Closing Keynote

much so we've been seeing a lot of scary presentations today haven't we you know lots of lots of Breaking and Entering and all that kind of stuff so I thought I would you know follow in that vein so the the scary thing that I'm gonna contribute is that Warren doesn't actually know what I'm going to talk about he does not know it could be anything what do you suppose would scare a conference organizer the most let's think about this so maybe I could insult all the attendees I could do a talk on cybersecurity 101 about how exciting you know and and dangerous cybersecurity is how important it is I don't know I could talk about about multi-dimensional

cryptography using music's infinite variability would you see that anybody remember that one so yeah he doesn't know what I'm gonna talk about it could be just about anything is is he sweating yet and I can't tell from over here yeah yeah you're are you scared all right here we go no I actually have a presentation and and it's kind of a little bit Halloween themed because it has the word grave in it so let's see what we can do here I miss is going to be very different from the other talks that you've seen today because I'm going to talk about how security affects us when we you know leave the office how it affects us as

consumers and all the people in our lives who are also consumers so I'm gonna start by telling you a few a few stories so first of all when my oldest was about three or four before he could read we started putting him in front of a computer and letting him play on kids websites and he would just click around you know happily and we came in one day and we found him in the middle of downloading and installing a browser plugin ah how could this have happened well we kind of figured out that what what might have happened is that he had gotten conditioned by the things that were showing up on a screen and that he saw

us doing and he even though he couldn't read he got used to the fact that a pop-up window would generally have two little buttons on it two rectangles and one of them would be outlined darker than the other and that would be the default choice you know do you want to do this yes or no stop or you know go whatever and he found out that if he clicked on the one that was outlined the darkest it would make the pop-up go away and he could get back to what he was doing so even though he couldn't read he was being conditioned by this interface as everybody is as we all are and this is the sort of thing I might point out

that can be you know exploited that somebody could leverage against us because the the you is that we worked with make us get ready to click on things if we see the right shapes in the right order we don't think about them as much doing so this is a sort of thing that started affecting my kids at a very very early age now when he got older this is an example of you know the other sorts of things when kids start getting old enough that their data has to be separated from other kids data because of you know because of regulations because of student privacy that's when they start getting assigned logins the problem though is that a kid who doesn't

know his letters and numbers and can't type really can't log in can they so again for my oldest I used to volunteer at the kindergarten and help the kindergarten teacher log all the kids in at the beginning of every class session this is the sort of thing that is just not tenable over the long haul now there are some companies that are trying to address this for example there's one called clever that has come up with a login scheme where the kids can wear a QR code on a on a badge a laminated badge on a lanyard so that they just show it to the web camera to login and that takes care of it for them so we're starting to

address this sort of thing but you know we have to think about this more in in that our kids it used to be that you know computers were something you only used at work right but now we use this from cradle to grave even you know before we are born you know I people are putting ultrasound pictures on the internet and things like that our kids are being exposed to i T you know practically from birth and all the way through so you know that they might start when they are little kids when you're putting an iPad in front of your baby and you know letting the play with something and then as soon as they get

to school they get an account and they have to start logging in they have to start using this and then as you go along how many of you have kids who have lied about their age to get a social media account yeah that that is happening that that is a happening thing so you know they're going to be using it anyway and you know what they are absorbing from us about how to be secure online it's kind of hit or miss it depends on your background so you know my kids expected that my husband and I would be of the older generation that didn't understand technology we were supposed to be and I said honey who do

you think invented the internet you know we know a lot about this stuff more than they do so that was very disappointing to them but as you go along and you get into college and you start using social media and you get a job and you get more logins and you get more logins and so on they start adding up all sorts of things to register your car you know government accounts and banking online banking and online shopping and everything now one of the stupidest things that we ever did as technologists is decide that primary credentials should be stored in the fallible organic matter that we have right here or as Chuck Wendy calls it the poetry

generating custard who thought that was a good idea I mean back when there was just one computer we could say all right memorize this don't ever write it down but now that's ridiculous we should never have told people that they had to memorize complex strings that would number in the dozens or hundreds and never write them down it you know statistically speaking from a risk perspective it is a lot better to write it down and put it in your wallet because you know you're gonna protect your credit cards and everything it's it's a lot safer to do that than to end up using the same password over and over again when it's going to be stolen and

