Paul McLellan
RSA 2020: From Sulu to Penn & Teller

19 Mar 2020 • 6 minute read


I attended the RSA Conference in San Francisco recently. I guess that is going to turn out to be the last conference that I attend for some time, since all the other events in my plans have either been postponed or canceled. RSA is the name of a security algorithm, a company, and a conference. It is actually the initials of three people: Ron Rivest, Adi Shamir, and Leonard Adleman. Two of the three (Rivest and Shamir) were on the Cryptographers' Panel at the event, which I'll cover in a separate post.

The theme of the conference was "The Human Element". One reason for this is that it is well known in security that smart attackers don't try to break the cryptography; they focus on the people. One of the most common ways to do this is through phishing (sending emails that look innocent) or spearphishing (sending emails to specific individuals that look like they come from, say, the CFO of their company). You can read a lot more about phishing in my post from last year's Black Hat conference, Black Hat: Phishing on Gmail. Another approach is simply to call people on the phone and fool them into giving up valuable information. This is known in the security industry as "social engineering". You can read more about that in my post Social Engineering. That post mostly covers a presentation by Jessica Barker from Arm TechCon a couple of years ago...she showed up at this year's RSAC to give one of the keynotes.

George Takei, Oh My

Every RSA conference opens with the lights going down, and a voice in the darkness announces a surprise celebrity to set the scene for the upcoming four days. This year it was George Takei, most famous for a part he played over 50 years ago, as Sulu, the helmsman of the USS Enterprise in the original Star Trek series. You can watch his introduction (six minutes):

Rohit Ghai

The first real presentation at RSAC is always by the president of RSA (the company). RSA is actually in a state of transition, since Dell (the owner of RSA) had announced just a couple of weeks before the conference that it was selling RSA to a group of investors led by Symphony Technology for just over $2B.

Rohit talked about a survey of security professionals, 76% of whom believe that cyber risk will increase in 2020. The top three risks were cyber attack, dynamic workforce risk, and data privacy risk. The mainstream media still depict this as a sort of spy-vs-spy technical conflict, but in fact 71% of threat actors in breaches are financially motivated. This is not people doing it for fun.

I mentioned above that professional attackers focus on the people, and Rohit said:

Most incidents occur due to very basic things or unforced errors.

For example, despite their reputation for being much more technically skilled than us older folks, "millennials are not cybersecurity savvy and are more likely than boomers to get phished".

He wanted us to build cyber resilience in the digital world: "Reclaim the narrative, reorganize our defense, rethink our culture." Quoting Henry Ford, he said:

If you think you can do a thing or think you can’t do a thing, you’re right.

He feels we've let the media tell our story, and since we only share our losses (not our wins), we are regarded as losers. We need to show our wins and the losses of our adversaries.

He told the story of Typhoid Mary. She was an asymptomatic carrier of typhoid...but she worked as a cook and was suspected of transmitting typhoid to dozens of people.

We need to consider the people who cook the food, not just the end-users. We believed that market forces would naturally punish the software makers who do not reduce the attack surface, but this has proved to be wishful thinking.

Wendy Nather

Wendy Nather of Cisco echoed some of the same sentiments. "What were we thinking?" she started. "We were thinking IT professionals would be the only ones using this security technology, and you had to know how to program to use it. We were masters of the universe." But:

The laptops have left the building. As a result, we have an unsustainable security model and we need to break it and put it back together. Tech is being democratized and it is time to democratize security.

A big issue is ease of use. When the iPhone only had a four-digit passcode, only 35% of users set one and used it (not including Steve Jobs himself). When biometrics were added, first fingerprint and now facial recognition, that went up to over 85%. The smart thing was putting the fingerprint reader on the home button that users were going to press anyway.

But for security, we need "a consumer-grade experience, not an engineering-grade experience."

We have to stop thinking of ourselves as wizards and users as muggles.

Hugh Thompson Show, with Penn & Teller

There was a whole RSA Conference after that, some of which I've covered in recent posts and some of which is still to come. As is traditional, the show wrapped up with the Hugh Thompson Show. He is the Program Committee Chair of RSAC but makes a great straight man. He usually has a guest to actually talk a little bit about security, and then a celebrity guest who manages to slip a little security into their usual schtick.

This year the technical guest was Lorrie Cranor of CMU. She talked about password selection, and which passwords are stronger than others in terms of how easily they can be brute-forced. She does experiments comparing one password with a similar one. But I'm increasingly of the opinion that you need to avoid the obvious passwords like "123456" or "password", but otherwise it doesn't matter much. Remember, the smart attackers go around the crypto and don't bother trying to break it. It is much easier to steal all the passwords, or get some via phishing or social engineering. For more on that topic, see my post Passwords and Multi-Factor Authentication.

Next up were Penn & Teller, who carried on the password theme with a trick in which they guessed everyone's PINs and passwords, ending up by smashing a glass bottle that had been suspended over the stage throughout the whole performance.

Hugh then got to interview them. And by them, I mean both of them. I've never seen Teller talk before, neither in real life nor on television. Actually, I have seen their act when it involved Mofo the Psychic Gorilla, and I know Teller supplies the voice (but from offstage). Hugh seemed equally surprised, but I find it hard to believe he wasn't in the know. After all, Teller did have a microphone.

He got a big round of applause the first time he unexpectedly answered a question. "I think I'm getting far too much credit for something you can all do just as well as me."

One thing Penn pointed out was that old technology lasts longer than you think: nothing in the password trick they did came from after 1900. Somehow tricks involving phones and screens just aren't as convincing. For my take on old standards lasting essentially forever, see my post Why Do Layout Designers Say "Stream Out"? (and find out why we board planes from the left despite the sternpost rudder having been invented over 2,000 years ago).

No video of Penn & Teller, I'm afraid. You had to be there. Or you can see them most nights at the Rio in Las Vegas (although the Rio has just been sold so they may move).
