I have a quick show of hands before we start. We all came to this hacker event. Who among you decided to install some software updates before deciding to come here? So I see quite some hands. Now keep your hand raised if you could do this for all the stuff you brought here. Still some hands. Same thing at home? No. So do any of you own devices which you are not able to update? I have some in my pocket, even. So we have a bit of a problem, which really fits the next speaker well. Let me update you on Rejo, who's our next speaker. Rejo is a privacy advocate. He works as a policy analyst for Bits of Freedom, the leading Dutch digital civil rights society, as a policy advisor. He's also the co-founder of Freedom Inc., where he fights for your fundamental rights. But tonight he will talk to you about patching our approach to software updates. So please give a warm hand to Rejo Zenger.

Well, thanks for having me. I'm Rejo Zenger and I work for Bits of Freedom, a digital civil rights organization in the Netherlands, as you've just been told. It feels special to be here, as Bits of Freedom was resurrected from a winter sleep eight years ago at an earlier incarnation of this event. Eight busy years, by the way: you may have heard from us in our fights against the introduction of a power to hack for the Dutch police, an NSA-styled dragnet surveillance provision for the intelligence services, and making sure that our government opposes the weakening of encryption. None of which I will be discussing during this talk, by the way. And if you've been following Bits of Freedom for some time, you have noticed that we have a brand new website and a new logo, and of course that comes with the obligatory new t-shirts. That's a hint, anyway.

In this talk I will list a number of updates we need to apply to our updates, or more accurately, update the process of deploying security updates. Traditionally, we are focused primarily on
delivering a product and not the aftercare. If we think about updates, we think about rolling out new features and not about fixing the vulnerabilities in existing features; that usually comes as an afterthought. And whenever we look at the process of deploying security updates, we mostly do that rather narrow-mindedly. We have a look at the part of the process where we can directly influence, rather than looking at the entirety of the process. And we tend to fix the issues for ourselves, but we forget to look at the other stakeholders relevant to the process. But "works for me" is, I think, just not good enough. It's not good enough if we want to have a reliable process where we can deploy security updates. If you have fixed your part in the process, but further down the chain there are still some issues, the process of updating is far from optimized. You may provide security updates quickly, but if the user doesn't trust those updates, your updates will not be installed and your product remains vulnerable.

So here we have 12 updates fixing some of the common issues surrounding the process of deploying security updates. But first I'll start with a few words on the need for a reliable process where security updates are made available and deployed swiftly upon becoming aware of some vulnerability. I'll keep that brief, as all of you in this room are fully aware of all the risks that come with vulnerabilities; in fact, much of what is happening right now has been foretold by many of you. After the short introduction, I'll discuss the 12 most important updates to the process of patching vulnerabilities. Of course, it's easy to describe the vulnerabilities, but it's much harder to actually fix them. So in the last part of this talk, I will highlight the roles and responsibilities
we all have in this process. And to be honest, I would be surprised, or maybe even disappointed, if I would tell you something completely new. But only rarely do I hear someone piecing all of this together, and as already mentioned, that is urgently needed, because the process of deploying security updates is as strong as its weakest link.

Many of today's technologies are said to be disruptive, and in most cases what is meant is that these new technologies can turn a market quickly and completely upside down. But the digital attacks of this year have shown that technology can easily disrupt our entire society. For example, the WannaCry malware forced hospitals to close down, even though the malware was aimed at holding data ransom for money. Anyone who has doubts about the potential impact of such disruption only has to look at the NotPetya attack. Had the disruption been only a little bit longer, our supermarkets would have been unable to stock at least some of the products. And such disruption doesn't have to be directly aimed at society; it can be a political weapon as well, or a weapon of, let's say, a drugs cartel abusing the chaos at the container terminals in the port of Rotterdam. We have become utterly dependent on our digital infrastructure. Oddly enough, we behave differently. While swiftly resolving vulnerabilities in this digital infrastructure is tremendously important, the deployment of security updates seems to be something of the lowest priority. As an example, one of the vulnerabilities that was abused by both WannaCry and NotPetya was a vulnerability that was kept secret by the NSA, apparently for years. But even when the patch was available, many sites wouldn't or couldn't install that update right away. We should do better, and here are some ideas.

