DEFCON 20: Bruce Schneier Answers Your Questions

Schneier: I'm Bruce Schneier. Thank you. Are there any questions? I'm serious, look, if there are no questions you're all gonna get to go early. All right, question over there. Oh, okay, we can do this.

So fundamentally you've got two dynamics going on. You've got the first dynamic, which is, you know, good, cheap and fast, pick any two. So you have that problem. The other thing you have, and that's what makes Vegas interesting, is that a lot of Vegas is subsidized by gamblers. So go to places that want to have gamblers; that's where you're going to get the food cheap, because gamblers are subsidizing it. This is a very weird economy here, because stuff tends not to be normally priced. I gave a talk a long time ago on hacking Las Vegas, and one of the ways to hack Vegas, actually one of your best bets for value (bets is a bad word), is a sports book, because you can go to one of those sports book rooms, bet on a football game, and basically drink for free for a couple of hours, because the turnover is so low. So for Vegas: one, the best way to win is not to play. Two, if you're gonna play and you want free drinks and to play cheap, the sports book is good. And three, if you want to play and know you're gonna lose and have fun, my advice has always been the craps table, because unlike any other game you're all in it together: you all win together, you all lose together. The pass line is one of the lowest house edges on the casino floor. Ignore all those other bets; they're scary, they're bad, you know enough math. So those are the places to go. You want good food at a reasonable price, you want to go to places that incent people to come, the second-tier casinos that are desperate for people. The top casinos don't need to offer discounts. Odd question, but I'll take it.

Audience: Hi Bruce, my name's Damien. I was hoping you could talk about the advancements by NIST in quantum computing and the risk to public key cryptography.

Schneier: All right. Quantum computing is interesting. It's largely theoretical. We have a quantum computer we've built that factors 15, I believe, and maybe it's a little bit bigger now. So there's a theoretical way of doing computing that's non-Newtonian, where things happen in parallel, and the question you asked, the question that asks me, is: what the hell good's a quantum computer for? It's not actually good for a lot, but it turns out that the easiest thing a quantum computer can do is factor large numbers, and the second easiest thing it can do is discrete log problems. So basically a quantum computer is a public key cryptography killer. That's its core application. Against everything else it's hard to tell what it can do. At a theoretical level, the maximum it can do is decrease the complexity of any computation by a factor of a square root. Effectively that means, in symmetric cryptography, halving the key. So if you have a 128-bit key that's secure against all computers, which it is, and someone invents a quantum computer, you need a 256-bit key to get the same level of security. So against symmetric cryptography, quantum computers are not an issue; it's really easy to double a key length. Against public key cryptography it is a huge big deal, because it could make our basic public key algorithms obsolete. It can make factoring easy; it can make it linear. Now things aren't all bad. There are a number of public key algorithms that use coding theory. Some of them were done in the 70s and 80s, a little work in the 90s. Largely they're only done by coding theorists, and we cryptographers ignore them because they're so obscure and so inefficient compared to RSA or Diffie-Hellman that we don't need them. But they do exist, and they would be secure against quantum computation as far as we know today. So when you look at quantum computers, looking into the science-fiction future, it does have the potential of changing things, but not all that much. It doesn't make secrecy go away, it doesn't make cryptography go away, it doesn't even make public key cryptography go away. It makes certain algorithms go away and it makes certain algorithms insecure. I think quantum computing is great, I love the theory, but is it gonna be practical in our lifetimes? It's hard to know. Right now there are some very, very severe limitations, like making the I/O work, but we're really good at this; this is now turning into engineering. I'm gonna come back here in 10 years and there might be a quantum computing room at DEF CON. That'd be kind of fun.

Audience: I'm a college professor from Canada and I teach a survey course in security to first-year software engineering students. I use a lot of DEF CON videos and a lot of the expert content, because they're not overly technical at this point. What advice would you have for me, what should I try and communicate to the students, and what advice would you give to them, seeing that they'll probably be seeing this talk on video in about six months?

