Closing keynote - Hack In The Box Security Conference (HITBSecConf2018AMS)
TRANSCRIPT
[Slide 1]
CLOSING KEYNOTE
Security is what we make of it: blockchain & beyond
@AmberBaldet | #HITB2018AMS
Amsterdam 2018
[Slide 2]
$whois Amber Baldet
Previously:
➔ Executive Director, JPMorgan (Blockchain Program Lead)
➔ Chair, Financial Industry Working Group, Enterprise Ethereum Alliance
Currently:
➔ Unemployed
Lectures, panels, etc:
➔ Defcon, Empire Hacking, SOURCE
➔ MIT Media Lab, Wharton, Duke, Harvard Business, NYU, Columbia
➔ Money 20/20, American Banker
➔ Hyperledger, EEA, Consensus, etc.
Likes: otters, memes, otter memes
Dislikes: patriarchy
© Hello Louis, cryptopop.net
[Slide 3]
How Blockchain could help us take back control of our privacy
The Cambridge Analytica breaches show the dangers of leaking personal, sensitive data online – but there’s a way to avoid this
Bitcoin Transactions Aren’t as Anonymous as Everyone Hoped
Web merchants routinely leak data about purchases. And that can make it straightforward to link individuals with their Bitcoin purchases, say cybersecurity researchers.
[Slide 4]
Hahaha, why don’t you just use a database?
Do I need a blockchain?
No
[Slide 5]
Usually, you can
[Slide 6]
And sometimes, you could, but there are human reasons why centralized solutions failed to gain traction
[Slide 7]
And in other cases, we have, but they are inefficient, expensive and/or have failed disastrously
[Slide 8]
It’s not just a database...
[Slide 9]
It’s not just a database...
There is no cloud. It’s just someone else’s computer.
:(
[Slide 10]
It’s not just a database… it’s worse
There is no cloud. It’s just someone else’s computer.
There is no blockchain. It’s just all of our computers.
:( :( :( :(
[Slide 11]
And yet...
● 7 Ways The Blockchain Can Save The Environment and Stop Climate Change
● How Blockchain Will Save Freedom Of Speech
● How blockchain could save lives by getting medicine where it’s needed
● The Blockchain will save healthcare and shipping billions
● Here’s how blockchain can reduce inequality
● Can Blockchain Help Solve the Housing Crisis
● 5 Ways Blockchain Could Save Humanity
[Slide 12]
“Blockchain” means different things to different people
[Slide 13]
Maybe try listening once in a while?
[Slide 14]
Businesses are experimenting
Distributed Database:
➔ Closed, single operator
➔ Trust among nodes
➔ Fast, capable of strong consistency
➔ Store of mutable state
➔ Resiliency & DR assumptions
Public Blockchain:
➔ Open, multiple operators
➔ Trustless, censorship resistant
➔ Slow, eventually consistent
➔ Log of state transitions
➔ Antifragile
Mutualized Infrastructure
[Slide 15]
Choose two:
Flexible, Resilient, Performant
Accessible (Open)
Confidential & Secure
[Slide 16]
Business concerns
➔ Data privacy
➔ Compliance
➔ Governance
➔ Dispute resolution
➔ Performance
➔ Settlement finality
➔ Resilience
[Slide 17]
Isolated networks
Public Networks Enterprise Networks
[Slide 18]
Isolated networks
Public Networks (security risk level: Schadenfreude)
Enterprise Networks (security risk level: Boring)
[Slide 19]
Hybrid networks
Private P2P
Gov 2 Gov
Banks + Gov
Gov + Citizens
Smart Home
Supply Chains
Public Networks
[Slide 20]
Hybrid networks
Private P2P
Gov 2 Gov
Banks + Gov
Gov + Citizens
Smart Home
Supply Chains
Public Networks
Security risk level: OMG
[Slide 21]
How Blockchain could help us take back control of our privacy
The Cambridge Analytica breaches show the dangers of leaking personal, sensitive data online – but there’s a way to avoid this
Bitcoin Transactions Aren’t as Anonymous as Everyone Hoped
Web merchants routinely leak data about purchases. And that can make it straightforward to link individuals with their Bitcoin purchases, say cybersecurity researchers.
