Quo vadis Cyber Security?

Speech transcript
[...] Yes, excellent. Good morning. Sorry, this morning [...]. Will you then just tell us a bit about the work that you do, so they've got a basis for accuracy? So that's a good idea.

So, I have been growing the security and privacy team at Google over the past 8 years. That has grown quite a bit: we started off around 30 people and are now over 500 people, and it's really been exciting, because over that period of time we had all kinds of challenges, some of which you heard about in the newspapers. And the important thing I would say is, I found that what really makes a difference in a security and privacy team is the people that are in it. If you don't have people that are really skilled and motivated the right way, and have the right executive support, this is an almost impossible challenge. We're up against extremely skilled adversaries and it takes a really strong team to do so. I'm blessed that there's a really wonderful team that's been able to accomplish a lot, so that's the most important thing I would say: it comes down to getting the right people in, and I think that's really been great. There are also challenging adversaries, and that's partly governments, yeah, the various surveillance agencies. I think that's probably a topic especially of interest to people here, at least that's the sense I have from talking with some of you already, and so that's really been a big challenge and we can go into that somewhere. But there are also others who may be able to listen in on the network or even modify content in the network. So one of my first projects actually, over the past 10 years, I've been preaching pervasive crypto, and I'm happy to say the world today in terms of network security is far better than it was back then. We now have SSL pretty widely deployed, not just at Google but on many websites, and that's the measure we have to give those other groups a harder time as they try to modify the content that you see. You can now see the real material that the author intended you to see and not some modified version, so that's good. But we have other adversaries as well: there are criminal elements that take over your account and do things, so we're defending against a lot of different ones, and encryption helps a lot; there are other things that help as well. So we want to get into some of that.

Absolutely. I want to come back to encryption, but first I'll ask you one thing: what do you think Google is doing really well, and what's one thing you think Google is failing at in terms of security?

So as I say, this promotion of a higher standard of security, both in encryption of the network but also in fighting off malware, making products that are more resistant to abuse, has really been remarkable progress. The front where it's more challenging is giving people, the ordinary consumer, a clear understanding of the various choices they have and what they need to do to defend themselves against being socially engineered. We've made progress there, but that remains a challenge. I suppose it's natural, and it is hard to explain technical things to a general audience, so I believe that ideally we build security in so well that the natural, easy way to do something also turns out to be the secure way, and we'll keep working to make that more possible. So that's where I would like to see us: to make things simpler and also more secure at the same time.

Thinking of that, there's an announcement I followed that Google is implementing end-to-end encryption in some of its products, including mail. What's the status of that, are you using it, and do you think that's going to solve the problem?

OK, so that's a good topic. What we have, and it's open source, it's on GitHub, is some code that allows you to do end-to-end encryption directly in your browser, so that if you have a particularly well-hardened endpoint, and I use a Chromebook for example, it's about the only thing I use, if you have a device like that where you're not running the command line client, you can still do end-to-end encryption where the keys are just under your control at that endpoint; they're never in any of the intermediate systems, not at Google for example. And that's a workable system. I've been using PGP within Gmail for many years, so that's a workable system. It's not yet, I think, ready for prime time for all consumers to use; we're still iterating on different user interfaces to try to come up with something that we're confident the average person will correctly use and that will be sufficiently interoperable with other tools that they'll be able to communicate with people. And I think it's an ongoing research project. One of the leaders of part of my team actually got her PhD thesis on "Why Johnny Can't Encrypt"; that was a number of years ago and we're still on the problem. But fortunately most people don't need that amount of encryption. Most people today, using a system like Gmail, have solid encryption from the browser to Google's server, have encryption of the data as it's sitting on disk, have encryption as the mail goes from Google to Yahoo, say, if you're exchanging with others. So we actually have pretty good encryption for mail today in the practical sense, without people having to worry about how do I get the right public key for this person that I haven't met before. So we actually have pretty good protection, and if you're one of these dissidents in a country fighting against your own government and you're worried about even a court order coming to Google, then you need to go to these more extreme measures of encryption. There's a downside to it: if you turn that on, you lose things like translation, and I find that I get an e-mail in German and it's just great that I can push a button and see it in English well enough that I can actually communicate with someone where we don't actually share a language. So that's a tremendous value that one loses if you go to end-to-end encryption. So I don't ever think that end-to-end encryption will likely take over 100 per cent of mail, but good protection is what's there, and that as an option of higher protection is coming, so we're making good progress.

