In the Zero Day series is to take pieces of it and explain the fundamentals, and the platonic idea is that everybody from my mom and dad to Congress, um, and people around the country can understand, and so maybe start the process of coming up with ways for us to defend cyberspace better.

Host: Well, if you look at cyberspace in the United States right now, how would you describe security overall? Much as we would describe, maybe, crime or break-ins in a neighborhood.

Guest: Well, in the spirit of the explanatory mission we have, you can't really talk about cyberspace in the United States. A computer user in Washington, D.C. or in Wichita or San Francisco is effectively working shoulder to shoulder with a computer user in Beijing or in Moscow. There's literally no seconds of difference in space and time in cyberspace. So I thought I'd point that out. As for the security, the reality is that, um, it's almost remarkable how vulnerable computer systems are. And cyberspace, um, is not what most people think it is. Most people now equate cyberspace with the net. Internet. But if they want to think about what cyberspace is, it's the GPS system on the new cars, it's the iPhone and the Droids, it's jet fighters and jet planes. Anything that is driven by computers, excuse me, by computer code and is linked to networks, um, can be a part of cyberspace. And the vulnerabilities are, um, almost stunningly pervasive.

Host: Can you give an example?

Guest: Well, sure. Charlie Miller, who is a former government hacker who worked on the good side, is now a security specialist, one of the great hackers in the world, a white hat hacker. He last year decided to explore vulnerabilities in the iPhone, and he found a vulnerability in the iPhone that, when he deployed it the right way, this was for a contest, it enabled him to take over a portion of that iPhone. Industrial control computers run water systems and electric grids and so on.
Last year a disgruntled hacker abroad went into a water system in South Houston in Texas and got control of those computers. The list goes on and on. There's hacks of Google, hacks of a security firm, RSA. There are millions of attacks, literally millions of attacks around the world and intrusions on computer systems every day in the world. Probably the most phenomenal attack involves a worm called Stuxnet, and in that case the United States government, I think working with Israel, but the United States government developed a computer worm that went into the nuclear processing facilities in Iran and disrupted centrifuges.

Host: So it was developed by the U.S. government?

Guest: Yes. According to some reporting by the New York Times.

Host: And what was its purpose? Was it a defense mechanism? Was it the Defense Department?

Guest: No. It was purely an offensive, preemptive effort to slow the nuclear weapons processing capability of Iran.

Host: Well, you mentioned Charlie Miller, and Mr. Miller is in St. Louis, and he joins us today on The Communicators. Mr. Miller, what was your, what was your goal in breaking into the iPhone?

Guest: Well, in that particular case it was for a contest, like Robert mentioned. They have this contest every year, hackers across the world enter it, and they have various devices. If you can break into the devices, you win some cash and the device itself. So that was my goal. I won that contest a few times. Earlier in my career it was more about showing that things like iPhones or, you know, desktops running Apple software were vulnerable, because it wasn't believed that it was, but now it's just, you know, I've shown vulnerabilities in iPhone, I've found attacks where I can take over an iPhone in the past. All these are fixed now because part of the contest is that all these vulnerabilities get fixed after the contest. It's a fun way to show off your skills and still everyone is protected by the attacks that you come up with.
Host: How long did it take you to break into this iPhone, and from where did you do it? An office? Where?

Guest: Okay. So the iPhone attack, it probably, I mean, at the contest it only took a few seconds, but the preparation is the important part. So it probably took me, you know, maybe a month of preparation with a colleague of mine. So, you know, a few weeks of looking for a vulnerability, a few weeks of taking that and making it into an exploit that I could actually use to attack the phone. The actual contest took place in a security conference in Vancouver, and so I was actually physically in Vancouver, and they had a, you know, iPhone there, and, you know, I attacked it and stole a bunch of data off it, and that was the proof that I had succeeded.

Host: So, Charlie Miller, could you do this from your living room? Could you break into a bank, break into other devices from your living room?

