TRANSCRIPT
It’s the people, stupid.
@jschauma Jan Schaumann
@jschauma Velocity NY 2016
Serverless Systems
Userless Systems
Useless Systems
Change vs. more of the same. The people, stupid.
Don’t forget malware.
Developers
• That can’t happen.
• That doesn’t happen on my machine.
• That shouldn’t happen.
• Why does that happen?
• Oh, I see.
• How did that ever work?
SRE
• That never worked.
• Must be the network.
SysAdmins
• It’s not the network.
• Probably a bug in the OS.
• Oh, ok. DNS.
• Don’t monkey around with /etc/hosts.
BOFH
• An African or European swallow?
• You don’t know what you’re doing.
Infosec
• That’s not how you do this.
• Nobody knows what they’re doing.
New Yorkers
• What? I don’t care, keep walking. Don’t talk to me.
• Seriously, don’t stop in the middle of the street. I will cut you.
New York Infosec SysAdmin @jschauma
How not to be seen
Changing other people’s habits is a wicked problem.
Prod
Corp
Long-lived SSH Connections
Firewall / ACLs / idled(8) …
Reverse SSH tunnel
Privkeys on prod
cron(8) initiated callbacks …
https://is.gd/80zCWX
Why we take our shoes off at the airport.
NSA-proofing
TLS cipher spec
Little Bobby Tables
Secrets on GitHub
XSS
#Infosec: Silicon Valley’s TSA
Security is not a value.
Nobody cares about security. That is neither incompetence nor malice, it’s pragmatism.
People driven defense
Effective defense
“sophisticated”
“military grade encryption”
“NSA-proof”
“even more cyber”
“cyber”
Vendor Crap “Security Appliances”
Ceci n’est pas un hacker.
Safety, not (just) security.
A system is secure if it protects the user when used correctly.
A system is safe if it protects the user even when used incorrectly.
If your reaction is “well, not like that”, you have a poka-yoke problem.
Fix that.
The most convenient / intuitive way to use your application must be the safest way to use your application.
Users will not change default settings. (Unless a less secure option is available.)
Failure must not lead the user to change their default settings.
Safety overrides must be temporary.
Your applications, services, standards, etc., must age gracefully.
Poka-yoke software & systems
• safe defaults
• safe failure mode
• automated, regular, unattended updates
• puts usability ahead of ‘security’
• encourages desired behavior
• builds / strengthens safe habits
• follows the users’ desire path
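As an added illustration of the principles on the preceding slides (safe defaults, a safe failure mode, and safety overrides that are temporary by construction), here is a small Python settings helper. It is not code from the talk; the setting names, the four-hour cap on overrides and the Override/SafeSettings classes are assumptions made for this example.

```python
"""Safe-by-default settings with time-limited overrides.

Added example; not code from the talk. Setting names, the TTL cap and the
class names are assumptions chosen for the demonstration.
"""
import time
from dataclasses import dataclass, field

# Safe defaults: the path of least resistance is also the safest one.
# (Constructed sample settings.)
SAFE_DEFAULTS = {
    "tls_verify": True,
    "allow_plaintext_fallback": False,
    "session_timeout_s": 900,
}

# Longest an override may live before it reverts on its own (assumed cap).
MAX_OVERRIDE_TTL_S = 4 * 3600


@dataclass
class Override:
    value: object
    expires_at: float   # epoch seconds at which the override lapses
    reason: str         # recorded so the loosening is reviewable later


@dataclass
class SafeSettings:
    overrides: dict = field(default_factory=dict)

    def set_temporary(self, key, value, ttl_s, reason, now=None):
        """Loosen one setting for at most ttl_s seconds.

        A missing reason or a TTL beyond the cap is rejected, so an
        override cannot quietly become the new default."""
        if key not in SAFE_DEFAULTS:
            raise KeyError(f"unknown setting {key!r}")
        if not reason:
            raise ValueError("an override needs a stated reason")
        if not (0 < ttl_s <= MAX_OVERRIDE_TTL_S):
            raise ValueError(f"ttl must be in (0, {MAX_OVERRIDE_TTL_S}] seconds")
        now = time.time() if now is None else now
        self.overrides[key] = Override(value, now + ttl_s, reason)

    def get(self, key, now=None):
        """Return the effective value.

        Safe failure mode: an expired override is purged and the safe
        default is returned; reading a value never extends an override."""
        now = time.time() if now is None else now
        ov = self.overrides.get(key)
        if ov is not None and ov.expires_at > now:
            return ov.value
        self.overrides.pop(key, None)
        return SAFE_DEFAULTS[key]

    def active_overrides(self, now=None):
        """What is currently loosened, for logging and periodic review."""
        now = time.time() if now is None else now
        return {k: ov for k, ov in self.overrides.items() if ov.expires_at > now}


if __name__ == "__main__":
    s = SafeSettings()
    s.set_temporary("tls_verify", False, 600, "debugging a staging cert chain")
    print("now:", s.get("tls_verify"), "active:", list(s.active_overrides()))
    print("later:", s.get("tls_verify", now=time.time() + 601))
```

The point of the design is that the unsafe choice has to be asked for explicitly, with a reason and a deadline, while the safe choice is what you get by doing nothing, including after a failure: when the override lapses, the code falls back to the default rather than leaving the loosened setting in place.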
Change vs. more of the same
• avoid the downward spiral of cynicism
• your users, developers, engineers, … are not stupid; they’re trying to get their job done
• focus on realistic threats, not high-profile security theater
• understand that your attackers are motivated, dedicated, human adversaries
The people, stupid.
• security is not an end-goal
• build safe applications & services
• understand your users’ desire paths
• Poka-yoke
Go!
“Fundamentally, the problem isn’t about security. It’s about people.”
- Bill Clinton (not quite)
Thanks!
Image Attributions
• Monty Python, Paul Townsend https://flic.kr/p/nVFKH5
• Serverless, PolarFlex Rack Blanking http://polargy.com/air-flow-accessories/42u-blanking-panels.php
• Downward spiral, Davo Sime https://thenounproject.com/term/downward-spiral/589704/ https://creativecommons.org/licenses/by/3.0/us/
• Mouse, Martin Driver, http://wallpapersafari.com/w/UzqRxW
• Silly Walk Street Sign, Kayla Reed, http://www.avclub.com/article/crosswalk-norway-makes-citizens-do-monty-python-si-203164