Is there any estimate of when that will go out there?

So that's the plan as it stands today, and we have these various experiments going on inside, and I won't predict when that would be available. I actually was delighted when I first got to Google to learn that we have this engineering culture that we don't promise dates: when the engineers feel the code is ready, then it ships, and not until then. If you don't put a date on yourself, you don't force yourself to ship something before it's ready.

Then let me ask a little bit about the struggle between wanting to ensure that one is secure but also using some features. From an engineering perspective, do you feel that there are ways in which Google is forced to compromise between providing user security and making money?

So I don't really see the compromise at all, actually. So there's this idea that I can subscribe to Gmail by paying so much per year, and Google offers that service, and it's engineered in such a way that the cost to Google of supplying the service is covered very well, so ads don't even come into it; there's no need for ads to be part of the subscription service. It works just fine there, and I think that shows that there's not a conflict. On the contrary, we think that it's important that we add security and privacy; we're actually probably further on that front because of the passion of the people in the team than because of demand coming from our users. It's almost like we are seeing these threats more clearly than our users, so we're probably ahead of our users in trying to handle those extra protections. So no, I don't actually feel a conflict at all, across all the products.

What would you say Google is doing to raise the cost of intrusion by state actors, any state actually; we'll come back to which governments.

So what we do: the simplest way people can get access to all of your data today is to trick you into giving them your login credentials. That's probably the number one way. You know, when there was the celebrity photos case, that's apparently how it happened, right, that the login credentials got out; that did not involve Google, thank goodness, and I try to make sure that things like that never happen, but that is still the biggest problem. As we say, it's not our fault, but that's the issue; it's our problem. So we try to improve the ways in which people can authenticate, to keep that kind of account hijacking from happening in future, and that's a big effort. So passwords are a thing that we wish people didn't have to use, because they're in essence like a security token, and because of their token-like nature it's inherently insecure: there are various technical ways in which it's just the thing that you can accidentally lose and not notice. So we've switched to things that are stronger, and for some years now we've been shipping something we call a security key. So this is now a consumer thing; anyone with a Gmail account should absolutely be protecting it with a security key. By security key I mean it uses elliptic curve public key cryptography; it really works dramatically better than passwords. So using modern cryptography you can authenticate securely from a distance in a way that you're never going to be able to achieve as long as you're still using a password. We're offering other things, like the recently announced Password Alert, where you can load an extension into Chrome, and if you by accident type your password in the wrong place, it warns you and then you can go change the password. We've been using that within Google for the employee population for several years, and I can tell you how many times people will just by accident type their corporate password into a non-corporate site; it's usually not malicious, usually it's just finger memory, you type the password into the wrong window. But we also have been able to stop some phishing attacks by groups in the Middle East that have been trying to break in by sending phishing e-mails to employees, and those e-mails are so well done that they would work even against members of my team, who are more security-aware than the average person on the street. It's really hard to avoid that. So these two things, the security key and this password alert, in practical use stopped, as far as we can tell, practically all phishing. So I'm enthusiastic about the fact that the same technology is now available to just the average consumer with a free Gmail account.

And we have quite a few entrepreneurs here. What kind of advice, coming from a huge company, could you provide to smaller companies that are trying to ensure the security of their platform, but also the use [...]?

I appreciate the challenge of a startup: they have a limited time window, they have very limited engineering resources; if they spend a lot of time on security, they may not make it to the main objective. But on the flip side, when I'm purchasing a product from a startup, I have had to actually yank some software out of Google because we discovered vulnerabilities, so a startup that leaves too much insecurity in their product, that can be bad for their direct business. So step one is to make sure you don't introduce bugs, and that's especially true of a security startup; it's extra embarrassing for a security startup's software to be found vulnerable. And we observe, for a startup that's not selling a security product but something else, it is a challenge, as they can't afford to have the size of team I have, so to some extent they can benefit from my team by deploying to the cloud. They get a lot of protection: I would say denial-of-service attacks are a very common problem; the average company, even a large company, cannot defend against the scale of denial-of-service attacks that we now see coming from some countries in the world. It saturates fibers, it's really dramatic. Fortunately, if you're in a large cloud provider, they have so much bandwidth they can soak up these attacks, and you just benefit from that. And more sophisticated actors who are using statistical techniques to break in may also be knocked down by the cloud. So I can see some advantages for many companies in moving things to the cloud and thereby outsourcing part of the security to us, and we're happy to help. It doesn't solve the whole problem: if you're getting phished, your data is getting lost because you're giving it to the wrong people, and that could be true even in the cloud, but if you take advantage of the building blocks we offer, then yes, we can make things pretty secure.

