I've been at South by South West (SXSW) for the past five days here in Austin, Texas. After several days of non-stop marketing and media bombardment, and more overstimulation than my brain can handle, I'm sitting down for what seems like the first time in 5 days to just sit quietly and think. It's no coincidence that I'm at the airport getting ready to jet home to Boston, MA -- it's really been that kind of trip.
I started my trip to Austin with the excellent people at BSides Austin. I was at the Rapid7 table for a little while, which means I got to speak to a lot of you as you asked questions or asked for one of our amazing Metasploit tshirts (keep your eyes peeled for the next design contest!) I did take a break to listen in on the fantastic debate -- Red team vs Blue team -- that happened midday. Three folks representing each 'side,' with questions from the moderator and audience asking for their points of view on both, no holds barred. I was encouraged to hear a lot of discussion about understanding user behavior and better enabling user education -- "know what's normal" came up as a mantra quite a few times.
Now, the debate was two hours long so I am not going to try to summarize everything they said, but instead a highlight for me: Towards the end a high school student attending asked the panel point-blank which 'side' he should get in to, which lead to some incredibly insightful advice and discussion from the panel about getting more people into infosec, and dispelling misconceptions (good and bad!) about the profession. Which team has the 'sexier' work -- the ones keeping a nation-state out of your network, or the ones trying to 'break in' to someone else's? Really wish I had heard this discussion when I was a high schooler trying to figure out how to translate my interest in compsci into something more concrete that wasn't just limited to "programming."
Security in a SXSW context
At a conference like this, where eveyrone's looking for the Next Big Thing and trying to be the earliest-of-early adopters for all the shiny new tech, it can be a little tricky to work security into the conversation. SXSW targets such a wide audience that may or may not have some security literacy, so you need to do basic education around why security needs to be part of the conversation, and what the potential security concerns are. (A basic proof-point to how much security isn't really on the radar for many here -- how many unattended and unlocked laptops and cell phones left alone on tables did I see in just one day? Way, way too many.) Another thing to consider is that at SXSW, the term "hackers" is usually used to strictly refer to black hats, or to the hardware tinkerers and makers, so even the basic terminology can get muddied. Another risk you run -- when everyone's dreaming of a big, bright, tech-enabled, Star Trek-y future -- is with this audience, and without proper context, security can be seen as a bit of a buzzkill. We want our tech to help us make incredibly smart computers, transport anywhere in an instant, and fight the Borg. Talking about security isn't always as sexy. ("Captain, we can't go to warp because engineering needs everybody to stop what they're doing and let the OS updates run.")
But we do need to be a part of these conversations. Not to wag fingers or to take away from the fun and the awe of what's possible, but to help deliver on those promises for the future. Absolutely, let's make a cool tech-enabled future happen, and let's do it in a way where services and devices work safely, the way we want them to, and not in unintended or even dangerous ways.
The natural segue to these conversations were in tracks devoted to privacy and to the Internet of Things (IoT), both of which were plentiful at SXSW this year. And thankfully there were a number of panels which helped set the scene for why security matters to everyone, and what's potentially at stake if we accidentally (or purposely) leave it by the wayside. A few notes on some salient sessions and events I attended in the past few days:
Nick Percoco's talk "The Internet of Things: Who Will Save Us?" on Friday was a great start to this discussion about security in an IoT context (I was livetweeting it under the hashtag #sxswsaveus in case you'd like to see a bit of the play-by-play). I'm hoping he gives this talk again in the near future, because it was quite a fun ride -- it was all about the devices we could only dream about just a few decades ago, and their unintended consequences once they became real. We dreamed about videoconferencing in the mid-20th century -- being able to see the person you're calling, imagine! -- but we didn't imagine malware along with it. And then looking ahead: What happens when your self-driving car BSODs? What if an implanted reality augmentation device gets hacked and holds you hostage? What other things are we missing when we think about the future?
And to answer the "who will save us?" question, there's no single savior here. It's going to be all of us, as security researchers and informed consumers, educating our communities, working with legislators and with security advocacy groups like builditsecure.ly and I Am The Cavalry.
Ben Wizner of the ACLU and Bruce Schneier spoke about "surveillance's threat to liberty and privacy" (#libertech) -- it was a standing-room crowd, to no surprise. While government surveillance is a concern that many look to the tech sector to help curttail, Schneier and Wizner pointed out that privacy advocates often call upon the government to curb private-sector zeal to obtain and retain as much data as they possibly can, for as long as they can. It's a delicate balancing act, and making sure consumers have a right to know who is using their data, when, where, and for how long, is not an issue we've solved yet. Bruce is optimistic we can tackle this as we have other tough issues, but certainly it's an ongoing battle.
