Security Nightmares with Ron and Frank, very good. Thank you. Not too dark, please, and as has been said already, we would like the audience to whisper the word cyber: cyber, cyber, cyber. Thank you. Thanks a lot.

Right now, this is the 20th edition, in decimal, an anniversary for those that like decimals. I almost forgot. Last time we were using octal and then sometimes hexadecimal numbers, and then suddenly, I didn't realize until I noticed: oh, 20, that is kind of important too. So that's why we have a 20-year look back shortly, but that will be an exception. We won't do that every year.

Who here is here for the first time? Okay, nice. What was that, a third? 20 to 25 percent. Who was there the first time? For those that can still calculate this, that was at 16C3 at the Haus am Köllnischen Park in Berlin. Who was there? Ah, yeah, five. Imagine that. And then who wasn't born by that time? More.

Actually, if you go back 20 congresses including this one, it would be 17. Okay, back then in the Haus am Köllnischen Park there were about half as many people as are in this hall, just in this hall, right now. That was the overall audience in 1999, before the turn of the millennium. That was the first time we used the NNC3 acronym, or abbreviated acronym, and the second event in the Haus am Köllnischen Park in Berlin, a very nice location, and we had half as many people there as fit into this hall alone, and that was in the whole house, and it felt rather full. Yeah, because you have to know that the Haus am Köllnischen Park had a large hall, and that could fit as many people in as would fit into the whole of the Eidelstedter Bürgerhaus, the first location in Hamburg.

Could someone just do the calculation where we will be in 20 years from now? Okay, but we are post-growth now. We notice that this growth thing is difficult. The planet is going to be exhausted at some point.
So we'd better not grow anymore, right? Okay, and the Congress was only three days back then, so you could do this in one go without sleeping. Who of you has tried? In the four days, come on. Yeah, be embarrassed. Well, they're not here. They're just lying around somewhere, dazed. Right, I can remember when I was at a four-day Congress for the first time and I thought, oh, that can't be true, that's just an attack on your health. Yeah, I think this correlation, we went to four days and it grew massively, I think that is no coincidence. But in the end it's good, right, four days. Who believes that it's a crime against humanity to be kicked out after four days? So that's half of you. Who would like one month of Congress in a row? Okay, right, so that's two-thirds again or something like that. Yeah, seamless transition from Camp to Congress. That is a good idea, because 1999 was the year when the first Camp took place. Who was there? Yeah, five again, right. Now those are the veteran spectators, or no, not just spectators.

So what was the big issue in 1999? And that was of course the year 2000. Who still regrets the purchase of a generator? Well, no, not regret.
I didn't pay for it anyway, because the company bought it. It simply went bust in January, and they had ordered it and didn't pay the bill. So next year will be a leap year, so if you're going to be staying overnight from the 28th to the 29th of February to the 1st of March, take an extra roll of loo paper.

Yeah, the year 2000, that was one of the first topics where this dependency on IT kind of entered the public consciousness, because of that panic. And until now it's not quite clear whether that was a panic that was unjustified, or whether the panic made sure that enough energy and time and money was spent to prevent it from being a problem, and I think up to now that has not been clarified. And we are all looking towards the year 2038 with great glee, which is coming closer. So 2038 is closer to us now than the first Security Nightmares are away from us by now, just as a point of reference. Right, so we were sitting around there and listening to Professor Brunnstein's talk with a certain sense of horror, who would explain to us how the world would end. And well, right, those were the days.

Right, the shocking thing is that the years from 1999 to 2019 can be summarized in a single image, a screenshot: "Warning: the document you're opening contains macros or customizations. Some macros may contain viruses that could harm the computer. If you're sure this document is from a trusted source, click Enable Macros. If you're not sure, to prevent any macros, click Disable Macros." Macros. When we prepared, we were kind of miffed by the fact that in those 20 years
we haven't had any real progress on this front. What we had, massively, this year was several ransomware attacks which for the largest part still are transported via Office macros as a transport vector, and that was not any different in 1999. In between it was a bit less, but by now we're back at the very same issue, and we have to ask: is humanity actually capable of learning? How many out there in business will vomit if they hear: dear Microsoft, for the sake of humanity, just switch off macros completely? The problem with that is probably quite a few bullshit businesses would break, all these reporting sheets and those 400 megabyte Excel documents that large corporations are run with. It's not a joke. Living Excel documents, which change when you put something in and 15 sheets along something else changes, and you have to react to that. So that's not a rare experience out there. So if you think, if those were all gone, not too many people would die, I think. Although I don't know, hospitals maybe have Office macros too, so people might only die later or something. Yeah, so you shouldn't make too many jokes there. Oh come on, kick them while they're down.

