Notes From Vienna: Deepsec & BSides

It was a cold day in Vienna yesterday. It was simply wonderful to wander through the streets of the old city in search of great coffee. Soon I found myself sitting in the Cafe Central with a pot of coffee and my thoughts. This is a coffee shop that was once the hang out of none other than Sigmund Freud. Seemed like as good a place as any to reflect. In the proceeding days leading up to this point I had the privilege of being able to speak at the Deepsec and BSides Vienna conferences.

Both conferences were really well executed and an overall they were very enjoyable experiences. At the speaker’s dinner on Thursday night I found myself sitting with people from London, Paris, Rome, Krakow and others all discussing security issues. It was a marvel to me to see all of us sharing ideas with each other. What was even more poignant was that the need for us to do a better job at imparting security ideas with those outside of the sphere that we live in.

The news after the atrocious acts that took place in Paris on November 13, 2015 has devolved into political opportunists trying very hard to capitalize on the tragedy. There has been a seemingly co-orindated disinformation campaign to get the message out that encryption is a large part of the problem as it pertains to terrorism.

Um, whut?

Let us look at the information that is available to us at the time of this writing. We see that the people who launched the attacks in Paris all knew each other, communicated via SMS and discussed issues in person. Encryption, based on the information available, was NOT part of the equation. So, why do we find this conversation spinning up? Just a week ago I wrote about the problem of the demonization of encryption and VPN services. I had even spoken out against this tide of foolishness while I was on stage at Deepsec.

Now, we see talking heads like U.S. Senator Mark Warner complaining that we need to fight against encryption as it helps the terrorists. This is deliberately misleading and frustrating. As we saw with the Paris attackers there was no encryption involved (to the best of our knowledge as of publishing time). Political opportunism on this discussion only penalizes legitimate people who use security tools like VPN. The politicos want to have fundamentally broken encryption so that they can have unfettered access to internet communications. 

It’s a good thing that I didn’t see James Bond SPECTRE last night. Otherwise I’d be even more paranoid. Oh…wait.

To put a fine point on it, my friend Wim Remes commented on this on the social media platform Twitter when he said, “would you leave a key to your house at the police station? exactly. that’s why we can’t have cryptography with backdoors.”

This goes to the heart of the matter. The ones that control the message can steer the discussion. Information security practitioners need to get the message beyond the confines of our own echo chamber. If we fail to do so, we run the very real risk of finding ourselves trying to secure our enterprises from attack with duct tape and bailing wire. That is, until someone decides those are dangerous as well.