Perceptions of risk

At Blackhat & Defcon recently I was once again surprised by the number of security professionals who refused to touch a networked device for the duration of the conference. Yes, the risk is elevated and people might have zero-days. But the risk is also high in airports, coffee shops, and hotels in far-away places. People in some parts of the world live at a constantly high risk of zero-days in their own homes.

How can we be expected to help defend our users (who at most have a small fraction of the security knowledge that we do) in hostile environments if we can’t defend ourselves? Some have called this attitude cavalier or attributed it to hubris, but that’s missing the point.

The point is that either we are overestimating the risk at Blackhat, or underestimating the risk the rest of the time. If a security pro can’t defend themselves in a highly hostile environment, then I claim they can’t defend their users in a moderately hostile one.

6 comments

  1. Interesting. So the threat model is precisely the same at Blackhat as it is in a coffee shop or airport, because the threats and attack vectors are the same. The perception of risk is very different though. Maybe that perception is accurate, maybe not. I’ve seen plenty of passive and active attackers at airports, hotels and other public places (unrelated to security conferences).

    Maybe some people lead dull lives and have nothing to fear, but I think we have seen that the environment can change drastically. From 0-days on the Nobel website to the recent spate of attacks against CAs (and resulting widespread MITM in Iran), basing your security posture on whether or not you trust your local “Free Public WiFi” or whether or not you can run into a 0-day in the wild, is risky. Do you really want to click that link in Twitter? In your email?

    For example, how many of you are running Cert Patrol and would have noticed a DigiNotar cert? Is all your software (esp. plugins) up to date?

  2. That’s like saying why don’t good software developers always write their internal tools to be perfect and never have any bugs.

    I wouldn’t care about using my devices because the cost-reward is relatively bad. I don’t _really_ care about using my devices and nobody is giving me a sack of money telling me I should care. Securing your devices is great if you want people to erroneously attribute that to your ability but crap if you want to spend your evenings with your family.

    If I properly secured all my personal systems assuming high priority threats all the time, whilst doing a full time job + researching and authoring, I’d never get any sleep or have time to eat!

    Secondly the threat model is entirely different at Black Hat to a cafe, since the threats are distinctly different even if the ultimate risks are the same. Ergo the calculation of how much resource to dedicate to the problem is different.

    My question to you would be: If you hired a security expert and he spent his days securing his personal devices on the basis that he’s off to a conference next week, wouldn’t you be a bit pissed and consider it wasteful? Now let’s say he wanted to borrow your testing department to make sure they were secure. And wanted a budget to hire external pen testers to double-check his iPad was safe. And then have the network support team sign off on all the software on his computer. And buy licenses for his tools…. etc, etc.

    Of course you wouldn’t accept that – but how else is a security researcher supposed to get access to those things? Unless he’s a millionaire, he’s not going to get it. Minimal assets means minimal ability to react to threats. Closing off surface area is an appropriate response in that circumstance if the cost is low (and seriously, who the hell needs an iPad that badly?)

    To use another analogy, how many expert architects live in their own personal skyscrapers? …. That doesn’t mean they’re not expert architects. It just means they don’t have sacks of cash and oodles of time to throw away on looking good. Their work speaks for itself – not how much of their own free time and assets they’re prepared to throw away on posturing.

  3. I agree fully with Lucas. Security experts not using stuff at Defcon are just frauds.
    Being an expert doesn’t mean not using stuff you don’t get hacked.

  4. I’m fairly sure the risk of that shady guy in Caffe Nero having a zero-day exploit that will bypass the defenses on my laptop is close to zero. I’m fairly sure the risk that one of those shady-looking characters at Defcon has a zero-day exploit that will bypass anyone’s best defenses is distressingly high and worth accounting for. The threat agents are different, so the overall threat model is different. The risk-reward ratio is radically different as well, so the decision to take action reflects that.

    Defcon/Black Hat:

    o High threat (Threat agents are dangerous and likely to hit within small window)
    o High cost-to-resource ratio (My free time is precious and my personal devices are not intended to be highly secure)
    o Low reward (Do I really care about using my phone that badly?)

    Hotel:

    o Low threat (Threat limited to few agents, mean skill is low, likelihood of encounter is low)
    o Low cost-to-resource ratio (I’m probably there on business so the machine will hold at least some data worth protecting. It’s company time, so the resource is there to spend on securing it)
    o High reward (I would die of boredom without internet in a hotel)

    They are different circumstances with different threats and risks. To pass them off as the same (required to make the ‘overestimate/underestimate’ statement) doesn’t strike me as valid.

    Perhaps a similar question would be why does Firefox have a privacy mode? Shouldn’t Firefox have privacy as standard?

    The funny thing about that question is I’ve actually had people ask me that in all seriousness :)

  5. I think you’re overestimating how hostile the normal environment is, at least for my part of the world (the UK).

    Yes, that open wifi might be a trap to steal my passwords, but far more likely it’s just a cafe owner who wants to sell more coffee. Would you be willing to make the same bet at defcon?

    There are loads of unpatched vulnerabilities out there, so surely the fact that they’re not being exploited more shows that there aren’t that many people trying to exploit them.

  6. They are afraid because, you know…
    “The cobbler always wears the worst shoes”