Right, now about the regular program of ten years ago. That's a regular issue. Ten years ago we were talking about cloudy computing and thought that malware and the cloud would converge. Who of you has seen this become a reality? Yeah, eight. The message was, I think, that a lot of malware would be migrating into the cloud, and the cloud in its perhaps non-security would become a problem. But in fact, I think we've observed something else. It looks a bit as if only the cloud is the thing that can be defended, or at least many try to create that impression. Right, well, on the other hand, all those antivirus snake oil things went into the cloud. They are now all selling cloud antivirus, and they all are selling cloud everything, cloud everything.
Yeah, hypervisor rootkits is something that we announced at the time. We just had debated this for a while: how did we actually reach that impression? And we then found that yes, of course they exist. There are some toolkits with which you can break out of those hypervisor frameworks, but in the wild they are quite rarely used, because the necessity for such a hugely elegant solution simply isn't there, because the thing that's within those virtual machines is so bad that it simply is not worth the effort to go that long way. And that's how wrong you can be, so realistic assumptions about security. I think we've learned that Security Nightmares never turned into reality. That's right. So the question is, if Office macros would no longer be around, what would we have instead?

This one, search engine user profile obfuscation. The idea here was that you were sitting in front of your search engine and asking one question after the other, and of course every question to Google is an answer to Google, that was the motto. And so how do you obfuscate yourself? And I have to say I haven't seen any plug-ins that simply search for Britney Spears in between, or whatever is current at the time, something harmless. I think if you would search for Britney Spears these days a bizarre fetish would be assumed. So that was ten years ago. Of course, that was the message then.

Right, Street View was an issue ten years ago that burnt Germany so hard that Google now would rather not publish anything, and everyone else didn't take part either. My impression, but that's maybe just my filter bubble, my impression is that everyone's kind of regretting this, that everything is just rotting there in Street View and nothing's updated. Well, actually, I think that is quite interesting. This is a kind of living archaeology. You can see how it looked a few years ago.
What has changed since then? Well, right, the problem is that Street View by then was state of the art, and these days we have, when we looked in preparation, current aerial imagery. The platforms have a 10 centimeter resolution, so you're not quite there with reading number plates yet, but not that far either. And what is actually fascinating here is, I think it was this year that we had the discussion, what's it like about aerial images? They are always getting better, and I think Bing started this, how did they call it, bird view, and Apple is calling it Flyover or something, and they really have good data there, and nothing is pixelated, at least I didn't find anything. And this outcry that went through Germany back then, I have to pixelate my house, that seems to have evaporated with those aerial images. Did we have anything? I think that has two reasons. The one reason is, with the aerial images you have the top view, maybe a bit of a side view, but you can't really read writing, the number plates, you can't really recognize faces that way. And the algorithms that they put in for pixelating faces and number plates, they do need some time to get there. There was this whole thing, I'm going to pixelate the whole storefront, but I think that the development will be quite quick if 5G is rolled out.
Yeah, there are devices that say okay, 5G, huge bandwidth, we can put in these 360-degree cameras and put them on taxis or bin collecting trucks and have a live update of Street View, just streamed out via 5G and then pasted there. And of course then we will need those algorithms to pixelate images because of data protection, and pixelate faces, and that opens interesting perspectives, because with your storefront, if you don't want to be in that live stream, you have to take the font that is used for number plates and set up your storefront with that, and that will automatically get pixelated. And that will then lead to number plate wallpaper that you paste to your house, perhaps to make it disappear. And clearly it's not over yet. The issue has just been dormant. The live Street View thing will come, and the aerial images are one pathway that they are sneaking in now.

The flash mob renters and our bot herders, the botnet defense federal care people. That was just an announcement at the time. So that was botfrei.de. botfrei.de started just a year later, and the reason of course was that that was the year of the Conficker virus, and we were told that five percent of business PCs are infected, and Germany was on rank two of countries with the most botnet infections. And then things were done, and a few years later Germany was out of the top ten, and until now it isn't in the top ten either. So the whole thing was kind of scaled down. And the interesting thing is that in Japan last year the government authorized itself to scan for IoTs, and they started this year, I think. I haven't seen any results yet.
I assume that they are trying to catch people that have bad passwords with IoT devices and contact these people, as we've seen with infected systems. So I think next year we'll have an update on that.