[Slide 22]
The future is coming…
What will it look like?
[Slide 23]
Blockchain + IoT + AI = Skynet (and so many consulting white papers)
[Slide 24]
China Russia Venezuela
[Slide 25]
Next-gen encryption wars
[Slide 26]
Public blockchains are world readable data lakes
[Slide 27]
Increasingly, the anonymity of a part depends on the motivations & operational security actions of the whole
[Slide 28]
Businesses need privacy
Drive adoption of significantly stronger encryption and data privacy standards
Share primary records without
➔ surrendering information ownership to third parties
➔ creating centralized data lakes
Transition from a perimeter network security model to record level security
[Slide 29]
“One particularly interesting partnership to highlight is between Ethereum, Zcash, and innovators at JPMorgan.”
-Peter Van Valkenberg, CoinCenter Director of Research
Testimony to US House Energy & Commerce Committee, 2017
[Slide 30]
Businesses need privacy
Drive adoption of significantly stronger encryption and data privacy standards
Share primary records without
➔ surrendering information ownership to third parties
➔ creating centralized data lakes
Transition from a perimeter network security model to record level security
[Slide 31]
And real people do, too!
Monetize your data
➔ Opt in sharing of personal data with enforceable licensing
➔ Microtransactions via cryptocurrency
➔ Secure hardware can bring algos to your data rather than sending data out
Take your records with you, forever
➔ Move records between doctors
➔ Prevent diploma fraud
➔ Prove your credentials & credit history when you move countries
[Slide 32]
Ethical Design (© ind.ie [CC 4.0]), three tiers:
➔ Human Rights: Decentralized, private, open, interoperable, accessible, secure, & sustainable
➔ Human Effort: Functional, convenient, & reliable
➔ Human Experience: Delightful
Respect
[Slide 33]
How Blockchain could help us take back control of our privacy
The Cambridge Analytica breaches show the dangers of leaking personal, sensitive data online – but there’s a way to avoid this
Bitcoin Transactions Aren’t as Anonymous as Everyone Hoped
Web merchants routinely leak data about purchases. And that can make it straightforward to link individuals with their Bitcoin purchases, say cybersecurity researchers.
[Slide 34]
Smart contract testing is maturing
Analysis Tools:
➔ Manticore
➔ Echidna
➔ Ethersplay
➔ Mythril
➔ Porosity
➔ Solgraph
➔ solcheck
➔ SmartCheck
➔ Oyente
➔ 4byte.directory
Auditing Services:
➔ Open Zeppelin
➔ Trail of Bits
➔ Securify
➔ Hosho
➔ New Alchemy
➔ Authio
[Slide 35]
Otherwise, security be like ¯\_(ツ)_/¯
Public:
➔ Hacked exchanges?
➔ Compromised hardware?
➔ Fake donation scams?
➔ Literal 51% attacks?
➔ Non-mining consensus?
➔ Bespoke crypto schemes?
➔ “Faux decentralization”?
➔ Patch management?
➔ USABLE PRIVACY???
Permissioned:
➔ Identity & Access mgmt?
➔ Secure hardware as panacea?
➔ Shared governance tools?
➔ Delegated cloud mgmt?
➔ Integration into existing risk management processes?
➔ Veracity of data oracles?
➔ Patch management?
➔ USABLE PRIVACY???
[Slide 36]
Hope...
Human sentiment
Business incentives
Regulatory pressure
Technical capabilities
National defense
[Slide 37]
But we need YOU
➔ Intrusion detection
➔ Red team
➔ Blue team
➔ Pentesting
➔ Risk & threat modeling
➔ CISO / CSO
➔ Applied cryptography
➔ NOC
➔ Cloud security
➔ AppDev
➔ QA
➔ DevOps
➔ UX
➔ Business Analyst
➔ Product Manager
➔ Political scientist
➔ Economist
➔ Defense
[Slide 38]
Where will we go from here?
@AmberBaldet