Build a Better Monster: Morality, Machine Learning and Mass Surveillance

Location: Salon C
April 18th, 2017
4:00 PM - 5:00 PM

The tech industry is in the middle of a massive, uncontrolled social experiment. Having made commercial mass surveillance the economic foundation of our industry, we are now learning how indiscriminate collections of personal data, and the machine learning algorithms they fuel, can be put to effective political use. Unfortunately, these experiments are being run in production. Our centralized technologies could help authoritarians more than they help democracy, and the very power of the tools we’ve built for persuasion makes it difficult for us to undo the damage done. What can concerned people in the tech industry do to seize a

Maciej Ceglowski

Founder, Pinboard

DevSecOps: Lessons Learned from Inserting Security in to a DevOps World

Location: Salon D
April 18th, 2017
2:45 PM - 3:45 PM

The topic of DevSecOps is starting to percolate in the technology world’s brew. There are presentations, manifestos, blogs, and conference sessions all dedicated to the practice. As humble practitioners of the DevSecOps craft, this talk will focus on the Starbucks efforts to securely develop, deploy, and support a unified commerce platform for one of the world’s largest merchants. We will review Starbucks’ approach to security by design and provide examples of how we use infrastructure as code to configure security policies, perform continuous audits, embrace containerization, and inject security checks into our CI/CD pipeline.

Scott Schwan

Director of Cloud Engineering, Starbucks Coffee Company

IoT, DDoS, and the DNS: Development Models for a Hostile Internet

Location: Salon B
April 18th, 2017
1:30 PM - 2:30 PM

This talk will provide an overview of the internet of things (IoT) distributed denial of service (DDoS) landscape. The number of known vulnerable devices continues to grow and, with it, a potential platform for malicious activity is also expanding. At the end of October 2016, Dyn was the target of a DDoS attack fueled by compromised devices distributed around the world. By November, bot herders were already seeking new device populations via TR-064 & TR-069 protocol vulnerabilities. In December, the Java API for Remote Method Invocation (RMI) was added to the mix. Vulnerabilities and devices, details aside, are the "how"

Chris Baker

Manager of Monitoring and Analytics, Dyn

Building data breach and subpoena resistant applications

Location: Salon D
April 19th, 2017
2:45 PM - 3:45 PM

Now is the time for a new approach to protect the covenant between an application’s owners and its users. Present threats are too numerous and varied and the battlefield too complex to defend with existing methods. In particular, technical defenses have limited effectiveness against non-technical attacks. The techniques presented here protect against attacks on all fronts, including from within, where a privileged operator is compromised. Together, we’ll examine an application based on cryptography and messaging that sets a new expectation for data security.

Martin Snyder

CTO, Wingspan Technology, Inc.