Schneier: Interesting. I think hackers are an extremely valuable part of society, and I wrote an essay some years ago on the mindset of hacking, and I wonder if it's something that can be taught. You can teach domain expertise: I can teach networking, I can teach lock-picking, I can teach how airline security works. But the mindset of looking at systems in that certain sideways way, I think it is almost innate. The example I like to use: I don't know if you've heard of Uncle Milton's ant farm. It still exists; it was around when I was a kid. It's just a little plastic thing, and you fill it with sand and you put ants in it and you watch them dig holes. It's kind of cool. When you buy Uncle Milton's ant farm, which you can at any hobby store, it doesn't come with ants, because that would be kind of weird. It comes with a little certificate that you mail in to the company and they send you a tube of ants. So the normal person looks at this and says, whoa, I can get a tube of ants. I look at this and say, I can send a tube of ants to anybody I want. What a great country. That's thinking like a hacker: how can I take this system and make it do something that it's not supposed to do, that it's not intended to do, that the creators didn't envision it to do. And I think this is something you walk around the world doing. I remember when I was a kid going into a voting booth with my mother, being yay tall, and looking around and saying, I could cheat this machine. You don't have to do it, but you have to think that way. So I like exercises that flex that muscle. Yoshi Kohno teaches a course in hacking at the University of Washington, and he has his students keep a blog together on hacking systems, and one of them writes a post on what it's like to return a car to Avis and ways you can hack that, and someone else is looking at some other random commerce system, and it almost doesn't matter what. How can you get more food at the Thanksgiving dinner table? It's just ways to think about how systems work, how they fail, how they can be made to fail. All else is domain expertise, and that's gonna change. The talks we're seeing here at DEF CON this year are not the same types of talks we saw 15, 20 years ago. The world's changing, but that way of thinking doesn't change. The badges get weirder, but it's all about you. The badges started out as a little arms race between people who wanted to forge the badges and people who didn't want the badges forged; now they've kind of taken on a life of their own. I've written a couple of essays on this and I'd urge you to look at them and give them to your students. Thinking like a hacker is a valuable tool for all of life, not just for hacking. Advertising is hacking, politics is hacking: how can I subvert the system for my personal aim? Looking at how to do that I think is interesting.

All right, so as an aside, people who ask questions, you might notice you're being given an envelope. The envelope has my initials on it and has a number on it. Those of you who have one, save it; it will become valuable later. Those of you who don't might want to ask a question.

Audience: I wanted to hear your thoughts on the TSA pat-down process and the potential for it to make us less safe. I'll give you a quick example. When I opt out, I don't go through an imaging scanner, not even a metal detector, and I'm walked past already pre-screened fliers or passengers. So there's a potential that I could drop something off or pass something off to an accomplice at that point, because the line is gray between cleared and non-cleared passengers. And then once I am patted down, they often don't check the bottom of my feet and some other areas.

Schneier: It's funny, I've noticed this too; enough people have. Right now when you go through the full-body scanners you're allowed to opt out, and I really recommend you all opt out, not because the radiation's going to kill you, but because if we don't exercise our right to opt out, we lose it. I opted out, and I opted not to have a private room: you're gonna do this to me in public so people can watch. And he makes a realistic point that I've noticed. So the way this works is you stand in front of the machine and the guy says go through and you say opt out. I've been told, it's never happened to me, that sometimes they ask you why and try to convince you to do it. They would never do that to me; they just say okay, they go with a little microphone and say "opt-out, male", and then some guy comes and pats me down. And he's right, they don't send me through the metal detector; they take me around both machines, the full-body scanner and the metal detector there, and do a manual pat-down, which, as any of you in law enforcement know, is kind of a joke, because any pat-down that is not personally embarrassing is actually not very effective. I have asked TSA people, and not gotten a good answer, why, when someone opts out, you don't send them through the metal detector and then pat them down. The metal detector is right there, it's being used, they're shunting people to A or B, and I don't have a good answer. I think that does make you a lot less safe, because it's really easy to send something through a pat-down. The pass-off scenario I think is gonna be less likely; you've got to rely on getting lucky and things moving at the right speed, and if you get it wrong, now you've got the thing in your hand, and that's kind of awkward. But in general I kind of think these measures are in the noise. We had a newspaper story this week about some 13-year-old who got on a plane without a passport and without going through security, in Scotland or something. Those things don't really bother me, because you can't build a plot around them; they're not reliable. Right now we know, we don't know the numbers, the TSA doesn't report them, but some percentage of guns get through airport security. They run tests, and airport security fails to catch some percentage of guns, and some larger percentage of knives. In a sense that's okay, because you can't build a plot around that. Compare a gun to a bottle of water. If the TSA agent catches you with a gun, he's gonna call the FBI, and at the very least he's gonna ruin your day. If the TSA agent catches you with a bottle of water, he tosses it in the trash and you go right through. What that means is that even a reasonably good percentage of gun detection is enough to foil a gun plot, but anything less than a 100% perfect water detection system is useless, because you can keep trying until you get in. There's no penalty for failure in the water case, as opposed to the gun case. So I definitely agree with you that that's a very weird TSA procedure, not sending you through the metal detector when you opt for a pat-down, but I'm not that concerned about it because of the dynamics of the whole system. Hope I answered that question. That's actually an interesting one.