Guest: Yeah. That's the amazing thing about, you know, cybersecurity is you don't have to physically be anywhere. You know, we're all educated, well connected. Well, mostly. Any device that's on your phone, your computer, in the future your refrigerator, anything that's on the internet you can get to from basically anywhere. So that's one of the things that makes defense difficult, right? So you don't have to just defend against your neighbor, you have to defend against the guy in Belarus, so it's a whole different program.

Host: Well, Robert O'Harrow described you as a good guy hacker, a white hat hacker. What does that mean, and what's the motive of some of the black hat hackers?

Guest: Okay. So the white hat, the good guy hackers, like was explained, so, um, we're the guys who, you know, we develop skills to do the same thing that bad guys can do.
So we can break into computers, but instead of stealing information and causing problems, we, you know, tell everyone what we did, try to work with vendors to make their products more secure, you know, give talks about security and how to make it better. And so we're, while we can break in and do harm, we don't. We just, we show how you can break in to improve security. On the other hand, there's the actual bad guys, and they have various ranges and motives from just, you know, teenagers goofing off and trying to impress their friends to, you know, actual organized crime trying to steal money and credit card information to, you know, governments trying to, you know, commit espionage and, you know, actual cyber warfare. So there's a whole range of attackers on the black hat side.

Host: Now, we didn't get a whole lot of your bio, but we understand that you worked at the National Security Agency for a while and are now with Twitter. What did you do with NSA?

Guest: Well, I can't say too much about that, but I worked there for five years. I worked in their, you know, computer security, um, group, and I can't say a whole lot more than that. [laughter]

Host: And you're with Twitter now, correct?

Guest: Yep, yep. So between that time I, basically, for the last say seven years before Twitter, I just started a couple months ago, I was a security consultant. So companies would hire the company I worked for, and we would come in and test their products for them. Basically, you know, take the role of the bad guy and break in and show them how we did it, what went wrong, how they can do better to make it where the real bad guy can't do that.

Host: Robert O'Harrow, were you able to get into contact with any bad guy hackers and to learn what their motives were?

Guest: I've talked to bad hackers, and the motives are, as Charlie said, all over the place.
I've watched details about bad hackers, and we know, for example, that some of them are prepping, infiltrating systems with long-lasting threats in the event that there's ever a cyber conflict or cyber war. Our power grids, our national labs, um, corporate systems all over the United States are already, have already been intruded on, and it's believed that there are trojan horses that are already put on. Lots of espionage is occurring. We know that there are groups in Russia and in China, for example, that work regular hours breaking into systems and stealing information. Massive amounts of information. So the motives are the same motives that you might find with any array of bad people: money, manipulation, intelligence and prepping for cyber war.

Host: Um, Charlie Miller, for casual users, regular users of the internet who may do some online banking, surf the net and, you know, internet and, you know, send emails, what kind of protection would you recommend to those people?

Guest: Well, the regular users are in a pretty good place. We've been, by we, I mean the security, um, industry, has been working for quite a few years in trying to make that sort of thing secure, and it's pretty good. So if you just use your browser, you have antivirus, you don't just go to random sites and download things, you're in pretty good shape. The biggest risk of, say, like your phone being attacked, so we talked about the iPhone attack earlier that I did, that's still extremely rare. You're way more likely to lose your iPhone in a bar and have someone steal it than to have a bad guy attack your phone. So there's the one side is if your attackers are teenagers or organized crime and you play it halfway safe and you're not a big target, you're probably okay. The more interesting thing, I think, is when you are the U.S. government or you're Google or you're, you know, the White House, and there's, no matter what you do, you're still a target.
And your attackers, instead of being teenagers, are, you know, whole branches of governments, you know, militaries from other countries. And there we don't really know what to do. And so there's a lot of open questions there.

