LAS VEGAS — Dan Kaminsky has two central concerns: that the Internet isn’t secure enough, and that efforts to make it “secure,” in the wrong way, are going to destroy it.
Kaminsky, a well known security researcher, chief scientist at White Ops, and frequent speaker at the Black Hat conference, opened this year’s Black Hat with a kinetic and often rambling talk, peppered with random bits of prickly, amusing opinion. (Sample: “Internet networks are the Internet without Google.”)
It was part rallying cry to white-hat hackers and part rant against attempts to exert control over the Internet. The core theme, though, was that the Internet is “the greatest economic driver since the Industrial Revolution, and we could lose it,” as he said during a post-keynote press conference.
Here’s a summary of his big-picture points, using bits from both his keynote and the press conference.
1. The Internet Won Because It’s Free
Kaminsky likes to say “this Internet” as opposed to the Internet. There have been alternatives, such as the Minitel terminals in France in the 80s or America OnLine. Now, they’re all gone, replaced by the Internet.
“They all tried to become kingmakers and gatekeepers. This Internet won because it was actually designed to have no one in charge,” Kaminsky said. “It was not designed to make anyone billions of dollars, and all these guys got distracted by that concept.”
This is important today. “You cannot imagine how many people want there to be someone in charge that they can call and say, ‘Take that down,'” he said. He noted that this was a key misperception during the fights over U.S. policy efforts such as the Stop Online Piracy Act (SOPA), and it’s at the center of the debate over encryption. It’s tantamount to “abandoning the vision which, you know, is sustaining the largest companies in the world right now,” he said.
2. Security Shouldn’t Be a Secret
The rest of industry should take the same approach, Kaminsky said. “Maybe we should start releasing the code that we’re doing. Nobody competes on security,” he said.
Part of the reward would be time saved: Finding an answer on Google or on Github rather than developing it from scratch, he said. Sharing would also create the multiplier effect that open source code has, namely, that more eyes on a problem can lead to a solution faster.
3. The Cyber World Needs Its Own NIH
There needs to be some organization that’s taking care of the “boring” stuff to secure the Internet, Kaminsky said. He doesn’t want an exact analogue to the National Institutes of Health, but he likes the paradigm of having someone sort the snake oil from the real medicines.
It has to be a public-sector entity, because the problems are going to take a long time to solve — and that kind of sustained concentration eludes private companies. It’s going to take something like a 10-year effort without major distractions. “The way you don’t make it happen is the way we’re doing it in Infosec today, which is: the spare time of a small group of hackers,” he said.
4. Programming Languages Can Learn to Change
It’s important to note that programming is a language, not a calculation. Its purpose is to translate a human’s intentions into something a computer can execute.
But it’s becoming easier to create new languages — that is, to run programs that can craft new progamming languages. That could be used to our advantage by tweaking languages to be inherently more secure.
“We have kept, as a constant, the language, and forced humans to adapt,” he said. “We can do it the other way around.”
5. You Have to Care About the Users
“People think it’s a zero-sum game. If you’re going to get security, then everybody else has to suffer,” Kaminsky said.
Part of the problem is that network and computer security are the domains of experts who talk to other experts. The stuff needs to get translated into simpler form.
“The real magic comes when you take the expertise you have in security and you transform it,” he said. “Don’t be afraid to take the knowledge you have and make it available to vastly more people.”
Check out our other Black hat coverage here.