Blackhat, Day 1: Keynote
by Derek Vadala
1. They circumvent the security feature; this is pretty obvious. He used the example of a malicious email that rewards the end user with "dancing bears", noting that most users will do whatever it takes to join in the shared experience of the dancing-bears reward.
2. They become so paranoid that they deny legitimate access to data; think of desktop user firewalls where users are asked on the fly to allow or deny a program's access. If the user denies a valid request for data, the result is probably a help desk call to revert the policy, recreate the event, and in turn fix the rule. In the meantime, you have a user at a potentially open location recounting access-control information not only to the help desk but also to a multitude of folks in an airport, hotel lobby, etc.
3. The user simply won't use the technology, in either a secure or an insecure way. He used the personal example of PKI and email (meaning key-ring management and handling encrypted email), explaining that he generally ignored encrypted email until an out-of-band event, such as a phone call or a coworker screaming at him in the hallway, caused him to pay attention to the data it contained.
He tied this breakdown of security mechanisms to the concept of the OODA loop (observe, orient, decide, act): the user needs to optimize this cycle, but bad security policies, decisions, and software interfere with that optimization.
All of this boiled down to his notion that users need to share good, reliable data in an efficient way ("information superiority"), and security often interferes with this, usually at the expense of the end goal: making money, fighting terrorism, seeing the dancing bears.
In general, an okay keynote once it got moving. He touched briefly on DRM and on the need to index everything (i.e., search engines), whether it was useful or not.
I'll update more throughout the day, including some notes on David Litchfield's and Dan Kaminsky's talks.
Anyone else out here?