This past week IP EXPO Europe was held at London’s ExCel Centre so I went along for one day to check it out. I don’t tend to go along to these events whilst, at the same time, I know that I really ought to. It’s the age-old excuse that I’m too busy to be heading off to an event in London for the day, when I could be getting loads done if I just went to the office as normal!
The reality is that my employer is absolutely happy for me to attend these events but if I don’t make the time for myself then no one is going to do it for me. Furthermore, by not going I’ll just succumb to tunnel vision when a few more ideas into the mix is never a bad thing.
I planned my day so that I would pretty much attend wall to wall presentations and of those I went to here are my top three highlights:
- Nick Bostrom – Artificial Intelligence and the Future
From a work perspective this was of absolutely no use to my day job, but from a pure interest perspective Nick Bostrom's presentation was the highlight of the day.
Based on his bestselling book Superintelligence, Nick spoke about the emergence of machine intelligence and the point at which it will surpass human endeavour. When, not if, it does it has the potential to be either the greatest or most catastrophic event in human history and Nick spoke about what we can do now to try to shape that outcome.
Fascinating, albeit in some ways terrifying! You can see an abridged version of the same presentation in this TED Talk from 2015. I'll definitely be buying the book.
- Panel Discussion – The Future of Cyber Security
Chaired by Rory Cellan Jones (BBC News), this discussion invited a panel of industry experts to speak about what they considered to be the biggest security threats in the world today. The panel was made up of: James Lyne (Sophos), Eugene Kaspersky, Rik Ferguson (Trend Micro), and Joshua Corman (Sonatype).
Everyone seemed to be in general agreement that IoT, the latest industry buzzword, poses the greatest risk to security that we've seen for years, for no better reason than sheer incompetence. In the mad rush to connect everything to a network no one is asking: just because we can, does that mean we should? This all points to a future of insecure, unpatched, and unpatchable, devices providing a convenient backdoor into our homes and businesses. Joshua Corman said that he was particularly concerned about the risk IoT poses to hospitals as more devices become connected – all pretty harrowing stuff!
Rik Ferguson took a different perspective on what constitutes the biggest security threat by turning to the audience to say that they are. Rik's point of view is that the IT industry is the biggest threat through poor practices and insufficient focus on security. Elaborating further, he went on to describe the fallacy of trying to secure a network from the outside-in when we should all be focusing on the opposite: assuming that our border has already been compromised and securing the inside with encryption, RBAC and good user policies such as MFA.
I have to say that I found it hard not to agree with Rik and would think that most people in the industry would also be of the same opinion. Given the time, resource and money I can think of so many things I could improve or do better in regard to security.
- Ken Munro – Holding your office and home to ransom
Conveniently following on from the panel discussion above, I then went over to watch pen tester Ken Munro's presentation on hacking IoT devices. Billed as a "live hack" it was a slight let-down to find it was, in actuality, just another presentation but, nonetheless, Ken put on a good show about how simple flaws in everyday IoT items such as toys, doorbells, smart TVs, fridges, and kettles made them incredibly easy to hack. Most of the hacks were simply through the use of generic wi-fi and Bluetooth components that ignorant manufacturers had failed to lock down, or by using publicly available firmware as a means to get to source code from which you could identify a vulnerability.
You may ask "who cares if someone hacks my kettle?" but Ken soon made it apparent where you should care: insecure IoT devices make it very simple to steal your wi-fi password and then launch more sophisticated attacks.
Finally, he took some inspiration from Mr Robot and looked into how easy it would be to hack a network-connected thermostat. Unfortunately for us this also appeared to be fairly easy in the case of some manufacturers. On the subject of thermostat hacks Ken had an interesting postulation that such devices could be used as part of a state-sponsored attack to take down the power grid through the simple act of turning on everyone's heating simultaneously. If I were to do that I reckon half-time during the FA Cup final, when everyone turns on their kettle, would be a good bet for the timing in the UK!
Those were my highlights from the speakers. Some of the lowlights, from my perspective, were some of the stuff on DevOps. I like the concept of DevOps but every time I listen to someone talk about it I just end up getting annoyed. I think the problem is that most people who talk about DevOps are software developers and I never hear from ops engineers or infrastructure development engineers. What this means is that the DevOps message I tend to hear is "if the DBA team let me hack around with the databases and the infra team let me spin up servers and poke firewall holes then I could deliver a lot more quickly", which tends to piss me off as it assumes that speed trumps all other concerns. Concerns like good practice and security.
What I’d love to hear in a DevOps presentation is how to build a multiskilled team working to the same set of standards – standards that don’t necessarily have to have come from the software dev side of the fence. Rant over (^_^)v
Last, but not least, I should probably give some mention to all the vendors trying to pitch their wares who were also at the event. As ever with these events a wander around the floor replenished my desk with new stress balls and other novelty items (I was also given 2 bottles of ale and an inordinate amount of pick 'n' mix) whilst the various sales teams did their best to get their pitch across. Most of the products were from large vendors I already use/have used, or were similar products that aren't quite on my shopping list at the moment, but I thought I'd give an honourable mention to one in particular that grabbed my interest: Darktrace.
They present their product as an "enterprise immune system", which I'd probably describe as an advanced IPS. From what I understood (I still need to do a bit more reading around this product) it's an IPS device that makes use of A.I. and a probability engine rather than rulesets and signatures to detect and mitigate attacks across your systems. It's not necessarily something I could imagine implementing anytime soon but I think the concept is fascinating.