Cybersecurity as Realpolitik by Dan Geer presented at Black Hat USA 2014

By Black Hat

Full Transcript

It's a real pleasure and honor to introduce our keynote speaker today. He is a man recognized for raising the awareness of computer network security well before it became broadly understood. He is also recognized for his groundbreaking work on the economics of security, which is an interesting way of looking at security. He also, as most of you may remember, wrote in 2003 a 24-page report which resonated with many of us, entitled CyberInsecurity: The Cost of Monopoly, which is another way of looking at the security challenges. So, ladies and gentlemen, it's really with great pleasure again and honor that I'm happy to introduce to you today a true free spirit and a security luminary, Dan Geer. Thank you very much. [Applause] [Music]

Glasses have become a necessity. Of course you begin with good morning and thank you for the invitation to speak with you. Of course you say that, but you can also say that with feeling, and I am doing that: good morning, and thank you for the invitation to speak with you. The plain text of this talk has been made available to the organizers and I trust that it will be in due course available to you. I won't be taking questions here this morning, but you're welcome to contact me later and I'll do what I can to reply. I'm very close to not being able to handle the number of emails and the like that I get; those of you who know Larry Lessig will know what I mean when I say I'm close to declaring bankruptcy in this regard. But nevertheless I will endeavor to do it, and I invite you to do so.

For simple clarity I'm going to reread the abstract that went with this talk: Power exists to be used. Some wish for cyber safety, which they will not get. Some wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are the least worst thing; may they fill the vacuum of wishful thinking.

You know, there are three professions that, as far as I know, are tops at beating their practitioners into a state of humility: farming, weather forecasting, and cybersecurity. I actually practiced two of those, and as such let me assure you that the recommendations that follow are presented in all humility. Humility, let me remind you, does not mean timidity; rather it means that when a strongly held opinion or belief is proven wrong, a humble person changes their mind and acknowledges that they've done so. I expect that my proposals will generate a considerable amount of pushback, and changing my mind may well follow. Though I will say it again later, the speech is me talking on my own behalf.

As if it needed saying, cybersecurity is now a riveting concern; Jeff was speaking to that as well. It's a tough issue in many venues more important than this one. By saying that I don't mean to insult Black Hat; rather it is to note that every speaker, every writer, every practitioner in the field of cybersecurity has wished that his topic, and with it us, were taken seriously. They've gotten their wish: cybersecurity is being taken seriously, which, as you well know, is not the same as being taken usefully, coherently, or lastingly. Whether we are talking about laws like the Digital Millennium Copyright Act or the Computer Fraud and Abuse Act, or the non-lawmaking but perhaps even more significant actions that the executive agencies are undertaking, we and the cybersecurity issue have never been more at the forefront of policy, and you ain't seen nothing yet.

I wish that I could tell you that it is still possible for one person to hold the big picture firmly in their mind's eye, to track everything that is going on in our field, to make few if any sins of omission. It is not possible; that phase passed sometime in the last six years. I've certainly tried to keep up, but I would be less than candid if I were to say that I know what is going on everywhere. I am not keeping up, not even keeping up with what is going on in my own country, much less all of them, much less 91. Not only has cybersecurity reached the highest levels of attention, it has spread into nearly every corner of daily life. If area is the product of height and width, then the footprint of cybersecurity has, I believe, surpassed the grasp of any single one of us. The rate of technological change is certainly part of that. When younger people ask my advice on what they should do or study to make a career in cybersecurity, I can only advise specialization. Those of us who were in the game early enough and who have managed to retain an overarching generalist knowledge can't be replaced very easily, because while absorbing most new information most of the time may have been possible when we began practice, no person starting from scratch can do that now. Serial specialization is all that can be done in any practical way. Just look at the Black Hat program; it will confirm that being really good at any one of the many topics presented here all but requires shutting out the demands of being good at all the rest.

Why does that matter, or does it matter? Speaking for myself, I'm not interested in the advantages or disadvantages of some bit of technology unless I can grasp how it is that that technology works. Whenever I see marketing material that tells me all the good things that adopting this or that technology makes possible, I remember what George Santayana said: skepticism is the chastity of the intellect, and it is shameful to give it up too soon or to the first comer. I suspect that a majority of you share that skepticism; it is part of what being a good security person is all about. By and large, I can tell what something is good for once I know how it works.