Yeah, we already had that topic back then. It was about intelligent electrical meters, the discussion of the conflict between the environment and data protection. The question is, if we want to save the planet, is it justified to implement surveillance state kind of initiatives, and do we need that in order to comply with environmental regulations that are important? And the societal movements that are advocating for that kind of thing might have to have a stronger discussion, or a more focused discussion, on this topic. If you look at the political spectrum, on the green part, so the environmental parties, they may not hold the data privacy aspect in as high regard if the trade-off is against the environmental issues that we're looking at. So this is a topic that we will have to discuss some more in the coming years, and it will be hard to find a consensus in that regard, if we were still worried about the data protection aspects for the citizen.

We had malware with update cycles of weeks, or one week, back then. We're down to the question of an hour or sometimes even less. This is good progress, obviously. We thought that the electronic health insurance card is dead. You may want to just have a look at the talk at the Congress this year. There was a talk on the electronic health insurance card, and form your own opinion on that.

There's the internet normality update for 2019. We're just gonna throw out a few numbers. For example, there was this Microsoft RDP vulnerability. It was called BlueKeep. When it was published or put out there, there were roughly a million systems that were immediately vulnerable. That's roughly the order of magnitude.
We usually talk about, even though a lot of malware is still replicating quite happily even if you only just have a few 10,000 systems. Then there was GandCrab. It was a larger number in the matter of how much money was earned. It's in the ransomware corner. Those numbers are put out there by the group who published the exploit, so this is interesting, because it was only running 16 months and they claim to have earned about 160 million US dollars. The question, so the other side, the victims, claim that they had almost 10 million in damages, so those numbers don't really match up. And the question is, is this really profit after calculating the numbers? Did you discount all the effort you had to put in, all the money you spent along the way? Is this proper bookkeeping you're doing, or did you round up or down? It's clear that the companies say it's vastly more expensive, because they had to do something new while they were, or basically they pushed in something that they wanted to do all along, and this was just an opportunity that they had now. So the numbers just don't match.

What's your view on this? Were you affected? Do you have a friend of a friend who was affected by ransomware? Oh, so few people. That's at most a hundred people. So who knows a company that was affected by a ransomware attack? Now, that's a vastly larger number. So who knows a person or a company that actually paid up? That's not actually few, maybe 15. And how many stars would you give their support system? Customer service, five stars. So the industry will have to explain how you reach them. They have a lot to do. And of course, yeah, the question about customer service, did the data come back? Who knows anyone who got their data back? Yeah, so customer support has room for improvement.

Yeah, there were numbers that we saw, I found, that basically jumped out of the internet at me.
It was an office in Florida that has paid up 600,000 US dollars in ransom. There were a few others that paid roughly 400k. Did anyone hear of a larger sum than that? Is it official? It's not official, but I heard, I know of people who are tasked with dealing with the fallout of this and cleaning it up. They claim that there was one company at least that basically just took their share of the revenue that the company generated. So they took something like two percent from the numbers that they have in the balance sheet and used that as the demand that they put out in the ransom notice. So if you think about it, if you have an outage in production and it lasts for a day, then maybe that's roughly a percent in cost that they incur or lost revenue. So the ransomware topic is one of the points where the claims that we made in the last few years actually were pretty spot-on.

Was the mail actually affected too? Oh, nice, a postcard. Thank you, a very nice postcard. Time travel is not a crime. Yeah, we'll talk about that later.

These ransomware attacks, not all of it is ransomware, some of it is actually targeted attacks on companies, where it's then spreading out. They're looking for the weakest point in the company. They attack that spot, for example something that sends parcels or something, and you kill that fulfillment position, or maybe it's the finances, to hit them where it hurts. And you can see that all the technical debt you have incurred over the years that you've been keeping around and you don't solve is basically coming back at you now. And we've been asking ourselves why, over the last few months,
there were so many ransomware incidents that have affected hospitals and similar, universities and similar endeavors. Those have the oldest IT systems with little hope for betterment. So basically they're the weakest members of the herd, and they are being culled. Obviously they have to discount that in their credit in the balance sheet, but in the end they're more willing to pay because it's easier. So these ransomware attacks now create an intrinsic motivation to take care of your IT system. So maybe it may have positive effects in the end for the individual office or company.

