Fear and cybersecurity musing en route to Las Vegas
SOMEWHERE BETWEEN SAN FRANCISCO AND LAS VEGAS—I was going back to Vegas. And like Hunter S. Thompson before me, I had no choice.
In Fear and Loathing in Las Vegas, amid the lurid accounts of recreational-pharmaceutical use, Thompson tucks a moment of realization important to him and to the sympathetic reader. In discussing “the energy” of the 1960s counterculture, whose epicenter was San Francisco, he describes “a fantastic universal sense” that the forces of Love and Peace and Understanding were finally winning their long war against The Establishment.
“We had all the momentum; we were riding the crest of a high and beautiful wave,” he writes. “So now, less than five years later, you can go up on a steep hill in Las Vegas and look West, and with the right kind of eyes you can almost see the high-water mark—that place where the wave finally broke and rolled back.”
The moment I realized I could see cybersecurity’s own high-water mark was on my way to the annual Black Hat and DefCon hacker conferences. I’ve been covering the shows since 2009, but this was the first time I rode my motorcycle there, taking the scenic route east through the Sierras and then south into Las Vegas. It was Day 2, and along with my riding companion, Internet pioneer and Farsight Security CEO Paul Vixie, I pulled my bike into a gas station in Big Pine, Calif. It would be the last one we would encounter for 133 miles.
On a good day, my 1995 Honda Magna, with its 3.6-gallon tank, could drive 115 miles on a tank before limping into a gas station on fumes. And it wasn’t looking like a good day: The next leg of our trip, through the intense summer heat of the desolate “bat country,” as Thompson put it, was a mix of straight freeway and sharp, technical turns that generally sap fuel and velocity.
We grabbed a beverage in a glass bottle from the gas station’s fridge, planning to use it to transfer some of Paul’s fuel to my tank en route to Beatty, Nevada. Caffeine- and sugar-laden drinks would be the only Fear and Loathing-style drug experiences on this road trip. Heavy drugs and heavy machinery generally end poorly for all involved.
The scenery on those 133 miles was breathtaking. We wove our way through the eastern Sierra Nevada and Inyo National Forest, past the Ancient Bristlecone Pine Forest, around Deep Springs, across the Lida Pass, and then into the expansive Nevada desert, where the temperature was 108 degrees Fahrenheit.
I wore a lightweight armored mesh shirt to let my skin breathe a bit, and I kept an eye on the tripmeter. Eighty miles, 90, 100, 105 miles, 115 miles. The meter, to my amazement, kept ticking up. At 121.9 miles, as the bike sputtered, I switched to my reserve tank, and 14 miles later, we cruised into Beatty.
As I refilled my tank, I contemplated this new motorcycling reality. I had ridden 18 miles farther than I thought my bike was capable of going, and with more than a half gallon left in the tank, I could have kept riding. When I explained to Paul why we hadn’t needed to pull over, he looked at me and gave the slightest of shrugs.
“That’s weird,” he said. “Sometimes that happens.”
No rider possessing common sense would go through that experience and think: Hot damn, I can go much farther than I thought. Next time I’m on a trip, I’ll push it just as far!
That’s a mentality that could easily lead you to pushing your 550-pound bike along the road for many miles, I thought. It’s also one you don’t desire in a riding buddy—nor in a company that possesses your personal data.
At that moment, as I looked at the varied mountaintop hues in the distance, I visualized the security industry’s high-water mark. It was the crest of a wave of change that peaked in the years following Edward Snowden’s document dump. And it was a beacon burning since November, when cybersecurity failed to protect U.S. elections.
Logical decisions seem to be escaping many players in the cybersecurity industry, as threats—and the adversaries behind them—get more difficult to stop. But the robust business of protection, amid an onslaught of attacks exploiting human and computer vulnerabilities, still defaults to fearmongering and hand-waving instead of focusing on effective solutions.
Snake oil solutions, such as appliances that supposedly protect corporate networks from intruders, or “artificial intelligence” that supposedly stops phishing attacks, sell because many corporate security officers have budgets to experiment with them, Vixie says.
“Why it’s hard to move the needle? You need to convince them that what they’re doing is running bare-ass naked through the forest, coated in honey,” he says.
Building an effective cybersecurity tool or system can take years. Whether focused on creating a message encryption app for consumers, helping government agencies craft guidelines to protect critical infrastructure, or educating people to stop reusing passwords, computer security experts have long, hot roads ahead. And they don’t know how much gas they’ve got left.
“These are hard problems,” Vixie says, requiring deep thinking about threats—and why current threat deterrents aren’t effective. If this “were easy, somebody else would be working on it.”