Tell me how it works, and then, but only then, tell me why you have chosen to use those particular mechanisms for the things you've chosen to use them for. Part of my feeling stems from a long-held, and I believe well-substantiated, belief that all cybersecurity technology is dual use. Perhaps dual use is a truism for any and all tools, from the scalpel to the hammer to the gas can: they can be used for good or for ill. But I know that dual use is inherent in cybersecurity tools. If your definition of tool is wide enough, I suggest that the cybersecurity toolset favors offense these days. Chris Inglis, recently retired deputy director of the NSA, remarked that if we were to score cybersecurity the way we score soccer, we'd be 20 minutes into the game and the score would be 462 to 456; that is to say, all offense. I will take his comment as confirming, at the highest level, not only the dual use nature of cybersecurity but also confirming that offense is where the innovations that only states can afford are going on.

Nevertheless, this essay is an outgrowth from and an extension of that increasing importance of cybersecurity. With the humility of which I spoke, I do not claim that I have the last word. What I do claim is that when we speak about cybersecurity policy we are no longer engaging in a parlor game. I claim that policy matters are now the most important matters; that once a topic area like cybersecurity becomes interlaced with nearly every aspect of life for nearly everybody, the outcome differential between good policies and bad policies broadens, and the ease of finding answers falls. As H.L. Mencken remarked, and I would say rather trenchantly, for every complex problem there is a solution that is clear, simple, and wrong. The four verities of government are these: most important ideas are unappealing; most appealing ideas are unimportant; not every problem has a good solution; every solution comes with side effects. This quartet of verities certainly applies to the interplay between cybersecurity and the affairs of daily living.

Over my lifetime the public expectation of what government can and should do has spectacularly broadened, from guaranteeing that you may engage in the pursuit of happiness to guaranteeing happiness in and of itself. The central dynamic internal to government is, and I suspect always has been, that the only way for either the executive or the legislature to control the many subunits of government is by way of how much money they can hand out. Guaranteeing happiness has the same dynamic: that the only tool government really has to achieve the outcome of everybody happy, or everybody healthy, or everybody safe at all times from things that go bump in the night, is the dispensing of money. This is true in foreign policy; one can reasonably argue that while the United States' 2007 troop surge in Iraq provided an improvement in safety, the ultimate sacrifice of the troops lost there may not have been as effective as was the much less publicized arrival of C-130s full of hundred-dollar bills with which to buy off potential combatants. Why should cybersecurity be any different? Suppose, however, that surveillance becomes too cheap to meter, that is to say too cheap to limit through budgetary processes. Does that lessen the power of the legislature, or does the power of the executive get more? I think that ever cheaper surveillance substantially changes the balance of power in favor of the executive and away from the legislature. While President Obama was referring to something else when he said "I've got a pen and I've got a phone," he was speaking to exactly this idea: things that need no appropriations exist outside the system of checks and balances. Is the ever wider deployment of sensors in the name of cybersecurity actually contributing to our safety, or is it destroying our safety in order to save it?

To be entirely clear, by way of repetition: this essay is written by someone as his own opinion and not on behalf of anyone else. It is written without the supposed benefits of insider information; I hold no clearance, but am instead informed solely by way of open source intelligence. This path may be poised to grow easier. If the chief benefit of a clearance is to be able to see into the future a little farther than those who don't have one, then it must follow that as the pace of change accelerates, the difference between how far you can see with a clearance versus how far you can see without one will shrink. There are, in other words, parallels between cybersecurity and the intelligence functions, insofar as predicting the future has a strong role to play in preparing your defenses for probable attacks. As Dave Aitel of Immunity has repeatedly pointed out, the hardest part of crafting good attack tools is testing them before deployment; knowing what your tool will find and how to cope with that is surely harder than finding an exploitable flaw in and of itself. This too may grow in importance: if the rigor of testing causes attackers to use some portion of the Internet at large as their test platform rather than whatever they can afford to set up in their own shop, if that is the case, then full-scale traffic logs become an indispensable intelligence tool, insofar as when an attack appears to be de novo, those with full-scale traffic logs may be in a position to answer the question, how long has this been going on? The company NetWitness, now part of EMC, is one player who comes to mind in this regard, and there are of course others. Yet this idea of looking backward for evidence that you previously didn't know enough to look for does certainly have intelligence value, both for the nation-state and for the enterprise. And there is a lot of traffic that we do not have a handle on. John Quarterman of InternetPerils makes a round-number guess that 10% of Internet backbone traffic is unidentifiable as to protocol; whether he is off by a factor of 2 in either direction, that is still a lot of traffic. Arbor Networks estimates that perhaps 2 percent of all identifiable backbone traffic is, to use their term, raw sewage. There are plenty of other estimates of this sort. To my way of thinking, all such estimates continue to remind us that the end-to-end design of the Internet was not some failure of design intellect, but rather the brilliant avoidance of having to pick between the pitiful toy a completely safe Internet would have to be versus an Internet that was the ultimate tool of state control and nothing else. As it were, I have to say: freedom, security, convenience; choose two.

