EDPS, the Electronic Design Process Symposium, always has the second of its two days dedicated to a single topic. This year it was cyber security. The day started with a keynote from Chris Eagle. He is a Senior Lecturer of Computer Science at the Naval Postgraduate School in Monterey, just a few miles from the symposium. Chris is an inveterate player of capture the flag, and one of the people currently building the competition infrastructure for DARPA's Cyber Grand Challenge.

Chris opened by reminding everyone of some of the famous exploits from the previous year:

- Exploiting DRAM rowhammer bugs to gain kernel privilege
- Stagefright, a bug affecting Android
- Hackers remotely killing a Jeep
- Heartbleed, a bug in OpenSSL

As he pointed out, the people in the room are technically well-informed compared to the general public, but still naive about security. He had some questions for us all:

- Why can I find your car on the internet?
- If I can watch my nanny, who else can?
- Is online X a good idea (banking, buying, dating…)?
- Is it a good idea that I can just photograph a check with my phone and upload it to my bank?

His overall theme was that "Convenience generally trumps security." Photographing a check rather than having to go to an ATM (or even a real bank teller) is certainly convenient, but the security is questionable. It used to be said that cars were unsafe because nobody would pay for safety, but gradually that has changed, and it now seems insane to consider buying a car without seatbelts, airbags, ABS, and more (even if it were legal to sell one). Right now, people are not prepared to pay for security and so manufacturers do not deliver it. They are also not held accountable.

Chris had a two-year-old Samsung Galaxy S4. The Android operating system on it has been upgraded a couple of times, but that is it. It will probably never be upgraded again. From Verizon's point of view, they would rather he bought a new phone.
The primary reason he would want to upgrade would be for better security, but he admits he is in a minority. Google actually does a pretty good job of keeping Android patched, but the operators like Verizon do not push the updates to all their customers. The Stagefright bug affected nearly a billion phones, but those were thousands of different phone models with different versions of the operating system. The most recent phones got patched, but old phones never will be.

Most of us replace our phones every year or two, but we don't replace our refrigerators (nor that cliché of the IoT world, the internet-connected toaster). Who is going to keep those up to date 20 years after they were purchased? The situation with phones doesn't inspire confidence. On many phones, the operating systems are not being updated, just the apps.

He pointed out that he drives an old Mustang that has no computers and no network connections. He has a friend who drives an old Corvette for the same reason. I pointed out above that people wouldn't buy a car without safety features, but actually Chris and his friend have done just that by driving a thirty-year-old car that has none. I guess security researchers just don't trust security, and they should know. Chris works for the US government but doesn't trust them after the breaches at the Office of Personnel Management (OPM). As he said, his social security number, not to mention everything he had to produce for his security clearance, are sitting on some hacker's PC in China.

Chris finished with a plea that the balance between convenience and security has to change. Obviously convenience is not a bad thing, but convenience that puts consumers at risk is a bad thing. The people like us that create products need to understand the hacker mind. I remember reading a good example of the hacker mind in one of Bruce Schneier's books. When he was a kid, he got given an ant farm. It comes with a card that you send off, and they mail you the ants.
Most people see this as a way to get the ants for their farm. But Bruce, already with the hacker mindset as a boy, saw it as a way to send a shipment of ants to anyone in the country.

The final takeaway is "Don't let convenience trump security."

DARPA Cyber Grand Challenge

I mentioned above that Chris is a big player of capture-the-flag, not one involving real flags, but a computer security competition. The DARPA Cyber Grand Challenge is a version in which software programs defend against hackers to identify and plug security breaches. The final will be held just before DEF CON in Las Vegas on August 4, and is open to the public. For a brief introduction, see the 60 Minutes video below (under two minutes).