The ransomware infections rose by over 350 percent. The bug bounties are rising as well. Apple also joined the game with 1.5 million US dollars for a zero-day. In 2019 we had 19 zero-days that made it into distribution. In 2018 it was only 12. So maybe for some of you this year was a little busier than usual, but maybe not as much as in 2017, when it was 22. The average cyber damage in Germany is around 2 million euros, and every 8th German company was affected by some form of cyber attack. Those are numbers where you're saying, every 8th? Did the others not read any emails, or are these numbers just off, or strange? These numbers coming from industry political agencies, they're saying the total damages due to cyber attacks are in the two-figure billions. How are they calculating it?
You really have to ask yourself. So it's more interesting to look at what else is in there. And yeah, basically the calls for help from the industry, that someone, maybe not the state, is gonna go out there and regulate that whole thing. So maybe that's just the growing despair of the security officers in the companies that they're not getting the money from the CEO or the board or whoever, and they're basically looking at other branches of the industry that are more heavily regulated, and they're kind of jealous, because they're hoping for more regulation that would allow them to get the budget for the security that they need.

So let's look back at 2019. So the Chamber Court of Berlin, they had the terrific task of de-dusting fax machines. Actually, no, I don't think they had to de-dust them. They were perfectly maintained. If anything is properly maintained and de-dusted, it is the fax machine. Did they increase the lines by 10, by a factor of 10, or get something out of the basement, or what did they do?
Well, they didn't have one stack of paper but a whole palette, and they put the people there to keep putting the paper in the fax machine. There's this stupid phrase from lawyers that goes: the electronic transfer of documents made it possible for legal papers to escalate in size so much, because otherwise, earlier, you had to get it through in time, so there was a limit on how many hundreds of pages you could get transmitted in a few hours. So if I keep myself short, I can hide it in later. Right.

Now, the e-voting isn't really going away. In Switzerland we had the attempt, which badly failed, also thanks to the great work of the Swiss CCC members. And applause. And the same company, that was the Spanish company Scytl, then, what are they, these zombies, they just don't go away. They do this web server based e-voting, and the German Social Democrats were enticed to do that when they asked their members who should lead them this year, who should be the next leader. We criticized it heavily, and they always respond to our comment: so it's not a real election, it's just a survey of members' opinions, which the party will then implement. And that won't go away.
They will go on zombying around, and the question now will have to be asked, as one of our predictions is becoming true: if you have digital voting, how can you prove that the election has not been tampered with? And we've seen this in Bolivia. In Bolivia, yes, the president was voted out because they ran an election with a digital system and someone said this election was tampered with, there was an electoral fraud, and no one was able to say no, there wasn't. It was impossible. You could only determine that the system was as broken as all the other digital systems, and that narrative of we know that there's been fraud came about. So as soon as you have digital voting and someone later says electoral fraud, you've lost.

Yeah, and then this fascinating topic with those Ring cameras, the issue of password quality and software vulnerabilities. But much more exciting was what happened in the US, where there was this unholy alliance between police forces, local forces, and the makers, if I understood it correctly, and you are being made to give the police access to cameras, to your own cameras. And I think what can be foreseen here is that this will be an issue of social pressure. We have these neighbor associations in the better-off American suburbs, and there are rules there how you should design and keep your house and garden intact in order to not degrade the value of the other houses in the neighborhood. So don't let your lawn grow any longer, because that will degrade the value of the surrounding houses, and that's not on. And it's completely foreseeable that soon we will reach a state where these people say, oh come on, we are a Ring neighborhood.
We all have these cameras and they will all be linked up to the local police department, and you can then imagine the Black Mirror scenarios that will come from that. Someone runs away, and then the cameras in the neighborhood will watch if that face is picked up somewhere, and so on. So these cameras that stream directly to the cloud, that is a phenomenon that we should really keep in mind. We've been warning about this for many years, and now it is really happening. In the Asian region you have companies that sell you a camera that streams into the cloud, and out of all video images they cut out everything that looks like a face and put it in the cloud. And if any face is recognized, and it's determined that this person was under suspicion as a shoplifter, shop owners will get a message saying hello, the person that you've seen on your camera has been recognized as a shoplifter somewhere else. And that is a service that is being paid for, and the state of course has access to these data and can also feed data into the face recognition. Whether that is only 50% correct or not doesn't matter, as long as the system looks as if it would add value. And this integration of state surveillance and private surveillance with the companies that build technology, these are forming a kind of conglomerate, and that is something we will see much more. And we have to get used to the fact that this state-versus-interests thinking is not going to be applicable anymore. It's going to be one huge conglomerate. And if security is so bad that you cannot make sure that every second image will be one of Donald Duck, that is going to be the challenge.

