Locknote: Conclusions and Key Takeaways from Day 2
BlackHat 2022
08 December 2022
AI Generated Summary
AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This locknote (closing session) panel discussion from Black Hat Europe 2022 explores making the internet safer, community vs. industry, generalists vs. specialists, and centralization vs. decentralization.
Panelists
Federico Maggi: From Italy, academic who moved to industry 6 years ago, security researcher, Black Hat Europe Review Board member
Anant Shrivastava: Security researcher, Review Board member
Moderator: Ted (facilitator)
Key Topics Discussed
Making the Internet Safer - Personal Involvement:
Federico’s Perspective:
Question: “What can I do? To whom can I speak?”
Not policy making: Doesn’t see himself in policy making - not his strength
Communication: Communicating with journalists, telling people things in an easily accessible way
Teaching: Teaches a lot - how to explain things to people in a way they understand, even if they are non-experts
Effort: This means a lot of effort - even at Black Hat, a speaker can choose to make a talk accessible to beginners or skip the introduction and go right to the decision
One-to-one communication: What resonated from Jen’s talk - take time out of professional engagements to explain to a colleague or two why a certain thing is security relevant
Most ubiquitous way: One-to-one communication at the workplace is much more applicable to reality
Everyone can do it: You don’t have to be a good trainer to suggest to a colleague that they do this or that
Anant’s Perspective:
Responsibility: We all have a responsibility to educate those around us
Most significant changes: Are fed down through policy
Important: It is not just about us as individuals, but about having a conversation with policy makers
How we change security: Fundamentally, for everyone, through policy
Powerlessness and Middle Position:
Frustration: “We’re sort of powerless, we’re kind of in the middle”
Two directions:
Top down: Regulation, act of the state
Bottom up: Person or company closest to levers of power (Apple, Microsoft, Google)
Reality: “A lot of things will never get better unless Apple or Microsoft or Google makes them better”
Problem: You can invent every product in the world to put on top of the operating system, but unless the operating system improves, we’re standing still
Stuck in the middle: We don’t create policy or regulation, and unless you are on a development team at Microsoft or Facebook, it’s not getting better either
Get all the arrows: “Oh, the security community, you can’t fix anything” - but we’re not at Microsoft fixing the thing
Oversized expectations: We might have oversized expectations of what we’re capable of
Not our fault: “It’s not my fault that Facebook can’t fix their two-factor authentication”
Accepting arrows: We set ourselves up for disappointment by accepting inbound arrows that don’t belong to us - they should go toward the manufacturers
Getting to Manufacturers:
Incentivize internally: How do we get through to manufacturers? Incentivize them internally toward the good
Naming and shaming: There have been some successful campaigns around naming and shaming
Prioritization: “How come this feature or company is prioritizing 50 different things?” - influence them to move item number 23 up to number 5, so it gets fixed sooner
Don’t feel guilty: When there’s another outbreak, work harder to convince them to improve security
Security Industry Problem - Admiring the Problem:
Cynical by nature: The nature of the job makes us cynical
Problem: “We only point out flaws, we keep finger-pointing - this is wrong, that is wrong, that is wrong”
Never have solutions: “We never have solutions, we are never at the table to discuss the solution”
Exception: Unless you’re the developer on the team at the company
Reality: “We’re just admiring the problem”
Breaking and forcing: Breaking things and forcing them to fix is what actually moved the needle (unfortunately)
Building Solutions:
Twitter example: There were problems there, people found things not working, so they built Mastodon, built ActivityPub, and kept experimenting
Security industry needs: Build solutions, build some POCs, put them forward, focus on the solution aspect rather than only pointing out flaws (because that pays the mortgage)
Incentive problem: “There isn’t an incentive to build” - unless you have goodwill in your heart
Quote: “You’ll never convince a man as long as his paycheck is tied to not understanding the problem”
Incentives and Nudging:
Skepticism: Skeptical about incentives - used to be a big believer
Insurance company theory: Thought insurance companies would provide economic incentives - companies choose the better product, get lower rates, do the economically rational thing, and consumers buy the safer product (like Volvo with airbags)
Reality: That never happened
If not insurance and not rational consumers: Who are we nudging?
Now: Nudging regulators and policy makers to do the things we can’t do
Problem: “We’re pursuing nudging, we just keep changing the audience”
Exhausted options: Trying to nudge everything possible, putting the stick everywhere, whatever works - we have exhausted a lot of options with not much progress
Policy could be the way: Seen happening with GDPR and a bunch of other policies - could be the way to move forward
Conversations with Software Engineers:
Question: “Do we have good conversations with software engineers?”
