In this special Black Hat edition of the Podcast, sponsored by UL: Parisa Tabriz, Google’s Director of Engineering for the Chrome Web browser, brought some strong medicine to Las Vegas for her Black Hat keynote speech. We talk about why her simple message was so groundbreaking. Also: Ken Modeste of UL joins us from the Black Hat briefings to talk about UL’s efforts to make cyber security as important to consumers in the 21st century as product safety was in the 20th.
Don’t be a Jerk: Parisa Tabriz’s Radical Philosophy
“Be a team player. Don’t be a jerk.” These were some of the recommendations that Google Director of Engineering Parisa Tabriz laid on the overwhelmingly male and notoriously ornery security experts in her keynote speech opening this year’s Black Hat briefings.
The speech was remarkable for a number of reasons. For one, Black Hat made its name by celebrating cyber offense. It is a show that regularly makes headlines with eye-popping software exploits, from Barnaby Jack’s famous “jackpotting” attack that had an ATM spitting out cash on stage to Charlie Miller and Chris Valasek’s remote takeover of a Jeep Cherokee. Tabriz, by contrast, squarely represents the perspective of a defender. The talk was remarkable not only because of what Tabriz said, but because of who she is: a 36 year old female engineering lead at perhaps the world’s most important and consequential technology company.
In an industry known for bluster, Tabriz’s message was also a departure. Talking about Google’s efforts to improve the security of its Chrome browser, she spoke candidly about the obstacles her team faced, both internally and externally, as they worked to make Chrome more secure.
Rather than presenting security improvements to Chrome as foregone conclusions, she spoke about the practical and cultural challenges that confronted even simple changes, like warning users about insecure websites. As an example, she talked about how the introduction of Chrome’s Site Isolation feature, which moves cross-site frames into separate renderer processes, trickled down to affect even basic functionality like the “Ctrl-F” find-in-page feature, which now has to coordinate its search across those processes.
At a show known for its bro culture and in-your-face attitude, Tabriz emphasized the need to humanize security work: celebrating those in the audience who do the hard work of securing software systems, and talking about how Google’s Chrome team found motivation in personal stories of friends and relatives affected by browser insecurity and used everything from poetry slams to stickers to cake parties to celebrate their successes along the way.
In all, a project to secure Chrome that Tabriz and her team slated for one year took more than six and required a massive investment of time and resources from Google the company and from many of Google’s employees. The lesson is that better security won’t come from a team of ninjas rappelling into your company to ferret out and fix all the flaws. Rather, it will be a longer, harder and much less sexy scene: a group of dedicated professionals in khakis and jeans, working tirelessly to overcome technical, cultural and economic hurdles, respecting each other, working together as a team, learning from their mistakes, fighting and winning internal battles and, most importantly, not being jerks. That’s a really powerful message.
Ken Modeste of UL on the Challenge of Building a Culture of IoT Security
What is Underwriters Laboratories, the venerable product safety and testing firm, doing roaming the halls of the Black Hat briefings? Ken Modeste, the Director of Connected Technologies at UL, says the 124 year old company is on a mission to do for product cyber security in the 21st century what it did for product safety in the 20th.
While solid product safety guidelines mean consumer goods like lamps and electronics these days are unlikely to burst into flames or leak corrosive chemicals on your floor, there are no such guarantees for the security features of connected products. That’s why hackers have found consumer and commercial technology like IP-enabled cameras and home routers easy prey.
Modeste said that consumers are already trained to discern product quality and make smart choices in favor of quality and safety. They just need an easy way to tell a secure product from an insecure one. That’s what UL is up to with its Cybersecurity Assurance Program, or CAP. In this podcast, Ken and I talk about CAP, UL’s growing and evolving UL 2900 series of cyber security standards, and what message his company is carrying to the hackers and security pros at Black Hat in Las Vegas.