Now, data wealth. All kinds of data wealth this year, of course. It's clear the remarkable thing perhaps, that was two issues. One, that 30 terabytes of data from the top three antivirus makers were carried out. That is quite a good achievement. Whether they are not using their own products?
Could that be, maybe the license expired? And the other thing that I found quite crazy was that some security researchers found a pot of data that wasn't properly secured. It contained data from 80 million US households, all complete with date of birth, address, GPS data and income and things like that, and that, it seems, was lying around in a Microsoft cloud thingy. And with those data they could not determine who it belonged to. It was just, hmm, that's a large data file. The format was published on the website, redacted, and there was a call for people to help to find the source, and the only thing that happened was that Microsoft quickly shut down the server and those that were going to get billed for that server were notified. But they didn't say who that was, so that question is still open and unresolved. And this will happen more often. You can be sure that this will happen more often, and data will appear and people say, wow, that could belong to a bank, maybe not, maybe a tax counseling company, whatever. Right, so maybe that will be a new classic as well.

How do these things come about? Someone needs a bit of backup space and the IT says, well, the new network attached storage will only be completed in four weeks, but my deadline's next week. So what do we do? We just click us a bucket somewhere and upload it there. We don't need any crypto, we're going to do it for two days anyway. And we don't need security either, because it won't take longer than that, and we'll delete it, surely. And then on Friday night someone says, have you deleted the data yet? I'm going to do it soon.
Yeah, and then the coffee cup is knocked over and he's dealing with something else, and then goes on holiday and he's gone, and the data remains. Right, and depending on what credit card this is, someone will notice or not. And such a lot of things will disappear that way, and you won't know what it is.

One of the things that was showing these zombie-like characteristics this year again was the discussion about back doors in certain software. And the plot usually works like this: the government, or one of its organs, says we don't want the encryption to become any weaker, because obviously we have attackers like the Chinese or the Russians, but we want some of the companies, like the larger ones, basically Google, Amazon, Facebook, the regulars, they should build their encryption in a way that it has a back door that enables the law enforcement agencies to take a peek. And basically, they shouldn't build anything special, but rather what they're saying is maybe just add another key. You don't need any special access method, another key, for example, would be fine, that the government has access to, and then they can just take a look. And the discussion is rather severe in the US. The representatives of the companies feel pressured and put on the spot, and they're being forced to come up with a solution for this, and they don't want the responsibility. And the government basically said, yes, that's all your problem.
We don't care. But they also put timelines on it. There's deadlines, for example by the Senate, where they were grilling Apple, Facebook, maybe some more, and the demand was clear, well, relatively, it was crystal clear: if you don't enable us by the same time next year some way to do this, we're gonna regulate you. Well, we're here next time, same time next year, and then we can take a look at what happened.

So the discussion is also going on in Germany. There's also a bit of a row between the law enforcement agencies and some companies to enable them, and it is not so much a matter of what it looks like in the specific countries. It will be a little different. For example, if you have a chat, then they should, for example, put in a ghost participant in the chat who will just read and whose key will be added to the conversation, so they can later on look at what was said. And the problems that are showing themselves here are that over the short or long term, encrypted communication made available by commercial companies that are not regulated, or that are regulated even, cannot be viewed as secure anymore if they submit to this kind of regulation, for example Apple, Google, whatever. They have so many million users that are being affected by this. Then these companies are not actually allowed anymore by law to create actually secure encryption. So people who are in need of secure communication actually need to utilize offerings by smaller companies that are unaffected by regulation. And the issue is basically the state is not happy with the state as it is, even after the leaks made available by Snowden that showed us what happened, and we're still discussing this under the topic of responsible encryption.

We probably need to speed up a little bit, so some more interesting stuff that we want to discuss. We can learn more from the reports from the breaches. There were several of those, probably more than over the last few years.
So if you're interested, maybe Google the specific companies that were affected, for example data breach report for the companies Equifax, Maersk. It's very interesting. Some of the other companies noticed that it's nice for the marketing and for keeping the customer relation intact if they're very open about what happened and how they reacted to the cyber breach. And it is very, very insightful to look at what they put out there, and you can learn a lot from it.