I'll get to some questions I collected from Twitter, but I've got one more personal one, and I'm curious about how you, from the engineering team, work with designers to ensure that user failure is not part of the equation in terms of security.

Very hard problem, and very important. Like I was saying, we often find that's where we're stuck: because we built a solution, the security industry built a solution, that is so complicated that the average person doesn't know how to set the knobs, and they give up in frustration and leave things at the default, or they think it was secure when they actually got it wrong. So we hire people who are experts in user interface design, and we run experiments. A good example would be in the browser today: when you go to some website and the certificate is not valid, it's expired, or it's self-signed, or it's using weak crypto, I mean there's lots of ways in which companies get the security wrong, the browser can help you out; it can warn you that that connection's not secure, and we know there are actors who will exploit your connection if you don't have strong security. How can we give a message to the user so that they can understand it and do something with it? Too many of our messages have really been cryptic, so we put a lot of effort into iterating, where we actually put up a certain message, we see how people click through, whether they click through the warning and understand what it means, and over time we're getting better messages. So we're not done by any means, but actually hiring people who have focused on that and giving them the resources to actually iterate, this is what makes a difference in the end.

Great. I'll add some of those questions now; most of them have to do with state actors [...], so this is a cop-out, but one of the questions that came to me was: what is Google's stance toward Tor exit nodes? [...] When I'm trying to use Google through Tor I sometimes come across [...].

So one of the problems I see in the popular media and books and so forth that talk about these problems is that they don't appreciate, and it's natural because they're not written by people who run large services, they don't appreciate the magnitude of the abuse problem out there. If you run a service today, I promise you there are a host of people who will be looking for any loophole to take advantage of that service: to break into your service, or to just leverage the service to attack some innocent third party. And so anything you deploy today at scale has to think about how it can be abused, and that's a real problem. I just can't convey how serious a problem it is to people who aren't running these things at scale, and that's what's challenging about Tor exit nodes: there can be lots of people who try to hide their identity through Tor, and I'm all in favor, right, I mean I'm probably one of the more passionate privacy advocates even in this room, and I think that's saying something. If we talk about the individual things that we do as people, I think you'd discover our characters are pretty similar, so OK, I fully get why one would want this. The trouble is, you now have the same identity as far as we can tell on the server: you're coming from the same IP address, you have the same user agent, all the characteristics for you look the same as this person who's trying to use us to attack someone else. So it becomes a challenge: how do we know which is you? We just know that if you're on your computer and you're logged in as you, then we know who you are and we can do the right thing. But if it's at the very early stage where you haven't even authenticated, we really can't tell whether you're an attacker or a good guy. And that's sort of the engineering challenge of anonymity on the Internet: how to build systems that preserve anonymity, which I'm definitely strongly in favor of, and yet don't enable large-scale abuse. It's a challenge. So one of the ways in which we can do that, as I said, if you're well authenticated then we know you're not a bad guy. Authenticated to Google doesn't mean we have to know your real-world identity: you can be anonymous, you can make up an account with no connection to your real world [...]; you should not even have to give us a phone number. We have some internal debates about whether phone numbers are the right thing and so forth. Phone numbers came in to deter abuse; that's actually what's up. We want a phone number not to call you to offer something new; we don't have enough manpower to pick up the phone and call you, right? This was just the way we found we could knock down the number of people creating fictitious accounts just to use them to cause harm to somebody else. And if there's a better way than asking for a phone number, OK, you can replace it with a better way, but you can't just throw away all of that. So that's what I would say is sort of the incentive. We have tried to work with the folks from the Tor Project to see if there's something better we could do so as to enable them, but I'm not satisfied with where we are right now, and so I will keep working at that. I think there is tension there between the ability to create an anonymous account, and with a phone number it becomes an impediment to anonymity, so to the extent we can find something else while keeping abuse down, I think it's good.

