Is Online Privacy a Thing of the Past? Big Data and Security at Web Summit 2017
Big data and security were such hot topics at Web Summit this year that I thought they deserved a blog post all of their own, so feast your eyes on this! (For the rest of what I learned over these two days — and there were some pretty awesome things — click here).
1. How we as developers can make our applications more secure
Chris Wysopal from Veracode spoke first about how to use open source libraries while keeping our apps secure. Apparently 96% of applications contain open source components, and the average application includes 46 open source libraries, comprising 80–90% of the codebase. Given that software rots over time and that vulnerabilities can sit dormant in code for years before being discovered, it pays to stay on top of which libraries you’re using. He gave us the following tips:
· Use fewer, better packages.
· Use packages that are proven to work and which are vetted by your security team.
· Keep track of which libraries you have.
· When downloading modules, watch out for ones named similarly to popular packages (differing by, say, just a hyphen) which sound legitimate but are in fact malicious.
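That last tip can be partially automated. As a minimal sketch (the allowlist of “popular” package names here is hypothetical, and a real check would use a much larger, curated list), one could flag requested dependencies whose names are suspiciously close to, but not exactly, a well-known package:

```python
import difflib

# Hypothetical allowlist of popular, vetted package names.
POPULAR = {"requests", "numpy", "lodash", "express", "django"}

def suspicious(name, known=POPULAR, cutoff=0.85):
    """Return the popular package a name resembles, if the name is
    very close to -- but not exactly -- a well-known package.
    Near-miss names are a common typosquatting pattern."""
    if name in known:
        return None  # exact match: this is the real package
    matches = difflib.get_close_matches(name, list(known), n=1, cutoff=cutoff)
    return matches[0] if matches else None

# 'reqeusts' and 'request-s' resemble 'requests' but are not it.
for candidate in ["requests", "reqeusts", "request-s", "leftpad"]:
    hit = suspicious(candidate)
    if hit:
        print(f"warning: '{candidate}' looks like '{hit}' -- verify before installing")
```

This is only a sketch of the idea; in practice you would lean on your package manager’s own tooling and your security team’s vetted list rather than rolling your own check.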
Window Snyder, CSO of Fastly, followed up, saying that compromise is essentially inevitable and it’s impossible to remove every vulnerability; resilience is about how quickly you can a) detect that you’ve been attacked and b) respond. Her advice for reducing our apps’ vulnerabilities (besides encrypting everything):
· Don’t be a single step away from an attacker getting into your code.
· Research what security threats might impact your platform and where you’re most vulnerable.
· Isolate components that do something sensitive or dangerous — this reduces the attack surface.
· Delete any unused code. Unused code enlarges the attack surface and is therefore a risk to the business.
· Consider what data you really need to store and don’t keep anything you don’t need.
· Deploy critical patches as soon as they become available — once a patch has been released, the vulnerability is known and therefore hackers can use this knowledge to find a way in.
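The data-minimisation point above translates directly into code. As a minimal sketch (the field names are hypothetical): rather than persisting whatever a form or API hands you, whitelist exactly the fields the business needs and drop the rest before anything reaches storage:

```python
# Hypothetical example: suppose the business only ever needs these fields.
FIELDS_WE_NEED = {"user_id", "email", "plan"}

def minimise(record):
    """Drop everything we don't need *before* it reaches storage --
    data you never keep can never be leaked in a breach."""
    return {k: v for k, v in record.items() if k in FIELDS_WE_NEED}

raw = {
    "user_id": 42,
    "email": "ada@example.com",
    "plan": "pro",
    "ip_address": "203.0.113.7",    # not needed -> a liability if stored
    "date_of_birth": "1815-12-10",  # not needed -> a liability if stored
}
print(minimise(raw))  # only user_id, email and plan survive
```

The design choice here is that minimisation happens at the boundary, not at query time: anything filtered out at ingestion simply does not exist for an attacker to find.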
There followed a brief discussion in which Wysopal stated that strict regulations need to be in place for security breaches that would impact personal safety, for example in devices that could cause physical harm, like self-driving cars. However, Snyder argued that regulation stifles innovation and that good guidance is the key, as innovation is necessary to fight such security breaches.
2. Is big data a threat or an opportunity?
In a talk led by Ondřej Vlček from Avast and Chess Grandmaster Garry Kasparov (who, as someone who actually did lose to IBM’s Deep Blue, gave what I think was my favourite quote of the whole conference — ‘If you can’t beat them, join them!’), it was stated that whoever has the best data, and the ability to accurately label it, has the best AI. I hadn’t thought about it in those terms before, but it absolutely makes sense: this technology can only develop based on what we feed it, so the more we feed it, and the more accurately, the better it will be. They also made the point that the algorithms used in machine learning were developed back in the 70s and 80s, and that the field of AI is now more about processing huge amounts of data to make those algorithms ever more effective. However, although big data can be used to find and deal with threats, the very same algorithms can be used to attack. This led to a brief discussion about data security, where it was stated that
“the only solution to the problems caused by today’s technology is tomorrow’s technology”
and also that we need to have ‘good online hygiene’. Much like the Tuesday talks (you can read more about those here), they stressed the fact that the right moves can only be made by setting the right goals for our technology. Admittedly, I’m not massively reassured. Who is really going to be setting these goals? No one really knows, and while certain parties are taking responsibility for themselves and the technology they create, what about those who aren’t?
3. Should online privacy be considered a basic human right?
On the topic of big data and online privacy, I attended a discussion between David Gorodyansky from AnchorFree and Jane Zavalishina from Yandex Data Factory. Gorodyansky believes that privacy needs to be considered a basic human right, that companies need to be more transparent about the data they’re collecting, and that it should be very easy to click a button to signal that you don’t want certain data to be collected. He predicts that the next tech company to reach 1 billion users will be one focusing on user privacy, but Zavalishina disagreed, saying this was never going to happen. She made the point that you can’t necessarily trust that just because you’ve ticked a box, your data won’t be collected. Furthermore, many people even now are choosing convenience over privacy, with so many of the apps and websites we use automatically collecting information about us. I must admit that, from a personal point of view, this automatic collection of my data does not sit easily with me, but at the same time I want to be able to use all of this technology, and it seems like this is the price I have to pay.
4. If you don’t have security, you don’t have a business
Werner Vogels, CTO of Amazon.com, pushed the idea that we need to protect our customers and our business, because if you don’t, you don’t have a business. We can’t think of security as just an added tax on development anymore, but as something integral we have to do, especially when using continuous integration and deployment. He also gave us this little quote, which I rather like:
“Dance like no one is watching; Encrypt like everyone is”
5. Big data — a massive crystal ball?
One thing which absolutely blew my mind was the scope of big data. Kalev Leetaru from Google proposed that it can help us predict the future — but we have to get the information we’re plugging into it right. He made the point that by listening to what people are posting on social media from all around the world, in all languages, it is possible to predict where conflicts will arise — but clearly, if you’re only getting tweets written in English, you’re only getting half of the story about what is going on in Yemen, for example, or any other non-English-speaking country right now. He also stated that older sources such as books and TV need to be processed too, because the data gleaned provides a historical context against which to compare the present state of affairs, allowing us to analyse the mistakes of the past and prevent them being repeated.
6. Big data — too much messy human input
Christian Beedgen from Sumo Logic had a less optimistic view of the possibilities of big data, stating that it necessarily lacks human empathy and understanding. Since analytics are built by messy humans, and the final analysis is processed by messy humans, he argued it is wise to still use one’s instincts when dealing with data-driven analytics. He also pointed out that Max Tegmark from the Future of Life Institute has said that the average human brain can store about 1 TB of data in its synapses, which is sort of cool to think about in those terms, but also sort of sad, because in the grand scheme of things that’s really not all that much!