
Hi, my name is Marcin Karpezo. It's my sixth time here and I'm very happy about it. Unfortunately, it's the fifth time I'm here sick, so I'm sorry that I can sometimes be a bit quiet. Today I would like to talk to you about the fact that, as people interested in security, in the security of applications and solutions at various stages, we can actually try to educate and think about how to ensure this security not only with our infrastructure, not only with our secure code, but above all with how the application is thought through from the beginning, with its design. I will show you a few examples of this. Privately and professionally I am also an administrator, a devops; I'm trying to do it less and less. I also run cybersecurity workshops, for ordinary users, for non-governmental organizations, for companies, for audits; these kinds of things happen. And this presentation is a summary of the last year or year and a half of observing what is happening.

So we will talk about the most sensitive area, the weakest point, where we have problems. What is the biggest threat? And then the way to fight this threat: through UI, UX, communication, default settings, passwords, etc. There will be two smaller topics related to smart devices, which are also a big threat.

And the weakest link is the user. What wouldn't we do if we didn't secure our infrastructure? And it's the user who didn't pay attention to the email he received, who clicked where he shouldn't have. When our application, our service is completely secure, we have an encrypted database, we have passwords, we don't respond to attacks... I think it was the smart dolls in Germany last year, which had an unsecured password, a SQL database you could simply log in to. There was a big leak. The effect was that, based on a watchdog's application to the German government, possession of this doll was considered an act of espionage. So the doll was withdrawn and all existing copies had to be removed, because the doll kept in this database the voice of parents, the voice of children, passwords, conversations, all the access to the box and everything it saved. And we have more and more such cases; this is dangerous infrastructure.

But going further, our service can be destroyed by social engineering. Let's take Gmail: how many threats hit users through Gmail? Very many. How does it happen? Like this. They receive an email with part of the interface in the link. Clicking on this link leads to a login page that looks like the default "Zaloguj się z Google" page. The second example is "Otwórz Google Docs". These are two images, two elements of the interface that we, like millions or billions of users around the world, know very well from using Gmail. And even we may click on something like that, even though we would expect it to be much lower in the interface. And these are two examples of how we can break a user with such a really simple social engineering technique. And if we didn't have a safe Gmail, our users could be in a lot of danger.

Another element is the communication of our service. And here we have a basic Zembank email. Such emails come to us as clean text: you have an active delivery service, and so on. We get attachments in HTML or PDF, which can often be harmful to our computer, especially if we use Adobe Reader or simply open in our browser code that is written in a way that hacks the user. Then we have an element that is already phishing, this is already social engineering: "Access to your account has been blocked. We ask you to log in." And at that time this element of money and capital was in line. And in my workplace, out of over 400 users, 10 of them clicked. And only 4 of them were clients of this bank. And they started to fill in there: name, surname, PESEL, mother's maiden name, I don't know, how your dog barks. More and more stupid fields, and some of them dropped off, but a significant part of the users went through to the end. Of course, this type of form, as happens in most cases now, regardless of when we drop out, records this data and processes it.

And this is already a slightly more advanced social engineering technique, although in this case we still have relatively correct Polish. How many of these mails do we get every day where the Polish is very broken, and that is what alarms us. So these two examples: a normal mail without a link, which seemed quite okay as long as there is no link to click on to the bank; with a link it is just set up and you can do better. Some banks do it by sending us an attachment, the opening of which is probably done by Raytheon, for example. We also have passwords that we get every month by SMS: we get an SMS saying "we're sending you a statement from your account; to open it you need this and that password". And it seems to be more or less okay. But the next leaks are really tragic in effect for us.

