Friday 26 September 15:30 - 16:20, Green room.
Chester Wisniewski Sophos
Nick Sullivan CloudFlare
Daniel Schwalbe University of Washington
David Jacoby Kaspersky Lab
In theory, if you find a software or hardware vulnerability, things are simple: you tell the vendor, work with them to get it fixed, and get rewarded with $10,000, a t-shirt or a friendly email from the CEO. After a patch has been released, you write a blog post bragging about your finding, and the world has become a little bit more secure.
In practice, things are a lot more complicated. Vendors are often not as cooperative as they should be, and in many cases there is a real chance that the vulnerability will be exploited in the wild. Especially when it concerns critical infrastructure, it is not only the vendor that will be affected. Information on the vulnerability must be shared quickly with as many affected entities as possible, while at the same time being shared with as few people as possible, to reduce the risk of (further) exploitation before affected systems have been patched.
How should the security community deal with this apparent paradox? Are existing frameworks and networks enough to keep our systems secure?
Moderator: Chester Wisniewski, Sophos
Chester 'Chet' Wisniewski is a senior security advisor at Sophos with more than 15 years' experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more accessible to the public, media and IT professionals. Chester frequently writes articles for the award-winning Naked Security blog, produces the weekly podcast 'Sophos Security Chet Chat', and is a frequent speaker at conferences and in the press.
Nick Sullivan leads the security engineering team at CloudFlare, where he is working to build a better and more secure Internet. He is a respected security expert and digital rights management pioneer, having built many of the content security mechanisms for Apple's multi-billion-dollar iTunes store. He previously worked as a security analyst at Symantec, analysing large-scale threat data. He holds an M.Sc. in cryptography and a B.Math. in pure mathematics, and is the author of over a dozen computer security patents.
Daniel Schwalbe is the Assistant Director of Security Services in the Office of the CISO at the University of Washington in Seattle. He has worked in the information security and privacy realm for 15 years, much of it in 'hands-on' jobs such as Lead Security Engineer and Digital Forensics Investigator. In his current role, he directs the efforts of the University's Computer Security Incident Response Team (CSIRT), and is responsible for managing cyber threat intelligence resources. Daniel is an active contributor and speaker in the information security community, and is the University's main point of contact for trusted information security partnerships in the private, government and higher-ed sectors.
David Jacoby was born in Sweden in 1981 and as a kid he had a passion for breaking stuff - at least that's what his parents say. David's professional career started when he was hired by various companies in Sweden to break into their systems. In 2001 David started work as 'Chief Hacker' at the automated vulnerability scanning vendor Outpost24, where he worked for seven years before he went back to breaking things as head of R&D at TrueSec. During his time at TrueSec he was recruited by Kaspersky Lab, where he now works as a security evangelist and is head of research for the Nordic and Benelux regions. David is a known face and name in the IT security industry around the world, mostly for his wild, provocative and distinctive presentations. When he is not doing IT security stuff, he collects horror movies on VHS and restores old retro computers.