Effective security solutions need to focus on a “trickle-down security debt,” says Allison Miller, a security strategist at a major Silicon Valley company, who gave a keynote address this year at the Security B-Sides Las Vegas conference, concurrent with Black Hat and DefCon. She coined the term to describe how a major breach at one company can have catastrophic effects on many, or even all, of the other companies it works with—not to mention its customers. (One such example: a breach at an air-conditioning company led to hackers infiltrating Target in 2013.)
“One of our biggest problems is, we are unable to determine the quality of the products in our industry,” she says. “We have created a game for ourselves where there are 100,000 ways to lose, and no way to win. We focus on trying to articulate exposure as kind of an expected value, and we’re trying to minimize loss.”
Miller advocates “a more sophisticated approach”: Have “really mature conversations with folks like CFOs who understand about forecasting, and understand you have an expected return that you’re trying to match to it. And you manage variance and manage to expected values.”
The security industry is plagued, on one hand, with money in search of products. On the other hand are unresolved problems stretching back decades.
Ransomware now threatens aspects of our critical infrastructure. And account hacks remain rampant, despite increasing availability of password managers, two-factor authentication, sophisticated account security settings options, and education about phishing attacks. Most people aren’t taking advantage of these tools simply because companies aren’t mandating them (sometimes with good reason).
Companies responsible for protecting data “are unable to provide, in a repeatable fashion, real security for real people,” says Gadi Evron, CEO and founder of security company Cymmetria, which focuses on cyberdeception. “With the data breaches happening all the time, we have to try something different.”
Evron’s proposed approach involves using so-called honeypots to attract, and essentially catch, hackers intent on infiltrating networks. If an attacker tries to install or run any software on the honeypot, a virtual machine designed to look like a real one, the owner receives an alert.
“The strategy has been around since Sun Tzu,” Evron says, referring to the ancient Chinese warrior-philosopher who wrote, “All warfare is based on deception.”
Attackers rarely get to their targets on the first try, Evron says. “And the attacks are predictable: Attackers get in and look for intelligence. They try to follow your path. They collect your information, meaning that if you control the information they collect, you can control where they go. That is the essence of cyberdeception.”
Honeypot entrapment isn’t the only pre-hacking technique security experts are trying, amid concerted efforts to tackle decades-old cybersecurity problems. And it clearly isn’t the only one enabling progress.
Building interpersonal bridges led two Congressmen to promise, on the stage of this year’s DefCon, to hold Congressional hearings on electronic voting machine hacking. It also convinced lawmakers to consider the impact of international trade agreements on security research. Providing consumers with free and easy-to-use messaging apps that employ end-to-end encryption has dramatically improved the popularity of privacy protection. Using high-profile demos to decry the risks of adding Internet connectivity to “dumb” devices has encouraged people to think twice about using router-connected door locks or toys. And organizing bounties and contests has gotten security researchers excited about solving security vulnerabilities in popular software and IoT devices.
Hackers will continue to be tech’s canaries in the coal mine, serving as the Internet’s immune system. And while solving decades-old problems like phishing and ransomware is hardly as sexy as blasting headlines about theoretical hacks or so-called foolproof AI solutions across the Internet, the snake oil buyers are still going to get pissed off when their data gets hacked.
Forty-five miles south of Beatty, Vixie and I turned off of 95 South to take State Route 160 through Pahrump before hitting Vegas. From Beatty, Vixie had said it “looks like a set from a zombie movie,” and I had immediately agreed to the detour.
Pahrump is one of the largest unincorporated towns in the United States, with a population of just more than 35,000. Later, I would learn that one of those residents is Ronald G. Wayne, the Apple co-founder who bet his role in the company was worth only $800. Art Bell, the radio host who indulges late-night America’s most paranoid fantasies, also lives there.
In 2006, Pahrump passed an ordinance, still on the books, mandating that its residents speak English and that any foreign flag flown in the town must be accompanied and topped by an American flag.
Pahrump was as desolate and empty a town as any I’d seen across America. I couldn’t tell whether a man inside the gas station mini-mart was tossing coins into a gambling machine out of desperation or boredom. The main drag through town was not only empty in the twilight, but its street lights were far enough apart that each one hung above our heads like crumbs of moldy cheese.
The heat had edged off slightly as the sun began to set behind the Last Chance mountain range, only adding to the post-apocalyptic vibe. Pahrump seemed as good a place as any for dreams to live out the end of their lives. It wouldn’t be hard to see the goal of a safer Internet shambling about here, either.
“The old-mystic fallacy of the Acid Culture,” Thompson writes, is “the desperate assumption that somebody—or at least some force—is tending that Light at the end of the tunnel.”
We have this same sense about cybersecurity. But if the security industry doesn’t allocate an adequate amount of the billions of dollars it takes in every year to tackle our oldest, most persistent problems—the ones that cause real havoc for real people—then it is gambling on a premise that at some point it won’t be able to afford.