Here I will show you; on my browser it would be a bit scattered. It's exactly about this field. In this field we have a cut of a huge database from Netia, which leaked last year in July. 18 TB of such data leaked. There are phone numbers, the address of the apartment, phone numbers. It was very interesting. What do we get from sending messages? We can send to anyone. We got one big book, "How to be a Polish social engineer". I will have to aim for you, sorry. There is one important sentence here. Among them we have comments related to telemarketer conversations. It was a database that contained entries that had been running for years in Netia when a user wanted to order something online, to order a contact online, wanted to order a service without contact with a telemarketer, or if a telemarketer talked to someone about a resignation, an update, and then moved him to a new service. And from this third record, exactly from this comment, "without details, I will wait", we learn that with a certain lady about the service "Internet up to 100 megabits per second" the conversation lasted an hour, because a little further (Emil, I'm aiming badly, I'm sorry for this waving, but you can just believe me) here is information about when the conversation started and when it ended. It lasted an hour. For an hour we can talk to the lady about anything. If after an hour of conversation about the service we get "we will wait, without details", we can return to it. There is a man who, from what I know, hasn't used the Internet in his life; he had it for his daughters. And in addition, the record related to his conversation is a resignation from the service. However, what leaked about him? Of course, the e-mail address, the mobile phone number; we will also find the address of the apartment, the home phone number. And these are just three records out of 18 gigabytes of data that leaked. So at this point, sending...

Please, start. I just wanted to start my presentation. It doesn't matter which one. I've already broken it. Great, thank you very much for your help. Where are we? We are here. So, regardless of whether we send encrypted contacts, whether we send SMS, we have a very big problem. This is something where I am not able to present a ready-made solution for how to do it well, so that as a bank you send billing to your user, or a listing of his operations from a given month. Because it would seem that encryption is great, but it's not enough. We can approach everyone in this way. What about GIODO? GIODO is terribly behind on this topic.
GIODO has no solution for this. GIODO will not present you with a "do this and then everything will be safe". Of course, we have to register databases, we have to store information according to the law, but from GIODO there are no penalties for such leaks. And even if there were, a good example is on this slide: two more companies, Yahoo and Dropbox. For these companies (and this is a very interesting conclusion from one post from last year) we learned that 500 million users leaked from Yahoo over the years. They didn't boast about exactly when, or in what way. They said only that this much leaked in total. And everyone was shocked. Interestingly, this greatly affected the value of Yahoo's shares. Because suddenly users found out that a falling company, which we hear about only when (a) something closes, (b) someone wants to buy them, most often Microsoft; we heard about them only then. Suddenly we find out that they have 500 million users and everyone is now being asked to change their password. What a miracle. It was very much a reaction from the top.

Second, Dropbox. I'm listening. For example. The second example is Dropbox. Here we know a little more. Last year 26-28 million users were exposed to the threat; their data leaked. How did Dropbox fall? Someone from the accounting department, in fact very similar to Netia (these are two nice examples, very similar to Netia), someone from the accounting department got an infected attachment, opened it and then, once the computer was taken over, they walked through the network until they found someone with access to the database. The database leaked, they published its content. Netia was also leaked. In the case of Netia, we have additional circumstances, because there were Belarusians who wanted to protest. By the way, Obama was probably also in Poland. We can talk a bit about such a modern 21st-century attack on a bank, because at exactly the same time the Netia server room in Warsaw had a fire alarm. And 90% of the data is exactly the same as when the 18 GB of data was transferred from Netia. So with great probability, Ukrainians, holding them somewhere near someone, called a fire alarm and, having a smoke screen, transferred the data so that no one would notice. After all, Netia reacted. For a very long time, it denied that something like this had happened. It's nice to see how you can see this in the post on Niebezpiecznik. So first the media informed, the security community informed. Then Netia admitted it, but didn't inform its users. Meanwhile, they started to get a lot of messages on this number: "We're very sorry for your data leak", or by e-mail: "We're very sorry for your data leak, we're very sorry. We've prepared a special offer for you, which is in this link, in this zip file, in this doc file, in this PDF file." One and a half years after this leak, they still get such e-mails.
And in the case of people of our age, not talking about our level of technological development, but in the case of a regular user, it is a very big threat. It concerns older people, younger people, people in middle age. In this release that I showed you before, we have information on which browser, which IP address someone used when filling out the Internet form. You can do a lot with it. If you just want to hurt someone, get access to it; you have one encyclopedia on how to hack a Pole, and you don't need to try hard. And this is the situation we are in now. And it's not like we can do something about it; of course for infrastructure protection we can, we can work on it, it's our task. But we have to think about how, when launching new services, while still providing our users with services, we can ensure their safety. How can we raise this safety? What can we change in the interface so that it doesn't happen again? Or, if it happened once, to protect them from such things.

