went beyond my knowledge level, so I can not really comment on it.
Professor Yongdae Kim presented attacks on IoT sensors and demonstrated a supersonic attack on a drone live on stage (Live demo! Drones! Attack! Crash!!!). That was very cool.
Next came Julien Vehent from Mozilla, demonstrating the integration of test-driven security into the deployment pipeline at Mozilla and how they were able to reduce the number of reported XSS in their production online services in 2016 down to zero. He proposed a 5-step process of security testing that starts with sitting together with the developers and defining the security baseline (1). Then you write the tests (2), you run them regularly (3), you teach the developers how to pass the tests (4) and finally, you make passing the tests a requirement of the review process for any pull request (5). Their program integrates seamlessly into the DevOps process / deployment pipeline and complements the manual review of the pull requests. The bottom line is that it all boils down to establishing a security baseline that frees security people (and developers) to deal with the more complex problems at hand. This sounded a lot like DevOps done right. Need to talk to that man.
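As an added illustration of what such a baseline test can look like (my own example, not Mozilla’s test suite, whose actual checks are not on the page), here is a small check that a CI job could run against every pull request: it verifies a constructed set of response headers against a baseline and probes a template renderer with an XSS string to confirm untrusted input is escaped.

```python
import html
from typing import Callable, Dict, List

# Constructed baseline (assumption): header name -> exact value required, or None
# when only presence is required.
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
}

# Constructed probe string; a template that reflects it verbatim fails the check.
XSS_PROBE = "<script>alert(1)</script>"


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return one failure message per baseline violation (empty list means pass)."""
    failures = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name, expected in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            failures.append(f"missing header {name}")
        elif expected is not None and value != expected:
            failures.append(f"{name} is {value!r}, expected {expected!r}")
    csp = lower.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        failures.append("content-security-policy allows 'unsafe-inline'")
    return failures


def check_escaping(render: Callable[[str], str]) -> List[str]:
    """Feed the XSS probe to a renderer and fail if it comes back unescaped."""
    return ["template reflects unescaped input"] if XSS_PROBE in render(XSS_PROBE) else []


def run_baseline(headers: Dict[str, str], render: Callable[[str], str]) -> List[str]:
    """The whole baseline as one CI gate: returns all failures found."""
    return check_headers(headers) + check_escaping(render)


def render_greeting(name: str) -> str:
    """Constructed 'good' template: escapes the untrusted value before embedding it."""
    return f"<p>Hello {html.escape(name)}</p>"


if __name__ == "__main__":
    good = {"Content-Security-Policy": "default-src 'self'", "Strict-Transport-Security":
            "max-age=63072000", "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}
    print(run_baseline(good, render_greeting))  # [] -> the pull request may merge
```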
Before the main talks came to an end, Hudson Thrift from Uber explained how big tech companies can work with startups to improve the startup’s product and reduce their own costs along the way. He started out with a situation where they thought about buying into an “alert orchestration” service with license costs of over one million USD, but covering only 80% of their needs. Building would ideally cover 100% of their needs (not a very safe bet, he admitted), but it might take longer and maintenance costs would all be on their shoulders in the long term. So their solution was sitting down with the partnering startup (Phantom) and working on their product. Thrift advocated an engineering look at products that stretches beyond mere requirement lists: What is the design and architecture behind this product and does it fit into our environment even if it does not meet all our criteria just yet? He would then explain the importance of a gap analysis and of transparency in the process, which has to lead to a win-win situation that has to be protected from sales cycles interfering with the development process (maybe I got this a bit wrong). I was sceptical of this talk and its approach, for it sounded like a big corp trying to save money on the back of a startup. But then I liked the methodological approach and it sounded beneficial to both parties.
So that was the first day. I am so happy to be here. The conference is exactly what I had hoped for. There is a strong focus on defense talks and uplifting success stories presented by a set of high class speakers. It was quite obvious that not all the speakers were natural born entertainers. But the program committee of the conference pushed them to polish and practice their talks to make them really shine. Program Co-Chair Parisa Tabriz (@laparisa) confirmed to me that there is a strong need for speakers to present their message in an accessible way. If you have great research, you may be able to write a great paper. But presenting it to an audience is a whole different matter. So they took on those speakers they knew would deliver and those speakers that agreed to an intense exchange on the merits and shortcomings of their presentation. The rest was practice and practice and more practice. This resonates well with my experience and the success we had at Swiss Cyberstorm 2016: The best presentations are those where an organiser knowing his audience comes together with a speaker who knows his topic by heart. Together (!) they can develop a presentation that lets the speaker shine on a great stage like Usenix Enigma 2017! Given that all the talks will be published as videos, people not attending will have a fair chance to pick up the presentations too.