
[tl;dr sec] #5 - Stepping Up Our Game (Black Hat 2017 keynote by Alex Stamos)

tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. See past issues here.

Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone

Hey there,

I hope you've been doing well!

This week is the annual infosec pilgrimage to the desert, where livers are tested, friends reunite, and vendors spend money on parties for introverts at expensive venues with flashing lights and too-loud music.

I'm excited for all of the great talks, so I decided to write a summary of Alex Stamos' 2017 Black Hat USA keynote. See below for some key takeaways and read the full blog post here.

Some Cool Vegas Events

BSidesLV: "Cover Your A**" by Suchi Pahi

Come see my mentee, a security and privacy-focused lawyer, cover the legal side of being an independent security consultant: the documents you need, their purpose, and how to (probably) not get sued. Tons of great info and useful links. 3pm Wednesday, Proving Ground track (schedule).

NCC Group is Giving 14 Different Technical Presentations 🙌
Including 4 from the Bay Area offices on advances in DNS rebinding, unpackaging .pkg files, a transparent network tap for red teams, and examining the privacy impacts of iOS robo-call blocking apps.

🔗 Links

Mozilla released Grizzly, "a browser fuzzing framework that has enabled us to quickly and effectively deploy fuzzers at scale."

Azeria has some great articles on


Starting Up Security by Ryan McGeehan - "A collection of information security essays and links to help growing teams manage risks."

⭐️ New Summary: Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone

In this Black Hat USA 2017 keynote, Alex Stamos discusses how the world has changed around the security community, some ways we're focusing on the wrong things, and how we can do better.

Times have changed, but the community and industry have not. We haven't changed our attitude towards the kind of responsibility that puts on us.

Here are 3 ways the infosec community can improve:

1. We focus on complexity, not harm.

We glorify the complexity of a hack, when in reality attackers will do the simplest thing that works.

The vast majority of actual human harm occurs outside of the space we generally consider "infosec": abuse; that is, using legitimate features to cause harm. Doxxing, for example.

The day-to-day issues that cause people's privacy to be violated are generally not technically complex (e.g. password reuse). They're the issues we've had for decades.

2. Our field punishes imperfect solutions in an imperfect world.

The modern technology landscape requires people to walk on tightropes, and we haven't built users a safety net. "Don't click that link/open that doc. Cert warning? Just use your knowledge of X.509 to know if it's safe."

We have a problem with empathy: "I found where the problem is, it's between the chair and the keyboard." This is dangerous, because it makes it easy to shift the responsibility of building trustworthy, dependable systems onto other people.

Some examples:

  • Early highly technical talks breaking trust boundaries via hypervisor/GPU bugs => "public cloud isn't safe!"

  • Facebook made tough design trade-offs to bring E2E encryption to 1B people on WhatsApp => "backdoor!"

3. We don't engage the world effectively.

During the Department of Justice vs. Apple case after the San Bernardino terrorist attack, there were many Twitter infosec hot takes that assumed that if someone wants a solution to the "encryption problem," it must be because they don't understand how crypto works or because it's part of a mass surveillance conspiracy.

Coming from a different community, the trade-offs can look quite different.

As the Facebook CISO, part of Alex's job is to go around the world and engage with government and law enforcement. As a community, we need to have empathy for people who disagree with us.

Doing this will allow our voices to actually be heard and demonstrate that we are adults willing to engage in a difficult topic.

What The Infosec Community Should Do Going Forward

1. Focus more of our attention and innovation on defense.

Facebook is putting up $1 million in 2018 for the best new defensive research in the Internet Defense Prize.

2. We need to broaden what we consider our responsibility.

A huge amount of harm comes from areas outside what we traditionally consider our domain. We've spent decades thinking about how technology can be subverted and abused, so we can help!

Alex and several of his colleagues wrote a whitepaper about Facebook's observations about the U.S. 2016 election and more broadly what a modern information campaign looks like that attempts to subvert another country's democracy using technical means.

To properly handle these threats, we need to leverage people's expertise from other domains.

3. We need to support the diversity of people, backgrounds, and thoughts in the infosec community.

The members of the security community need to be representative of the types of people we need to protect. This is the only way we can foresee the challenges people are going to have with technology and understand which solutions are actually possible in a specific cultural situation.

4. We need to retain the talent we already have.

One way to create an environment that's open and welcoming to diverse people and diverse viewpoints is to diversify the management team. This helps with finding talent as well as providing an example of how you can rise through the ranks even if you're new to the field.

Call to Action

"I'd like us to focus on fixing. I'd like us to have empathy for the people who use the technology we build, and I'd like us to foresee the ways they may be harmed, and to move quickly to mitigate it.

Be careful of how we talk to people in our companies and around the world, because it really does have an impact on our ability to be heard.

Let's work to make this a community where everybody feels they can be a part of making the future more safe and secure."

It’s a critical moment: we’ve been asking people to pay attention to us for over 20 years. And they are. We have the world’s attention. What are we going to do with it?

Alex Stamos

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

Also, if there's anyone you think who would find this newsletter interesting or useful, I'd really appreciate if you'd forward it to them.

Thanks for reading!