Let me now turn to some policy proposals on a suite of pressing current topics. None of these proposals are fully formed, but as you know, those who don't play the game don't make the rules. These proposals are not in priority order, though some are more at odds with current practice than others and might therefore be said to be more pressing. There are more where these came from, but this talk has a time limit, and there is a meta-analysis at the end. So:

Area number one: mandatory reporting. The United States Centers for Disease Control are respected the world around. When you really get down to it, three capabilities describe the CDC and why they are as effective as they are: one, mandatory reporting of communicable diseases; two, stored data and the data analytic skill to distinguish a statistical anomaly from an outbreak; and three, away teams to take charge of, say, the appearance of Ebola in Miami. Everything else is details. Most fundamental of these is the mandatory reporting of communicable diseases. At the same time, we have well-established rules about medical privacy. Those rules are helpful: when you check into the hospital there's a licensure-enforced, accountability-based, need-to-know regime that governs the handling of your data, most days that is. But if you check in with bubonic plague or typhus or anthrax, you will have zero privacy, as those are the mandatory reporting communicable disease conditions, as variously mandated not just by the CDC but by public health law in all 50 states. So let me ask you: would it make sense, in a public-health-of-the-Internet way, to have a regime for mandatory reporting of cybersecurity failures? Would you favor having to report cyber penetrations of your firm, or for that matter your household, to some branch of government or some non-government entity? Should you face criminal charges if you fail to make such a report? 48 states vigorously penalize failure to report sexual molestation of children. The U.S. Computer Fraud and Abuse Act defines a number of felonies related to computer penetrations, and the U.S. Code says it is a crime to fail to report a felony of which you have knowledge. Is cybersecurity event data the kind of data around which you want to enforce mandatory reporting? Forty-six states require mandatory reporting of one class of cyber failures in the form of their data breach laws, while the Verizon Data Breach Investigations Report found, and the Index of Cyber Security confirmed, that seventy to eighty percent of data breaches are discovered by unrelated third parties, not by the victim, meaning that the victim might never know if those who do the discovery were to keep quiet. If you discover a cyber attack, do you have an ethical obligation to report it? Should the law mandate that you fulfill such an obligation?

My answer to this set of questions is in fact to mirror the CDC, that is, for the force of law to require reporting of cybersecurity failures that are above some severity threshold that we have yet to negotiate. Below that threshold, I endorse the suggestion made in a piece two weeks ago, Surviving on a Diet of Poisoned Fruit, by Richard Danzig, Secretary of the Navy under Jimmy Carter and now a member of the President's Intelligence Advisory Board. He made this proposal, and I quote: "Fund a data collection consortium that will illuminate the character and magnitude of cyber attacks against the US private sector, using the model of voluntary reporting of near-miss incidents in aviation. Use this enterprise as well to help develop common terminology and metrics about cyber security. While regulatory requirements for aviation accident reporting are fully established to the National Transportation Safety Board, there are no requirements for reporting the vastly more numerous and often no less informative near-misses. Efforts to establish such requirements inevitably generate resistance: airlines would not welcome more regulation and fear the reputational and perhaps legal consequences of data visibility; moreover, near accidents are intrinsically more ambiguous than accidents. Nevertheless, an alternative plan was forged in 2007 when MITRE, a government contractor, established the Aviation Safety Information Analysis and Sharing system, ASIAS, receiving near-miss data and providing anonymized safety benchmarking and proposed improvement reports to a small number of initially participating airlines and the FAA." End of quotation. Today 44 airlines are in that program voluntarily.