[...] The other question: there's a great quote from a congressperson a few days ago [...]; he said that it is clear to him that creating a pathway for decryption only for the good guys is technologically stupid. Would you agree with that?

I got a charge out of that. [...] the 50th anniversary of the founding of the computer science department at Stanford, so we were just together, many of us [...], people who have anything to do with security policy [...]. OK, so he's right: it is really hard to design a system that can be used by the good people and not by evil-minded people; it's intrinsic. So finally we're in agreement, I think. Yeah, that whole issue has been kind of overblown. I think law enforcement has pretty good methods for getting the data they need to do their investigations without all of this breaking-encryption stuff, so I disagree with law enforcement on this particular topic, but we're having a healthy discussion: folks come to campus, we see them, we go through this exploring, we try to explain, not to just sort of blindly push back but to explain what the genuine problems are, and to genuinely understand what their needs are. So there actually are evil people in the world, so when there's a kidnapping or child abuse or something, we do not want people using our systems to do that, so we're actually trying to figure out ways that we can help law enforcement stop really bad behavior. That kind of stuff is repugnant to all mankind; that's clear cut. Law enforcement sometimes bundles that together with other kinds of things they want to do that are not quite as clear-cut, and that's why we need to have this discussion. People sometimes call it front door or back door; our team's goal is to build such strong engineering methods that law enforcement or criminals or anyone else cannot break into the system. If they want the data, they go to a judge, make the case and come to us with a warrant, properly narrowly scoped; our lawyers look at that and say yes, there's a good case for that data, OK, we turn it over. I think that's basically the right way to run the world.

We've only got a couple of minutes left [...]. Since you brought that up, I recall that last fall Google, I believe, was involved in conversations with politicians in the EU around curbing terrorism, specifically on social platforms. What do you feel about the state of those conversations? It does seem as though politicians, both in Europe and the US and probably elsewhere, are trying to push for something more algorithmic and proactive rather than just [...].

Yeah, I don't believe that it's within our power to prevent all terrorists in the world; Google's good, but that's not [...]. I think it's something that we want to try; we don't want folks using our systems to do real harm in the world, so there's no fundamental conflict there. I don't think it's necessary to weaken security in order to enable that, and that's where we'll continue to stand, and we stand firm on that. So governments do get pushy, and all governments, I don't mean just the US; European governments come to us and say we demand you put our black box on the network or in your data center, and I just absolutely firmly say under no circumstances. We have never done that, we're not going to do that, that's not reasonable. If you have a legitimate need for something, then tell me what it is and let's talk about how we get you that data, but the notion that we're going to give you some sort of direct tap, that's a non-starter, not going to do that.

And I know we're almost out of time and I don't have time for audience questions, so I'll ask one more question. I recall that you're going to be available to people; please tell us where [...].

[...] There will be a booth up outside, and we have a session later today also talking in a little more technical detail about some of these things [...].

And my final question: what's the one piece of advice in 2015 you would give the average user to improve their personal security?

Absolutely: if you have a Google account, turn on two-step verification, ideally also get the security key, but at least turn on two-step. That's your best way of telling us that you really care about the security of your account, and it measurably helps against hijacking; we definitely observe that. So you can certainly protect yourself well that way when you have one on Google. Thinking of a number of other things: probably keeping whatever device you use patched and up to date is the single best thing you can do to fight off malware. We observe that the time from when a vulnerability is published to when attackers start exploiting it is getting faster and faster, and so staying current is really important. We try to automate as much of that as we can, because again, as I say, ideal security doesn't require the user to do anything, it just happens. So we try to do that, but to some extent you participate [...].

[...]

Metadata

Formal metadata

Title: Quo vadis Cyber Security?
Series title: re:publica 2015
Part: 96
Number of parts: 177
Authors: Grosse, Eric; York, Jillian
License: CC Attribution - Share Alike 3.0 Germany: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you name the author/rights holder in the manner they have specified and pass on the work or this content, even in modified form, only under the terms of this license.
DOI: 10.5446/31878
Publisher: re:publica
Year of publication: 2015
Language: English
Production location: Berlin

Content metadata

Subject area: Computer science
Abstract: Eric Grosse from Google's Security Team in conversation with Jillian York from the EFF about Cyber Security.