Audience: Hi, Austin [unclear]; we met earlier.

Schneier: Hey, okay. Earlier [unclear] and we were gonna do, like, no talks but just pictures, but that doesn't scale as well as this does.

Audience: I've got a question about application security. So we have commercial software, or any type of product. I think it's important not to blindly trust the developer's claims that it works the way it's intended, the way they claim it to work, for access control or any of the security functionality. A current way that that's being done internationally is that there are security evaluations that can be done on the software. The Common Criteria is the current international standard; OWASP has the Application Security Verification Standard. My specific question's more about the international standard that's used today, Common Criteria, which works between countries. Do you have any recommendations on how to improve the current system and make it better? What are your thoughts?

Schneier: I think it's becoming worse. I think you said something very wrong in the beginning. You said that we're taught not to trust things, and may not trust manufacturers' claims. We're stuck doing that; we actually have no choice but to trust manufacturers' claims. When I started doing cryptography I had some vision that we as a community, or as individuals, would analyze code ourselves and make sure it works, and we've never done that, ever. Sometimes there are claims I trust more; I know the people who wrote PGP and I tend to trust it more. But generally, operating systems, code, even security code, we have no choice but to trust the claims of vendors, of writers. I write something called Password Safe; I mean I used to write it, now it's being written by Rony Shapiro, a hacker in Israel. I'm trusting him, you're trusting him, you are trusting me; we're all trusting each other. As soon as society gets specialized, at a very real level we have no choice but to trust each other; that's what my latest book's about. I'm gonna drink that bottle of water and I'm gonna trust that it's not poisoned, even though it's been opened. And it's getting worse. In the beginning, when the industry began, we built our own hardware; then we bought hardware and wrote our own software; then we bought software and wrote our own applications on top of it; then we bought applications; now we're in the cloud, and we're trusting at such a huge level. My Gmail: I don't have any freaking clue what operating system Facebook uses. Anybody care? We have to trust it. So one of the ways we trust things is through these standards, and the thought is that there is some independent verification or auditing. Common Criteria is a standard; there are ISO standards; there are NIST cryptography standards. We look at a product or service and it has a bunch of buzzwords, and we say, oh, those are good ones. In a sense they're all sort of equally mediocre, because all the standards ever do is secure the system against a known list of attacks: yes it does this, yes it does that. You can never have a standard of "is it secure"; you can have a standard of "is it not insecure in this particular way". But when you look at new attacks, new ways of thinking, new threat models... So I like standards, but I don't get too wrapped up in which one, because what a standard does is force the vendor to have someone else pay attention, and that's generally good. I don't know if it matters that much. I'd like a better answer. This is actually a truly hard problem. This is the [unclear] in computer science: we can't even prove programs terminate, let alone that they're secure. All we can say is, and this isn't bad, I can't break it and all those other smart people can't either, and they've tried for a month; but we don't know what happens if they try for two months. You all know this; this is what hacking is about, and this is why a new person can go to an old problem, look at it a new way, and figure out a way in. Thank you.

Audience: Hi Bruce, my name is Pete. I have a couple of TSA-related questions. The first one is, it seems to me that forever the US Congress has routinely exempted themselves from all the crap they pass on to us: taxes, insider trading, health care or whatever. But in this case they're being subjected to the TSA pat-downs. There's a lot of YouTube and other traffic about very bad scenarios with congressmen, and I'm wondering, is that indicative that there's a new game taking over or something?