The combination of a mandatory CDC model for above-threshold cyber events and a voluntary ASIAS for below-threshold events is what I recommend. That leaves a great deal of thinking still to be done: diseases are treated by professionals, malware infections are treated by amateurs; diseases spread within jurisdictions before they go global, malware is global from the get-go; diseases have predictable behaviors, malware comes from sentient opponents; etc. Don't think that this proposal is an easy one or without side effects.

Category two: net neutrality.

There's considerable irony in the FCC classifying the Internet as an information service and not as a communication service, insofar as, while that may have been a gambit to relieve ISPs of telephone regulation, the value of the Internet is ever more the bits it carries, not the carriage of those bits. The FCC decisions are both several and now old: the FCC classified cable as an information service in 2002, classified DSL as an information service in 2005, classified wireless broadband as an information service in 2007, classified broadband over power lines as an information service in 2008; you get the idea. A decision by the DC Circuit Court of Appeals on this very point appeared earlier this year but settled little. The question remains: is the Internet a telecommunication service or an information service? I have nothing new to say, actually nothing to say, about the facts and near-facts, nor the many distortions inherent in the debate regarding network neutrality, so far or still to come. What I can say is that network neutrality is no panacea, nor is it anathema. People's tastes vary, and so do corporations'. What I can say is that the varied tastes need to be reflected in a constrained set of choices, rather than the idea that the FTC or some other agency can assure happiness if only it, and only it, rather than corporations or individuals, does the choosing. Channeling Dr. Seuss, if I ran the zoo I'd call up the ISPs and say this: Hello, Uncle Sam here. You can charge whatever you like based on the contents of what you're carrying, but you're responsible for that content if it's hurtful; inspecting brings with it a responsibility for what you learn. Or you can enjoy common carrier protections at all times, but you can neither inspect nor act on the contents of what you are carrying, and you can only charge for carriage itself. Bits are bits. Choose wisely; no refunds or exchanges at this window. In other words, ISPs get one or the other; they do not get both. The FCC gets a lot of heartache, but it also gets a natural experiment in whether those who choose common carrier status turn out differently than those who choose multi-tiered service with liability exposure. You already have a lot of precedent in the law in this space: the United States Postal Service's term of art "sealed against inspection" is reserved for items on which the highest postage rates are charged. Is that whispering in the back? As a side comment, I might add that it was in Dr. Seuss's book If I Ran the Zoo that the word "nerd" first appeared in English. If Black Hat doesn't have an official book, that's the one to pick.

Topic three: source code and liability. Nat Howard said that security will always be exactly as bad as it can possibly be

while still allowing everything to function, but with each passing day that "and still function" clause requires a higher standard. As Ken Thompson told us in his Turing Award lecture on trusting trust, there is no technical escape: in strict mathematical terms you cannot trust a program you did not create 100% by yourself. But in reality most of us will trust a house built by some suitably skilled professional; usually we will trust it more than one we had built ourselves, and this even if we never met the builder, or even if the builder has long since died. The reason for this trust is that shoddy building work has had a crucial "or else" clause for more than 3,700 years. The Code of Hammurabi, from 1750 BC: if a builder builds a house for someone and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death. There's nothing new under the sun. Today the relevant legal concept is product liability, and the fundamental formula is: if you make money selling something, then you better do it well or you will be responsible for the trouble it causes. For better or poorer, the only two products not covered by product liability are religion and software, and software shall not escape.

