DeepSec 2019 Keynote: Computer Security is simple, the World is not – Raphaël Vinot and Quinn Norton
Information security is too often seen as a highly technical field in computer science, and one where the more technical someone is, the more right they are likely to be. But security is part of systems of life, that not only include computers and phones, but systems of living, cultures, history, politics, and interpersonal relationships. Technical knowledge is important in those systems, but on its own, it accomplishes very little — as the sorry state of the computer security in the world demonstrates. Knowing how computers work doesn’t give us an empirical knowledge of what people do with their devices, what their job is, what context they live in, what their adversaries want from them, what their capabilities or resources are.
In this talk we will explain why listening is the most important part of practical security, and how to listen effectively and efficiently.
We will touch on practical examples from our own life experience, from helping journalists, activists, and lawyers, to students, sex workers, and survivors of partner abuse. We will explain why in the end, information security may have more in common with anthropology — investigation and analysis of practices in the real world — than it does with math and software.
We asked Raphaël and Quinn a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- More technology will not necessarily solve the problems caused by technology.
- Information security is part of a wider culture and not an end in itself.
- Investigating your user’s needs is important, and understanding their context is the whole game.
- This means good security involves anthropology.
- Diversity of approach and background (and especially the lack thereof) is a limiting factor in the effectiveness of a security culture.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Both of us have worked with activists and journalists in kinetic and dangerous situations, relying on terrible technology security and security practices. Security punditry was telling them what to do, but that advice was almost never relevant. Over the years we’ve watched people jailed and driven from their homes, unable to get help from a security community that doesn’t know how to listen.
On a wider scale, we keep hearing the same stories of data leaks, system compromise, and terrible operational security that weren’t sophisticated and didn’t have to happen, if we saw the human element as part of security and not a detriment to it.
Why do you think this is an important topic?
Humans are infinitely creative. Forcing people to use specific tools or techniques will never improve security. That’s why we need a responsive security community and digital literacy education instead of more access control barriers.
Is there something you want everybody to know – some good advice for our readers maybe?
Listen to your users. Earn their trust. Meet their needs. Nothing else will keep you safe.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Fewer people running from one fire to the next, more communication between user and administrative communities and spreading digital literacy.
Quinn Norton is a writer who likes to hang out in the dead end alleys and rough neighborhood of the Internet, where bad things can happen to defenseless little packets. They are also places where new freedoms and poetries are born, and run riot over the network. She started studying hackers in 1995, after a wasted youth of Usenet and BBSing. These days, Quinn is a journalist, published in Wired, The Atlantic, Maximum PC, and more. She covers science, technology, copyright law, robotics, body modification, and medicine, but no matter how many times she tries to leave, she always comes back to hackers.
Raphaël Vinot has been a security researcher at the Computer Incident Response Center Luxembourg (CIRCL) since 2012. Raphaël wants to increase the IT consciousness of the human beings populating the internet in order to make it safer for everyone. His day job is a mixture of forensic and malware analysis with a lot of Python on top of it to glue all the pieces together. He loves sharing and thinks everyone should contribute to open source projects.