And now we will go back a little to our Gmail. What can we do when, for example, we have this Gmail, our data leaked, we have such a big problem with these basic elements of the interface? In the case of Gmail it's quite difficult to say that we will change the interface, because at this point we are reaching millions and billions of users who have very strong habits, and from what I remember, even the smallest change in the interface is really difficult to push through. So we can't just, I don't know, remove something with a red strip, throw it somewhere aside so that it is outside the message. If we had something new, great; let's do it exactly like that. Let's make this type of element, despite the fact that it looks like an element of our interface, placed in such a way that it will look completely out of place in the message. However, in this case, the simplest action seems to be something they do especially on Android or in mobile applications, particular applications such as Instagram (I think Facebook also slowly has it, Pinterest has it for sure): if you click on any link, they display an additional window with a notification, display the address you are going to and open the external browser. Something like that can also be used here if we click on a link that goes outside of Gmail, outside of Google, and it's really not an added service.

You'll get a microphone. It's great, but it works like there's some kind of JavaScript installed there. Probably when you turn it off it doesn't work, but if you find a link to anything on Google it shows the original URL. Yes, but you do network there. I mean, watching this network traffic, it first goes super ultra fast to Google and only then to the original page, so they can also display such phishing or something. Yes, but such things are constantly passing. It's not very old. In this case, exactly what I think about is not using it; it's more a browser mechanism, that when you hover for a while, hold it, you see the original link; it's something that users should be taught from a young age. Before you click something, wait those two seconds for it to light up. But what I'm talking about is the additional window display. At the top, on this one: "This is the address you're going to. If you definitely want to go through." It can be a bit annoying, but it raises security really, really high. So that the user will see and make sure that, well, I don't know, there's no Google there. There are still emails like this that come through the translator. You've probably come across this too. And then it's a more difficult task to see the domain of Google Translate, Bing, something like that. There's a bit of sleepiness when we see the name of a big brand in the domain. It's quite problematic. It's not a field where we have a lot of solutions for the huge number of problems we encounter every day. That's why I think, and I draw your attention to it, that it's not just code.

The second solution is to make your own application. This is very often used; we already
have it in every bank. Sooner or later, in fact, I think most banks have joined. Some joined better, some worse. Blik is a nice solution, an example of how you can do it better. But it's not entirely safe either, especially for the user. Because basically we can ensure the security of the user of this type of application only when it has at least a password to unlock the screen, preferably a code, not a swipe pattern. We know that the swipe pattern is the worst way to protect our screen, because we have dirty fingers. So if someone gets to our phone, they can guess the most frequent movements on the phone.
In Poland there is no such law, but in the US, if you have a swipe pattern, the police can force you to unlock it, because it's not a code or something like that, but if you have a PIN, they can't force you to unlock it by official legal means. I don't know how it works in Poland. In Poland we are safer, but it's worse in the UK. In the UK, if you have an encrypted laptop and you don't decrypt it, they have a chance to lock you up. They have full right to lock you up in prison. So if we don't travel much abroad, it can be difficult. But we have to try to protect ourselves. There is something else than blocking the police's request. And there is something else than protecting our phone before leaving it in a cafe for a moment, because we will go to the toilet and at this point someone will get to our phone. I hope that they will use some applications, but more likely that they will install something for us, which is not a very big achievement. So that such things are done, we have to use and think a lot. Creating any application, internet, computer, mobile, whatever we do, we have to think a lot about the default settings, and what's more, when we add something new, it can't be an option to "raise your security, configure your window, confirm your address", but we have to unlock it at the start, because the user won't do it for us. And we have to think a lot about it and experiment as much as possible; it's also a terrible problem. Because often, having a problem related to our users falling victim, we have to act quickly. Often under stress or tension: the longer we delay the action, the more users it hits. You can make a stupid decision, or do something that from the point of view of UX will destroy the use of our services. It will be safe, but users will stop using it; they will move elsewhere. And so we can also make a mistake.