Poul-Henning Kamp, whom you may know as PHK at FreeBSD, and I have a strawman proposal on how software liability regulation could be structured. It goes like this. Clause 0: consult the criminal code to see if damages were caused with intent or willfulness. We're only trying to assign liability for unintentionally caused damage, whether it's sloppy coding or insufficient testing or cost-cutting or incomplete documentation or just plain incompetence. Clause 0 moves any kind of intentionally inflicted damage out of scope; that is for your criminal code to deal with, and most do. Clause 1: if you deliver your software with complete and buildable source and a license that allows disabling any functionality or code the licensee decides, their liability is limited to a refund. Clause 1 is how to avoid liability: make it possible for your users to inspect and chop out any and all bits of your software they don't want to trust or run. This thing includes a bill of materials: library ABC came from builder XYZ, so the trust has a basis, parallel with the ingredient lists on processed foods. The word "disabling" was chosen very carefully; you do not need to give provision to change and modify how the program works, only to disable the parts of it that the licensee does not want to trust. Liability is limited even if the licensee never actually looks at the source code; as long as he has received it, you, the maker, are off the hook. All your other copyrights are still yours to control, and your license can contain any language and restriction you care for, leaving the situation unchanged with respect to hardware locking, confidentiality, secret software, policy of software privacy, magic numbers, and so forth. Free and open source software is obviously covered by this clause, which leaves its situation unchanged. Clause 2: you are liable for whatever damage your software causes when it is used normally. In any other case, if you do not want to accept the information sharing in Clause 1 and you are not doing it intentionally as in Clause 0, then you fall under Clause 2 and must live with normal product liability, just like manufacturers of cars, blenders, chainsaws, and hot coffee. How dire the consequences and what constitutes "used normally" is for your legislature and your courts to decide, but let us put up yet another strawman example. A salesperson from one of your longtime vendors visits and delivers new product documentation on a USB key. You plug that into your computer and you copy the files. That is what "used normally" means, and it should never cause your computer to become part of a botnet, transmit your credit card number to Elbonia, or copy all your design documents to the vendor. If it does, your computer's operating system is defective. The majority of today's commercial software would fall under Clause 2, and software houses need a reasonable chance to clean up their act or to move on to Clause 1, so a sunrise period is required. We suggest five years and no more; we're trying to solve a security problem, and an unlimited time is not in our interest. That's it, really. Either software houses deliver quality and back it up with liability, or they will have to let their users protect themselves. The current situation, where users can't see whether they need to protect themselves and have no recourse to being unprotected, cannot go on. We prefer self-protection and fast recovery, but others' mileage is likely different. Would this work? In the long run, absolutely yes. In the short run, it is pretty certain that there will be some nasty surprises as badly constructed source code will get a wider airing. The free and open source community will in parallel have to be clear about what level they have taken on, and their build environments as well as their source code will have to be kept available indefinitely. The software houses will yell bloody murder the minute legislation like this is introduced, and any pundit or lobbyist they can afford will spew dire predictions like "this law will mean the end of computing as we know it," to which Poul's and my considered reply is: well, yes, please, that was exactly the idea.

Number four: strike back. I suspect that a fair number of you have in fact struck back at some attacker somewhere, or at least done the targeting research even if you didn't pull the trigger.

I trust many of you to identify targets carefully enough to minimize collateral damage, but what we are talking about here is the cyber equivalent of the smart bomb. As I implied earlier, cyber smart bombs are what national laboratories of several countries are furiously working on. In that sense you do know what is happening behind the curtain, and you do know how hard targeting really is, because you know how hard attribution really is; the issue is shared infrastructure, and that issue is not going away. There are some entities that can operate globally and strike back effectively, Microsoft and the FBI teaming up against the GameOver Zeus trojan for example, but that is expensive therapy and in limited supply. Smaller entities cannot do this; in fact I would suggest that all smaller entities can do is put their effort into fast recovery. So I dismiss strike back, as much as I would like to do it myself.

Number five: resiliency. There's been a lot of talk about what to do when failure is unacceptable and yet inevitable. Here too, almost anything that has come to be seen as essential to the public gets some sort of performance standard imposed on it, electricity and water say. But let's talk about software. For one example, a commonly voiced desire for cryptographic programs is algorithmic agility, the ability to swap from one algorithm to another if the first one becomes unsafe. The security benefit of such a swap is not what you can turn on but what you can turn off. For that to be possible, the second algorithm has to be in place already, and there has to be a way to choose amongst them. One might argue that implementing algorithm agility actually means a single, more complex algorithm; or maybe what you want is one where you always use both, such as encrypting by one algorithm and then super-encrypting by another, so that if either one fails it doesn't matter. I say all that just to demonstrate that it is not all that simple to have a pre-deployed fallback should something break; design willpower alone is not enough. So perhaps mandating pre-deployed fallbacks is a bad idea altogether; perhaps what is needed is a way to reach out and upgrade the endpoints when the time of necessity comes. Very soon now, though, it's embedded systems that will be the most numerous, and I've written about this elsewhere, so I'll just give you the punchline: embedded systems either need a remote management interface or they need to have a finite lifetime. They cannot be immortal and unfixable, because to do so is to guarantee that if they live long enough something bad will happen. If you live long enough, as my wife, who is a behavioral neuroscientist, says, if you live long enough you'll begin becoming demented. If a piece of software lives long enough, it will be taken over. So embedded systems either have to have a remote management interface or they have to have a finite lifetime.