Schneier: It's interesting. Pilots had this issue too, and Patrick Smith, who writes the Ask the Pilot column, was very vocal about it: why are you screening pilots when they're controlling the airplane? You're not thinking this through. And I argue that actually he's not thinking it through, because the issue isn't screening pilots, the issue is screening people who have pilot IDs. So I have two choices: I either build an entire subsystem on pilot ID verification, or I just freakin' screen everybody. And I think the same kind of dynamic is working with Congress. I'm sure Obama doesn't get screened; he doesn't fly commercial. It's just that building in the exceptions was such a big thing, and they did airport security so fast. If this becomes institutionalized then you'll see fast lanes. Right now we have the TSA PreCheck program; I'm sure all of Congress is in PreCheck. So those sorts of line-bypassing systems only happen after something becomes institutionalized. When it first showed up it was, we need to do this quickly, so you didn't have that. But yeah, it's an interesting point, because you're right, they do exempt themselves. Maybe it is that screening is just so quick, and it's not like taxes, which really matter at some financial level, the way pat-downs don't.

Audience: Thank you. The other question is...

Schneier: You get two envelopes.

Audience: Oh, I'm sorry.

Audience: Hey, my name is Andrew. I had a couple of questions related to that age group of kids; I think you've got one of them. Well, I've got a 10- and a 14-year-old, and my brief story is, I sat down at my son's computer in the kitchen to check some news websites, and his Skype log's open, and I see the message "Don't run this file, Josh." And there's a message that says, "Oh Josh, while you were cleaning your room I wrote this little batch file that would open up terminal windows until your computer ran out of resources. So don't run it; you might not know how to stop it. When I got home I thought it was a bad idea, so I wanted to tell you, don't run this file." So based on your research for Beyond Fear and your new book, and about self-regulating groups and how they self-enforce and things like that, I wondered if you'd comment on how that age group learns to be responsible with technology and things like that.

Schneier: So I have long said that the Internet really is the biggest generation gap since rock and roll, and fundamentally the young people are the ones... in any generation gap the younger generation wins, because the older generation dies. And whenever you see things like "young people don't understand the Internet", that's nonsense. They're the ones who are defining the Internet; they're the ones who create the Internet; they're the ones who figured it out, and it's the old people who don't. So to me, young people have a much more intuitive grasp of the Internet, of security, of the way things work, in ways that we don't and in ways that scare us. Think about the rock and roll generation gap: what did the old people say were the big problems? It was drugs and sex and women forgetting their place and the death of marriage, and they pretty much nailed it, and that's actually what ended up being pretty good. So the young people tend to be right. The really good person, for anyone who has teenagers, is the ethnographer danah boyd. I truly recommend reading her stuff. She has a blog, she's written papers, and a number of her speeches are online, about how young people use the Internet and about how they assimilate it. I'm looking at this audience, and a lot of you guys know this, but your parents don't. And I think it really has got to go the other way. I've been at a lot of computer security conferences where a bunch of older people talk about how young people don't understand privacy. Don't forget: young people care a lot about privacy, from their parents, from their peers. Privacy is a huge deal when you're 16. People are still people, but the intuitions are different, because, and Richard Thieme talked about this an hour ago at his talk, the technology at which you come of age is the technology you find normal and the technology you're good at. This whole nonsense about child predators: kids know who the adults are in a group that tends to be kids. They're not fooled; it's the congressmen who are fooled.

Audience: My question is, how do we secure those Internet-based applications where authentication is critical, and what are your thoughts on cloud computing?