reused so that was on us we made a mistake there we need to start doing better now as you get older there are people you know you become temporarily incapacitated or you become permanently incapacitated as you go along there are people who are disabled who may not be able to use something online completely they might need assistance with it the one big thing that we don't have is a good system of delegation so I ran into this problem when my parents started getting older and they became less capable of managing their affairs but they didn't want to admit it they wouldn't just say fine you take it over they insisted that they could continue to do things so think about this for a

minute you know maybe some of you haven't had to deal with this with your parents yet but if you yourself were hit by a bus tomorrow you have all of your life being managed online how would you let somebody else do that for you especially if you're using two-factor authentication how would somebody else do this for you do do you have to tell them all of your passwords do you switch the 2fa over to their phone do you give them you know the the hard tokens what if they are hundreds of miles away or thousands of miles away how does that work the delegation is a big problem so my to go back to my oldest kid again

when he turned 13 I was informed by our pharmacy benefits provider that now that he was 13 he had to set up his own account and he had to give me permission to manage his prescriptions and so I said oh he needs his own account okay and I set up an account for him you know with a separate email address because I figured they might check but all of the authentication demographic information that they asked for to make sure it's really you I knew date of birth I was there so I set it all up I logged in i authorized myself there we go went went right back to it so you know that this

is the sort of thing that has not been very well designed yet and we need to work on that when my parents got older when my father had a stroke I had to break into his computer and break into his email accounts so that I could reset the banking password so that I could continue to pay the bills for my parents so technically speaking I probably violated the u.s. Computer Fraud and Abuse Act but if you've ever tried to get access to something not not after they're dead that's a little bit easier and it's not as much of a rush but while they are still alive but they're not capable of giving you what you need in

order to to get access it's a good thing my father didn't believe in security because I was able to log in and you know Brett he had cashed his passwords than I was able to get in and all kind of stuff but if you think about this you know what are we going to do about this in the future I ran into another problem when I took over my parent's gmail accounts again so that I could manage all of their shopping and their affairs for them and I set up an alternate email address because there's a function for that I put my home address you know which is Wendy at nee through comm into into the alternate

address field for each of these Gmail accounts and I figured it was you know so that if I needed to reset something I could get the reset email sent to my account but it turns out that's not really what that alternate email address is for Google wants to associate you with that email address so that you can send email from either one so it identifies you with both addresses and as a result anybody who used Gmail who tried to email me at Wendy at Nathan comm and again that's not a gmail address yes I ran my own email server don't tell anybody I'm not running for president so it's alright any time they would try to email me at Wendy at Nathan

comm Gmail would say oh you mean Wendy's mother or oh you mean Wendy's father so I would get an email say you know and as part of my board of director duties for another organization and it would have my email address but it would have my mother's name as the the full name on it now that's pretty creepy especially after my parents passed away and random strangers would be emailing me and they would have my parents name on it there was somebody who was trying to contact me about about some breach disclosure issues and he didn't have my address although he didn't realize it he started typing my name into Gmail on his phone and Gmail said oh you mean

Wendy at Nathan calm and handle he filled it in for him and when it got to me it would the name it that had attached was my parents private nickname for me now that's just that just gets you that really gets you so you know I I realized what was going on and I tried to delete my email you know from the alternate address and I contacted Google and I said this is a problem and they said no it's working as designed and I said well you didn't explain fully what this was for and what was going to happen if I used it and this is the other thing that we need to be able to do I mean I've

been an IT for years a really long time and if I couldn't figure it out that it was intuitive you know what was going to happen when I did this there are lots of people who can't do this it used to be that you know 30 years ago when we were writing this stuff it was a very small community and we all had pretty much the same level of knowledge the same background so we could say oh that's intuitively obvious or we could say RTFM because everyone was assumed to have the same level of knowledge that's not the case anymore we write for the world we write for our friends for our neighbors for our teachers for everything for

people in countries we've never seen wow this is the sort of thing that we have to think about now and we can't say these things are intuitively obvious we need a way to explain to people in plain language if you do this in our interface this is what's going to happen here are the you know ramifications down the line are you sure you want to do this and we need to do this for it with delegation I got I was able to set myself up as an alternate for my mother's banking account so that I could have my own account so I could do that online but in order to revoke it I had to send a paper

letter what that doesn't make any sense so again that there is nothing that is consistent across the board that you know everybody can figure out what to use and how to use this so as this goes along and we go through to our lives we have to think about how are you going to delegate it and under what circumstances in at least in the United States especially in Texas there is something called a durable power of attorney and you can sign it and give somebody else legal access to your manager affairs and there are two ways that it can take effect one of them is upon immediate effect as soon as they sign it you are you know good to go