I want to skip over something here in the interest of time, but for those of you who are attending DEFCON, I believe there is an event at DEFCON which actually talks about this, which is the SOHOpelessly Broken session, talking about home-based routers which exhibit this problem exactly: four and five-year-old Linux kernels for which there are a number of ways to take them over remotely. It is likely that there is a botnet in Brazil that is using this now. I could take down the Internet with that, and so could you. I'll let it go with that; you can read this later, and I suggest, for those of you who are interested in whether we have such a problem now, that you attend the session at DEFCON. I just want to say, though, that resilience is an area where no one policy can be sufficient, so we need a trio of baby steps: embedded systems cannot be immortal if they have no remote interface; embedded systems must have a remote interface if you can't go back to where they are; and swap-over is preferable to swap-out.

Six: vulnerability

Vulnerability finding as a job: it's been a job for something like eight years now, give or take. For a good long while you could do vulnerability finding as a hobby and get paid in bragging rights, but now it's a job. It's too hard to do in your spare time, and bragging rights don't count. This was the result of a lot of hard work on some of your parts and a lot of vendors' parts and so forth, and I applaud it. But, as the last of the four verities of government said, all solutions have side effects, and a side effect here is that once we made it too hard to do as a hobby and get paid in bragging rights, we guaranteed that those who are finding them don't share. And as such, go back and take a look: the percentage of all attacks that involve a zero-day has risen, and that is unsurprising.

In a May article in The Atlantic, Bruce Schneier asked the provocative question around this topic, and that is: are vulnerabilities in software dense or sparse? If they are sparse, then every one you find and fix meaningfully lowers the number of areas of attack that are extant. If they are dense, then you're just wasting your money. Six take away one is a fifteen percent improvement; six thousand take away one doesn't matter at all.

If a couple of Texas brothers could corner the world silver market, there's no doubt the US government could openly corner the entire world vulnerability market, and I suggest that we do. We simply announce we'll pay 10x: show us a competing bid and we'll pay you 10x. At first there will be people who say, "I hate Americans, I will not sell to them, I only sell to the Ukrainians." That's fine, but when you're paying 10x you motivate vulnerability finding at a level at which anyone who finds one knows that someone else will find it too, in due course, and you had better sell right away. And if we make them public, that's the crucial point: if we make them public, we zero the inventory of cyber weapons that other people have and that we don't know about. We don't need intelligence to do it; we can zero it where it stands. Of course, this is contingent on the answer to Schneier's question being that vulnerabilities are scarce, or at least merely numerous. If they are in fact uncountably dense, this doesn't help, and we've made the problem worse, because we're finding them at a rate where the vendors have to spend all their time fixing them, and it's security theater, oddly enough. So I suggest that we try this. I believe that exploitable software vulnerabilities are scarce enough that if we corner the market we can make a difference, and I've written about this elsewhere; the references are here and you can look at them.

Let me note, however, that my colleagues in static analysis report that they regularly see web applications that are two gigabytes in size and have 20,000 variables. Now, those can only have been written by a machine, and yet they find vulnerabilities in them, meaning the vulnerabilities were written by machine. So my question is: how does that change my analysis? And the answer is, I don't know. I don't know if our reaction has to be to write ever more complicated abstract machines which have the capability of creating vulnerabilities faster than you and I can. That may change this; I don't know. It may involve the liability question that I spoke of

earlier, and probably does.

Number seven: the right to be forgotten. I've spoken at length in other places about how we're all intelligence agents now, because we collect on behalf of each other, on behalf of various overlords. Everything we do is identifiable. You may not have the kind of software I'm talking about already in your pocket or your dashboard or embedded in your smoke detectors, but that's only a matter of time. Your digital exhaust is entirely unique and therefore identifying. Pooling everyone's digital exhaust also has the interesting effect of saying how you differ from the masses. Privacy used to be proportional to that which is impossible to observe, or at least that which can be observed but not identified. No more.