Schneier: Well, the two answers are: as long as we don't, and, one, as we do. I mean, we largely do. Internet banking works pretty much okay; it's not perfect, there are problems, but we're good at authenticating things where it does matter. My gaming works pretty much okay. Any of you who work for big companies, you probably have some kind of secure access token that works pretty much okay. There's no magic bullet; there are lots of ways we can do it better. We're always fighting usability. Nobody wants to put their thumb on a device; nobody wants to learn to play Guitar Hero, if people followed that news story from last week on implicit passwords. People just want to do their thing, and it's getting worse. Cloud computing is a really good example of this: instead of my data on my device, my data is out there somewhere. But this is the future. People, and now you're talking about young people again, are used to getting their content on the closest available screen: at their house, at school, at their friend's house. That's the way it's supposed to work. People like it when they lose their iPhone, they get a new one, push a button, and all their stuff magically appears on it. And again, if you start interviewing teenagers, they kind of don't really understand where their computer ends and the net begins, because that boundary doesn't actually matter anymore; it's disappeared. And I think, I sort of launched into this a little bit, one of the fundamental things going on in computing right now is this loss of control: we are losing control over the endpoints. I have no say in whether this updates or not. I have a Kindle; it's even worse. I can't even write an erase-your-data program for this thing, because I can't get to the memory. So we're losing control of our endpoints and we're losing control of our data. I run Eudora, but I'm a freak; everyone else is on Gmail; their mail is on Google's servers. So suddenly my authentication, which was, I put this in my pocket and I'm the one who's touching it, so I can get by with just a password, because the password plus the fact that I'm not gonna lose it, or it's in my locked house, now becomes just a password. So you need more authentication. We're not getting it because of usability; people don't want it. There are gonna be a bunch of issues here, and the loss of control's a big deal: other ways it may be being used, third parties getting access to it, for advertising, for marketing, for law enforcement; it goes across borders and then suddenly the NSA gets it, in a computer in Utah. All these things are happening because giving up control is such a powerful consumer thing. People want that. My mother does not want her photos on her computer; she'll screw it up. She wants Flickr to have them; when her computer crashes the photos are saved. It's a Christmas miracle. And this is unfortunately, I think it's unfortunate, this is gonna be a much harder future to secure, because security is about control. And I talked about trust: now we have to trust all these entities, and you have no visibility. Try calling Google customer service. Actually, Google has great customer service; the problem is you're not the customer. Become a Google customer, an advertiser, and they have customer service all over the place. So what we're seeing is these non-business relationships, this loss of control, all of which force more authentication, but you have the back-push of users not wanting it. But we've made some progress: the most common password is now "password1" instead of "password", but that took a decade, which means in 10 years we're at "password1234" where the a is an at sign, because we're all speaking leet now. This stuff's hard.

Audience: Good morning, Bruce. Yesterday General Alexander gave a presentation as far as building a better relationship between the hacker community and government agencies such as the NSA.

Schneier: I assume he didn't buy any of that, right?

Audience: Well, largely he failed to address a lot of the issues with trust, which, as you know, is a huge factor as far as the building of these relationships. How do you see the relationship between agencies such as the NSA and the hacker community developing and extending? It seems more like they lie to us to be more believable and we buy it.

Schneier: I'm not impressed. I didn't go, but someone said there's an NSA recruiting booth in the dealers' area; they actually have the Enigma machine, go see it. But then somebody told me this, that they have a list of attributes of the NSA on their signage, and one of them is transparency. Clearly we're inventing new meanings for words here, and too much of Alexander's talk was like that. The NSA needs hackers; the NSA were the original modern hackers. So they are going to be a one-way conduit for information: they want everything we can do, they will give us nothing they can do. But this community is turning more and more legit. This is not the DEF CON of 15 years ago, it's really not, and so now you have a place where, instead of "spot the Fed", the Fed now puts a sign up saying "come visit us". So like the cryptography community, there is this information exchange that works one way. In the 1990s the NSA started coming to crypto conferences. Brian Snow was the first one to come, and he wore a badge that said NSA. Other people have come; they'd have badges that said DoD or Fort Meade, Maryland. They would sit in the back and never ask questions, and presumably they learned a lot from the academic community, but they never gave a paper, they never presented anything. And that's the relationship now, because now the NSA realizes that so much of intelligence gathering is not crypto-related: it's computer security, it's network security, it's hacking, it's physical. So you're gonna have this back and forth with no forth, and that is the way it will be. We're not gonna ban them from coming, because I think that's wrong too, and they can always pretend they're from someplace else, but a lot more people here are legit than were 15 years ago. So I'll bet the NSA recruiting booth is pretty popular, and they have cool swag actually, so it might be worth seeing what they've got. You probably can't take the Enigma machine unless you're really fast and get a distractor, or maybe three of them. So we should talk later.

Audience: This builds on a couple of questions ago. With the Yahoo hacks and the hack of the week, whatever, that releases passwords and stuff, like you said, the passwords aren't getting that much better. And I see, when I try to talk to my less technical friends and relatives, that convincing them to do things like use different passwords on different sites and use more complex passwords and not click on that link from the guy who swears he's your buddy, that it just becomes so complicated for non-technical users that they just kind of give up and don't care about any of it. Do you have any suggestions or ideas on how to make that work?

