Graham Ingram opened this year's AusCERT conference, the thirteenth, saying that the most obvious theme is what happens if you lose trust in security. "Where are you? What's left?" he pondered.
Now that we are in what Ingram called the "post-Snowden era", the security community needs to reconsider security completely. This is what drove this year's conference agenda, leading to what Ingram called a "battleground" as the program committee grappled with which speakers and topics should be covered.
Is Trust Dead?
The first speaker at this year's opening plenary session was Felix Lindner from Recurity Labs. His topic, "The Extinction of Trust", was founded on a quote by Nietzsche: "Convictions are more dangerous enemies of truth than lies". His talk, which was somewhere between a philosophical soliloquy, rant, ramble and analysis of the infosec world, covered a lot of ground.
The security industry, proposes Lindner, is based on people buying lots of tools, a preponderance of sensors providing information and a focus on the perimeter. But the real world is very different.
The actors in infosec are nation states and they are making the Internet a more dangerous place, reflected Lindner. Citing the work of Stephen Van Evera, Lindner discussed how Offensive-Defensive Theory is a substantial driver of the actions of nation-states in their offensive online activities. In short, there's a belief, according to Lindner, that many nation states "have a lot to gain for little effort". But he believes those perceptions are founded on assumptions rather than facts.
The focus of these nation-state attacks is often on critical infrastructure but this i
Lindner reflected on the history of the Internet. Reminding the audience that the Internet was initially created and funded by the military (back in the ARPANET days), he says it's no surprise "that they want it back". In parallel, the definition of what is a military target is increasingly fuzzy. Is an attack on a power grid a military action, what the UN calls war, or is it a use of force that isn't war?
The Wassenaar Arrangement, an international agreement covering the trade of arms, was modified to include "Intrusion software" in December 2013. While the widely used weapon of the 20th century was the AK47 rifle, in the 21st century the most widely used weapon is the botnet.
Lindner says that if you talk to security system and software vendors you'll learn that all technology in commercial security comes from hacker research. However, it's no longer legal to share this research as it's now considered arms dealing.
Continuing to do the same things we've always done is like continuing to dig in order to get out of a hole. The only silver bullet for security is people.
"Whether we win against the bad guys is really not what matters. What really matters is what do we sacrifice and what do we keep safe," concluded Lindner.
Ultimately, Lindner's message was straightforward: "Trust security – it's all we have left".
Fight back against mass data collection
The second keynote speaker was Edward W Felten from Princeton University. He is also the Chief Technologist for the United States Federal Trade Commission.
He started by looking at the continuing release of data leaked by Edward Snowden, pointing out that there is a desire by the NSA to collect, process and exploit as much data as possible. This is in contrast to past strategies by agencies that only collected and processed targeted data.
How do we defend against an all-powerful adversary? How do we defend against pervasive insecurity?
Felten started by reminding the audience that trust, from a security point of view, had a very different meaning from the one generally attributed to it. In security terms, when one party trusts another it really means that you're letting them into your systems and that they will have access to sensitive material.
In his wide-ranging speech, Felten said it was important that the security community railed against mass data collection. For example, he suggested that telephone data records should not be stored en masse in a central repository – a position held by security agencies in the US – but retained in databases held by telcos.
Mass collection and retention by government agencies was a poor outcome for the community, he argued.
Awards and USB Sticks
Running in parallel with AusCERT 2014 is the Law Enforcement Challenge. Mark Laffam of the Australian Catholic University won this year's challenge.
Conference materials were provided on an encrypted USB stick this year. Hopefully, there won’t be a repeat of the embarrassing gaffe where USB sticks distributed at the 2008 event were infected with malware.