If you're an optimist or an apparatchik, then your answer to this problem will tend towards rules of data procedure administered by a government in trust of control. If you are a hacker, a maker, or a pessimist, then your answer will tend towards the operational, and your definition of privacy will be mine: you have privacy if you retain the effective capacity to misrepresent yourself. Misrepresentation is using disinformation to frustrate data fusion on the part of those watching you. Some of it may be low-tech, such as misrepresenting by paying your therapist in cash under an assumed name, arming yourself not at Walmart but in living rooms, swapping affinity cards at random with like-minded folks, keeping an inventory of misconfigured web servers to proxy through, putting a motor-generator between yourself and the smart grid, using Tor for no reason at all, hiding in plain sight when there's nowhere else to hide, not having one digital identity that you furnish, cherish and protect but as many as you can handle. In short, your fused identity is not a question unless you make it one.

Unless you think this is a problem for the random paranoid individual, let me tell you that in the big-I intelligence trade, crafting good cover is getting harder and harder, and for the exact same reasons misrepresentation is getting harder and harder. If I were running field operations I would not try to fabricate a complete digital identity; I would just, shall we say, borrow the identity of someone with the characteristics that I wanted. Look up the National Strategy for Trusted Identities in Cyberspace if you want to see where this is likely to go.

So after a good bit of waffling, and I admit having waffled for a long time about this, I conclude that a unitary, unfakeable digital identity is no bargain, and I don't want one. I want to choose when to misrepresent myself; I may rarely use it, but it is my right to do so. If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing. In that regard, and acknowledging that it is a baby step, I conclude that the European Union's right to be forgotten is both appropriate and advantageous, and does not go far enough. Being forgotten is consistent with moving to a new town to start over, with changing your name, with a definition of privacy that turns on whether you do or do not have the effective capacity to misrepresent yourself. I will remind you that this is routinely granted to some individuals, such as those who help the government and end up in witness protection. A right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing as we speak, observability that changes the very quality of what the phrase "in public" means. Entities that block deep linking to their web resources are utilizing indexability; governments of all stripes are irretrievably balkanizing the Internet by the same mechanism. The only democratizing brake on this runaway train is for individuals to be able, in their own small way, to do the same as other entities. I find it notably ironic that The Guardian newspaper, which championed Edward Snowden's revelations about privacy loss, has also editorialized that no one has the right to be forgotten. On the contrary, they most assuredly do. Remember, too, internet bullying, which I won't dismiss for this audience to ferret out.

Number nine: abandonment. If I abandon

a car on the street, someone eventually claims title. If I abandon a bank account, the state takes it. If I abandon real estate and don't repel trespassers, adverse possession takes over. If I don't use my trademark, the rights go over to those who do. If I abandon my children, everyone is taxed to remedy my actions. If I abandon a patent application, that goes away. If I abandon a storage locker, it ends up on reality TV. You get the idea. Apple computers at 10.5 or less get no updates; Microsoft computers at XP or earlier get no updates. The end of security updates follows abandonment. It is certainly ironic that freshly pirated copies of Windows get security updates that older versions bought legitimately do not.

Stating what to me is the obvious policy stance: if company X abandons the code base, then that code base must become open source. Many of us are in a position to work on that; or at the very least, coupled with the other proposals I've made, we learn what it is that we don't want to run. So either you support it or you give it over to the public, just like either you drive your car and register it or it becomes someone else's property. If the two major desktop suppliers update only half of the desktops, what percentage will they update? If you say "make them try harder," then the legalistic regulatory position is your position, and the ACLU is trying that route. If smartphone auto-update becomes a condition of merchantability, and your smartphone holds the keying material that undeniably says that its user is you, then how long before the FISA Court orders a special auto-update to your phone for evidence, forever? If you say "but we already know what they're going to do, don't we," then the question is what to do about abandoned code bases. I would suggest that open-sourcing abandoned code bases is the worst option except for all the others. And if that is too big a question for you to consider before breakfast, start with: when a public key certifying authority goes bankrupt, who gets the keys?