At this point, the fact that there are leaks at Dropbox, Yahoo, T-Mobile, and I think it was yesterday that 70 million users' data leaked, doesn't move us anymore. It's normal. For these types of companies, big and small, it's all about the cost. It's cheaper for them to have a leak than to bear the cost of increasing the security of their cloud and their applications. And we have to accept that. And we often deal with this, working with large or small companies on security. When we propose how we can raise the security of the solution, it is a list of quite expensive steps to take, purchases to make and development to do. It's just expensive, but to make it safe, you have to do it. And then we can look at the big ones and see whether it cost them that much, whether such a leak cost them. Because in the case of a big company, even a net one, the penalty from GIODO will not harm our financial situation.

You know what, you will get a microphone. And what about GDPR and the penalties that are already set there? This is 4% of the entire group's income, not only the department's. - The turnover, the turnover. - Yes, turnover. Okay, this is a more sensitive penalty, at most. - The bill related to GDPR, or RODO. The first draft was a month ago, and there are still consultations. It's possible; I don't even know the term. So, to sum up this discussion, we're talking about a solution that may be very painful, but it's only coming. We don't know how it will be executed yet.

On the other hand, let's go back to our Netia. A company that was hit by someone's negligence in accounting. And at this point, punishing the company is of course as fundamental as possible; they had a very big outflow, but on the other hand, what can such a company do, apart from educating its employees even more, and at the lowest levels, to raise its security? This is really hard work on the foundations; it is not merely the security of five crossed servers. These are really big things, and here we are talking about a very large corporation, where introducing something like "I don't know, from now on we block all links, PDFs, docs" can be very painful, especially in bookkeeping. But it can be easier in smaller ones: from today we only download files from our walls, from today all mail traffic still goes through an additional antivirus server. This may raise security, but still, if we land on some address where we have to fill out a form... There are also non-governmental organizations that have lost not a little money, because when submitting applications for funding or some grants, they found a website that was similar to the website of the body where applications are submitted. They managed to fill out the entire form, and only after confirming the consent there was an additional window they did not expect, that they would have to pay 10% of the grant to the external company for the fact that it was trying to get the application through for them. And it was really not much to do something like that, to mark it with a checkbox, because, after all, consent is consent. And we go on. We submit an application, and at this point, instead of applying directly to the body that awards the grants, they would apply to the company that would do it for them. They would still have to pay for it. And the company did not show up. Really, when they showed me these pages, they were similar to each other; they really didn't differ much. So these are things we deal with every day and which become more and more painful, because this organization has decided to realize, this person has realized... and yet in the case of submitting a report, the person must realize that he or she can do something, that he or she can submit a report, that he or she may make payments; rather an important person in the organization. If such people fall for it, then what else, who else can we educate, what else can we do? At this point, really, thinking about services, we must take care that it is as impossible to do as possible. And we have to pull out basically the whole arsenal that may come into our heads, only because we have few of these solutions at hand that are good, because a green padlock is also not a way to confirm our identity. At this point, the pre-published padlock... maybe Internet Explorer is not the best browser to show you this. Do I have Chrome or Firefox here? Yes.
