In this inaugural episode of the O’Reilly Security Podcast, I talk with Allison Miller, a product manager at Google and my co-chair for the new O’Reilly Security Conference. We discuss her evolving understanding of the nature of risk and fraud in complex systems; the role of humans in technical systems; the cultural downsides of security by obscurity; and the new conference we’re putting together, which is squarely focused on helping defenders.
Here are some highlights from our conversation:
Emergent risk in complex systems
Early on, I thought of risk as this very vague thing, which I still do. I thought of it as misconfigurations that could be exploited or bugs that could be exploited, that sort of basic thing: something is set up wrong and then someone can abuse it. As I was studying, I started thinking it is really more like a system dynamics problem. I started to get a little more deep into how fraud manifests or industrial espionage or those types of crazy things, that it was not about the underlying technology system but the overlying social and economic influences that really would bring in different types of risk. The systems that I work with—payment social systems, online platforms—they're so big, you must be able to aggregate them and try to look at them at a macro level as well as from that more micro, under-the-hood level.
Humans in the machines
If what's all around us, what we engage with [in our daily work] is technology, then it seems like the problems that are posed to us by the technology require technical solutions. If what you're given is "this software is broken," then you assume that the solve you need to put in place is a software or technical solution. If we think of the problem as being an interaction between me and you, then we would probably realize that it's a human solution versus a technical solution that's going to be needed for those issues.
Open vs. obscure
Companies are less interested in having their defenders go out and explain how they do what they do. There are a lot of cases where it would be perfectly safe and perfectly fine and help everyone if some folks who have figured out how to do things can share what they've learned. The folks who are doing the defense, they don't have anything to sell, so they're not necessarily motivated to go out and shout about what they're doing. We don't really have anything that's a big splash. What we have are people who are diligent and they're working hard and they have things to share.
Focusing on defense
For the most part, conferences in the security space try to bring together a mix of what's new and hot in understanding threats and vulnerabilities, and tools and techniques—in that way, [the O’Reilly Security Conference] is the same, but what makes it different is that it's focused on defense. Another thing that makes it different is that it's not really about new research, per se. It's more about things that can be applied, that can be helpful. Folks who have a new paper that's peer reviewed and going through academic circles—we would be interested in those topics, but only if there's a takeaway that is really going to help someone improve the defenses of the system they're trying to protect.