The law and leaky abstractions: In what ways can laws influence the security of society?

Presented at Still Hacking Anyway (SHA2017), Aug. 6, 2017, 2:30 p.m. (30 minutes)

In this talk I will show positive and negative examples of how laws can influence the security of infrastructures and society, for the good and the bad. Without proper attention from lawmakers, security teams, service providers and security researchers could be positively or negatively influenced in their work. #Legal #Politics

Presenters:

  • Oscar Koeroo
    I'm a technology, security, privacy type of guy that really likes to dive into the technical bits with a feel for international politics on the subjects. I currently work at KPN in the Chief Information Security Office in the Strategy and Policy team. There I am responsible for developing the KPN Security Policy on technical matters, like cryptographic principals and usage in applications, network design, Identity and Access Management, application security and other topics that are related to (information) security. I give advise on how to deal with the implementation of the policies on the infrastructure and application on which these are imposed. I love open data, open standards, open source and a transparant society. I'm a technology, security, privacy type of guy that really likes to dive into the technical bits with a feel for international politics on the subjects. I currently work at KPN in the Chief Information Security Office in the Strategy and Policy team. There I am responsible for developing the KPN Security Policy on technical matters, like cryptographic principals and usage in applications, network design, Identity and Access Management, application security and other topics that are related to (information) security. I give advise on how to deal with the implementation of the policies on the infrastructure and application on which these are imposed. I've build up quite some expertise in the (practical) usage of SSL/TLS with Public Key Infrastructure and I like talking about why this works as it does and where the shortcomings are. Previously I've work for Nikhef, the national sub-atomic physics lab. The Physics Data Processing team is responsible for various security topics and high performance networking to aid and defend High Throughput Computing, High Performance Computing, Grid Computing and Cloud Computing each in a multi-domain and international collaboration in science communities. 
My activities revolved around international certificate authority (CA) policies and their enforcement; I was responsible for the implementation of authentication, authorization and advanced account mapping tooling used for multiple large-scale international and national computing infrastructures. Techniques involved were X.509, PKI, VOMS (Virtual Organisation Membership Service), detailed POSIX account mapping and privilege separation, OpenSSL extensions and plug-ins, XACMLv2 and XACMLv3, OAuth and OAuth2, Shibboleth, etc. for computing and mass-storage utilities. Besides this regular line of work I was also part of an international emergency triage team. This team assessed vulnerabilities to scope the potential harm to the global infrastructure, before it moved towards the international collaboration of CERT teams responsible for the grid computing infrastructure for the Large Hadron Collider collaborations. The most fun project was to develop three generations of botnets to train CERTs with. With minimal information the CERT teams had to follow the procedures on communications towards the incident coordinators and use their local infrastructure procedures.