FTC: Bridging the divide between hackers and the ‘flip phone caucus’
Ashkan Soltani, chief technologist of the Federal Trade Commission, and commissioner Terrell McSweeny spoke with Passcode while in Las Vegas for the Black Hat and DEF CON hacker conferences.
LAS VEGAS – Ashkan Soltani and Terrell McSweeny have big jobs: Protecting the nation’s consumers from deceptive or unfair business practices. And they want help from hackers.
The Federal Trade Commission’s chief technologist and commissioner told the Black Hat and DEF CON conventions in Las Vegas that hackers’ research to uncover security flaws and privacy offenses could play a big role in the government’s investigations and technology policy. “The security researcher community shares a lot of our concern about protecting consumers’ data security and privacy,” Ms. McSweeny told Passcode. “Our missions are sort of aligned.”
On the sidelines of the hacker confab, the pair spoke with Passcode about bridging the divide between hackers and the government. Edited excerpts follow.
Passcode: In your Vegas talk, you refer to a ‘flip phone caucus’ in Washington. What’s that?
Soltani: So many people brag that they don’t have any technical expertise – but they’re still making policy. So many people have been like, “I’m not a technologist, but...” or “I have no idea how this stuff works, but we should have this thing” – something that’s technically not feasible.
Passcode: Will members of Congress get more tech savvy?
Soltani: A few of the committees have good advisers that are technical. Some of the congressmen in the recent encryption debates bragged that they had computer science backgrounds. The question is: How do we raise the status quo for everyone? Because they’re all chiming in on these technology policy issues.
McSweeny: You can use a flip phone – as long as you take the time to talk to the technologists and understand the technology. Plenty of congressmen who are on the flip phone caucus are taking that time. The point we want to make is: It doesn’t matter if you’re a user of that technology, it matters that you talk to people with the technical expertise.
Passcode: So how can the security community help the FTC in its investigations?
Soltani: We are monitoring academic conferences, security conferences, press. We get complaints from consumers. But if you write an article about a really egregious practice that we decide to take action on, I can’t call you and say, “Hey, did they do X or Y?” or “How could I replicate that?”
Some researchers are like, “Hey, I found this thing [such as a vulnerability] and I’ll do a blog post about it.” No follow up. No details.
I could spend a month trying to replicate their findings, but I can’t do much with that. Another researcher will say: “In scenario A, with these facts and that software, here’s this bug, here’s a screenshot, and here’s a script to run it.” I can spend 20 minutes to replicate it and pass it on to the attorneys and say, “Hey, are we interested in this? I verified the findings. What’s the law? What’s the analysis we want to do?”
If you want your work or publication to be more valuable, here are some details you might want to include: How do [you] produce it; how you came to that conclusion; what were the caveats or the qualifications for inclusion.
Passcode: Ashkan, before this job, you contributed to The Washington Post’s Pulitzer Prize-winning reporting on the Edward Snowden surveillance revelations. Has this government job been a big adjustment?
Soltani: The work I’ve been doing for the past 10 or so years has always been the same: To clarify how things work and where are the policy issues – whether it’s for reporting or the FTC.
My past tendency – and I think a lot of [the security] community is like this – is to think all the details matter. That you have to know how the entire thing works to have any insight into it.
As a reporter, you know there are things that resonate with your viewers, or policymakers – then you can hook them and bring them into the rest of the story. But how you structure the lead and the headline, that’s also how someone who’s really busy and has a different frame and maybe doesn’t understand this issue, [gets] engaged.
Passcode: What advice would you give security pros who want to talk to policymakers or start a career as a technologist in government?
Soltani: You need to understand the frame they’re operating in. Before I talk to someone about [the Computer Fraud and Abuse Act] or about FTC law or anything, I’ll first listen to the policy arguments, Capitol Hill briefings and debates, and hear what are the things that they’re debating. I’ll find the technical fact that’s going to inform what they’re arguing about. Without that, I’m just going to give them a bunch of facts that aren’t relevant to them, and we won’t have a dialogue.
McSweeny: When you’re speaking to someone like me who doesn’t know how to code, there’s an entire jargon and lexicon that I don’t understand. So you have to also be able to literally translate the acronyms and some of the technical talk.
Passcode: At these hacker conferences, you have some examples of stunt hacks – such as when two researchers took over a Jeep Cherokee. If everyone’s talking about a video, does the alarm go off at the FTC?
Soltani: What the researchers and media are getting better at is making the issues salient. If I told you, “I can tunnel to an [electronic control unit] and change the settings to let me access the gas and pedal,” you’d be like, “That’s interesting – what does it mean?” But if you see someone shut off a car, it would resonate with you.
McSweeny: Obviously, we look at the paper and read media reports and look at all kinds of things trying to understand what’s happening to consumers. But we don’t go on buzz.
Passcode: This could have real-world implications for people’s physical security. Does that factor in?
McSweeny: As policymakers and enforcers, we need to put things in perspective. I don’t know how hard it is to do big stunt hacking of vehicles. But I suspect it’s quite difficult.
That doesn’t mean we shouldn’t take it seriously. But a lot of what we look at in the [Internet of Things] space are security practices that aren’t reasonable at all – that make things very vulnerable in a very easy way for people who might want to exploit them. And those are the kinds of things that deeply concern me.
Passcode: Are you going to look into the Jeep issue specifically?
Soltani: We’ve said we’re going to look into connected cars. And we have been prior to that stunt hacking. The topic is interesting – so are drones, so are cameras. There [was] a talk about rifles, the algorithm you use to do sighting. If you can affect that and use that to shoot five feet to the left, those are interesting things.
Passcode: So, Terrell, to your point, does the probability that someone will be able to replicate the hack affect whether the FTC looks into it?
McSweeny: It’s not a factor, so to speak, for us. The legal test is reasonable security. We’re not talking about perfect security. We’re talking about engaging in best practice – having processes and procedures in place. We understand there are people who have [best practices] in place and get hacked anyway.
Passcode: What’s the top emerging issue you believe is going to be a big issue for the FTC now?
McSweeny: I see a wide range of terrific innovation, a wide range of consumer-facing products – and also a wide range of security practices. I worry about the implications of that. I’m talking here about the Internet of Things – specifically, about IoT-connected consumer devices: Things we’re putting on our homes, wearing on our bodies, driving.
We could be introducing vulnerabilities into our home networks and that could be very problematic for people. A lot of the adoption, the success of this technology is going to hinge on consumer trust, and key pieces of consumer trust are going to be people feeling like this stuff is secure, or can be secured.
Passcode: The prospect of hacking a toaster makes for a sexy headline. But if you tell somebody that their toaster may be compromised, will people care enough to say goodbye to their toaster?
McSweeny: I would put that slightly differently: The future consumer needs to think about whether they want their toaster to be connected at all.
Because if it is – you may only get a few years out of it, depending on how long the tech is supported. Whereas your old-school electronic one might last for 20 years. We’re going to need to make sure consumers have that kind of information [for the] choices they’re making.
Soltani: For a $50 toaster you keep around for 10 years – the question is, will you receive patches, and updates, and security support, for that toaster?
People might say, “So what? If they hack my toaster, I might not be able to make toast.” Well, actually, it’s a computer. You can launch a denial of service attack. You can hack into a network. If it has multiple antennas, you can bridge from the outside into an internal network. You can use it to surveil people on their home network, and collect information they use in their home.
So, it may be a toaster you can keep around for 10 years – but the computer part of it may not receive support and it could leave you vulnerable.