There was this super critical iOS security gap that was called checkm8, in the bootloader, that Apple probably won't be able to patch and is only fixed starting iPhone 11 and onwards, and that is actually really better for us. It's not the last time this is gonna happen, that's for sure. It only lasts for a while, usually.

The next discussion that is really interesting, and it has been almost emotional, is DNS over HTTPS, so encrypted name resolution. In my view, it's similar to TLS forward secrecy. Crypto is becoming better, well, even communication as a whole, the transmission of data, encryption. A lot of people say, yeah, well, that's annoying, I have to buy something new in order to take a peek, and I need it for my security. And some people say they need the money in order to support their business model to sell the data, which may, for example for DNS, be quite relevant for the ISPs in the US. In Germany it's not allowed, at least telcos aren't allowed. But yeah, well, for enterprises it's more of a nuisance.
They can sort of adjust their way of working and put out a better method of distributing software, or have policies in place, or some other method. But the companies that are really affected by this are the data traders. And some other ones that are pissed off about this are the companies, er, the governments that want to listen in on the conversations, and yeah, that may not be a bad thing.

So I want to throw in, just for a little bit, the first recall of a piece of medical security gadget, basically. It was 2017, by the FDA. It's crazy how long this takes. So this particular radio insulin pump, where we only had a voluntary recall, the security researchers had to be persistent about this for two and a half years in order to put pressure on them, to get the FDA to do it, and this is only the tip of the iceberg. We really don't know what's out there that should really be recalled because it's insecure.

We're also observing the topic of automation and distribution of work among the malware producers. So basically the industry in the dark sector is pushing themselves to new heights, and Frank already said that the weakest ones are going to be polished off. But yeah, the one that got removed recently wasn't actually the weakest, but still. So the companies are gonna take a look and they're gonna evaluate what they really need, and they're gonna say, okay, we need to recover the systems faster. Maybe we need an Active Directory as a hot spare that we can just throw in the network when it's needed. And maybe you can already take the stance that if you have a smaller or a medium-sized incident you can basically say, okay, we're not gonna pay anything. We don't care, go for it.
So the industry is seeing these trends and they're increasing their efforts, moving from ransom to blackmail. So basically, before they encrypt the data they're taking it out, and they're not just saying: if you want your data back you need to pay us X amount of bitcoins. Because the companies are saying: well, we still have backups, we don't care. And then the ransomware folks say: yeah, we also have your backups, and maybe other people are interested in what you have in your backups. So what they're doing is basically torture by a thousand cuts, where the affected company gets to the point where they say maybe it might actually be better to pay up instead of being hurt any more. It's a rather traditional model of doing business, but it's coming back in this new way that we're seeing in the ransomware sector.

So we're just going to skip this one: stealing metadata.

What's interesting is that there are now products with more than one backdoor, because during production of the product more than one person, or agency, or actor was involved, and maybe they all put one in. So there are several companies involved in the production chain or in the development life cycle, for example the hardware companies and the software companies, and all of them are leaving their own trace in there, their own scent even. There are, for example, Chinese companies that put out these IP cameras in the sub-$50 range, which are very nice and cheap gadgets, and there are hard-coded passwords in there, multiple of them, strange strings, a lot of things. This is a lot of entertainment for very few bucks, and yes, along the production chain it's very interesting to see who else was involved. This might be something you want to try out in your own hackerspace: use something from the sundry budget, just buy one of these little gadgets and take a look at what you can find.

All right, now to the weather forecast. A short remark about last year.
We already said that everything that can betray you will betray you: everything will receive a chip, everything will be given some memory and will record things and will have a sensor. There will be hardware that records at which temperature you charged the battery or didn't charge the battery, things like that, whether it was too warm or too cold, and surely someone will try to use that against you by saying: no, no warranty, you kept things too warm or too cold, the battery got too cold. The classic with e-bikes, right: a modern e-bike gets left outside at minus 10 degrees and the bike won't work, and the maker says, oh come on, we can offer you a new one, but there's no guarantee anymore. That's stupid, but well, it's just data, maybe something can be done about it. So what you need is the log file stylist.