In the Netherlands, the government has a long history of failed IT projects, and legislation that is passed often
doesn't meet the needs for a secure digital infrastructure. However, there are exceptions, and the National Cyber Security Centre is one of them. They are acting like a computer emergency response team for governmental institutions on a national level. They do really good work. Anyway, the NCSC organizes a yearly conference, named the One Conference. This year they had 11-year-old Reuben Paul on stage. The boy was playing around with his teddy bear and hacked the poor thing via its Bluetooth connection. Of course this talk has seen a lot of headlines in all the large media, because everyone admires an 11-year-old hacking his teddy bear. But there was much less attention for the fact that a random toy can be hacked without years of training. And this is telling for the way we deal with the security of the things connected to the internet: all it takes is an inquisitive mind. Another thing that seems to have been missed by all of the media: the fact that someone has found the vulnerability doesn't suddenly and by magic make it secure. The manufacturer still needs to be able to push an update to the teddy bear. That is possible, but only if the manufacturer visits all of the homes of the kids with this plush toy. There's no way of installing a patched version of the software running inside the bear using some other means than physical interaction, and that obviously is not realistic. The device may be smart, but the manufacturer is definitely not. So there should be a process in the first place to update. The only solution that remains is to throw out and replace the device when a vulnerability is discovered, and that's not a very sustainable solution. A more sustainable solution would be that it becomes not done to sell products that are connected but cannot properly be updated as a consumer.
You should expect nothing less. And of course, it may be cheaper for a manufacturer not to provide updates and not to provide a mechanism for updating, but that should become a liability.

Of course, it's easy to blame companies running older and sometimes even end-of-life versions of Windows for not having upgraded to a more recent version of the operating system. The same holds true for my friend's dad, who is still using a computer with Windows XP. And despite all the warnings, interrupting his workflow many times, he still hasn't upgraded. He rejected the idea even when there was a new version of Windows made available for free. Nor could today's user-friendliness of Ubuntu change his mind. For my friend's dad, an upgrade is much more than just upgrading to a newer version of the software. It's also adapting to a new look, new icons, new functionality, and getting rid of old habits. So how do you encourage someone like my friend's dad to take such a big step? How many warnings is he allowed to just ignore?
And what about industrial environments? For a large factory with many dependencies, things may not be that simple. Upgrading the operating system on one component of the robot may entail a costly replacement of all the robots. Maybe there should be something like a rule that a computer running an outdated operating system may no longer be connected to a network, let alone the internet. Or maybe the computer should no longer be able to boot after its operating system has expired. I don't know how we should solve it, but this needs to be different, of course. I think it's also a difficult dilemma for the software manufacturer. At a certain point software should be allowed to become end-of-life, and you really cannot expect the manufacturer to provide software updates for eternity. So: no security updates without considering the upgrades as well. Just looking at the process of updating does not resolve all the issues surrounding security vulnerabilities. If we truly want to make a difference there, we also need to look at the process of upgrading: how to make sure that the company's robots or the computer of my friend's dad is running a recent version of some operating system. If the barrier for upgrading is too high, making a point about the lacking deployment of security updates is, I think, futile.

And here's another obvious point. One of the reasons the hospitals in the United Kingdom were affected by the WannaCry ransomware was that people are exceedingly cautious about making changes to the software of systems on which we have a high level of dependency. And that's of course understandable. If the software isn't thought out well enough, such an update could make the system crash, and you don't want that to happen in a hospital, a police station or at air traffic control. Therefore such institutions test updates thoroughly before installing them, and that requires a thorough
investment in capacity and time. Probably it's much more efficient to collect a number of updates and do the testing in a single run, but it also adds to the time it takes before a security update is actually deployed. So security updates shouldn't break a thing; that has to change. Security updates should be installable quickly, especially if the potential consequences of a vulnerability are large. That means the manufacturers should minimize the risk that the patch breaks something, for example by making the patch as small as possible; the patch should therefore only do that: patch the vulnerability. It also means that manufacturers should inform users well about the nature of an update, the potential consequences of applying the patch, and possibly even assist where the software is used in devices upon which lives depend. In a professional environment, that means a manufacturer may need to take a more active role than he is used to up until today. It also means that users should be told in a meaningful way what a particular update actually contains. This one from Spotify is an example of how it should not be done. Basically, it repeats "We are always making changes and improvements to Spotify" as a mantra; every change is just that. Meaningless changelogs should be something of the past.

