Pieces of wisdom from Dr. Taher ElGamal in 2010 on the future of Internet

This talk took place in November 2010, so it is already some years old. However, given the standing of the presenter, Dr. Taher Elgamal, and the continued relevance of the topic, "the past 15 years and the next 15 years of security", I suggest that, if you find no time to watch this 100-minute lecture, linked here, you at least glance through these learning points:

minute 8 - 15 years later, we have not solved the authentication problem.
minute 12 - everything that starts social ends up being business.
minute 12 - USD 350 billion of e-commerce - fraud there is one order of magnitude higher than in the physical world.
minute 13 - 1.2 to 1.4 % of transactions are fraudulent - so around 3 to 4 billion USD of fraud is generated every year - and this fraud economy grows faster than the economy of any country.
minute 13 - e-commerce is 3, 4 or 5 % of the overall economy - imagine it becoming 50 % of the world's economy.
minute 14 - we cannot afford these losses if we want the e-economy to grow.
minute 15 - 98 % of authentication is someone remembering a password.
minute 15 - 22 % of e-commerce transactions are manually reviewed - this is crazy!
minute 17 - the credit card system does not know how to handle security in e-commerce.
minute 19 - we invented a (faulty) security model after having connected our LANs and created the Internet.
minute 19 - the future is an extension of the past - it is not disconnected.
minute 20 - we are ignoring the end user - security is sold to big companies.
minute 23 - we forget the requirements when adopting technologies.
minute 24 - we forget that we have connected everything together.
minute 25 - it is much easier to make incremental changes to a system than to replace it completely.
minute 26 - security technologies that require user actions are generally not successful.
minute 27 - the reason SSL is really 'successful' is because it is hidden from the user.
minute 28 - things that work are things that we use (not things that technically work).
minute 29 - users use the same password for sites with very different profiles (banks and leisure).
minute 29 - 10% of people would send their password if requested.
minute 31 - we just put technologies into companies without looking at the threats.
minute 32 - we will see as much growth in connectivity as in the last 15 years.
minute 33 - the size of the device is purely a function of the display size nowadays.
minute 33 - the number of phones is an order of magnitude higher than the number of laptops.
minute 34 - we always want to reduce hardware costs - cloud is just using hardware more effectively.
minute 35 - social networking will change business behaviour.
minute 36 - we are actually connecting things to the Internet.
minute 37 - a smartphone has multiple channels to connect - and they are fundamentally different.
minute 38 - we should avoid trying to solve tomorrow's problems with yesterday's solutions.
minute 41 - we will be doing business through social networks - a new layer on top of the web layer.
minute 42 - the power grid - the number one infrastructure an attacker would compromise.
minute 44 - a billion mobile Internet users (IDC numbers).
minute 44 - 650 million laptops in 2010.
minute 44 - by 2020 that billion will become 1.6 billion - PCs and laptops will be a 2 billion number.
minute 45 - in 10 years smart meters will be everywhere in the world and servers will become consolidated.
minute 49 - current e-commerce relies on the fact that most people are honest - this is not going to scale.
minute 49 - almost every country has its own definition of a digital signature.
minute 50 - governments literally need to stay out of things that we have not yet put into real use.
minute 52 - it is really hard to secure connections through a firewall because we are connected through different means simultaneously.
minute 53 - distributed security is the way to solve infrastructure security - not security between networks (minute 55).
minute 56 - the fabric needs to be smarter to identify attacks.
minute 57 - the right place to do encryption is within the application itself.
minute 58 - the threat model is important to consider when securing an application.
minute 59 - information is the value to secure - we have protected the network but not the information.
minute 59 - identities, directories, roles - let's apply the right ones to secure information.
minute 60/61 - just delaying the delivery of information by 30 minutes - especially in the financial industry - would cause a high loss.
minute 62 - in the health industry it is not only timing (e.g. availability of information in an ER - minute 63) but also data confidentiality.
minute 63 - in utilities the important thing to secure is the infrastructure - not really data confidentiality.
minute 64 - we don't teach security correctly anywhere on the globe.
minute 65 - before doing a pen-test, sit down and ask your customer what they do - find out the threat model beforehand.
minute 66 - the 80/20 rule - identify the priorities before starting, because the project will be done 80 %, not 100 %.
minute 67 - integrity is actually the top security problem by far - more than confidentiality.
minute 68 - priorities in security are very important.
minute 68 - identity theft is not yet mainstream but it will be a very important topic.
minute 69 - for the Unix guys - the idea of a user being able to do everything on a machine at the same time is a crazy idea.
minute 69 - 90% of the really really bad security issues happening in the last 10 years had to do with a super user account.
minute 72 - a single security model will not solve all security requirements - it will be very expensive.
minute 72 - what about building authorisation rights into the data files themselves? (more a dream than reality).
minute 73 - do all your security checks at the backend - not in the browser!
minute 77 - security has not been solved yet - the centre of all this is to make things smarter.
minute 77 - networks were made to allow hacks! (can you believe that?).
minute 78 - life will change as much in the next 15 years as it did in the last 15 (we are a very young industry).
minute 79 - cyberwar may actually happen - any country can hack any country, not only neighbouring ones.
minute 82 - security is a business process - not a problem that requires a solution.
minute 85 - security vs privacy - we should not rank them on a single scale.
minute 86 - information that is not meant to be shared is completely unimportant.
minute 87 - a law on privacy without understanding the circumstances makes no sense.
minute 90 - the vast majority of web transactions are under 50 euro - SET was overkill (in terms of cost).
minute 93 - PKI: you don't need to have a universal trust model.
minute 96 - the infrastructure should be more intelligent - to ease tasks off the users.
minute 96 - I still haven't sent a secure email (other than to my friends to have some fun).
minute 97 - usability always wins (over security).
minute 98 - quantum computing - if government funding continues, in 15 years computation could be done in different (optical?) ways.
minute 99 - quantum computing will not break all cryptography - it will change some of the methods we use - nothing is really ultimate (minute 100).
minute 100 - quantum crypto - there are some implementations (optical crypto keys) - they are not useful until enough computers use that technology.
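Two of the points above are worth seeing in code: the minute 73 rule that every security check belongs in the backend, never only in the browser, and the minute 67 claim that integrity, not confidentiality, is the top problem. The following is an added example, not code from the talk or from this blog: a hypothetical checkout endpoint written twice, once trusting the total the browser computed and once recomputing it from a server-side catalogue, plus an HMAC-signed cart token for state that has to round-trip through the client. The catalogue, the key and the sample requests are constructed for the example; the key would come from a secret store in real use.

```python
import hashlib
import hmac
import json

# Constructed sample catalogue: the server-side source of truth for prices (in cents).
CATALOGUE = {"sku-1001": 1999, "sku-2002": 499}
MAX_QTY = 10

# Hypothetical server secret for this example only; never ship it to the browser,
# and in production load it from a secret store rather than hard-coding it.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def checkout_trusting_browser(request):
    """The anti-pattern: JavaScript in the page computed 'total' and the backend charges it.
    Anyone can edit the request (browser devtools, an intercepting proxy) and pay 1 cent."""
    return {"charged": int(request["total"])}


def checkout_validated(request):
    """The backend recomputes every value from server-side data and bounds-checks input.
    Returns {"charged": cents} or {"error": reason}; nothing from the client is trusted,
    and a client-supplied 'total' is simply ignored."""
    items = request.get("items")
    if not isinstance(items, list) or not items:
        return {"error": "no items"}
    total = 0
    for line in items:
        if not isinstance(line, dict):
            return {"error": "malformed line item"}
        sku = line.get("sku")
        qty = line.get("qty")
        if sku not in CATALOGUE:
            return {"error": "unknown sku %r" % (sku,)}
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
            return {"error": "bad quantity for %s" % sku}
        total += CATALOGUE[sku] * qty
    return {"charged": total}


def sign_cart(cart):
    """Integrity for state that must round-trip through the browser:
    HMAC-SHA256 over canonical JSON (sorted keys, no whitespace), appended as hex."""
    body = json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_cart(token):
    """Returns the cart dict if the tag verifies, else None.
    The tag is hex, so the last '.' always separates body from tag;
    compare_digest avoids leaking the mismatch position through timing."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


if __name__ == "__main__":
    # Constructed tampered request: the browser-side total was edited down to 1 cent.
    tampered = {"items": [{"sku": "sku-1001", "qty": 1}], "total": 1}
    print("trusting browser:", checkout_trusting_browser(tampered))
    print("validated:       ", checkout_validated(tampered))
    token = sign_cart({"items": [{"sku": "sku-2002", "qty": 2}]})
    print("intact token  ->", verify_cart(token))
    print("edited token  ->", verify_cart(token.replace('"qty":2', '"qty":20')))
```

The signed token does not hide the cart contents (the JSON is in the clear), and that is deliberate: the property at stake here is integrity, exactly the point made at minute 67. If confidentiality were also needed, the cart would additionally be encrypted with an authenticated mode, but the server would still recompute the price from its own catalogue before charging anything.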

As you can read, age does not prevent one from being revolutionary (and creative?) in one's thinking.

Wisdom needs time

Happy viewing!
