Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
And so the next presentation is by my colleague and famous C-level gentleman from the UK, the leader of the Osaka security advisory group, Mr. Sing, who's going to talk to us about the Heartbleed problem.

Thank you very much, Omar. Thank you. Thank you all for being here. I'm not gonna waste too much of your time, but I like a lot of interactivity. So if I may start: who loves to save money? Please, come on. There's gotta be someone who loves to deal with the procurement department. Excellent. Who loves freedom? I guess we all do, right? And I guess that's where this whole topic is gonna come across, and something happened a few months ago that shook me to the core.
So that's why I'm really passionate about this. So I'm gonna start talking. If you have any questions, please do interrupt. And basically, part of the issue with what everyone knows happened, I'll come to what happened anyway, but open source was shaken to the ground. The whole foundation of open source was shaken to the ground, to what I believe is now open source. I truly believe that there is a shift. Me personally, I used to love open source. I'm gonna ask a question: who actually likes, or used to like, open source? I used to like open source.
I still kind of like open source, but what happened recently has definitely shaken a lot of the whole foundation on which open source was built. And this question is very important, but I'm coming to this. And that's part of why I asked the question: everyone has to deal with these guys. We love them to bits. But the question of how popular open source is, it's very interesting: 50%. And this is in 2011, done by the source that starts with G, anyway, Gartner: 50% of those surveyed have adopted open source software as part of their IT strategy. This is in 2011. I remember it.
It's probably US-focused, right? You can imagine what the stats would've been before what recently happened. 33% cited, if I may rephrase that, "we don't have to deal with procurement, possibly," because open source is free. Most likely you just go and download it and use it. And any respectable procurement department, I hope there's no one from procurement here, makes it an obstacle because of, understandably, governance and all of those kinds of questions. And faster, because you don't really have to do too much due diligence.
You know, you don't have to go out to market and ask three or four people to bid for it. Now, interestingly, who here has any open source policy in place? Okay. Expectedly, not that many. I know many people probably don't have it in place because, one, no one really knows who is using open source; it becomes an interesting challenge. And until recently, again, during the open source revolution, almost era, freedom was an interesting point, because it allowed a lot of freedom.
It allowed the developers, it allowed businesses, to change and to shape the product to their customers' liking, or that's what they told us, I guess. But coders and developers just loved, and probably still love, open source way more than closed source, or as some people call it, COTS, off-the-shelf software. That's the wrong paper. Until recently, this was actually, this is still on the website, which I downloaded, credit to OpenSSL, which basically says: why buy an SSL toolkit as a black box when you can get an open one for free?
And that's the key message that they've always put on their website, and they're not saying anything wrong. It's actually 100% correct.
You know, if you go and buy a COTS product, it is going to cost you a significant amount of money. And until recently, the righteous way, I know many people can get very, very passionate about open source. It wasn't the right way, it was the righteous thing to do, because you were not supporting the money-grabbing commercial outfits. You were supporting open source. Not really sure if anyone, I mean, there are people who offer services in open source, but open source, the concept, was completely free, open to use, with a certain thing.
And it was freedom from the big, bad corporations, freedom to add, to make, to remove stuff without actually being sued by the corporations. But more importantly, in some cases, in many cases, there were good security practices in place, but in many cases it never did happen. I found this when I started off in my career, I'm not that old yet, but I found that open source was, and is still, a religion, almost a type of religion. There is a dedicated fellowship, followership, belief in open source, and that has had its consequences, which we are gonna touch on.
But open source had trust. And I'm gonna check if Wikipedia has changed anything on trust.
Sorry, but what trust reads? I left my phone there. Excuse me.
No, I found it. I found it, sorry. I was gonna read what Wikipedia has to say on trust, and Wikipedia is the source of truth, right? No, it isn't. But trust is the firm belief in the reliability, in the truth or ability of someone or something. Right. And open source recently, until recently, I don't know about now, and that's what we are here to discuss, I guess, but until recently, open source had a lot of trust.
I mean, I trusted open source. If anyone put your hands up who trusted open source until recently, hopefully many people did. Interestingly, my cousin-brother lives in the Middle East, in Dubai actually, which is probably one of the more modern Middle East countries, and he's quite rich.
So the bankers opened the door for him at eight o'clock in the morning, and he invited me in. And what I noticed from a technology perspective, this is many years ago now, what I noticed was they were all running Linux. And, believe it or not, the bank manager, I asked him, "So you guys don't like Windows?" "Oh no, they're gonna spy on us."