Guest: To follow up on Charlie's remarks, cyberspace is a collection of machines and people. People are a part of the network. The very, very baddest of bad guys have taken on something called social engineering as a way of attacking. And you may not be an inherently interesting target, but you may be vulnerable to social engineering because, essentially, what they're doing is trying to pretend to be your friend, a family member. After doing homework, they may send you an email or direct you to a website that's loaded with the attack code. And if you are related to someone that they're targeting or if you work at a company that the bad guys want to target, you may fall prey to this social engineering. And, um, there's almost no way to stop it because of the clever nature of it. Recently we did a story about, again, Chinese hackers who are going after gas pipeline companies, intelligence contractors here in Washington, security consultants and others, and it was all part of the same campaign, and it looked like part of an espionage effort. And it was based on social engineering messages that looked like they were coming from in-house, but they were really coming from these Chinese hackers.

Host: Charlie Miller, we talk about Chinese or Iranian hackers. Who are these people? Are they employed by the government? Where?

Guest: We don't really know. So we can trace back attacks somewhat, but it's difficult. If a computer here in Washington, D.C. is attacked, um, we can trace back, oh, that attack came from a computer in China. But that's not to say that there was necessarily a person sitting at that computer in China.
Maybe that, you know, that attack came from that computer, which came from a computer in Korea, which came from a computer in Germany, which came from a computer in Moscow, so we don't really know. It's very difficult to trace back attacks, and that's one of the major differences between, say, cyber war and conventional war. If someone drives a tank across your border, you know who did it. If you get attacked, you may think it was the Chinese, but you don't know for sure. Was it a teenager? Was it the Chinese army? It's difficult to ascertain where the attacks are coming from. We have guesses, but we don't know for sure.

Guest: Charlie's alluding to sort of the core nature of what cyberspace is. It's networks of networks. And because of the fundamental architecture of these networks, data bounces from computer to computer all the time, and when he describes somebody in Germany who might be sending something through a computer in South Korea that might be going through China, that's sort of garden variety hop, skip and jump for data in cyberspace. And it brings up a really interesting issue not just with cybersecurity, but with cyber war. Because if you don't know precisely who's attacked you, what they're calling attribution, then how do you respond in kind to prevent attacks in the future? And that's one of the great dilemmas that our military has; how do you hold them accountable for stealing, damaging or what not? Now, one has to believe and hope that the NSA, and I do, actually, has cracked this problem to some degree. But the attribution problem for corporations, um, and many government agencies is a very real thing, a very difficult problem in this digital age of ours.

Host: Robert O'Harrow, you write about a series called Tridium. Why do you do that?

Guest: They're a company that came up with a really interesting idea not long after the web browsers back in the 90s were released, and use of the worldwide web, which lays over the top of the internet, makes it really easy.
We all take it for granted now. It was becoming common. And what they did was they realized that the web browser could be like a universal remote control that could direct devices anywhere in the world that were connected to the networks. So, for example, the security camera. You could use your mouse to have the security camera look left or look right. You could be sitting in Washington and controlling a camera in San Francisco. Heating systems all over the place. You might be controlling five buildings, high-rises, elevators, medical devices to some degree, um, and also access control for security. Let's say at a Pentagon facility, which is a real example. But it turns out that Tridium became so popular and moved so quickly

Host: And profitable?

Guest: Well, its, its financials aren't available, but one assumes. They were acquired by Honeywell several years ago. But they're very popular, and they grew very quickly, and their system is used in 52 countries now. But it turns out that it was vulnerable to a very well known, rather old vulnerability that hackers knew about, everybody's known about for years. And so I thought the story was valuable and instructive because it showed that the gee whiz component has sometimes blinded software makers and manufacturers, and the profits that lay, you know, within reach have sometimes maybe blinded them or clouded their view of risk so that they rush forward with the technology before it's as secure as it probably should be. Charlie has given some terrific talks about the incentive structures for software makers and whether or not they're properly in balance to make sure that they're secure with their software before they release it. But I'll let him speak for himself on that.