The green padlock is already the least protection for us. Because we will go to the Orange headquarters or to most companies. After all, at this point there is the purchase of software, and above all equipment, such as Fortinet, Fortigate, and this is just an example of one company; there are many more such companies. But we can put a box in our company for 30,000 that is basically non-service. It serves the internal network, handles the entire traffic and protects our users. But also when we develop such a padlock... Let's see the security information. I don't have it on my computer. This is the smallest one. So this is also a big problem. We have it in Firefox and everything is fine because it shows us who issued the certificate. We have to think a little more. Again, a bad problem from the UI. But we have information on who issued the certificate. If we went to Orange, we would go to a company that has this type of software. We would not see here the company or the website for which it was issued, but there would be a certificate that was put in place. Which of course also gives a green bar. Let's Encrypt is great for us, but it's a knife that we can use to grease our hands or cut our meat and have a nice dinner. But we can also use this knife the other way. It's exactly the same. It's not a bad tool in the sense that the knife is bad. It's in the sense that you can use it for bad purposes, and they do it very often. People got used to the green padlock; we put up a service, generate a certificate and we have a Google Docs website that, after clicking like this, still gives us a green padlock. Log in. Paying attention to it is basically pointless.
So we really have to find a way to do it, especially we as people connected with security. When we have to deal with teams, for example, we have a cross-section of people from designer to developer, we have to look for it, pay attention to it, figure out how to do it, so that our mom or dad doesn't click on something that might affect us in the end. We go on, on, on, on, on. We have this application, we have these default settings. There is also a cool idea: the first password. We bought a new router and a new camera. We talked about it in March this year at the Warsaw Diary of Informatics: if we buy an internet camera, such as a monitor that we can watch on the phone, it takes less than 65 seconds to be hacked if we leave it with the default password. And it happens automatically; there are already bots that go, scan and do it. So the first password, OK, cool, but it has to be done wisely. It has to be so that at the first launch, for example, when we buy a router, we buy a camera that we released, or some smart device we released as a start-up, it will not connect to the Internet, it will not allow us to do anything until we enter a new password, one different from the one on the box. We may use the one on the box for the first login, but any possibility of using the service comes only after creating our own new password. Because if we don't do that, we can end up like UPC. It is one of many websites, there are applications (there are no more in the Play Store, but you don't have to look far) to find a mobile application that will allow you to hack the five closest available UPC networks in Warsaw, or here where we are standing. Because it is very easy to guess the constantly changing key with which these names are generated and what password can be assigned to it. And 90% of users will not change it. And this is how we will be studied with our applications and services. And this, in fact, can be called the generally understood design of our solution.

