Charlie Miller On Hacked Batteries, Cloud Security, And The iPad

So, What's Our Call To Action?

Alan: Usually, at the end of the interview, I ask security experts what end users should do to be as secure as possible. I know that one recommendation I’m making is to abandon the traditional thinking of "don’t update your software right away, so that other people can be the beta testers and figure out the compatibility problems." It seems more prudent to always update to the latest version to keep yourself patched against the newest vulnerabilities and deal with the compatibility issues as they come. But it seems like in today’s world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony. From a criminal organization, it’s far more effective to try to attack large databases rather than individual systems. What should be the call to action in 2011?

Charlie: Yes, as individuals we are pretty powerless. Even enterprises have to rely on the security of their devices and desktops, which they have little control over. Enterprises buy IDS, AV, etc., but still can get attacked by zero-days and it’s all over. So what we really need to do is force large vendors to do a better job writing secure software. Either lobby our government to hold them responsible when their bugs cause us financial loss or vote with our pocketbooks. Refuse to buy software that has problems, require the software to be audited and fuzzed by some independent organization. Besides that, all we can do is wait for the inevitable and then try to react as quickly as possible to limit the damage.

Alan: As always, I really enjoyed talking with you and appreciate your insights.

Charlie: Thanks. I enjoyed it as always!

We thought Charlie's recent keynote at NATO's International Conference on Cyber Conflict was pretty interesting. Check out the full discussion below.

  • Darkerson
    Pretty interesting read. Keep up the good work!
  • pepe2907
    Good call, but whoever actually reads the license agreements knows software manufacturers refuse any possible liability for any damages.
    If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.
  • DavC
    interesting read!
  • mayankleoboy1
    "No matter how much security you build into a system, if the user really wants to run a piece of malware they think will show them some naked pictures, they're going to figure out a way to run that program."

    exactly
  • mayankleoboy1
    if only software could be people-proof.
  • jacobdrj
    mayankleoboy1: "if only software could be people-proof."
    "A farmer notices his chickens are getting sick, he calls in a physicist to help him. The physicist takes a good look at the chickens and does some calculations, he suddenly stops and says 'I've got it, but it would only work if the chickens were spherical and in a vacuum.'" - Big Bang Theory...
  • slicedtoad
    So is it safe to say that as an end user we shouldn't be overly concerned about personal computer security?
    Here's my checklist. Don't download unknowns, don't reuse passwords (for the important stuff anyway), get a decent AV (like ESET) and keep your computer up to date.
    Multi-layered security on a home PC doesn't make sense, nor do 15-character alphanumeric passwords (in most cases). No one is going to specifically target you or your PC.
  • weaselsmasher
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.

    What's this article really about, security or celebrity?
  • christop
    Enjoyed this... Wish I had a few 0days sitting around to sell...
  • PreferLinux
    pepe2907: "Good call, but whoever actually reads the license agreements knows software manufacturers refuse any possible liability for any damages. If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy."
    Yes, but whether that is fully legal or not is another story.