Chimeras, Snake Oil and … Buy My Magic Amulet and You’ll be Fine

I recently heard of a consultant advising a company to upgrade their encryption to 256-bit AES, as 128-bit AES encryption keys had been hacked and could easily be broken — nothing could be further from the truth. And so it took me back to a word that I heard in a presentation a couple of years ago … chimeras.

After attending so many talks on cyber security that leave you scared to go out of your own front door, and hearing people on TV talking about cyber hackers and scaring the public, I loved a talk by Dr Ian Levy from GCHQ, where he outlined that …

…world-plus-dog were trying to flog security defenses to tackle “advanced persistent threats,” usually you see photos of hoodie-cloaked blokes poised over a keyboard with Matrix-style green lettering in the background. But such figures — seen as untouchable, unbeatable, and untraceable — are chimeras, and it’s just “adequate pernicious toe-rags” who are doing the hacking.

So here’s the picture I sometimes start presentations with … yes … that is me with a hoodie:

and here’s a couple of our students … not being serious …

So while Dr Ian Levy was heckled by one attendee over plans to filter content, you really had to take note of:

“We are allowing massively incentivised companies to define the public perception of the problem.”

Wow! Tell it like it is! And one of my favourite quotes is …

“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you — buy my magic amulet and you’ll be fine.’

Superb … it takes a bit of guts to say something like that.

And this comes after we have spent so long trying to articulate the problems in cyber security, and to inform the general public about what cyber security actually is.

It’s medieval witchcraft, it’s genuinely medieval witchcraft.”

Behind his talk, too, there’s a strong message for companies:

He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination.

And for companies he wants “active security”:

… active as in “getting off your arse and doing something.”

Superb! Love it!

Well, I am away to polish off my magic wand:

As a profession — if we are one — we need to get better at not scaring people, and try to focus on building better systems. We need to build more trusted systems, and we need to tell our governments, our CEOs, and the general public that the days of 1980s technology have gone, and we need to build for the 21st Century.