Number ten: convergence. We can ask the question: are the physical world and the digital world converging? The answer is yes, but the

real question is: is meatspace becoming more like cyberspace, or vice versa? It seems to me that meatspace is becoming more like cyberspace, but let me speak about the possibilities. Possibility number one is that cyberspace becomes more and more like meatspace, ergo the recreation of borders and jurisdictional boundaries is what happens next. Possibility number two is that meatspace becomes more and more like cyberspace, ergo jurisdictional boundaries grow increasingly irrelevant, and something akin to a one-world technocratic government soon follows. The former is heterogeneous; the latter is a monoculture of a single nation-state. As we all know, resiliency and freedom obtain only from heterogeneity, so converging meatspace to cyberspace is the unfavorable outcome.

What can we do about it? The Pew Research Center asked twelve thousand experts the answer to a question: by 2025, will there be significant changes for the worse to the ways in which people get and share content? They got predominantly yes, and they got four kinds of yes: actions by nation-states lead to more blocking; trust evaporates in the wake of revelations; commercial pressures affecting everything from architecture to the flow of information endanger the structure of online life as we now know it; and efforts to fix the too-much-information problem backfire and make it worse. If cyberspace converges to our physical reality, then we will have balkanization and commercial efforts to artificially create information monopolies. If the physical world goes toward digital space, then we have greater surveillance, erosion of trust, and information leakage, and the reaction to that leakage. The reason for this is that the last 20 years have changed the ratio of power: persons now have much more power than they used to, and the natural reaction for those entities who used to have the power and now do not is to do something about it in a countervailing way. In other words, convergence is an inevitable consequence of the very power of cyberspace in and of itself. I don't argue with various individuals that an increasingly powerful location-independent technology in the hands of the many will tend to force changes in the distribution of power; in fact, that is the central theme of this essay: that the power that is growing in the net will soon surpass the ability of our existing institutions to modify it in a meaningful way, so either the net must be broken into manageable chunks or the net becomes government. I argue that we are in, let me put it this way: it is said that all civil wars are about on whose terms reunification will occur. I would argue that we are, to coin a phrase, in a cold civil war to determine on whose terms convergence occurs.

Everything in meatspace we give over to cyberspace replaces dependencies that are local and manageable with ones that are not local and, I would argue, much less manageable. I say that because the root cause of risk is dependence, and most especially dependence on expectations of system state. I say much less secure because one is secure, that is to say one is in a state of security, if and only if there is the absence of unmitigatable surprise, and the more we put on the Internet, the broader and more unmitigatable Internet surprises can become. It appeared in Bloomberg only this week that the financial industry (I was about to say security industry, but I mean the financial industry) called for a war council with eight federal agencies because they can no longer protect themselves from either state or global terrorist actors. How do you think about that further? So here we have the biggest financial firms saying their dependencies are not manageable and that the state's monopoly on the use of force must be brought to bear. What we are talking about is that they have no way to mitigate the risk of common-mode failure. Bounding dependence is the only way out; if we don't bound dependence, we invite common-mode failure. This has a long history, which I'm not going to quote from, but you get the point. It finishes with this: the most insidious source of common-mode failures are design faults that cause redundant copies of the same software process to fail under identical conditions. In sum, as a matter of policy, everything that's officially categorized as critical infrastructure must conclusively show how it can operate in the absence of the Internet. The 2008 financial crisis proved that we can build systems more complex than we can operate, the best policy counter to which has been the system of stress tests thereafter administered to the banks; we need stress tests in our field even more.

There's a lot to say; you never know when to quit. The problem with this is that it comes from the complexity, and I will close here. It comes from the very complexity that Jeff spoke of and that all of you know. I've long preferred to hire security people who are, more than anything else, sadder but wiser. They and only they know what comes, but why? Most of what commercially succeeds succeeds only so long as attackers don't get their attention on it; what commercially failed is not because it didn't work but because it wasn't easier, sexier, cheap enough. Those are not rose-colored glasses; those are glasses spattered with realpolitik. Sadder-but-wiser hires, however, come only from people who've experienced private tragedies, and no one has experienced that in the field we're now talking about; there are no people who are sadder but wiser about what happens when you connect everything to everything. Until such people are available I will busy myself with reducing my dependence on, and thus my risk exposure to, the digital world, even though that will be mistaken for curmudgeonly nostalgia. Call that misrepresentation if you like. There's never enough time. Thank you for yours.

[Applause]

Let's give Dan another round of applause. I think Dan enumerated a lot of my concerns. Thank you.

[Applause]