the other one is upon incapacitation so that means if you want to get the that power you have to go and declare that person incapacitated legally which can take months and it will ruin whatever relationship you had with them so it's much better and it was much better for me to be able to have it take immediate effect and just be able to say my mom you know you look tired do you want me to just log in and take care of this thing for you and she say oh yes thank you and so I just did this more and more and more until she stopped asking and you know and then she passed away but I

was able to do that so what do we really need here we need something that goes across all of our accounts all of our interactions with IT as consumers from birth to death and you know we don't have that today this is something that I want to challenge everybody to work on a secure intermediary that covers our digital lifespan again it shouldn't have anything to do with your job because people move jobs it should be something you can take with you all the time it should be usable no matter how old you are and we're starting to see the beginnings of these we're starting to see password managers which are the start of a programmatic interface that

shields users from the malignant growth of passwords you know we're it used for your passwords you go to a website it puts in your password for you this is a later you know in a few years we're gonna look back on this and say oh this is a really crude start but you know we have it it's good it's starting we're starting to do more things like web often and and and an emerging root of trust which is guess what the cell phone so the idea of web often is that you authenticate to the device and then it does the rest of the authentication for you so that again it shields you from having to do all of this and the reason

why we can do it now and we couldn't do before is now you know we have secured storage modules on the phones that will allow us to perform secure cryptographic functions that we need for authentication so we're getting there there's just there is a big problem with this as a root of trust though oops did everybody just cringe hearing that are people getting scared pick it up pick it up oh my god don't step on it this is the scary part for you it's a very expensive and fragile root of trust not everybody in the world has this and even if they have one they may be sharing it so it is not what we

need that will cover our entire lifespan you know you're not giving one of these to your kid I hope I certainly didn't and we and and we went through a couple of dead soldiers over and over again before they they stopped doing that as kids with their own phones so we do have to work on this this is where I want everybody to start thinking about how we could build something like that and it's got to be more than just authentication it's got to help you with security decisions like do you want to delegate access to somebody else and if so for what reasons because password managers are going to get you into trouble yes

password managers today will let you share your passwords with a loved one you can login as them but that means you run up against the fraud detection measures of that website especially in banking because their whole purpose is to try to figure out if you're not the right person logging in with those credentials so that's not going to work logging in as your loved one you need delegation that's got to be audited officially you know Granta bowl revocable revocable how do you say it here revocable revocable whatever you got to be able to take it away and it's it's got to be something that you can do with everything that you have it's got to help you with privacy management

because nobody's gonna read the EULA that what happened with my kid you know who was you know getting stuck with the browser plugin is he finally got to the EULA and there wasn't a default outlined box for him to click on you know it was like agree and disagree or something like that he couldn't read and he didn't know what to click on so that's where he was sitting when we found him and that's where he got stuck so you know nobody's gonna read you as you need things presented to you in a way that you're going to understand so that you can make those decisions a lot of the privacy decisions that we offer today through

user interfaces assume that you the person in front of the screen are the owner of the data and you're making those decisions but again in the schools a lot of times you know for kids who are minors it's either the parents or the teachers who are making those privacy decisions so again we need you know something that's age-appropriate to help the right decisions be made by the right people and then again we need delegation so we need something that is going to be more than identity because there we never have just one identity we all wear different hats throughout all of the accesses that we have it's got to be something that encompasses and conforms

with regulations across the globe which is going to take really long time it's got to be provided by an entity that everybody trusts now good luck with that that's going to be very very difficult to do it's probably going to have to be an entity that has no other skin in the game that does not have any agenda other than providing this sort of service so that they'll be trusted they can't be selling the data they can't be you know promoting anything else they've got to be able to do that and it's got to work at the speed of bits and bytes not at the speed of legal documents that's the other really big thing you can't wait

for weeks for something to happen so that's the challenge what if somebody here in this room is going to be the one who starts this maybe it's you but we're waiting we're waiting go ahead and do it it's maybe it's you it's got to be somebody and you know as Brian was saying this morning we've got to fix some of these security things and at my age I thought he was gonna say this but I'll say it we better hurry and fix it because at my age I can't wait around much longer so it's it's got to be you folks and you know this may be one of the greatest challenges of our generation hydrogen at

our collective generation this may be the biggest challenge for us so if you want a really big challenge let's do this but first let's have a drink thank you you