Something that will become stronger is the division of the market into privacy business models. There will be the lower end, so the sectioning of the market: the cheap Asian business models that have never really heard about data protection or privacy, so they will give you the low prices and finance those with preinstalled apps. So the model is: you have a phone which costs surprisingly little, and there are about 30 apps on that phone, and each of the app makers has paid something like, I don't know, $25 to be on it. These are all system apps, they have access to all the sensors and all the data, and they monetize the data directly from the phone. So there is no platform involved anymore, the apps are doing it immediately, or they're building their own platform that way. So there's a staircase, starting from that low end, and then you have someone like Apple who say: we don't want your data, because we already have your money, so the small amounts we could kind of extract from your data.
We don't want that anymore. And then there's everyone in between, such as Google with the Pixel phones, who say: oh, it's nice that you've given us your money, and now we want a bit more of your data as well. We want all your data, but don't worry, we will do no evil, right? It's just for us. This differentiation along privacy scales is something we will see more of in the next year, and it's worth looking closer there to see what the actual foundations in terms of privacy are. The sad thing is that there will be people who claim they have privacy and are therefore charging a higher price, but who don't actually have anything. There was this article at heise, the well-known German IT publication, about apps for children, and you couldn't believe it if you read how they treat the data: what they claim their products don't do, and what they then actually do.

The cloud is now getting all the data. The motto, of course, is: it's only secure in the cloud. And therefore it becomes the single point of whatever, including the previously mentioned blackmail. Door locks, heating, says the slide. Suppose there's a company that makes door locks that are connected to the cloud and has 5,000 customers, and you, as the attacker, open those doors. Well, we could wonder whether the locks would open for every customer, or whether they'd get broken, or whether they'd just stay shut, or stay shut and get broken at the same time.
You could run a scaled business model there.

We wondered whether in the next year we'll have the first large case of API obsolescence, whether that will occur. This started because in my family I had questions like: oh, you know, isn't WhatsApp going to stop working next year if I still own an iPhone 4, or some Android or other? And the answer was: well, it doesn't really matter, does it? But many people don't see it that way. And I then wondered, well, what is actually the reality, and the reality seems to be that certain things will no longer be supported by certain platforms; no one wants to do 16-bit anymore, things like that. Will that mean that as soon as someone changes something in their API for security reasons, suddenly a few million end devices will no longer work, because they don't receive any updates for the new API anymore? We then thought for a while and said: no, probably not; maybe they just wouldn't dare, or they'd try to keep things running on the server side in a way that the old devices can still use the old API and the new ones use the new API, and they just try to filter out certain things, or whatever. We've had enough problems already that were solved in the network and not through updates of the GSM phones, for example. So maybe nothing will happen in the end.

Well, these data mountains that will disappear: there are two points where things are developing that will get stronger. One is the official digitalization that is happening. We heard about, and laughed about, the electronic health card in Germany, but there are other things: the lawyers' mailbox, for example, which was a huge fail in Germany. So people want to do more and more digitally, use fewer faxes and send less snail mail, and then we also have the issue that the notaries' inbox existed, and what you can read in the media about it will simply blow you away. I think a journalist politely asked
someone from politics, I think, whether an IT security audit had been done, and the answer was that they didn't see a reason to do that because the makers are trustworthy. So if you summarize it: today's digitalization strategy is tomorrow's data wealth. Who of you works in an institution or company that is busy developing a digitalization strategy? One of the interpreters is raising his hand. So about a third or more; that seems to be a thing. And who of those that didn't raise their hand believes that their company should have a digitalization strategy but hasn't really started yet? Ten percent, right. So you have this incredible approach that we've just talked about, that there is no reason to verify the security, and then the outcome will be inevitable.

But the other side is the invisible data mountains of shadow digitalization. Are you shivering yet? This is your aunt, everyone who's using digital devices without really knowing what they're doing, and who still have your data and process it and share it and then leave it somewhere. This started with digital photography, where you take photos and photos and photos and then you don't weed them out but simply put them on some disk somewhere that you have lying around, and the disk suddenly is on the local network, and then suddenly, through a small mistake, it synchronizes to the cloud, and then it stays there, unless the makers change their business model. And storage is getting cheaper and cheaper. This is not just happening in homes but in companies too: more and more data is being stored and put somewhere, and people are not looking after the cleanup, because, well. So there will be unbelievable things coming together there, and if there is a dam breach, and the data lake... Data lake, nice, right?
Data lakes exist in industry, where they collected all kinds of data without throwing anything away and then hoped that machine learning might extract something, and then they realized that sadly the data aren't that usable for their purposes. But the data are still lying around because, you know, you never know, something might happen and they may find something to do with them.