Well, see what happens. But the bank manager had a very strong view on why they were using open source products: because they trusted it. And they trusted the fact that their governments and their organizations could wrap an amount of security around it that maybe the likes of Microsoft or Apple couldn't. And this is going back 10 years ago or more. So it's very interesting; many, many Middle East countries have a... I read an article, I can't remember it right now, but there's a place, a local county,
I'm not sure what the Germans call it in Germany, that has run a very, supposedly, successful open source Linux implementation. I dunno which one. Right? And they were doing an interview. I've saved it. It's very interesting, because apparently their users are not complaining about anything and everyone's very happy. It's good.
And one of the comments made in that article was that the person who led the project was surprised why many people had not done the same thing. So I'm not sure what answer I would give to that gentleman in the article. He was raising the question of why people have not followed in his footsteps of getting rid of commercial software and bringing everything in as free. And then I guess if I was in America, I would've had some fake blood and I would've thrown it on myself, but this is Europe, so I won't do it that way.
But honestly, this has gotta be the best logo. In my opinion, whoever came up with that logo did it really well, and a brilliant website also. Has anyone been to the Heartbleed website? Hopefully everyone. If you haven't, please do go. It's actually a very good website: loads up really fast, very easy to understand, simple communications, right? And you gotta give them credit. They managed to become the most, the best advertised exploit on the planet.
I mean, my son, who is 12, came to me and said, "So what is Heartbleed?" He was talking in context about his teacher telling him something about Heartbleed. And then what's really interesting is my wife asked about Heartbleed, and that means everyone knows about it. God bless her. But yes. And I honestly feel it is amazing.
The amount of publicity I think is good, but it raises a lot of questions. And the question is, why did this happen and how did this happen? And that's one of the things that I really wanted to know. And the scale of this problem: I probably don't believe that figure. It's probably higher. This is some point in time after the Heartbleed thing happened. And I don't think that 66% also includes the internal sites that people are running and they haven't changed.
Now, one quick story. What really worried me is, and I don't have an opinion, I guess you guys will have an opinion: a very good friend of mine, he's the CIO of a large organization, no names obviously, he called me and said, "Don't worry, my guys are on top of it; they've switched off HTTPS." I'm not kidding you. I really couldn't believe it myself. And I had to say, "Buddy, don't do that."
Either switch the service off, the full service, if you really want to, or just keep monitoring. And that's part of the problem: people didn't understand HTTPS anyway, and this was an excuse for them to switch it off. I wonder how many more people have done that, maybe internally, because they feel it's too much of a headache. And what was possibly quite secure, internally or externally, may no longer be secure at all.
So there are a lot of implications of what has happened, and going back to that opportunity, about 50% in those stats that we looked at had adopted at that time. And we are in 2014 now. That's a huge, huge number of people believing in and using open source. And this does not include stuff like embedded open source. Has everyone heard of Shodan?
S-H-O-D-A-N. Please go and look up Shodan, S-H-O-D-A-N, a brilliant website, the best friend of several hackers on the planet, but you should use it also. What it does is it shows you everything that's out there on the internet in terms of connected devices. And there's one of, I mean, I won't say any product names right now, but if you know of a product that you are running or manufacturing, you can find out how many thousands and thousands of people are using it on the internet.
And there's several stats out there, which I can share with you later, of how many embedded Linux routes, or routers as Americans call it, and so many other devices that run SSL are still not patched. They probably will never be patched. And by the next month, there'll be Heartbleed 2.0, so they'll forget about Heartbleed 1.0. So it's interesting; the consequences of this exploit and the ones that are coming down the road are gonna be really catastrophic, in my opinion. And as an observer, as an industry analyst, it's pretty scary.
And if everyone here can do one thing, it's seriously look at this problem. Don't give up because Heartbleed 2.0 comes up, or they might call it Armbleed or something, I don't know. It's good to name every exploit after a body part, right? I dunno. And the problem is that was very exploitable. This is credit to XKCD.
If you, again, don't know of XKCD, it's good humor, very good humor. You must visit it. I should have put the source there; I'm talking about it now. But in the end, if you think about it, the last box is: the attack is limited to data stored in computer memory, so paper is safe. Which is very funny to me.
Honestly, our imaginations are safe too, until they're in memory sometime or other in the future. So if you do have some time, I'll update the PowerPoint with the link.
If you want humor, that's quite funny sometimes; you should check XKCD. That's another one, not this one. There's actually another one there. I guess the question is, did these folks... and that's not the Nigerian security agency, actually. It's not, because actually a friend of mine works in the Nigerian security agency and they're called NSA too, and they're very proud of it now. But the NSA in America, I don't think they did anything really unexpected.