Host: Well, Mr. Miller, if you would speak to that.

Guest: Sure. So we're in a situation where we all run code that was written by a vendor like Microsoft or Apple or Cisco or whoever.
Um, and the problem is it's very difficult to write secure code, code that's perfect with no vulnerabilities. And it's hard to measure whether a code is secure. So even an expert like myself, it's very difficult for me to tell you whether, if given two programs, which one is more secure than the other. So it's hard to measure, and people don't want to necessarily pay for that. So we all want to buy the latest gadget, the latest iPhone or whatever, and we don't really think to ourself how secure is it? Maybe I shouldn't buy it because it's not secure. So companies, you know, they're out to make money, and, you know, that's what they're there for. So they want to push products out the door, beat their competitors, have the newest features, but they don't necessarily want to take the time it takes to make sure their product's secure. And consumers so far haven't demanded it. So we all use the software, and we're all vulnerable because the software is written in a way that was, you know, intended to maximize new features and profit and not intended to, you know, maximize security.

Guest: Charlie just raised a really interesting issue I'd like to just underscore, which is consumers, people, have not asked for more secure products for the most part. That's related in part to the fact that very few people really understand cyberspace and how it all works. We all love the benefits. It's miraculous. We're, I would venture to say Charlie is among those who are thrilled with the miracle of the internet and all the networks and the computing power and the benefits it brings to all of us and society. But the fact is many people are afraid to actually confront the tradeoffs that come with all these benefits. And one of the things that we're trying to do at the Post with Zero Day is not to scream the sky is falling, because it's not, but to try to make clearer those tradeoffs so that people can start making better decisions, um, and can start asking for better security.
And in some ways maybe, eventually, ask the companies that are making technology and writing code to shoulder the full cost of doing business, which I would argue involves creating a secure product.

Host: Charlie Miller, what about when it comes to social media and the sharing of information that we as consumers do with Google, Facebook, etc., etc. Is that, does that lend itself to less secure networks?

Guest: I mean, it doesn't affect the network per se, but what it does is it puts a lot of our information, sometimes private information, out there. So if you had never connected to the internet, no one would necessarily know what you liked or if you were dating someone. It's still out there on some server out there, so some bad guy could get to it if they wanted. So I think if you consider that a while ago no one would ever agree to carry around a tracking device, right? But now we all carry around cell phones, which you can inherently track. And no one would ever have posted, you know, let anyone read their email. But right now a lot of us use Gmail, and all of our mail is stored on a server at Google. So it's just interesting that we as a society have given our information out. Whether we want it to be for everyone or just for a few people, it's out there, you know, on someone's server, and so people can get to it. And that's sort of changed the whole way of privacy in this age.

Host: So are you finding as a security consultant that the social medias of the world, the Facebooks, the Twitters, etc., that they are leading in security precautions or not?

Guest: Well, some of them certainly are. Google makes a show, for sure, for having a pretty secure web browser in Chrome, but right now, not too long ago they were attacked by, they think, the Chinese, and they were able to get in their networks and steal a lot of data. And so even the best get hit. Another example is Microsoft.
About ten years ago, they started a program to try to produce secure software. So back when Windows 98 was out, it was really awful. But now the newest version of Windows is quite good. So they've really spent a lot of time trying to make it better. But still there's, you know, every month when you have to download a new patch, that's because someone has found a vulnerability. So still we have a long way to go, and we all rely on the software, and we're all vulnerable because of the software.

Host: Robert?