One of the more prominent victims of the NotPetya attack has been the logistics giant Maersk. You know them from the containers in the port of Rotterdam. At least two of its container terminals in Rotterdam were seriously hit. The cargo could not be unloaded, ships had to be diverted, and trucks could not pick up or deliver containers. The damage is estimated to be in the hundreds of millions of euros, and nearly a month later Maersk was still struggling with the fallout. Internal documents of the company reveal that the company had been warned many times about its lacking security over the course of several years. Apparently, there
was no network segmentation, no firewalls, no monitoring and no virus scanners in place. The response of the management in 2016: "We will not fix these vulnerabilities, as updating and reorganizing means downtime." Lazy and stupid, of course. I'd say it's better to have a short and scheduled interruption than an unexpected and longer disruption. And Maersk, of course, is not an isolated example. So sometimes process-related problems are the cause of a slow installation of updates. Some companies are required to have their entire infrastructure re-certified before they may take it into production again. If such an organization has to go through the entire certification process every time they install a new update, it is no surprise that the company chooses to collect all those updates in a single run. The result: longer periods of vulnerability. What also happens: an organization depends on an external company for the administration of their computer systems, and if they don't have time right away, the organization has to wait for them as well. So an update of this process should not just be about the updates, but also about the process around it. It should update all of the related procedures. It means that the process of applying those patches should also be structured differently.

Something else. How much did your mobile phone cost?
The answer that most of us will give is probably a few hundred euros, sometimes even up to a thousand. For most of us, the data on a mobile phone is a fairly complete reflection of one's life. It includes your holiday pictures, your most intimate chats, your internet banking and a continuous record of your whereabouts. Therefore, I'd say it's not unreasonable to expect the manufacturer of your phone to support it for at least a couple of years. Maybe four, maybe six, especially if you include secondhand use. And if a vulnerability with an impact on the security of your data comes to light during that time, it's reasonable to expect to receive an update to resolve that vulnerability. The reality is different. Some mobile phones were already unsupported on the date the phone was sold as new. And it's not just me who is worried about this. The Dutch consumer organization Consumentenbond has started a court case against Samsung. It has asked the court to order Samsung to provide all of its smartphones in the Netherlands, for a period of four years after their placement on the market and/or two years after the time of the sale by Samsung or through a retail channel, with updates that repair these vulnerabilities in the software. In my opinion those two years are still very short, but it's definitely better than the current situation. So security is something that is an ongoing concern, or there should be an ongoing concern. I strongly believe that manufacturers should provide security updates for as long as the reasonable lifetime of a product. That can't be too much to ask, right?
And this is the easy part: the support for just a couple of years. But once we have connected everything to the internet, we are talking about a lifespan of a decade for some of the devices that are available. All the cars and fridges should also receive those updates. It would be fairly dumb if a car could no longer be driven safely just because the manufacturer does not want to provide the necessary support. In the case of a mechanical malfunction your local garage may be able to help out, or you can hack your car yourself. But because the source code of the software the car is running on is a company secret, that is becoming increasingly difficult. And from the viewpoint of environmental sustainability, it is also a complete disaster to have to replace a car after 10 years just because security updates will no longer be provided. And here's another complication that remains unanswered for now: what to do if the manufacturer has meanwhile gone bankrupt? I don't know, actually.

