He concluded with a bit of a charm offensive. "You are the greatest gathering of technical talent anywhere in the world … I want you to help us make (the NSA) better," he said.
That produced what one report called “warm applause” at the end.
“Remote Exploitation of an Unaltered Passenger Vehicle” – Charlie Miller and Chris Valasek, 2015
There was some excellent advance notoriety for this one as well, along with proof that there is no such thing as bad publicity. Weeks earlier, Miller and Valasek had demonstrated what they would be presenting. With Wired reporter Andy Greenberg at the wheel of a Jeep Cherokee, driving 70 mph on a public highway on the outskirts of St. Louis and the two hackers sitting, miles away, at their computers, they were able to control the radio and air conditioning, kill the hazard lights, cut the transmission and put a picture of themselves on the car’s digital display.
This was a test of the research the two had been doing over the past year – the use of a zero-day exploit to take control of a car’s functions, including steering, brakes and transmission, through its entertainment system.
Readers of Greenberg’s account weren’t the only ones criticizing the danger of the stunt. He was as well, observing while in the car that was slowing to a crawl while traffic piled up behind him, “this is (expletive) dangerous.”
As all good white-hat hackers do, the two had shared their research with Chrysler well in advance, which allowed the company to patch the vulnerability ahead of the conference. All of which led to the predictable standing-room-only audience and weeks later, a change of employment – Miller, who had worked at Twitter, and Valasek, who was at IOActive, were both hired by Uber, to work for the company’s Advanced Technologies Center. Miller quit Uber earlier this year.
“Keynote: Cybersecurity as Realpolitik” – Dan Geer, 2014
Geer, one of the most incisive minds in the business with an ability to explain just how difficult it is to answer difficult questions, delivered what he promised – a series of recommendations on difficult issues presented “with all humility, (which) does not mean timidity.”
The CISO of In-Q-Tel, a not-for-profit investment firm that supports the CIA, confronted 10 of the cybersecurity world’s most vexing issues including mandatory reporting of breaches or other failures (above a certain threshold of severity), source code liability, striking (hacking) back, the right to be forgotten, internet voting, the open sourcing of abandoned code bases (think crowdsourcing security for Windows XP), and convergence.
Geer had “yes” or “no” answers for very few of them. As he had noted at the beginning, there are four harsh realities of government:
- Most important ideas are unappealing
- Most appealing ideas are unimportant
- Not every problem has a good solution
- Every solution has side effects
Sign up for CIO Asia eNewsletters.