It’s All About Trust at Swiss Cyber Storm 2018

Trust is a funny thing when you think about it. Trust means giving up control and relying on the actions of another party. You place your trust in the competence and benevolence of another person. This confidence is a base for all human societies. It leads to social interaction and higher productivity. The other party is more competent and more efficient when it comes to performing the task at hand. This frees yourself to work on things where you are more competent. Without trust, interaction becomes cumbersome and unbearable.

There is a classic cartoon by Peter Steiner that appeared 25 years ago in the New Yorker. It shows a dog explaining the impersonation problem on the internet. You are never quite sure whom you are talking to in the virtual world. There might be a man in the middle, undermining the confidentiality of your conversation, or worse still, altering the conversation and thus thwarting the integrity of the message. And even the availability of your conversation partner is not really guaranteed on the internet, when you think about it.

When you go to your bank and you enter the building, you are sure you are now facing a bank clerk that you can trust. Or, at least, one you can trust your money with.

When you open the bank’s website, you trust that your browser implements the TLS server authentication in a competent way and that none of the dozens or hundreds of root certificate authorities that your browser trusts by default has abused that expectation. Go and look up the list of trusted root CAs in the settings of your browser. You’re likely to lose faith in PKI.

Humans are hard-wired for trust. It’s imprinted into our brains and we should not be surprised that users fall for scams and social engineering attacks: Users want to trust other people. There are more paranoid people in our industry and they trust no one. Of course, other people notice this and find dealing with them awkward.

This results in a situation where the most paranoid security officers fail to be effective. This is because they are not able to build up rapport – in other words, a trusting relationship – with developers and system engineers. Projects avoid them actively, instead hiding their dirty secrets in order to meet deadlines. The trust problem goes much deeper than fake websites.

Hardware and software is running everywhere now and we trust it with our lives. This has been the case for over forty years with ABS; the first microprocessors installed in cars. It is now the case with medical devices (IoT!) and soon will be the case with self-driving cars on a street near you.

 

In last year’s keynote address, Paul Vixie explained that we should not trust hardware. If that was not enough, the last bit confidence in relying on computer chips melted away in January 2018. The big chip producers still have not been able to fix Meltdown, or especially Specter in its many variants, let alone restore trust. We developed encryption in order to communicate securely over untrusted networks. We are now in a situation where we need to develop methods to run code on insecure hardware.

I could go on and on and bring you more examples where trust is at the center of almost every problem we face in the IT security industry. This central role convinced us to make trust the main theme of Swiss Cyber Storm 2018. Join us to take a look at trust from various angles and discover hidden trust issues where you would not expect them.

Swiss Cyber Storm 2018 will take place on October 30 in the Kursaal in Berne. Lucerne was lovely, but we grew a bit tired of it over the years and Berne allows for a fresh start. It also allows us to connect with the Romandie in a stronger way and we know that the view from the terrace at the Kursaal is just as splendid as it was in Lucerne.

I invite you to register for Swiss Cyber Storm 2018.

Trust me, the program will be spectacular again!

Christian Folini, Program Chair