Remember: Each of us who has worked as a security researcher or vulnerability researcher remembers having a good, productive conversation with a software engineer
Help them understand: What the consequences could be, what happens when their software gets abused
Incentive model problem: When you have giant hyperscalers like Google, their incentive model is to reduce network latency and get more interactivity
Result: “We’re not going to do certificate pinning, we’re not going to do DANE, what we’re going to do is certificate transparency”
After the fact: “After your horses have run out of the barn, we’ll tell you your horses are out of the barn with certificate transparency - after you’ve already suffered the harm”
Data collection: There is a lot of data to collect; they can analyze it, get telemetry, study the web
Small business perspective: “As a small business, I want the barn door to be very secure and stay closed - I like certificate pinning, I like DANE, I like all the things that Google didn’t like because it was cumbersome or slower or didn’t give them the analytics they wanted”
Outsized weight: Because they have so much outsized weight and they have Chrome, they just throw out what they don’t like and throw in what they do like
Not necessarily more secure: “That’s not necessarily what’s more secure, but what’s better for them”
Little person: “As the little person, we don’t have that much influence”
Community vs. Industry:
Job Market Survey:
Looking for a job / changing jobs / hiring: Very few
Totally happy, not looking to move: Many more - a lot more are happy where they are than are looking to move
Community Focus:
Black Hat, Defcon, Chaos Computer Club, Bsides: Community focused
Doesn’t pay the mortgage: The community doesn’t necessarily pay your mortgage
New people: Come into the industry through television or a book they read - “I can get paid, it’s paying well, stocks are growing”
Not for the community: They don’t necessarily come for the community or to comment on the latest legislation
Come to make money: They come to make money and grow their family
Question:
Problem: Do we have a problem socializing people into “the community”?
Normal: Is this normal? Like automotive makers - some people are passionate about making automobiles, others are just there to assemble the thing and go home
Worry: Is this something we should worry about?
Perspectives:
Motivation question: “Will it still motivate and drive creativity, critical thinking, or push individuals in a slightly different direction?”
Common pattern: This is a common pattern across every industry - people passionate about the thing, and people there to do the job
Doesn’t mean not creative: It doesn’t necessarily mean they won’t be creative - they’ll be creative between 9 and 5, then switch off, go home, and live life with their kids and family
Reality to accept: If the industry needs to grow, if we keep talking about a skill shortage and a resource shortage, and if we want to fill that gap, we need people who are here to work
Don’t care about the community: A lot of them would not care how good the community is or even whether it exists - they don’t care about it, they’re here to do the job, they’ll do the job, they’ll move on
Should not be hostile: “We should not be hostile towards that attitude if you want to keep moving forward, keep growing forward”
Reality: Some of us are passionate, not everyone is, and that’s fine
Mentoring Experience:
50/50 split: Among Italian students who want to go abroad
50%: “What’s the fastest way to get into security and find a good internship in a top tech company”
50%: “Tell me what you do, why you like your job”
Same answer to both: “Try to look around the community, try to orient yourself to what we do, to what conferences”
Results:
50% with an open mindset: Keep going with an open mindset
50% who came for the internship: The other half stick to asking for the internship; maybe 25% can be converted into thinking first about what they really want to do
Historical Parallel - Ad Industry:
Early days of the internet and cybersecurity revolution: Big split between people who are professionally creative and people who are naturally creative
Ad industry (1940s/50s America): People who would create advertisements because they were great at it; then it became an industry and they had to be professionally creative every day
Same with hackers: People incredible at exploitation or understanding, but who can’t do that every day - it’s not their thing
Split: Between “the sellouts” - the anti-sec movement: “oh, you’re a commercial infosec sellout, you’re doing that to get paid, you’re not doing it because that’s what you love”
Bad attitude: Now long gone
Reality: Some people can only be creative in coding when it suits them; other people can sit down and grind it out for eight hours a day
Burnout: People who are creative, especially because they’re limited to eight hours, will burn out when they do overtime for too long
Not everyone: Not everyone who says “I want a nine-to-five job” is someone who doesn’t love their job
Generalist vs. Specialist:
Audience Survey:
Generalists: Some
Specialists (e.g., “IDA Pro ninja”): Close to equal, maybe a few more generalists
Historical Perspective:
For the longest time: Generalists were dying off; all the money was in specialization
Paycheck control: How deep and how far you could get, how well you understood the technology, really controlled your next paycheck