I know one thing for sure: if I myself need to check regularly for security updates, I'm vulnerable most of the time. This becomes less of an issue if my connected devices look for new updates on their own and then notify me if there's a new update available. However, of course, often this notification is shown at moments I don't have the time to deal with it. The apps on my phone, however, are almost always up to date.
It happens automatically and I hardly notice it. Once every few days I check what has changed, and I'm convinced that for the vast majority of users and devices this works perfectly, especially if the security updates are just that: security updates. So I think that normally automatic installation of security updates should be the default. And of course, when someone suggests introducing or enabling automatic updates, there's always someone saying that you don't want automated changes to a running system. And indeed, there is of course a risk of a crash when a running system is updated behind the scenes. My response is twofold. Firstly, the solution should then not be to disable those updates, but to improve those updates. The manufacturer should be able to say: we have so much confidence that our product still works after an update that we do not even have to ask you. If it gives you any shit, then they will come to resolve it. Secondly, there may be exceptions in specific cases. Some people in this room may have to deal with a threat model that requires you to take a different approach. Therefore automatic updates should be the default, but at the same time you, the user, should be able to opt out. And yes, there are still some unresolved issues. What if the security update requires a reboot or interrupts the user's process? We need to find some clever solutions around that. But as a general rule, automatic installation of security updates is good, I think.

So what is it that most users will do if their browser interrupts their workflow with a pop-up window that urges the user to install an update to prevent losing files? And would that decision be any different if the user sees the message right after hearing about a worldwide attack with ransomware? There's a good chance.
I guess there's a good chance that the user will click the install button. But there's an equally good chance that the user is not installing a security update but the malware the user just wanted to prevent from being installed. The point is, in many cases the checks on the offered update are not done well enough. And then you get the question: is the offered update actually coming from the manufacturer, or is it from someone else? So we need to ensure that the security update is installed and not just the malware. Systems should be designed in such a way that the user only installs security updates from a trusted source. And I think that for a large part this can be enforced technically, by signing and verifying the update, encrypting the payload, and the use of certificate pinning and other means like that. Of course, this means that the manufacturer needs to make an even bigger effort in protecting its own infrastructure. This has been perfectly illustrated by the NotPetya attack: both the initial attack pushing the backdoor as well as the push of the malware were done by using the host's regular update check.

And obviously there shall be no exceptions for our governments. To abuse the security update process seems quite trivial if you want to place a backdoor in, say, WhatsApp. Suppose law enforcement wants to read the WhatsApp messages of a specific user. They are unable to read the chats in transit due to the end-to-end encryption. So suppose law enforcement doesn't have access to that device. Then law enforcement might force WhatsApp to push an update to a specific user that disables the encryption of all messages to and from that one user. Or they can covertly add an additional key to encrypt all the messages to; that will make the chat comprehensible even when intercepted in transit. And of course the first time that will be very, very effective, and maybe the police
can use this to prevent a couple of murders. But what it also prevents is internet users installing security updates. Users will no longer automatically install security updates if they can't trust those updates. They need to be sure that governments are not abusing the security update process for their own gain. So we need to make sure that the trust of users in security updates is maximized. Our governments must make courageous statements speaking against abusing the process of security updates for offensive measures. That will be hard, but not impossible, I think. Take for example the Dutch government, which last year published a statement in which it said that it finds the weakening of encryption undesirable. That should be the same for using security updates for offensive attacks.

And while talking about governments, here's another one: security updates and zero-days, that doesn't work together. Manufacturers must be made aware of every vulnerability found, especially if such a vulnerability potentially has an impact on the digital security of the general public. And with this audience this doesn't need any more explanation. But governments should not keep vulnerabilities secret, governments should not participate in the market for unknown vulnerabilities, and they should renounce the purchase of devices that exploit those zero-days.

Here's something else. Apple's announcement of the new version of their mobile operating system garnered quite some attention because of its facelift of the so-called lock screen and notification center: a new design, new settings. That's nice for those who want to have these new things. But anyone who is happy with the current functionality may decide not to install the update. Although the choice is understandable, it is not without undesirable consequences, because if you do not install this update, you are sooner or later also deprived of any security update that builds upon this unwanted update. So I think security
updates should be separated from feature updates. So manufacturers should distinguish between security updates and other updates. Users should be able to install security updates that resolve vulnerabilities without being forced to accept changes in functionality. That's something that is done by Ubuntu quite well: there you can choose to have your computer only install security updates while ignoring all non-essentials. Or to put it more strongly: every hurdle that hinders the installation of a security update should be removed where possible. That means that the availability of a security update should not depend on the contractual agreements between the manufacturer and the user, or that the user may be forced to pay for an update that resolves the vulnerability. And the same holds true for other changes in, for example, a smartphone. An update that comes with changes in a setting or a change in the permissions that an app requires will also prevent the quick adoption of that security update.