CSID had a panel with Tiffany Rad and a representative from the Secret Service discussing why firms and governments are having a hard time recruiting black hats into the white hat world (#hackstar). I think the issue with working for the government is pretty obvious when you look at potential culture clash there -- not many people I know relish in doing a 9-to-5 in a suit all the time, especially not the tech-inclined. The private sector has a leg up here, especially when we're talking the potential salary ranges, but in a lot of cases there's a basic lack of awareness that security is even a viable career option. One point I thought was especially salient came from Tiffany on the educational models that we use to engage tech-inclined kids and get them interested. She believes that our traditional educational models are increasingly outdated and failing many kids would might excel in our field as they get older. It's an urgent call to action that we need to figure out how to engage those kids before they tune out completely.
I went to a fascinating panel with a rather bait-y title called "HoloGramma: How tech can bring back our departed." A lot of the conversation focused around hologram and augmented reality technology advancements, as well as firms that archive family photos and video and how they're creating a huge database of our family experiences over time. Theoretically, you combine the huge amount of family data with hologram technology, and you have a virtual grandma. (Yes, sounds a bit like that episode of Black Mirror.) As Star Trek-y as this was, in theory, I'm glad a few people asked who would be custodians of this data. Couldn't a stalker create a hologram version of their victim? Could we really trust companies to store data sets that allow us to be re-created digitally after we die? Doesn't this get creepy really fast? Yes, yes it does.
At the health & tech stage at SXSW, Jay Radcliffe spoke on Monday about his experience as a person with Type-1 Diabetes investigating the security of his own insulin pump (#hypohacked)-- he found that the wireless capabilities of the pump could be easily used by someone with bad intentions to change the amount of insulin delivered. And terrifyingly, that can be deadly. That discovery led Jay to forego his insulin pump and instead self-inject the insulin he needs to live with a syringe, 10 to 15 times a day. While the insulin pump is a huge convenience for people with Type 1 Diabetes -- I have certainly seen it make a huge difference in the lives of many people I know -- Jay felt that until medical device manufacturers and regulators stepped up and made security more of a priority, he didn't feel safe using them. Jay now spends a lot of his time investigating and advocating for greater security in medical devices. In his own words: We must make sure there's security in the transaction between our bodies and the devices that work with them. Right now there is none. We do not want to be handcuffed to life-saving technology that is fundamentally insecure.
A few other sessions and experiences I wanted to give a shout-out to:
The Robot Petting Zoo! It wasn't just drones (not that there's anything wrong with drones), but there were a lot of teaching robots and search & rescue robots as well. I loved that this was hands-on too of course -- I got to try my hand at driving a search and rescue robot on a bit of an obstacle course. Looked easy, but spoiler alert: I didn't do so well. But hey, any day I get to drive a robot is a good day.
I got to listen in on a healthy discussion about being part of a robust open-source project and community. Metasploit's community is truly incredible, thanks to the many contributors and staff who have been working on it for years and years. Open source projects involve a lot of passionate people with serious opinions -- and yes, conflict resolution is inherently part of the game, as is acknowledgement of the fantastic work that so many bring to the table. It was great to be in a room full of folks who are heavily involved in this kind of work (in a variety of roles, not all developers), to talk best practices in the care and feeding of open source communities. Our excellent Metasploit team doesn't need schooling here but I absolutely do -- I'm glad I was at this session to listen in.
The NASA booth in the expo hall -- for one thing it was huge, comprehensive, and had a ton of giveaways for space nerds like me. Also, I got to try an Oculus Rift to look around the surface of Mars, how cool is that? But they weren't just staffed with marketing staff -- they had actual NASA propulsion engineers there in the booth answering questions. I knew only a little bit about the Orion mission to Mars before I went in to the booth, and came out of it a lot better educated about the mission and its timelines. What a great surprise at SXSW!
SXSW 2015: Everything's the same, everything's different
The biggest cliche of them all at SXSW is to complain about how it's such a sell-out/corporate event now. And yes, it has been for years -- I went to SXSW in 2012 for the first time, and this year I didn't see nearly as many tiny startups trying to make a dent. Content-wise, then as now, it was a trying-to-drink-out-of-a-firehose experience. If you've never been, SXSW is an overwhelming, fascinating, and exhausting set of days: Lots of walking, lots of lines, lots of interesting ideas, lots of unexpected experiences. (I mean I'm a huge space dork and I got my picture taken with a real NASA spacesuit. Didn't expect that.) As with most giant conferences, the best advice is to have an idea of where you're going but to not plan too much, and truly LineCon/HallwayCon/HotelBarCon can be the best part of it all.
Until next time, SXSW! And keep on keeping it weird, Austin.