I'd say that maybe it was good to change the name of the network in the case of routers, because you changed the password, but on the other hand, it's UPC, so you know right away that they have such routers and maybe there are other vulnerabilities. I know, it's about operators, so they can force the user, apart from changing the password and changing the SSID, to something like "my mom likes cats". I don't know, on this basis. Yes, here we have again such a quarrel with the UX approach. What is the result of the fact that we have the default password, we have the default network name and it seems safe? Because users didn't do it anyway; they have had the admin password for many years and they still don't want to do it. How can you force it? You can block all access until you change the basic data. But in this case, I'm telling you this because you will soon be able to bring it up as a security specialist in a company or in another company. We will go, we will do a presentation for UPC and they will change it. Ok, but if someone is 80 years old and you need to change the name of the network or the password, it may not work, right? In this case, you also have, I think, in most cases, when a company comes to you and sets up the Internet, it is the technician who will do it for you, or he will tell you and give you new data that do not overlap, and you will write it on a piece of paper. So I think that the problem of the 80-year-old person is disappearing a bit. Because this technician is always there and assists when you start. So this is also a basic UX of getting the internet from the provider. The technician comes, installs, we would change this data either ourselves or with the technician, and we would be much safer; we would practically not be subject to it at all.
Of course, there are still vulnerabilities, but it's already hacking, it's not UX anymore. Someone has to try to find out what router we have or know what router we have and try to find a hole and do it, but we won't do much. But this is a difficult thing to change. But much simpler. We will now work on releasing a startup that will do something cool. There is no additional application, or another smart vibrator, or other things like that, or another smart vacuum cleaner that will run and vacuum. And we have to think about such things. When you want to connect to the Internet, you should not allow yourself to connect without changing basic data,
because otherwise it will just fall. We had Mirai, I don't know if you've heard of it, I bet you read all the pages about security. It was exactly like that. And after thinking a little earlier, at a earlier stage, we are able to prevent such things as people creating solutions. We also have TV and Smart TV. Here, in fact, a completely different topic in the form of Wikileaks, NSA, CIA and the rest, which are basically a short story. CI created and demanded installation of backdoors and listening apps on Samsung TVs. Wikileaks published this data and we had a big problem. Because on the basis of this we had attacks that touched... Of course, TVs are the smallest problem of all of this. There were much more spy,
hacking, password-breaking apps. And it was that month, those weeks when hospitals in the UK were falling, when FedEx got its share, when a whole bunch of companies started getting ransomware. The software, built on what came out of WikiLeaks, was developed for the CIA. There were people who tried to... The first biggest failure of this attack was, if I remember correctly, that a security specialist found a kill switch: the ransomware referred to a domain, and if that domain didn't exist, it worked. So he just bought this domain, watched how many hits that domain got, and managed to stop the first wave of attacks. Is my time running out? Okay. And that stopped the first wave of attacks. But then, because the code was already out in the open, there were more modifications, and it is getting harder. It happened that in June I was sitting in a pub, and around 3 p.m. 10-15 people appeared; they ordered a lot of beer, because they had been told that they got ransomware and they were going home. And they worked in Warsaw Spire. So it seemed that the company responsible for the security was quite large. But here we have the problem of a built-in device that is practically at home. Here the problem was that this TV, despite being off, that is, showing us in this spot the red light which we all expect, was recording everything that was happening and transmitting it to the Internet. Very unkindly, Samsung had earlier tried to inform the user, as far as it legally could, and released an update, if I remember correctly, of the security policy related to TVs, where it pointed out that it's good not to have private conversations in the presence of Samsung TVs. Their problem was that when the NSA, CIA, etc. came to them, they would get a document in which they would say: "You will give us everything and do what we want you to do, but we don't want to tell you about it." So they were looking for a way out. But of course it wasn't enough, because who reads the security policy? There was a bit of news about it, because someone read it and found it, but it was still very little. It's not something we find on the main website. So we have WikiLeaks and we have the CIA. The big problem here is that to break this ransomware, the easiest thing would be for the CIA, which created it, or whichever company created it, to publish some form of warning for the system or some form of update that would allow it to be decrypted. But they can't do it, because then they would officially admit that it's from them. And they deny it. And they will deny it to the death. So very often, in the case of solutions that land on our computers, on our TVs, in our homes, in our apartments, in the event of a threat we are basically under the control of a fairly big policy which we will not do much about. And here, too, you can just think about it; it's more about paying attention to the problem, wondering how to make this type of device signal in some other way that it is turned on. Or how such a device can be designed so that the user is more aware of what is happening to him when some new software, new updates, are installed. How to do it without installing updates? This is mega hard. How to install updates, especially larger ones, and inform him so that he would actually read it? What could have changed there? Yes, the 0:1 connector, that would be an option. Maybe you could do a quiz: if you don't answer, you won't watch the movie. I can see some users who come home after a hard day at work and just throw the TV out the window. You walk down the street and you see those TVs flying through the windows. What my friend suggested already existed: if you played original Amiga games, you had to type a specific word from a specific page of the manual. So it worked, so you can go to that page. So it's like a sentimental journey, in the form of a game. Maybe we can look a
bit further at what we have on Chrome. When we had this game on Chrome with a dinosaur jumping over cacti, we could use it to make sure no one would get bored. It was a jump to the update. We installed it and it brought security here. We need to think and figure it out. We have few solutions for it. I can't start the presentation again. - Shift F5. - Shift F5. - How do you say it? You'll get the microphone.