Everyone who is in the know, and I've been in the know for some time, many people know it's nothing really miraculous that they did. But they do have unlimited funds and some very good brains, which a lot of us, as end clients, cannot afford. Or we can't just find them when they're in the university doing all the bad stuff, which is why a lot of them get hired by the NSA, because the NSA does a lot of good stuff, I guess, I dunno, or not. And the question is, going back to the NSA, what are the legal headaches of messing around with open source?
And there must be many lawyers here; hopefully they don't disagree with me, but there aren't that many legal consequences of messing around with open source code. Three and eight. Any question? No, I'll move on very quickly. These numbers are very important. Two numbers in OpenSSL, when I last checked; maybe they suddenly hired many more, I don't know, or maybe many of them left after the whole Heartbleed issue. Three people in the core team, eight people in the dev team. That's OpenSSL, that's it, according to their website.
And the question I keep asking myself is, could it be because in open source, in these development approaches, there's no accountability or responsibility, right? In commercials, we can still try to take the developer to court. I don't know if anyone has taken OpenSSL to court. Anyone know of that? I don't know. Right? Could it be because actually open source is not sexy enough for training and awareness? And that's the reality, right? Let's be frank here. How many people... I don't know of that many IT people who wanna learn open source because they necessarily feel it's a badge of honor.
There are not that many certifications in open source, and a lot of IT people chase certifications. There's no awareness of open source; you are expected to know it. When I started off in my career, I was expected to know how to build a DNS server.
And if I didn't know, they would say, "Just go and check the manual," whatever the help command was on Linux, that's it, full stop.
Well, actually, if you have a commercial product, your employee joins and then you'd send them off for training. So it could be a lack of training and awareness. There's several things. Employees are expected to be knowledgeable, sorry, on open source products. So maybe that could be an issue. And a lot of times the question is, is open source secure, or are COTS more secure, COTS being commercial off-the-shelf products?
I don't really have an answer to that, but what I have done is put it in perspective. I'm sure Google has more than 12 employees in security. I couldn't get a figure in time, I do apologize; maybe someone here can tell me how many hundred Google has in security. I emailed the CIO I know in Google; he hasn't responded, and that was a few days ago. Facebook definitely has more than 12. Facebook gives money to, you know, the bug bounty; even Google does give bug bounty programs. I don't see many people giving bug bounties for open source.
There is good stuff happening. Lockheed Martin recently started to support an open source initiative on sharing threat intelligence. But the key thing here is they did not give any funding to that project. They just put their hands up and said, "From next month, we are going to share the intelligence that we see with this particular intrusion detection product." It's good. But if that product doesn't have the funding to make it secure, to make it relevant, what is actually gonna happen?
Finally, I guess the question is, who is the victim, apart from the 300,000 websites that are still unpatched? That's a huge number: 300,000, from an official kind of scan, if you do how many of them are patched; 300,000 as of last week, or this week, Monday, were still unpatched, running the open source OpenSSL Heartbleed vulnerability. In my opinion, to me personally, I am starting to trust open source less. It's quite sad, because I actually built a lot of my career in open source.
But when you compare the amount of funding that folks like the NSA or any other government actually has, there's no way a few people, unless there's again funding. And that becomes a commercial interest, right? I don't know.
I mean, I'm not imposing my views on you. People are definitely more than happy to be entitled to different views. Maybe you don't think so. I mean, can I take a quick poll here: who actually thinks trust has eroded, my trust has eroded, in open source? Anyone else? Okay. So not many. Interesting, which is good or bad, up to you; it's your perspective. But for me personally, I think there has been a slight erosion in the trust. Would I buy, or there's no buy, excuse me, I don't have to deal with procurement,
would I use open source products for business-critical applications? I really can't say yes or no at the moment.
Well, maybe a year or two ago, three years ago, I probably would've said, "Anytime, do it." And this is just... I wanted to use the tip-of-the-iceberg photo, but everyone has used it so much,
I thought no. So I just said "what lies underneath the surface," but you can imagine, if you like the tip-of-the-iceberg metaphor, this is just the tip of the iceberg. Please follow me on LinkedIn. And that is something that happened last week that I kind of shared on LinkedIn: Covert Redirect vulnerability found in open source. Thank you. I'm done.

Thank you very much, Chama. That's very good. So one question: do you drive an open source car?

Not yet. Not yet.

Okay. So thank you, everyone. And now the next thing is we move on to the identity award ceremony. So I'm going to hand over to my colleague Martin Kuppinger.