Guest: A couple of thoughts, and this is a thread that I'm pursuing right now as part of my series. It turns out that a lot of people have heard of electronic medical records or health records. I'm just now learning that a lot of those records that are being created as part of health care reform are being kept on remote servers. In fact, the doctors that have the electronic health records system don't have the records anymore. They're being kept by contractors on servers, and Charlie triggered that. The other thing that's really interesting is I think the software makers and the vendors really get credit or ought to get credit for improving security. Things are much better on a lot of products and software than five or ten years ago, certainly. What I've been hearing lately over and over again is that the bad guys are getting faster than the good guys are getting better. In other words, the attack methods, the cleverness, the ways of evading detection are improving faster than security, um, on the good side of things. And, of course, that's very troubling, in part because when you boil it all down, no one still fully understands what happens when billions of people and billions of devices interact in cyberspace, and the bad guys take advantage of those clouds of uncertainty.

Host: Charlie Miller, what's your message to Congress, to the Department of Homeland Security, to DoD?
Guest: Well, I guess it would be that we spent a lot of time, you know, we're a lot better than we were ten years ago. We're less vulnerable in that software's a lot better, we have a lot more protections built in. So if you want to run a, you know, a company and keep out the average hacker, we know how to do that now. But what we don't know how to do is secure, you know, military systems that get some attacks by other governments. So some well-funded, very creative hackers still can beat us, and we need to figure out whether it's holding the vendors to task, whether it's building new defenses, we don't know yet, we need to defend against sophisticated hackers, which is something we don't know how to do right now.

Host: Robert O'Harrow, your series, which, by the way, is linked to our website, has gotten some response from DHS, and often when you write, the next day there's an official announcement.

Guest: Right. There's been some reaction to it. It's, that's more typical of an investigative series. But I'm trying to merge the homework with mentors like Charlie Miller and officials in the government, officials out, hackers, I mean, these young guys that are breaking into things, sort of teaching. So there's been some response, and that's gratifying. I think that our mission at the Washington Post here is to, is somewhat platonic in the sense that we really want to teach people so that everyone is on the same page, generally speaking, so good policy can grow out of that. We're really not in a position of offering policy suggestions because it's so complex, it's so difficult. But I do think that Congress, if I had one recommendation, it would be really good if they immersed themselves in the subject and then came up with some plans for making things better. May I note that we're trying to contribute further to the education.
The Post has a conference with some very senior former intelligence officials, hackers and others coming up at the end of the month, and they can find out more at washingtonpost.com.

Host: And is that open to the public?

Guest: It'll be open to the public, and it's going to be a fascinating day because you'll have, as I said, people who are directly involved in helping to establish policy or formerly running, for example, the NSA or Cyber Command and so on getting together to discuss these issues and going through some scenarios. So, um, like I said, that'll be at the end of the month at the Washington Post.

Host: Well, as I mentioned, Robert O'Harrow's series in the Washington Post is linked to our site at c-span.org/thecommunicators. And Charlie Miller is a computer security researcher and Twitter employee, also known as a good guy hacker. He's been joining us from St. Louis. Mr. O'Harrow, thank you for being on The Communicators.

Guest: Thanks for having me.

C-SPAN is bringing you debates in House, Senate and governors' races. Coming up tonight on C-SPAN2, the Illinois 10th district debate between Robert Dold and his Democratic challenger, Brad Schneider. That's followed up by the New York 19th district. On tomorrow morning's Washington Journal we'll talk about how new technology challenges the polling industry. Scott Keeter of the Pew Research Center is our guest, followed by our battleground state spotlight on Colorado with Curtis Hubbard of the Denver Post. Then a look at how Mitt Romney and the Republicans are campaigning across the state with Republican strategist Sean Tonner, and later an analysis of President Obama's strategy. Our guest is Rick Palacio. Washington Journal is your phone calls, tweets and emails live every morning at 7:30 Eastern on C-SPAN.

These are the stories your textbooks left out. They're great stories about real people in American history, very important moments that we don't know about.
The first pilgrims in America came to, came 50 years before the Mayflower sailed. They were French, they made wine, they had the good sense to land in Florida in June instead of December in Massachusetts, but then they were wiped out by the Spanish, but we've completely left out