Schneier: So I think this is a failure on our part. There's a whole lot in our industry of blaming the user: the user chose a bad password, you deserve to get it. I think we in the community are failing, because we are expecting the users to choose good passwords and they can't, for all the reasons you talked about; they're not going to. I think it's our job in security to make security systems that work with actual users. Educating the users is a mistake. Think of automobiles: the first automobile was sold with a repair manual and its toolkit, but automobiles didn't really take off until my grandparents could buy one. Or in computers, until my mother got a computer. My mother is never going to do anything right. The only reason there's antivirus on her machine is that I put it there, but that antivirus has to work magically without her knowing about it. I'd even want it, actually, upstream at her ISP: why in the world does she get malware and spam? It should be blocked at the ISP. So I want us to build better security systems. Microsoft actually has some really good work now being done on security dialogues, you know, scary dialogues. The dialog comes up and, if you're a normal person, it says: "complicated technical gibberish, make this button go away, yes/no". That is what a security warning is to an average person, and whenever we do that we are failing, unless we truly believe the user has a piece of information in order to decide which button to push, and we tell them. Microsoft has really good work on this, where the trend with dialogues is: here's the situation, here's what you know that we don't, here's why it matters, and here's what you should push depending on what information you know. That's a good dialog box, instead of: I'm the programmer, I have no idea what you should do, I'm gonna give up and make the user decide, because then it's not my fault. So we need to get better. We need to get better at the psychology of security, we need to get better at user interface, we need to get better at automatic security. And spam is a really good success story: anti-spam happens at the ISP largely, and I don't get any spam anymore. Really; I get almost nothing. Spam's an enormous amount of Internet traffic, but it just works magically. My mother doesn't get spam, and there's nothing she did. That's good; that's what we want. The more we can do that, the better we'll do.

Audience: Morning. So I think one of the things that I find very useful about your writing is the analogies bridging the non-technical and technical worlds. So one thing that I wanted to ask about was BYOD, and specifically mobile device security. As you can see there are many talks around mobile security here. What are some useful analogies I can use to get across some of the risks to my senior management?

Schneier: I think, again, this trend of loss of control might be why. IT people know this buzzword; it basically means your employer no longer gives you a computer, and instead says, here's a thousand dollars, buy a computer. And why? Because you've already got a computer, you've already got a cell phone; you don't actually want the corporate stuff, it's more to carry and it just annoys you. But then once that happens you get the loss of control. So this is an important trend. This is a trend that is going to reduce security, and it's a trend that's not going away, because getting out of the provisioning business I think is valuable to companies; they don't actually want to give their employees cell phones. And analogies: I really think of it as loss of control, because now as an employer I no longer control that endpoint. It's very similar to home banking customers in some ways, because you can imagine that banks could give each one of their customers an iPad: you must bank through this, and I control it, I set the patch levels, and you can't do anything else on it, so I can make it secure. But instead I say, go to your browser and log in from anywhere. And banking works that way. More and more of corporate IT is gonna look like that; it's gonna look like Facebook; it's gonna look like, you log in to this site. And the way that works, the way banking works, is you get a very, very limited number of things you can do. You don't log into your banking website and get a command line; that'd be cool. You get a bunch of options. Same thing with Facebook, same thing with all of these sites. So I think we're gonna see more of that, less free-form, which is okay, because most people don't need free-form; they want to do certain things: they're going across websites to fill out forms, to get some stuff to read, to share documents, to send and receive messages. So think of it more as a social networking site. That's, I think, the effect of BYOD. I'm doing quicker answers now because I'm running out of time. And no one asked me about SHA-3. What's wrong with you people?

Audience: Hi, this question is about your book Liars and Outliers, and with a reference to the previous panel, which was talking about philosophy, history and politics, which I'm thinking might be a trend now here, that we're going to get into other things. So it says in your flyer that you quote Thoreau and Socrates, and as a former graduate student in philosophy and being familiar with Plato's Republic, one of the diatribes in the Republic is about people that are experts in other fields thinking they can do philosophy. So I was wondering if you could expand on whether you think it's appropriate, don't shoot the messenger, for hackers to become thought leaders in other fields.

