Some of you will be old enough and have enough working synapses to remember the early days of the DEF CON hacking conference. If you think you remember the first one, which was in 1992, you would have to be one of the hundred or so hackers who attended what was essentially a private party to say goodbye to one of the founder’s (Jeff Moss AKA The Dark Tangent, mwahahaha) pals who was moving to Canada.
It’s a clever name. DEFCON is the US Armed Forces Defence Readiness Condition as brilliantly immortalised in the film War Games. If ever there were a film crying out to be remade (not rebooted) it is War Games. DEF are sequential keys on a telephone keypad and this was a nod to phreakers like Mr Kevin Mitnick, and of course CON is short for convention, applause all round.
Fast forward 27 years and DEF CON 27 (the first one was obviously DEF CON 0) was a huge sprawling event attracting 30,000 visitors, a lot of whom know very little about hacking. The rest however, do. A notable addition to this year’s conference was an Aviation Village which “welcomed those who seek to improve aviation security, safety, and resilience through positive, productive collaboration among all ecosystem stakeholders”.
Once you have gotten over the corporate speak, the Aviation Village is a very good idea. Compromising flight systems has long been rumoured to be possible and we do know that poor systems caused many deaths in the two Boeing 737 Max crashes.
Obviously, the best idea would be to do the security testing during development, and that is improving, but there are an awful lot of vulnerable systems up there with souls on board. Transparent security testing of these systems can only be A Good Thing. And that is what the United States Air Force think. At this year’s DEF CON they (the USAF) brought along an F-15 data system, which was then taken apart and hacked mercilessly by vetted good guy (honest) hackers, including infecting it with nasty malware.
So pleased were the Brass from the Air Force that, in amongst one of the biggest ‘what could possibly go wrong’ (WCPGW in the hax0r world) moments we have seen for some time, this week offered up an orbiting satellite for next year’s conference. If you have never been to DEF CON before, next year might be the time to visit. They are unlikely to bring down the satellite or any satellites it crashes into on Vegas while they are there (unless of course it is on Sky Box Office). Get your tickets here. Let us know if you are going, we would love to meet up and talk geek and all the other stuff you might do in Vegas. You never know it might even drive us out of our minds.
While we are on a geek theme, you will no doubt recall that we have been very worried about the potential vulnerabilities that may be inadvertently introduced into containerised, serverless compute or any systems that appear to be too complicated for their own good. Since this blog is not meant to be a technical lecture, we have until now, refrained from going into the detail. In fact some of you, you know who you are, have even muttered words like ‘scaremongering’, ‘luddites’ and such like.
Good news then that the containerisation community has done our work for us. One of our old greybeard, retired ninja associates brought this ‘Gentle Introduction to Kubernetes’ tutorial to our attention. Now our greybeard circle is pretty experienced in all aspects of technology and this ‘Gentle Introduction’ not only totally befuddled us, it very clearly illustrates the complexity of these systems.
Complexity is not the only issue. The example, and therefore one would presume many production Kubernetes systems, uses public repositories. That’s right, public repositories. As our old sage himself says ‘can someone spell watering hole attack’? You might remember what changing the content of external libraries did for Bitcoin Wallet provider Komodo.
You don’t have to read the whole of the very far from ‘gentle’ Introduction to Kubernetes but we recommend you give it a skim to get a sense of what we are talking about.
As the very same sage says – ‘the only people who need Google-sized solutions are bbbbeeeping Google’.
If your company is developing containerised solutions, on the bandwagon so to speak, we recommend, that like the aviation industry, you build the security in at the front end or suffer the consequences. ITC are well positioned to help you with this and will even take time out from reading satellite manuals to help you. Contact us at: [email protected] or call 020 7517 3900.
