Anthony Zboralski on the illusion of security.

Leedham Te Kani
Published in Pay attention
Jul 14, 2015

“I think the level of expectation in me by businesses and my friends due to my reputation was good luck. I had to study and work a lot more. I tried to make a place for myself until my work became second nature and, like a good butcher, I could find the right place to insert the blade and make the meat fall apart”.

On bank security:

“It’s exciting at first, to test the security of systems, but after a while you think “what am I doing?”. It doesn't have any meaning because you go to the bank, you test their banking system, you hack their mobile banking app and everything, and when you tell them they have to fix it, and that they need to address the root cause, and give them security training, teach the programmers, you come back a year later and not only has it not improved, it’s worse. Even more products are insecure, the people are still incompetent in terms of security”.

Anthony asserts that we do not have privacy and the concept of security does not exist:

“Of course we have regulations and compliance issues, we have privacy rights. But they are not there, that is, they are there to protect us from honest people and organisations; the bad guys don't have the right, they take the left. And the government, they always complain about it, but they buy zero days from companies and they're probably reading our email”.

On the blurred lines between intelligence and security:

In France many directors of security in the big groups, they're all former intelligence officers, ex police, and they're always loyal to their former organisations. In fact, one of the reasons they’re hired is that they apply the same skills to their new job. And they habitually gather information and share it with their old associations.

On trust:

There are too many trust dependencies, you never know who to trust. You think you can trust in one person, one business, but you're trusting a bunch of third parties, contractors etc.

And trust, I believe, is one of the biggest problems in security because most people don't even know what the definition of trust is. The question comes all the time from my clients “you're a former computer criminal, how can we trust you?”, and I tell them “look, the people you trust are the problem, not the people you don’t trust”. If I want to hack your bank, steal your money, I wouldn't be talking to you, I wouldn't be asking to sign a contract, I would already be taking the money.

The dictionary definition of trust:

When you look at the dictionary and look at the definition of trust, it says “Firm belief in the reliability, truth or ability of someone or something”, and then, “Acceptance of the truth of a statement without evidence or investigation”, and so, if we recurse a little bit, the definition of belief is also fun, it’s “An acceptance without evidence that something exists or is true, especially one without proof”.

Quotes taken from Anthony’s speech at NoSuchCon.