So these are the 12 changes, the 12 fixes for issues with the current process of deploying security updates. And it's of course very easy to identify them, but deploying them is a lot more difficult. So how to deploy these updates? A good thing is that none of these changes require a complete overhaul of the architecture or the principles on which we work. It does however require a change of attitude and habit. And because the interests of the stakeholders aren't aligned, this will be a big challenge.
Nevertheless, it seems obvious to look at the manufacturers of hardware and software for help. After all, they are the ones that develop and maintain most of these systems that we want to update when necessary. However, investing in the update process is not something the shareholders will cheer on. It costs money and yields very little, especially in the short term. So I'm afraid that manufacturers are not going to deliver the solution. Of course, companies benefit from users that have great trust in the digital infrastructure they use. But the benefits of increased trust are not directly visible or easy to monetize. It has to come from the entire industry. So you can of course be the only company that produces a secure connected teddy bear, which then comes with a higher retail price, which will make it more difficult to sell. But if the rest of the industry is not following you, trust will not grow. And as we all know, it is not realistic to think that an entire industry will suddenly start to show corporate social responsibility. No, we shouldn't expect much from manufacturers, and that means that the government has a role to play here. The common interests are simply too large to just let the bad outcome happen. We should force manufacturers with laws and regulations, unfortunately. And even though I have a preference for small-scale rules, this is something that needs to be done on an international level. The Netherlands, for example, depends far too much on foreign manufacturers for our systems. Moreover, even if you would have a very secure product in the Netherlands, if the rest of the world attacks us, we're still doomed. So ideally we would therefore regulate this at a global level, but that may be a little bit too far-fetched and take too long. So this has to be put on the Brussels agenda soon. Compare it to safety belts in cars: mandatory because of the societal damage and deaths that we would suffer otherwise. And the good
thing is, the safety belts also allowed us to drive even faster without great risk. Such rules should enforce a few things. Manufacturers should be forced to use secure protocols, standards and default settings. Security researchers who discover a vulnerability in a responsible manner should be able to report it without fear of repercussions. And companies should be forced to provide security updates quickly and adequately. The new rules should also ensure that companies are liable for the societal damage they cause if they are sloppy about the security of their products. And of course not only rules, but also strict enforcement if the rules are violated. But the government should also consider its own policies. It cannot be the case that the government participates in the market for zero-days, or that it hijacks the process for installing security updates to create a backdoor. And last but not least, we need to convince the internet user to ask hard questions. It helps if the users are aware of the risks. They need to think about what happens to their most intimate photos created on a device that has many vulnerabilities and no security updates available. And I'm afraid that we will need to have some more of these disruptions before users truly understand the potential risks. But even then, awareness amongst users will not solve all of these issues. You cannot expect the average Joe to correctly consider all security aspects of a device, which is another reason why it's time for the government to step in.

So the takeaway: we need users of any kind to trust security updates. To get there, we need to look at the entire process, not just at some isolated components. In this talk, I've mentioned quite a few of those components, and I'm very happy to hear if I missed one or two. But I'm convinced we need to update the entire process of deploying security updates. It will be a
challenge that we cannot do without. And that's where I want to leave it. Question everything, please. Thank you.

So please, if you have a question, line up at the front or the back.

You suggest that the government should regulate this behavior that you are in favor of. But let's say that in Europe this would happen. We all know how many devices come from China, and they will not be subjected to anything, because people buy them and get them delivered without any interference of any government, I think. So how do you look at that?

So I'm not sure whether regulation will solve all of the issues. I guess there will always be insecure devices, of course, but I do think that we can regulate this, especially for the more impactful, the more important devices. We also have, for other systems, some regulation that requires devices to meet some standards. If the device, even if it's made in China, doesn't meet those standards, it is not allowed on the European or the Dutch market. And I think we can do something similar with this as well. It will not solve every issue, because of course you still can buy and connect insecure devices from abroad, but I do think that especially for the more important devices we can regulate this.

Please go ahead.

