![Motive
“While security for the user might
mean the repulse of `evil hackers […]
security for the vendor means
growing the market and crushing the
competition.”
– Ross Anderson, "Security in Open versus Closed
Systems - The Dance of Boltzmann, Coase and
Moore", Open Source Software : Economics, Law
and Policy, Toulouse, France, June 20-21, 2002.](https://image.slidesharecdn.com/opensourcesystems-171210145134/85/Open-Source-Systems-Security-EiTESAL-Digital-Transformation-Role-of-Open-Source-Event-29-11-2017-8-320.jpg)
![French Weapons in the Falklands
• France manufactured the Exocet
[…]
– France also provided a vast,
virtually unprecedented
amount of technical
assistance, including
information on how to combat
the Exocet missile, which
could well have been
decisive in assuring a British
victory.
http://en.wikipedia.org/wiki/Exocet](https://image.slidesharecdn.com/opensourcesystems-171210145134/85/Open-Source-Systems-Security-EiTESAL-Digital-Transformation-Role-of-Open-Source-Event-29-11-2017-20-320.jpg)
![Opportunity
CRA, November 2003, [unsolved] grand challenges:
● Economic
● Epidemic
● Engineering
● Human
http://archive.cra.org/Activities/grand.challenges/security/home.html
– The Economist, November 2015:
● “The cost of immaturity”
– Average time to breach detection 205 days
– Estimated global cost of 90m cyber-attacks: $575 billion
● “cyber-security industry is booming”
– Market: $75 billion a year now [...] $170 billion by 2020
– 2016:
● cloud, mobile, social media, and more: “Cybersecurity is terrible,
and will get worse”; IoT “will be a security disaster”
https://www.lightbluetouchpaper.org/2016/02/22/financial-cryptography-2016/](https://image.slidesharecdn.com/opensourcesystems-171210145134/85/Open-Source-Systems-Security-EiTESAL-Digital-Transformation-Role-of-Open-Source-Event-29-11-2017-30-320.jpg)
Open Source Systems & Security - EiTESAL Digital Transformation "Role of Open Source" Event 29/11/2017
- 1. Open Source Systems & Security Sherif El-Kassas
- 2. OSS & Security ● Outline: – Principles, Motives, & Opportunity – Trends and attitudes – Case and examples (The small matter of Mr. Snowden) – The way forward
- 3. principles
- 4. Design Principles • Well known set of principles – Saltzer, J.H.; Schroeder, M.D., "The protection of information in computer systems," Proceedings of the IEEE , vol.63, no.9, pp.1278,1308, Sept. 1975 – Smith, R.E., "A Contemporary Look at Saltzer and Schroeder's 1975 Design Principles," Security & Privacy, IEEE , vol.10, no.6, pp.20,25, Nov.-Dec. 2012 – See also: http://www.cryptosmith.com/book/export/html/365
- 5. Saltzer & Schroeder 1. Economy of mechanism 2. Fail-safe defaults 3. Complete mediation 4. Open design 5. Separation of privilege 6. Least privilege 7. Least common mechanism 8. Psychological acceptability
- 6. Saltzer & Schroeder 1. Economy of mechanism 2. Fail-safe defaults 3. Complete mediation 4.Open design Kerckhoffs (19th century) Shannon: “The enemy knows the system” 5. Separation of privilege 6. Least privilege 7. Least common mechanism 8. Psychological acceptability
- 7. motive
- 8. Motive “While security for the user might mean the repulse of `evil hackers […] security for the vendor means growing the market and crushing the competition.” – Ross Anderson, "Security in Open versus Closed Systems - The Dance of Boltzmann, Coase and Moore", Open Source Software : Economics, Law and Policy, Toulouse, France, June 20-21, 2002.
- 9. opportunity
- 10. Reflections on Trusting Trust Ken Tompson Communication of the ACM, Vol. 27, No. 8, August 1984 Opportunity
- 11. Reflections on Trusting Trust Ken Tompson Communication of the ACM, Vol. 27, No. 8, August 1984 Opportunity “The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)” http://www.cs.tufts.edu/comp/98/Ken_Thompson_84-Reflections_on_Trusting_Trust.pdf
- 12. What if we don’t manage trust & ignore scrutiny?
- 13. Lastupdated6July,2011 The Two Faces of Hackinghttp://spctrum.ieee.og/static/hacker-matrix
- 14. dependability of the connected world
- 18. War stories
- 20. French Weapons in the Falklands • France manufactured the Exocet […] – France also provided a vast, virtually unprecedented amount of technical assistance, including information on how to combat the Exocet missile, which could well have been decisive in assuring a British victory. http://en.wikipedia.org/wiki/Exocet
- 25. the way forward
- 26. Physical vs. Digital world • what Morpheus might have said – “Do you believe that my being stronger or faster has anything to do with my muscles in this place?” • mediation, proxies, and trust
- 27. ● Stallman: How Much Surveillance Can Democracy Withstand? “Robust protection for privacy must be technical” wired.com/opinion/2013/10/a-necessary-evil-what-it-takes-for-democracy-to-survive-surveillance/
- 28. R&D agenda
- 29. R&D agenda • Trustworthy technology – Build our own? – Open source strategy – Open scrutiny – Certification program to ensure quality ● Note worthy: • People • Ensure no harmful shortcuts are taken
- 30. Opportunity CRA, November 2003, [unsolved] grand challenges: ● Economic ● Epidemic ● Engineering ● Human http://archive.cra.org/Activities/grand.challenges/security/home.html – The Economist, November 2015: ● “The cost of immaturity” – Average time to breach detection 205 days – Estimated global cost of 90m cyber-attacks: $575 billion ● “cyber-security industry is booming” – Market: $75 billion a year now [...] $170 billion by 2020 – 2016: ● cloud, mobile, social media, and more: “Cybersecurity is terrible, and will get worse”; IoT “will be a security disaster” https://www.lightbluetouchpaper.org/2016/02/22/financial-cryptography-2016/
- 34. Kill switches!
- 36. trends
- 37. 2013 2014 2105 .00 500,000.00 1,000,000.00 1,500,000.00 2,000,000.00 2,500,000.00 3,000,000.00 3,500,000.00 4,000,000.00 4,500,000.00 insider unintended physical loss portable device stationary device “DataBreachesbytheNumbers,”http://www.securityweek.com/data-breaches-numbers
- 42. What can be done about trust?
- 43. Only the paranoid survive!
- 44. “Anything that happens, happens. Anything that, in happening, causes something else to happen, causes something else to happen. Anything that, in happening, causes itself to happen again, happens again. It doesn't necessarily do it in chronological order, though.” --Douglas N. Adams, “Mostly Harmless”