I have a question. How to stop such traffic from a Samsung TV? I have to admit that my TV is not smart, not connected, but if I wanted to watch movies from YouTube, it's obvious that there are 15 different CDNs, some other shit is coming out, these pages are alive. So whitelisting is not an option on the firewall. Are the signatures of this traffic detectable at all? Or are there billions of different randomly generated domains that cannot be detected?

Here we are dealing with the HTTPS problem, which of course is already a bit of a pain in the ass when it comes to detecting it. But the solutions I mentioned, which provide their own certificates, i.e. they distribute their own SSL certificates for the traffic leaving our network, allow such things, because with such a solution, as its administrator, you are able to block the user from sending a Messenger link. You are able to block the user from posting images via Facebook, i.e. detect what kind of traffic it is.

Yes, but I'm talking specifically about spyware from the CIA.

In this case, we would most likely need a similar solution that will open up the packets, because this is traffic that goes over HTTPS. I would suggest the other way around, that is, blocking domains, because there is a limited number of domains through which this device connects to its control servers. Here we can also run into the same problem as with the Windows 10 update. I don't know if you remember it, but Windows 10 was being installed when we had Windows 7. First, we were sent a very annoying message, then the system started downloading without our knowledge. Finally, there was only one confirmation and it wanted to install itself, which of course slowed down the system, so we suddenly, magically, started to feel the need to update to 10 even more. And a number of solutions that blocked such actions by Microsoft were created. And Microsoft reacted to it too. The first basic action was of course blocking communication with the control servers. What Microsoft did was make these servers also handle other important things in the operation of the Microsoft system. So companies like that will also react in this way. It was a basic action that broke their marketing, broke their possibility of rolling out a free solution, so they reacted.

Microsoft updates are much more likely to be installed often than software updates on TVs.

Yes, so in this case, changing such a link would be harder. But I suspect they could also start reacting if there is such a threat, especially if we blacklist the servers that serve the updates. Do you have any questions? Please pass the microphone to the back.

It will be more of a skeptical comment. I don't know, I'm a little skeptical today. I will say this. First of all, from my experience, and this is my subjective opinion: we never solve socio-technical problems with technology. We've been trying to do it for 20 years and it's not working. It's understandable, because these are two separate domains. Secondly, trying to change user habits is tilting at windmills. Imagine that one
of you has a car. You go to the mechanic because something is not working. And this mechanic says to you: "You know what? When you're refueling the car, you have to stand on your right leg, lean on the car with your left hand, hold the fuel nozzle with your right hand, and you also have to wear a green shirt to make it work the way you want it to. And in addition, it's the car manufacturer's fault that this car doesn't work." None of us will do it. Or almost no one. The third conclusion is very unpopular, especially among people responsible for security: that educating users makes no sense. Or it makes sense to a certain extent, and again, an analogy. It's a bit like in school: children are learning, and if there are several students in a class who want to learn something, we will have a positive effect from education. However, most of the students in this class will not acquire this knowledge. And it is exactly the same with security education for users. For me, the conclusion is very sad, but I accepted it a few years ago that there is no solution for it. You have to look for a solution in the course of the attack, and not worry about whether the user will click on phishing or see this green card and whether some red light will light up.

How would you solve the phishing problem on the next page?

It all depends, but looking from the point of view of the company... We can talk on Gmail if there is any problem. I work with my clients and I put the most emphasis on detection. Yesterday, Borys told a story about administrators who discovered phishing and wrote some scripts that started to DDoS the phishing site. For Borys it was unreasonable, and I agree with him, but by modifying this technique we could have done something different. These administrators could have written these scripts and, instead of DDoSing, i.e. trying to make this page unavailable, they could have loaded false data into this phishing page, and then the phisher wouldn't know what is true and what is false. We automatically increase the cost of their attack, because instead of 20 passwords they will have 20,000, and if they are determined they will try to check them. On our side, of course, we can write an automated tool; we can react by blocking IPs after 10 wrong passwords, etc. So it's always a game. That's it.

So... I'm not sure if I answered correctly, but I'm more concerned about what you said. I'm on the side of those who have hope in educating users, because when they come to my workshops, they are often scared before the first break. And then we work on what to do to make it a little better. The effect of my workshop is that they come out quite calm. If they encounter any problems, they can always write, and we can solve various problems. Regardless of whether it's workshops for librarians on how they can protect children who use the school library, or the activities of a non-governmental organization. It seems to me that making people more aware, and this really means those who want to be aware, and not everyone forced from the top, like religion at school, because that won't work. We can only try to make people want to educate themselves, not force them to do it. Because of course when you get a commission to do training for 200 people on the subject of security, so that they get scared, there is no chance that it will work. You have four hours, you have to talk to these people about what you have to scare them with, 200 people sit in front of you, and what do they have to do with it? This is a religion lecture at school. Such things don't make sense.

