Shostack + Friends Blog Archive


Smashing the Future for Fun and Profit

I’d meant to post this at BlackHat. I think it’s worth sharing, even a bit later on:

I’m excited to have be a part of a discussion with others who spoke at the first Blackhat: Bruce Schneier, Marcus Ranum, Jeff Moss, and Jennifer Granick. We’ve been asked to think about what the future holds, and to take lessons from the last 15 years.

I have three themes I want to touch on during the panel:

Beyond the vuln: 15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end. That’s going to be challenging in all sorts of ways, some of which we can predict. First, researcher/organization conversations are going to become even harder, because some things are going to be less clearly bugs, and some will be harder to fix without breaking functionality. Second, secure development activity is going to need to drive threat modeling the way we’ve driven static analysis, and that’s hard because it involves people and their thought patterns. More on that in a second. Third, attackers are going to move more and more to social engineering attacks, and that brings my to my second main point.

Beyond the Computer: We’re going to see more and more attacks that target people, and many people going to hate those talks. The Review Board shares the idea that talks about buying UPS uniforms on eBay suck, and we don’t want them at Black Hat. At the same time, we’re going to need to go where attackers go, and if that’s people, we need to start to learn about people in deeper, and less condescending ways. (This is the end of people claiming UI doesn’t matter by saying “you can’t patch stupid.”) We’re going to need to understand psychology, sociology, cognitive science and more. At the same time as we’re learning to understand people, we’re going to need to learn to influence them. We’re going to need to stop relying on the sticks, and start learning to use carrots. This is why I’ve been engaged in games for the last few years, from Elevation of Privilege to Control-Alt-Hack and others. Getting people to want what we want, rather than grudgingly acquiesce, is going to be a key factor in our success as individuals and as a profession.

Beyond Tittering at Victims: We’ve been hearing for a year or so that we should all just assume breach. That breaches are common and should be expected. Over the next few years, we’re going to go from giggling about breaches to learning from them. We’re going to see more and more details come out about what happened, and we’re going to learn from one another’s mistakes. We’re going to start creating feedback loops that allow us to get better faster, and move away from flaming one another over opinions to arguing over statistical methodologies. My article “The Evolution of Information Security” shows how close we are to getting to a data-driven science of security, and that transformation will involve many sacred cows being roasted, and many of today’s practices abandoned because we’ll show that they don’t work, and more importantly, we’ll be able to see how to replace them.