Excuse the language and think bigger than Porn

UPDATE:  Tom Scott posted a really great example of this on his YouTube channel.  Please take a look.

Motherboard, an online technology magazine, recently posted an article (excuse the NSFW language) discussing the development of artificial intelligence (AI) to face-swap celebrities into pornographic videos.

Clearly there are significant ramifications to celebrities, who will now have numerous fake pornographic videos online.  There is also a threat of blackmail of adults and kids with this new technology.  All of this is very troubling.

Another concern, which should get everyone thinking, is that this technology will not be limited to pornography.  Like many technologies, the porn industry leads the way.  This technology will eventually find its way into the mainstream.

So what does this mean for the political world?  Will “fake news” really become fake news?  At what point will we no longer be able to trust our own eyes?  Can we put Gandhi and Kim Kardashian into a meeting together discussing the benefits of Kobe beef?

It now seems clear that fake news had an influence on the 2016 elections.  How will we be able to discern fake news when the video evidence is right in front of us?  It will become easier and easier to perform the historical revisionism envisioned by Orwell or simply make up events and statements.

“Revenge porn” laws exist to protect individuals from malicious disclosure of intimate activities.  Will AI-assisted fake pornography fall under the same protections?  Will we be able to develop laws or protections that protect the citizenry from AI-assisted fake news videos, or will those same videos fall under First Amendment protections?

I don’t have an answer but, even if I did, would it really be from me…?

Take care this holiday season

The holidays are upon us and with them a whole range of security issues.  The local news will tell us that car break-ins rise during the holidays as thieves look for Christmas presents left in vehicles.  I’d like to point out a couple of concerns that might not seem intuitive.

Watch out this time of year for more, and more convincing, phishing attempts.  With the ubiquitous use of online gift shopping, scammers will use fraudulent Amazon or UPS emails to get people to click links.  Imagine you’re waiting for your child’s Christmas gift and get an email from UPS that it can’t be delivered until after the 25th.

Also on the phishing front, holiday emails from friends, clients, vendors, etc. give an attacker another vector.  This is an especially worrisome method of installing malicious code, since many will expect animated messages.  The animation can easily hide code executing in the background.

Skimmers are also prevalent at this time of year.  Not only gas stations, but the self-checkout lines in retailers are susceptible to criminals installing devices that capture credit card information.

The holiday season is a time for family, friends, and food (not necessarily in that order).  We just need to be extra vigilant this time of year to protect ourselves from the people who have none of those.

Translation services available

When I was a penetration tester I struggled to adequately express the importance of the vulnerabilities I identified.  For some reason, I couldn’t convince the business and legal teams that the vulnerabilities had to be mitigated and that the business had to spend time and money on the effort.

Like many young and excitable IT and security people, I couldn’t understand why no one could grasp why this was important.  “Are they idiots?”, “Don’t they get it?”, “They just don’t care about security!”

It turns out it wasn’t their failure, but mine.  I wasn’t speaking in the right language.

I dropped out of the security world for three years and went to law school.  When I enrolled, my goal was not to become a lawyer, but to learn to think and write like a lawyer.  I enjoyed law school and took full advantage of the opportunities presented to me.  I was able to work as a research assistant for one of the legal research and writing professors (Thanks Mike!), serve on the editorial board of the Law Journal, earn a fellowship in the Center for Terrorism Law, and leverage my IT skills to get a job in the Westlaw lab.

I really enjoyed law school.

After law school I returned to security, this time with a different language under my belt and a better understanding of how to present my concerns.  I couldn’t think in terms of security vulnerabilities anymore.  I had to speak another language.

My big discovery was:

  • Security thinks about vulnerabilities;
  • Executives think about risk; and
  • Lawyers think about liability.

While they sound similar, they are distinct ways of approaching a decision.  In order to communicate the importance of security to different audiences, I had to adapt to them and not expect them to adapt to me.

So need additional funding for a security project?  Write up your proposals geared toward the audience and how they think.  Does the lack of a security control create risk to the organization?  Will the organization breach a duty and become liable under a contract, law, or regulation?

These subtle shifts in thinking may help drive the discussion forward and lead to better understanding and better security.

What qualifies a CISO?

Since the Equifax breach, a screenshot of the CSO’s music degrees has been floating around the Internet.

As a Classical Civilizations undergrad, I take issue with the implications.  During college I built networks and databases and worked on systems of all types.  I also spent my summers on archaeological sites in Israel.

After graduating from college, I worked helpdesk support, moved into system administration, and started securing systems and networks.  I eventually became a full-time pentester.  Midcareer, I dropped out of InfoSec and went to law school.

After law school I went back into security doing product security, working with DoD networks, and securing a $20 billion enterprise.  I eventually served as the Chief Information Security Officer for the State of Texas.

So I was the CISO for a state of 28 million people with degrees in Classical Civilizations and Law.  Does that make me unqualified for my job?  Should I have stuck with my life in archaeology?

I know a loooottttttt of people in InfoSec with no or unrelated degrees.  In fact there was almost no university offering a security degree when I or my friends were in college.

What makes a security person?  Curiosity.  Grab all the degrees and certifications you want, but without a natural curiosity about how things work (and more importantly break) you won’t make it in InfoSec.  Making things work in unintended ways is the fundamental tenet of security.  The most important word in InfoSec is “Huh?”.

So was Ms. Mauldin qualified to lead Equifax’s security program?  I don’t know, but I won’t make that judgment based on her degrees.