And now the popular section of business areas, crypto and sport. This is the popular section in Security Nightmares. Now more companies have had a cyber than had one last year. So industry has understood that help is possible, and there is incident response and emergency this and emergency that, and people you can call if you had a cyber and they will help you to kind of exorcise the cyber. And there's so much more connected to that; you don't have to be an IT person to join in: a cyber emergency helpline for people who have been affected by cyber incidents. If you listen in on the industry and how they're mitigating it, there are a lot of companies that have to do professional cleanup after this, for example data loss reclamation strategies, digital sorrow or digital grief, including restructuring the whole mess afterwards. At Maersk they said: well, the IT was gone and the emails didn't work anymore, and then we just migrated to WhatsApp. So we organized ourselves over WhatsApp afterwards, and we created groups there, and in the groups we tried to keep the business running, and afterwards we were actually wondering if this might be our new company structure: the WhatsApp group. Maybe we don't even need to turn on the mail server anymore. They didn't say that. Anyone who wasn't in the WhatsApp group was terminated later on. So there's still a lot to watch out for in the future.

You also have the problem: how do you tell the public about these kinds of problems? How do you
spread the word? There's no really good way to explain it to the lay person, because it's just gotten too complex. You can try to find analogies that are so broad that they don't really fit, or you could try another way and look at it from another angle: if it looks like magic, maybe explain it like magic. So maybe do a fantasy novel; it has similar terminology. You were breached by a ransom gang and you could create a whole cyber fantasy about it: demons have breached the outer ring of the castle, they scaled the walls and got into our rooms, and we now need to find brave people to go into the dungeons and hunt the demons and purge them from the castle. So you need professional writers who make a living out of explaining this in a way that makes sense to other people, like fantasy and magic. And at dawn you would no longer have to slaughter cyber geese, only at the full moon.

Then, Kaminsky likes to say, data wants to lie to you. It wants you to be wrong. Data wants to lie to you, and not a lot of people have understood that their data lake is actually out to get them. This is important to understand, and to train yourself in realizing that there is distortion in your own data, coming out of the sensors, out of the way you gather your data, from the sources that you use, and you have to train yourself to find these and to watch out for them. It's basically the opposite of what happens today, where people are being told there are great things in your data, and they look at the noise for so long until they see a pattern in there which is clearly bogus.

So we have the phenomenon here that the migration to IPv6 initially took a lot longer than expected, and now it seems to happen very suddenly, and most devices nowadays seem to actually understand IPv6. And then you see a lot of packets on your network and you're saying: well, wait, the monitoring and the firewall don't know IPv6, and your
router doesn't either, and you suddenly have all this traffic on there. And now there is this new job of the IPv6 exorcist, trying to purge these from the network, and later they have to retrain as the IPv4 exorcist in order to get rid of the old system and the old frames and messages.

Turn around, I forgot to turn on the crypto. Did everybody understand by now that it's important to have crypto, to encrypt everything, that it doesn't work without cryptography, that it's necessary for basically everything? No one demands anymore that there shouldn't be any crypto; they usually just want a backdoor and an extra key. But the question is: is it actually on the whole time, or is it just there and not turned on, or is it misconfigured, or does it have the wrong parameters, or is it on only some of the time or only on some of the connections? Did your software update break it again, turn it off, or maybe fiddle with the parameters? There's probably software out there that's trying to figure out if the cryptography is still on, and the question is, if so, how much of it.

We think we really should do something for IT security: click on each attachment and each URL, for science. We're usually saying you should watch out for it, and we're usually saying that the problem exists between chair and keyboard, but the problem is actually that the software is crap. Every piece of software that I'm using these days should be able to send data via email, to not blow up your computer, to not put it out on the internet, and to encrypt it too. So basically, the message of saying: don't click the attachment and don't click every URL.
This is just victim blaming, and it's wrong, and we need to stop it now. So maybe we should talk to the unions and tell them that clicking every attachment and every URL gives you more free time, or an earlier closing time during the day. So this is a clear case of: we can't keep going on like this, and we need to escalate the situation to a fair degree. So from now on, click every attachment, click anything you can find, basically. Use macros... well, maybe, maybe not, maybe still turn off the macros. So that is basically our appeal to you, and with this we wish you a lovely new year in 1984, and we'll see you again next year.