T.Rob Wyatt

WebSphere Connectivity Product Management, IBM
Charlotte, NC, United States

About T.Rob

Languages

English

Areas of Expertise

Network & IT security

I'm passionate about

improving the state of network security to make our digital world a safer place since we now entrust much of our lives to it.

Talk to me about

Network security - I have stories that will give you nightmares and make you think twice about who has custody of your data.

Comments & conversations

T.Rob Wyatt
Posted over 2 years ago
Mikko Hypponen: Three types of online attack
People who are law-abiding and low profile often feel they don't have a stake in the game. But suppose you invented the next Facebook and suddenly had money and power at a level you never dreamed of. Now you are still a law-abiding citizen but with money and influence people expect you to take a side. Even if you don't take a side but attempt to remain low-profile and neutral, you are still a threat. Does it matter now whether you have privacy? Would you agree to having all mail sent as post cards and eliminating envelopes by law? Carnivore is a system that intercepts and scans all emails. Not only are emails effectively post cards, but because they are electronic, it is possible to inspect EACH one individually. Would you agree to the government recording your voting record? In order to make it possible for you to audit your e-vote, the system *must* record it in a way that is traceable back to you. People with high profiles have more at stake, regardless of whether the source of that profile is their money, their ideas or their influence. Loss of privacy becomes an imbalance of power. By the time you are impacted enough to care about it, the balance of power will be weighted so heavily against you that there will be nothing you can do about it. As Mikko said, on this there can be no compromise. We must protect privacy on the principle of the thing. The slippery slope goes vertical after the first foot or so.
T.Rob Wyatt
Posted over 2 years ago
Mikko Hypponen: Three types of online attack
How in the world do you have only 5+ TED Cred? ;-) I +1'd your comment. I wish I could +100 it. Thanks for raising awareness of this topic. In another comment I mentioned that I'd reported a web site vulnerability to a vendor who has for three years now refused to fix it. Their web site sends ID and password in the clear and they keep personal info and credit card numbers on file. My response to this is that customers need to educate themselves so they can tell the difference between a secure and unsecure product, then hold their vendors accountable for building security in. The premise is that vendors won't invest in security unless there is a positive return on that investment. I'm curious what you recommend for this particular problem. There is a direct connection to privacy in that if people don't know the difference between secure and unsecure products, the price and functionality drops to the unsecure one. Similarly, there's an argument to be made that these same consumers don't know enough about safeguarding privacy to claim reasonably that they value it. Facebook proves that functionality trumps security and privacy most of the time. How do we ask governments to not invade our privacy while simultaneously giving it away freely to corporations just to make the "Like" button work or get 5 cents off a can of beans? How does a government provide services while remaining competitive to private entities who enjoy a significant income stream derived from exploiting otherwise private data about us? Even if the government stopped directly collecting our data, won't they just buy it from the corporations to whom we happily volunteer it? I don't think we turn the tide on any of this until security and privacy enters the popular culture to the point that an average person expects it, knows what to look for and demands accountability. We've got a long road ahead of us. I thank you for walking down it and hope it's not too lonely for very long.
T.Rob Wyatt
Posted over 2 years ago
Mikko Hypponen: Three types of online attack
So what is "an asset" as used here? The balance of wealth on the earth is quickly shifting from atoms to bits. The value represented by things that can be sheltered from on-line discovery is dwindling. The remainder cannot adequately be protected. The Stuxnet worm crossed an air-gap to get at systems that weren't directly connected because even disconnected systems need to communicate with the external world somehow. How do you propose to prevent a digital asset from online discovery? The problem exists in a much bigger context. People keep framing things like the SOPA/PIPA debate as if the media conglomerates had extraordinary power. What is overlooked is that SOPA/PIPA provide governments the tools they need to invade privacy under cover of copyright protection. Until we accept that there is no way to guarantee privacy for law-abiding citizens without also guaranteeing privacy for lawbreakers, the trend will continue to be the abridgement of rights in the name of copyright or counter terrorism, the "war on drugs" or any of dozens of bogeymen whose sole purpose is to make us give up our rights in order to assuage our fears.
T.Rob Wyatt
Posted over 2 years ago
Why do we consider groups motivated by protest to be attackers?
Q: "Why do we consider groups motivated by protest to be attackers?" A: Because that is what hacktivists want. Corporations can get away with skimping on cyber security because their users do not demand it nor hold them accountable for it. Anonymous wants to change that by making you realize that YOU are directly at risk. The only way this works is to actually exploit vulnerabilities and then prove the exploit by releasing confidential data. Without incidental damage to that vendor's customers, people who aren't being harmed continue to think it can't or won't happen to them. By causing harm to end users and consumers, Anonymous and other groups make the threat real so that the public starts (FINALLY) to take notice. "Hey, this could happen to me! I'd better ask my bank why they don't offer 1-time use credit card numbers or SMS login verification." Hacktivist tactics work in part *because* we consider them hostile and then demand protection and accountability from custodians of our data. The market system rewards the most efficient producer of a good or service. As long as end users are not demanding security nor holding their vendors accountable, investment in security is an unrewarded cost that makes the secure company less competitive in the market. Until it becomes cost effective to invest in security, companies won't do it. That means a majority of users need to speak out and start differentiating products based on security. To give one example, I've notified Hilton several times since 2009 of a vulnerability in their HHonors web site. I've reported it through their customer service, through hotel managers, through their High Speed Internet Access satisfaction surveys and through their marketing department. I even located someone whose account had been breached. Despite having reached and exchanged emails with VPs since 2009, the site to this day remains vulnerable. Apparently securing my and your information is not profitable. Yet.
T.Rob Wyatt
Posted almost 3 years ago
If you could do a TED talk, what would you talk about?
I would give a TED talk about how Information Security vulnerabilities are this century's equivalent of toxic waste dumps. With all other factors being equal, a company that properly disposes of waste has less margin or profit than one that cheats. The practice of dumping waste shifted massive wealth and health from the future and converted it to present-day profits for the dumpers. Unfortunately, the transfer of resources this way is not very efficient because the cost to clean up is orders of magnitude greater than the cost of proper disposal and the toll in human suffering is immeasurable. Info security today is in the same position. Our banks, retailers, manufacturers and even governments and infrastructure targets are cutting corners on security in the name of higher profits. The result is a wholesale transfer of wealth from the future to a much lesser present day profit. Like toxic waste, the cleanup costs are orders of magnitude greater than the cost of proper security. Sadly, also like toxic waste, there is a tremendous toll in human suffering. In the US when your Social Security Number is compromised, that is for life. It's not replaced and never again safe. When your bank accounts are taken over, the money usually funds organized crime. When a certificate authority is breached, political dissenters lose their anonymity and can die. A breach big enough to bring down a large corporation could have impacts on a global scale. The breaches we have seen in the news recently are just the tip of the iceberg compared to the growing pool of accumulated security exposures. The frequency, magnitude and consequences of breaches continue to rise and there are no indicators that things are going to get better any time soon. The good news is that individuals like you and me can choose to do something about it if we want. My talk would be a call to action and include specific things anyone can do that will make a significant difference.
T.Rob Wyatt
Posted about 3 years ago
What does the recent intensification of hacker attacks represent? Is there a real threat to the prospect of cloud computing?
When I said "lack of knowledge" I was being generous. The knowledge that would have prevented many of the recent breaches exists and has for some time. Many of these were simple SQL injection or similar elementary attacks. Then in several cases the databases contained unencrypted passwords which, again, violates some very basic security tenets. So when I said "lack of knowledge" I specifically meant on the part of the developers and project managers responsible for the sites and systems that have been recently breached. My comment about lack of investment is that in some cases the developers and/or managers are well aware of the problems and make a considered and deliberate choice to not spend the money to do it right. A vendor that I use renders login forms over HTTP (instead of HTTPS) and then submits user credentials in the clear. I not only told them about it, but I also found someone whose account had been hacked due to the vulnerability and their credit card charged. The victim got his money back but the site - now 3 years later - remains vulnerable. Considering that I'm a customer of this web site, and sufficiently knowledgeable that I was able to provide them with a full description of the problem and suggested remediation, I question how effective customer requirements are. Although the impact of a breach is one or more orders of magnitude greater than the cost to prevent it, companies will continue to neglect "nonfunctional" requirements such as security. As far as competition, the companies who ignore security make more money than those who invest in security, all other factors being equal. This changes with a breach but breaches are still perceived as "cannot happen here" events. Competition is what is driving the bar DOWN, not up. Until breaches are so numerous that companies plan ON having the breach rather than betting against it then competition will continue to push security to the bottom of the priority list.
T.Rob Wyatt
Posted about 3 years ago
What does the recent intensification of hacker attacks represent? Is there a real threat to the prospect of cloud computing?
What they represent is a wake-up call. Many of the recent attacks used vulnerabilities that have been well-known for years. These are not due to the bad guys suddenly getting much better but rather because the bad guys suddenly got motivated. For a large corporation's web site to be vulnerable to simple SQL injection, or for them to store unencrypted passwords at this point in time, is crazy. The possibilities are that the site developers didn't have a clue about basic security or that they chose to cut costs by omitting basic security. Which of these is worse if it's *your* vendor playing fast and loose with your personal data? The threat isn't specific to cloud computing, nor does the cloud make it worse. The requirements for cloud security differ from those of traditional architectures but the real problem is lack of knowledge and investment in securing the systems. Whether your data is in the cloud or in the corporate internal network is irrelevant if the controls available to secure it are not applied.
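The two comments above single out the same elementary mistakes: building SQL from user input and storing passwords in plaintext. The following is an added illustration, written for this page rather than taken from T.Rob's comments or any vendor's site, of what "basic security" looks like for those two points: a string-built lookup beside its parameterized form, and a users table that holds only a salt and a PBKDF2 digest so the plaintext password is never kept. The user names, passwords and hostile input are constructed sample data; the iteration count is an assumed work factor to be tuned per deployment. Serving the login form over HTTPS, the third problem the comments raise, is a transport matter and is not shown in code.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample accounts for the in-memory demo database; not real data.
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware. The point
# is that verifying a guess is deliberately slow, unlike a bare hash or plaintext.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. Returns (salt, digest); the plaintext is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_db(users=SAMPLE_USERS) -> sqlite3.Connection:
    """Build an in-memory users table holding only salt + digest per account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    for name, password in users:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The elementary mistake: user input spliced into the SQL text.
    Whatever the caller passes as `name` becomes part of the statement, so the
    WHERE clause no longer means what the developer wrote."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """The fix: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def verify_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Check a credential against the stored digest; plaintext is never compared."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Spend the same cost for unknown users so timing does not reveal which names exist.
        hash_password(password)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def injection_demo() -> dict:
    """Run one hostile input through both lookups so the difference is visible,
    then exercise the password check with good, wrong and unknown credentials."""
    conn = create_db()
    hostile = "nobody' OR '1'='1"  # constructed input; a name that is also SQL
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),        # every row comes back
        "parameterized": lookup_parameterized(conn, hostile),  # no such user, nothing
        "alice_ok": verify_login(conn, "alice", "correct horse battery staple"),
        "alice_wrong": verify_login(conn, "alice", "hunter2"),
        "unknown": verify_login(conn, "mallory", "anything"),
    }


if __name__ == "__main__":
    print(injection_demo())
```

The contrast is the whole lesson: the string-built query returns both accounts for an input that names neither, while the parameterized query treats the same bytes as an ordinary (non-matching) name. On the storage side, a stolen copy of this table yields salts and slow digests rather than the reusable credentials that the comments describe turning up in breached databases.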
T.Rob Wyatt
Posted about 3 years ago
Should an interface have an emotional connect with a user?
I just read a book called "The Man Who Lied to His Laptop" by Clifford Nass and the answer from his research would be a resounding "yes!" He describes many fascinating experiments in which the computer software responded with negative, neutral or positive emotional feedback and the human participants responded much differently on that basis. Apparently, we respond emotionally even when we are aware that the thing we are interacting with is a computer program. The implication is that conscious and deliberate design of the emotional impact of the human-computer interface has the potential to improve our experience with expert systems, voice response units, customer service portals and just about everything else where we must interact with automation.