Installing Suricata on FreeBSD

I’ve been working through a Suricata course which details how to use Suricata on an Ubuntu base. Since I tend to work more with FreeBSD, here are my notes on how to install Suricata on FreeBSD.

Launch a working FreeBSD system, log in, launch a terminal session, then elevate to root privileges. Then run the following commands:

  • freebsd-update fetch
  • freebsd-update install (freebsd-update only serves -RELEASE branches; skip it on -STABLE or -CURRENT)
  • pkg install suricata
  • vi /etc/rc.conf
    • suricata_enable="YES"
    • suricata_netmap="YES"
  • vi /usr/local/etc/suricata/suricata.yaml
    • change all occurrences of eth0 (the placeholder interface in the stock configuration) to the actual interface identifier, determined by ifconfig
  • suricata -T -c /usr/local/etc/suricata/suricata.yaml (validates the edited configuration before anything starts)
  • service suricata start
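The same procedure as a single script, added here as an example and not part of the original notes. It assumes a FreeBSD -RELEASE host with pkg already bootstrapped, uses sysrc to set the rc.conf knobs instead of editing the file by hand, picks the first non-loopback interface from ifconfig -l unless one is passed as a second argument, and validates the configuration with suricata -T before starting the service. The yaml snippet and interface lists used to exercise its helper functions are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): the install notes above as one
# script for a FreeBSD -RELEASE host with pkg bootstrapped.
# freebsd-update only serves -RELEASE branches; on -STABLE/-CURRENT drop that step.
set -eu

SURICATA_YAML=${SURICATA_YAML:-/usr/local/etc/suricata/suricata.yaml}

# Pick the first usable capture interface from an "ifconfig -l" style list.
# Loopback, pf logging/sync and IPsec pseudo-interfaces are skipped.
# $1 is deliberately unquoted in the for loop so the list is word-split.
pick_interface() {
    for ifn in $1; do
        case "$ifn" in
            lo*|pflog*|pfsync*|enc*) continue ;;
            *) printf '%s\n' "$ifn"; return 0 ;;
        esac
    done
    echo "no capture interface found" >&2
    return 1
}

# Replace every eth0 placeholder in a suricata.yaml with the real interface.
# Writes through a temp file because GNU and BSD sed disagree on -i;
# prints the number of lines that contained the placeholder.
set_capture_interface() {
    yaml=$1
    ifn=$2
    changed=$(grep -c 'eth0' "$yaml" || true)
    sed "s/eth0/${ifn}/g" "$yaml" > "$yaml.tmp"
    mv "$yaml.tmp" "$yaml"
    printf '%s\n' "$changed"
}

# The full procedure; only runs when invoked as: sh install-suricata.sh install [interface]
install_suricata() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    freebsd-update fetch install
    pkg install -y suricata
    ifn=${1:-$(pick_interface "$(ifconfig -l)")}
    sysrc suricata_enable=YES suricata_netmap=YES   # same effect as editing /etc/rc.conf
    n=$(set_capture_interface "$SURICATA_YAML" "$ifn")
    echo "set capture interface to $ifn on $n line(s)"
    suricata -T -c "$SURICATA_YAML"                  # validate the config before starting
    service suricata start
    sleep 5
    ls -l /var/log/suricata                          # log files should exist and keep growing
}

case "${1:-}" in
    install) shift; install_suricata "$@" ;;
esac
```

Without the install argument the script only defines its functions. pick_interface returns the first NIC in ifconfig -l order, which on a sensor with separate management and monitoring ports is usually the management interface, so pass the monitoring interface explicitly in that case.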

Then we can check the health of our installation:

  • suricata --build-info – Display compile-time options (confirm netmap support is present if suricata_netmap is set)
  • suricata -V – Display version information
  • /var/log/suricata – Log file location, check the contents and ensure that they are growing
  • /usr/local/etc/suricata/suricata.yaml – Configuration file

Interesting Requests for Comment

This post is intended to list Requests for Comment (RFCs) that I find interesting, find myself referring to, and think that I should study. Hopefully it won’t become an exhaustive list of every RFC used in our networks today.

RFC 1034 – Domain Names – Concepts and Facilities

RFC 1035 – Domain Names – Implementation and Specification

RFC 1149 – A Standard for the Transmission of IP Datagrams on Avian Carriers

RFC 1855 – Netiquette Guidelines

RFC 1925 – The Twelve Networking Truths

RFC 4033 – DNS Security Introduction and Requirements

RFC 4034 – Resource Records for the DNS Security Extensions

RFC 4035 – Protocol Modifications for the DNS Security Extensions

RFC 5905 – Network Time Protocol Version 4: Protocol and Algorithms Specification

RFC 8140 – The Arte of ASCII

RFC 8484 – DNS Queries over HTTPS

RFC 8499 – DNS Terminology

More to follow!

Thotcon 0x9

Last week I attended Thotcon 0x9 in Chicago and heard a few presentations that made me think. The first was the keynote by Cory Doctorow entitled “The war on general purpose computing is an existential threat to infosec – and the world!”. He made an excellent case for the work of the Electronic Frontier Foundation (EFF) and has changed my opinion from one of little respect to one of strong need for their efforts.

The second was by Wendy Nather entitled “Denial of Trust: The New Attacks”. During this speech she raised the idea that companies (or corporations) consider the loss of data to be akin to Acts of God. This reminded me of a time when some people banded together to fight the deaths of 30,000 Americans per year due to boiler explosions – which the manufacturers attributed to Acts of God. Their efforts formed the American Society of Mechanical Engineers and ultimately led to the National Boiler Code and the licensure of Professional Engineers in the United States.

The third presentation, by Keren Elazari, was titled “Hackers: Still the Internet’s Immune System?” She makes the excellent point that hackers may be the most effective group opposing the domination of the Internet, collection and access to Big Data, and manipulation of the People today. At some point I heard the question of who will hold governments and companies to account if not hackers? The follow up becomes whether hackers are willing and able to organize in some way in order to maintain their effectiveness.

Lastly, “the Hacker Community Must Always Exist” by Chris Wysopal gave an enlightening history of the adversarial relationship between hackers and industry. He questioned the continued effectiveness of this relationship as technologies such as medical devices and blockchains are deployed, and whether there can be enough hackers to keep up with new technologies.

Altogether these speakers have motivated me to become a better Security Engineer and to make some effort to help find the answers. I see many parallels in the development and use of steam power 140 years ago and our problems in technology today. The scale is huge, but if enough people work together I believe that the answers can be found.

The meaning of IP addresses versus host names

An article in the November 2017 issue of The Internet Protocol Journal raises the excellent point that host names, rather than IP addresses, now define what belongs together on a network.

This week I’ve discovered that IP version 6 reserves an address space (Unique Local IPv6 Unicast Addresses) that is intended for local communications, normally within a site. This space is defined in RFC 4193, which goes on to explicitly state a design objective: the addresses are not designed to aggregate.

Our IT brethren are being driven away from aggregating addresses by the rise of mobile devices and the internet of things. Within the commercial IT world, host names are replacing addresses in allowing technicians to find specific assets, troubleshoot particular problems, and maintain environmental awareness. Our controls IT world is still working with aggregated addresses and organizing our systems using the addresses.

If the controls environments continue to use Commercial Off-The-Shelf components and to rely on Corporate IT for design and high-level support we need to begin migrating our designs from system organizations built around addressing and shift to comprehensive naming and name resolution services.

The Practice of NSM References

I’ve resumed reading The Practice of Network Security Monitoring, by Richard Bejtlich. In the past I’ve stalled once Security Onion was installed, as I haven’t had a good place to implement it and continue learning how it works. So yesterday I skipped ahead to Chapter 9, NSM Operations, and read the chapter. I was surprised to see a bunch of promising references, so I’m going to list them here for future use along with a couple of choice quotes.

First, an opening quote: “Too many security organizations put tools before operations. <snip> A tool-driven team will not be as effective as a mission-driven team. When the mission is defined by running software, analysts become captive to the features and limitations of their tools.” [The Practice of Network Security Monitoring, Richard Bejtlich, page 185]

A textbook reference: Incident Response and Computer Forensics, Third Edition (McGraw Hill Education, 2014 – Jason Luttgens, Matthew Pepe, Kevin Mandia)

Finally, a closing quote: “…intruders conduct campaigns, and CIRTs defend in waves.” [The Practice of Network Security Monitoring, Richard Bejtlich, page 200]