Schneier: Yes. Hacking is not a domain; hacking is a mindset. 100% yes. Hacking is a way of thinking; hacking is a way of looking at the world. We tend to be hackers in computer science; we could just as easily be hackers in biology; we could be hackers in model trains, which the original hackers were. So yes, simply because hacking is a way... hacking actually is a philosophy. And then there are some things which can bleed into other domains. Law is like that, because law is a way of looking at the world, so lawyers often write about very different topics. We need to get a law
professors read law journals running on all sorts of things because it's a Economist also it's a way of looking at the world so in in that we can bring our mindset to other problem spaces I think it's valuable what I try to do in my latest book is to go the other way right to say here is what philosophy and sociology and psychology have to teach us and computer-security right I'm not trying to go there and tell them their stuff I'm trying to go there and say what do you got that's useful for me in my field and that was a really interesting thing to do and I had a lot of fun writing this book because I'm trying to you know what because security is fundamentally about people's about technology only a little bit it's really about people and lots of disciplines try in their own way to understand people they do it differently I started a workshop four years ago so called the workshop of security human behavior the day was to bring all these different disciplines together who worked on the same sorts of problems from very different perspectives have been talk to each other and that was way cool interesting thanks good answer Thanks dodged that one morning Bruce my question to you is with the advent of social media and how people are blogging and on Twitter there seems to be a large percentage of people who have this sense of futility and fatigue when working in the security industry I was wondering if you felt that that contributed at all to actually solving some of the bigger challenges in the security industry you know I actually worry about fatigue also because it's so freakin hard especially when you're fighting you know fighting for privacy fighting for security there's so many forces arrayed against it I mean these days I worry less about the criminals and more about the legitimate forms right in the corporation's the government's who are using political and economic systems to force technological changes to make us less safe and and it is really easy to get 
discouraged and you know I have no good answer for that I mean we know we in sometimes the best we can do is lose slower and there's there's a quote that that is sort of always stuck with me by Martin Luther King jr. who said once that the arc of history is long but it bends towards justice I mean what he's saying is that in the short term we can lose and lose big right but a hundred years ago you know half of us in this room couldn't vote right two hundred years ago a bunch of us were slaves right that history does get that we do improve even though you we hit you know some local minimums that look pretty bad so I mean that's that's the advice I have for not losing heart it's easy I mean luckily they know more and more of us come up right and do things so so people get tired can kick and sort of sit back but I feel feeling I've been writing the same essays for 20 years sometimes I mean a CNN asked me to write about the Aurora shooting what am I gonna say I flip back I wrote a long essay about the the Fort Hood shooting I said basically the same things about whatever University's shooting that was Virginia Tech right you know so I mean I can read I can take the same si cross at Virginia Tech and write Aurora movie theater it's just as relevant but I feel like I've said it already how do you give me the problems don't change right we're still fighting the same battles and it seems like we have to win every time and the bad guys only have to win once so no this is hard I mean I mean can't you ask an upbeat question can't sue sorry Bruce so I have to end soon okay you so it's two minutes so okay yes or no questions go okay I will freeze it as yes no question first I was gonna ask you about what political hack were missing but since you said the solution is lose slower I've got the answer with regard to software it seems that Chrome for example auto-updates and that it's been a very good thing for computer security in general I think a lot of people in this room 
probably opposed to software automatically updating and a lot of users are opposed to it because historically it broke functionality so my question is at this point in time have we reached the point where effectively all software should update automatically based on a trust relationship yes hang on hang on okay how many envelopes you have left no no don't count them just to justice take them and go back along the line and hand them out in order cuz I'm sorry so so a couple of things will happen now I have out here so I should cope with this I mean I'm now going to a book signing this is my book tada it's available at the bookstore and I'll be going there and doing a signing I have this which is the book flyer it's kind of a thin version of the book it doesn't have as many words but on the plus side it's free and I have piles there and there so if you'll feed a grab one those of you have cards this is the galley of the book now that what a galley is before the book is published the publisher prints these and gives them to a book reviewers basically so those of you with cards if you come here I will give you a galley the galley has more typos than the real book so you got to sort of accept that and I in return I ask that you mention blog tweet anything something that that you read the book I'd really appreciate that so that's the plan for now I'm gonna go right here with this boxes and then I will go to the book so I think I could stop at the QA area first and say hi so I'll do that so I'll do that for like 15 minutes then I'll go to the book signing and then the rest of our day will continue and we'll all have fun thank you for coming thanks got me Def Con
Info
Channel: Christiaan008
Views: 15,689
Rating: 4.9298244 out of 5
Keywords: DEFCON, security conference
Id: dJh0mIJn6kE
Length: 47min 52sec (2872 seconds)
Published: Thu Nov 15 2012