Generalists outclassed: They could never get that deep
Changed: “I think that’s changed”
Current View:
LinkedIn comment: A person looking for a job was toning down the aspect of being a generalist, saying “I see myself as a generalist, I’m good for those hard-to-fill positions”
Not negative: “I don’t think that is a negative aspect at all”
Much needed: “Having deep generalists in key positions now is much needed because we have good specialists, we’ve been having good specialists, now we need to sort of glue them together in a strategic way”
Research Talk Reference:
Idea: You can either be a generalist or a specialist
Specialist position: Pinpointed, focused - does not mean you are going to run the entire thing
To run an entire company: You need not only pinpointed focus, you need generalists
More than ever: We need more generalists around
Generalist is the way: Being a generalist is what people should be looking for
Other angle: Includes the part about working nine to five and investing time in other things
Creative process: Can also draw inspiration from outside the infosec world
Examples: Do gardening, do something else - that can give you inspiration to do a better job in your current work area
Being a generalist: Being able to explore other areas could be another good thing - not something you should avoid doing
Surprise:
Surprised at the audience response: Knows plenty of people who have shifted slightly throughout their career
Surprised: So many people said “I’m a specialist”
Question: “I wonder whether, if they look at their career, they have done different versions of a thing and therefore also have this broader skill set”
Follow-up: “How many people have been doing the same specific area of work throughout their career?” - 2 to 4 people
Centralization vs. Decentralization:
Centralization Benefits:
Economies of scale: You get efficiencies, one spot to monitor
Example: Russia invaded Ukraine; Ukraine has certain infrastructure on Microsoft, so Russia now has to battle in Microsoft’s territory
Great: Those economies of scale in centralization for their infrastructure
Centralization Problems:
Convenient places to be regulated: When everybody ran a mail server it was harder - if there are only about five dominant mail servers and they get an order to filter, nobody can ever send email to China, or something similar
Convenient for regulation: Centralization breeds what lawyers would call an “attractive nuisance” - very attractive to regulate
Internet History:
Began decentralized: Economic models forced centralization
Hope for decentralization?: The thing people point to is DNS, but look at what’s happened there - Quad 1, Quad 8 (the 1.1.1.1 and 8.8.8.8 public resolvers) - it’s centralized again
Even time services: Are centralizing
Question: Should we get over that? Should we stop telling these myths of the internet being designed to withstand nuclear war? Or should we actively be trying to create more decentralization?
Perspectives:
Federico’s View:
The hacker in me wants decentralization: Wants people to have autonomy over their data and over their servers
Internet speeds: Have gotten so great that the benefits of centralization have decreased to the point where they are less noticeable
Olden days: It was very noticeable, but maybe we’re fast enough now
Multiple angles: Internet speed has increased, which gave more access to people; resources are more readily available
Not everyone: Don’t expect everyone in the world to run their own - that’s impossible
Technically capable: For people who are technically capable, running a web server from home on a Raspberry Pi is not a problematic affair
Spend a few hours: You can get things moving, explore
Creative aspect: The whole creative aspect could be the input
Indie Web: The whole idea of setting up your own websites, having your own blog, not being controlled by a central authority with its moderation
Excites me personally: But it’s dangerous - if you forget to apply security updates, you might lose your data
Choice: You can now choose - do I give all my data to Microsoft/Google/Apple, or do I host it on my own and then have to check every day: “is there a security update, have I been breached, is my data now with the big companies but did it not get to anyone?”
Maybe: If more people self-host, auto-checking for updates will come faster
Cynical angle: “It’s the cynic in us which says hey, I’ll get hacked, I’ll get compromised, things are going to go bad”
When centralizing: “Are we 100% sure things are not going bad there?”
Examples: Cloud service providers with the whole responsibility were found running five-year-old software
Not just moving responsibility: “It’s not like just moving the responsibility to the other side is going to cover everything”
Moderator’s View:
Romantic idea: “I am a sucker for the grassroots uprising” - could come from reading The Shockwave Rider or Neuromancer or whatever
Early days: Very romantic - the power of the individual
Early days contributions: Individuals made the largest contributions, the breakthroughs
Cypherpunks: The cypherpunk movement in the Bay Area really moved the needle on privacy and anonymity
Died out: As the dot-com bubble grew, they got jobs and things became more commercialized
Conversation 10 years ago: “I want to cause some chaos, what can I do as an individual? Can I run a remailer? Do I run Tor nodes?”