A comment on the comment, if possible. In practice, there is always a level at which further security makes no sense, because the company doesn't exist to be super secure, but to make money. If security costs more than the losses caused by a hole, then we stop securing, and that makes sense. But when it comes to awareness, the example of accounting in particular is good, because where
I work I usually find a team where the lady types like on a typewriter, so that the keys are flying out. And it's hard to explain anything to them; sometimes they need help turning on the equipment, they don't know what's going on. But there is a level of training, especially in a bigger company, which makes sense. And then we do it actively. The biggest success was the invitation on Facebook, or LinkedIn, from a fake company president. We were watching who would accept it, how they would react; the coverage in the audit was 100%, which was the biggest success we had, but later, the next levels or editions of the same exercise were getting better and better. People were clicking more and more, you were announcing the trends, it was some bullshit to check what it was. And it works, even today, with Mrs. Krysia, not pointing at anyone in particular, they were coming to us saying "I have weird things here, and you were talking about the herring when I clicked". So if someone takes it in, it will work, but it is possible to reduce the level to the point where, if it happens, it will mean really bad luck, and not that we screwed up somewhere.

Maybe another comment. From my experience, I can say, and it will be a bit rude and maybe vulgar, but some people are just idiots and we will not get past it. Speaking of Krysia, my friend once said that you can work in one company for a maximum of 5 years and then you just need to change it, because people burn out, etc. Maybe it's not a matter of us not securing things, but of people who keep people in the wrong places for too long. That's also one option. Let's say some driver has been doing the same job for 30 years; he is already around 60, he has everything figured out, he's been doing it for 30 years and he claims that he's always doing it best. And we don't educate such people. It will be worse in the case of drivers at family companies or state ones.

State ones require these changes more. Were family companies a big problem, or some other corporations?

I have a comment on two comments. Regarding training, maybe it's the same with training people as with teaching children. If we learn something and don't use it, we just forget about it. People will forget about security the same way. So it's important to repeat the material, because it's important. So teach as much as possible, of course, if it pays off. And two, you have to give practical tasks, like in schools or somewhere. So give them the opportunity to use the knowledge they've learned. So do tests: enter the building behind someone, take something out of the printer, send some phishing mails. It works for people, and it actually works. Regarding Mrs. Krysia and the comment that people are idiots. OK, let's assume that people have some limitations. For such people, for example, the ideal solution is, I don't know if you have seen it, Borys's training. I started it in my company. I launched this program, I pushed people to do this training for a whole year, because they had a new lesson every month; there are six lessons. I will tell you that people like Krysia came to me and said: "God, I didn't know about it, but it's so cool, and now I'm going to tell my husband how to set a password." It works: there are drawings, there are simple things, and I think that Borys is thinking about how to do this training to get to this level. Maybe we are able to educate users at the base so that it makes sense, or to make it work.

And a comment on the comments on the comments on the comments, and in fact an answer to the comments. I think it's very short. I will repeat my thesis from yesterday. It is easier to secure a small company with 100 people than one with 100,000 people. Even if the company is small and doesn't have any money, but has a determined administrator. And I know this from experience. It was much harder to get into a company that had a paranoid, really paranoid person when it comes to IT, than a company that has several dozen thousand employees. The same will be true of programs, and here,
what you said, educational programs, through practice, everything, I say, but scale kills. What I wanted to say, and I always repeat it to my clients, is that security consists of three processes. Protection, which unfortunately everyone focuses on, including bug hunters, etc. But there are also two other elements: detection and response. These two processes suffer the most, and we should spend at least the same amount of time on them as on patching, changing passwords, policies, educating users, etc. Thank you.

Thank you very much for your comments, answers to comments and answers to comments. For me, it's the end, because the time is up. So the last sentence. There is a lot of work ahead of us, and we still have to do more conceptual work. We could search for hours and find more examples where we fall down at the design stage, and it could have been done better. Thank you very much for your attention. Sick as I am, I'll be here for a while. You can write to me at imiemałpanazwisko.pl. See you next year.