Rejo, first of all, thanks so much for the work Bits of Freedom has been doing in the Netherlands and for promoting digital rights in the Netherlands. That's awesome. Thank you. I'm a bit surprised that you're proposing regulation here so much, because regulation is slow, and if we look at the practices of regulation recently by the Dutch government and European government, I cannot say I'm a big fan. Then, next to that, regulation is always a little bit too late. So aren't we going to regulate and say what the best practices are today?
They might end up in regulation in five years, at which time those regulations are going to be outdated. So we're going to say that you're going to use all standards that are then already practically insecure. So shouldn't we actually be using standards bodies for that? Or how would you approach that problem?

So that's a good question, and I'm not in favor of even more rules, just like you. So yeah, I do understand the question. I think that the regulation is some kind of a last straw we are holding on to, because I don't believe that this will be fixed by those companies producing those devices themselves. And the reason for that is something which I already mentioned: it costs them too much to make it really secure. So they don't have an incentive to make it secure, and that will not change unless there's some external force forcing them to do that. And of course there are many ways: regulation would be one, standards bodies would be another one. I'm not sure whether, if there will be standards, companies will still apply those standards. So I think that there needs to be some external force in order to have those companies make secure products. It's not something which I like, but I don't see this happen otherwise, because companies will not do that themselves, I'm afraid.

I fully agree. Can I ask a follow-up question? Or am I the first? Sorry, just interrupting you again.

And that's one more thing. You also mentioned the role of our governments in the Netherlands and in Europe. I also think it's very, very important to look at their role themselves, because they also play an important role in how we secure our digital infrastructure. So for example, the Dutch government recently said the government wants to have the Dutch police be able to hack into a computer via the internet.
Of course thank you, of Of course, they need to have a vulnerability for that So you could say the dutch government has an incentive to keep those vulnerabilities secret so My my plea will be for additional regulation But my plea will be also to have governments doing the good things and not introducing Legislation that would that is an incentive to keep those fundamental vulnerabilities secret To have him ask another question. Sure. So in the back Uh, you you had a follow-up question, right? Uh, yeah, so, uh, uh, the question is At what if we start regulating this for instance in the netherlands We've seen proposal regulation on security of iot coming out last week in the u.s. Ron Wyden Came up with this idea that iot devices should be updateable Should not have hard-coded Passwords in the firmware which all sounded very reasonable. So If we have different regulations in different countries, then we end up with a regulatory mass in which we end up in further Breaking up of fragmenting the internet. That's that's a serious problem So if you would like to think about regulating at what level Would you propose and do it and would you say? That the un has a role in that or would you then rather put it to the standards bodies because we've seen that in the general assembly security council or even worse in the itu The favor is more towards the china russia block than towards people more in favor of So I think it will be for companies it will be very convenient if There were the same rules just about everywhere But unfortunately, I'm afraid that if we want to do this globally it will take too long to build those rules That there's a process that will take Tens of years that's way too long so That's why I was saying that I believe that this should be done on a lower level So probably like in on a european level for a starter and maybe the europeans can Have a conversation with the u.s. 
And we can seem to align those regulations, but I think it's way too important to To have to have those companies produce secure devices Then to have then to make sure that everywhere in the world we have the same rules because that would take too long So that's my preference would be as on a higher level, but not too high that it takes too long Yeah, the gentleman in front Hi So you talked about liability of The people who create the software What are your thoughts on the on the liability of the people who write open source or my preferred term free software which often comes with sort of the The text that you can't assume that it does anything basically Use it at your own peril. Would that be okay? Is there an exemption? What are your thoughts? Well, at least there's one very huge Difference between the closed and open source software. So with the open source software, of course, I don't have to explain it I think Someone is able to look at the code. Someone is able to hack the code to change it And to make it make its own adjustments. So I would say that the liability Obligations would be should be higher on the closed source software And lower on the open source software. I'm not sure So I'm I'm not sure whether Liability should be totally gone with open source software because I think that Even with open source software, you may have some responsibility But I do think because it's open source, it's of course, it's different. Sure Any other questions from the room? Don't be shy And if not, let's give a warm round of applause Yeah, just wanted to add so if people are shy, we'll be talking on a much smaller scale In the 10th next to this one It's called the exploded teepee and it's just right next door. So please be welcome to join the radio there And let's give him a warm hand for his talk. Thank you