Response: “You know, everything’s done in teams now, you need a team of people to develop the software”
Depressing: “The time of the individual making a big contribution to privacy or security is kind of over” - was really depressed about that for 3-4 years
Realization: “No, they’re wrong - some of the contributions are still being made by individuals”
Much harder now: To just do your own thing, and it’s more based on luck - “I think you’re sort of at the right place at the right time when people need that thing that you’ve built”
Mastodon Example:
PR part: Mastodon existed and got the PR when some other disaster happened (Twitter mismanagement)
People were working on it: It’s not as if no one was working on it - work was going on, it just was not promoted or publicized
Mastodon: The most popular implementation of a federated service on the ActivityPub protocol
Been around: For 5 years; only once somebody starts mismanaging Twitter do waves of people look for an alternative, a Plan B
There it is: Plan B - all of a sudden they have their moment
For 5 years: They were definitely not having their moment - neither were they interested in promoting it, nor was anyone else interested or incentivized to talk about it
But they kept working: Despite that, they were still working on it because they liked working on it
Now: They’re going to have like 3 years of development in the next 6 months - they’re going to get so much attention
Future of Decentralization:
Dawning of a movement?: Is that then the dawning of a potential movement toward decentralization?
Somebody will improve: Some VCs will say “I’ll do a better job”
Or a one-off mutation?: Is this just a one-off weird mutation, after which we go back - when the next person runs Twitter, do we all go back to our centralized ways, when the next person buys Facebook or LinkedIn?
Concerns:
Worry about centralization: Around DNS, around RPKI, or the holders of the keys that control RPKI
Trade-off: There’s the trade-off and there’s the regulation
Question: “What can hackers, what can we get, what can we do for our own Plan B, or do we just say, you know what, there’s no more Plan B, we’re just on whatever”
Solution:
Keep making efforts: As was said about Mastodon - we need to keep making efforts, for the entire ActivityPub ecosystem, because there is so much software around it
Incentive or internal incentive: This is where it comes into the picture - if you feel you have something that’s different, work on it
Mastodon’s Difference:
Lack of an algorithm: The interesting thing with Mastodon is the lack of an algorithm
Twitter/social media: Optimized to generate interactivity - that algorithm is missing
What happens: With it missing, how do people behave differently?
Not a race: It’s not a race to get the maximum likes, it’s not about constructing the attractive post that gets you the most retweets
It’s different: The downside, though, is that there’s no monetization, there are no influencers, nobody gets paid, and there’s no way for administrators of these servers to get paid yet
Feeling: “I have a feeling we’ll see, if a decentralized model can work, the introduction of some monetization”
Server operators: Should be able to get paid - not getting paid means there are a million teeny instances
If they can get paid: There’ll be larger, better, more professionally run instances
If content providers can monetize: Then you have professional creatives coming in, more likely to share
If we can do that: Without the toxicity of the algorithm, then I think you have a viable thing
Incentivizing Administrators:
Would like to see: Something that incentivizes administrators of Mastodon nodes to host good services
Now: They’re essentially not getting paid; they do it for free just because they want to
Another spin: The monetization aspect is not only about content production but also about platform and infrastructure management
Community Service Providers:
Question: “Who here runs any kind of service?”
Examples: Defcon runs Tor nodes and has run a forum for over 20 years
Who runs something that helps the community?: About 20 people
Thank you: “Thank you for that - everybody who’s taking advantage, give them a round of applause”
Way forward: “I think that’s the way forward - the people who want to can provide the services”
Key Insights:
The security community is in the middle - it doesn’t create policy and isn’t at the manufacturers fixing things, but it gets all the blame
We admire the problem - we point out flaws but never have solutions
Need to build solutions, not just point out problems
Community vs. industry - we need both, and shouldn’t be hostile to people who are just doing the job
Generalists are needed more than ever - to glue specialists together strategically
Decentralization is possible but requires effort - the Mastodon example shows it can work when the right moment comes
Monetization is needed for decentralized services to be sustainable
People who want to can provide services - that’s the way forward
Important Concepts:
Certificate Transparency: Google’s approach - tells you after the horses have run out of the barn
Certificate Pinning/DANE: What small businesses want - a secure barn door
ActivityPub: Protocol for federated services
Mastodon: The most popular federated service built on ActivityPub
RPKI: Resource Public Key Infrastructure
Quad 1, Quad 8: Centralized public DNS resolvers (1.1.1.1 and 8.8.8.8)
Actionable Takeaways:
One-to-one communication at the workplace is the most ubiquitous way to raise security awareness
Have conversations with policy makers - the most significant changes are fed down through policy
Don’t just point out flaws - build solutions, build POCs, focus on the solution aspect
Don’t be hostile to people who are just doing the job - we need both passionate and job-focused people
Generalists are needed to glue specialists together strategically
Keep working on decentralized solutions even when they get no attention - the right moment will come
Run services that help the community if you want to - that’s the way forward
Monetization is needed for decentralized services to be sustainable
Don’t accept arrows that don’t belong to us - they should go toward the manufacturers
Focus on building solutions, not just admiring the problem