There is a misunderstanding that hackers are all-powerful and can do anything they want with your computer. According to Vince Romney of SK2Tech, however, a lot has to align for an adversary to gain access to any given system, especially with the current trend moving towards a distributed world from a technological standpoint. Vince is an avid proponent of security-as-a-lifestyle and takes every opportunity to advance security within every environment. He has been a student and practitioner of IT security for over 20 years across military and civilian organizations. On today’s show, he joins Warren Whitlock to discuss whether distributed architecture is more secure, cryptocurrency versus the fiat, the transparency concept, and more.
Is Distributed Architecture More Secure? With Vince Romney
Our special guest is Vince Romney. The topic we’re going to talk about is the future of distribution and whether or not that’s most secure. Welcome to the show, Vince. Tell us a little bit of something about you.
Thank you, Warren. I have been a technologist all of my working life. It was bent towards security starting in 1999 when I started working in the FinTech environment. I was also a reservist in the Air Force. As I went along both of those careers, about 2005, things aligned where I was in an information operations flight and we got tasked with a mission set that functionally was cybersecurity. We stood up a cybersecurity cell, not realizing that we were among the first in the military and the first in the international guard to stand up a cyberwarfare cell. We approached that naively and tried to do our best, learned, and failed. I did a lot of those early mistakes before doctrine, training and things like that existed.
The evolution of that was as we began to become more formalized as a military environment for cybersecurity and cyberwarfare, we brought in people that had gone through the formal training. Once 24th Air Force stood up and all the air training command processes were there, to bring people in and formally train them. We ended up with a couple of guys that knew what they were doing and they helped us and we helped them. Fast forward to 2013, we had done everything we had been able to our cell. They were moving our unit to Florida. I retired and I decided to stay here. Since then I’ve had the chance to work in private industry and as well as defense contracting and I had a good experience.
They’re hearing about cyberwarfare either in a futurist talk or sci-fi. What’s the biggest misconception we’ve got?
The misunderstanding has been that hackers are all-powerful and can do anything they want with your computer. There’s a lot that has to align for an adversary to gain access to any given system. It’s not like in the movies where it’s clickety-click and five seconds later they’re in and they do their damage. It’s a long process with a lot of recon and footprinting upfront. Often like nation-state attacks, designing exploits that are specific to what you footprinted and figuring out how to make those work. It’s a long process. When people get the emails that say, “I know what you’ve been doing on your computer. I’ve got a password to prove it. I’m going to sell this information to your friends unless you pay me some amount of money.” People fall for it simply because they don’t understand that that’s not reality because they’re giving the impression that hackers can do whatever they want whenever they want.
If it gets to the point that somebody does know enough to have that, they’re organized enough and it’s been enough time and they have your password, it’s too late.
The funny part is they demonstrate that they have your password yet they didn’t get it from you. They got it from a list. There are roughly six billion username-password combinations for sale or use on the dark web. Odds are one of those is yours that you’ve used in the past and may unfortunately still be using.
Do the math, we all have passwords. The other thing we hear about in the midst of it is that there are a lot more sane ways to look at it than I’ve got to keep my laptop in the freezer and then get into the freezer anytime I want to use it. The idea is there is some big central database where you can steal everything. Since I like to talk about distributed, tell me about that. How many places do you need to be unsafe? Is there one central place and are we getting away from that? What do you see happening?
One of the frailties that we have is that we still continue to look at security from a centrally managed environment. If the trends are right, we’re moving towards a distributed world from a technological standpoint. Certainly, a zero trust architecture which has the security architecture that most forward-thinking companies are trying to evolve towards is based on a non-centralized secure model. Security is implemented across the entire ecosystem rather than at a central location. Once you get through that checkpoint, you’re free to roam. That’s what makes it possible for threat actors to be effective is that in a centrally managed environment, I break through one barrier, a username and password. From that point on, I can operate throughout that ecosystem as if I was that person. Zero trust changes that and as does any distributed model.
It does seem like it’s counterintuitive a bit because if there are a thousand servers involved, only one of them has to be weak but then with a consensus model, it’s the opposite.
A consensus model doesn’t have to be DLT. In zero trust architecture, you’re not leveraging DLT. You’re leveraging the concept that everywhere where two systems interact, a validation reoccurs. You’ve had an initial validation say identification, “Who are you? You’ve been authenticated against a system.” It continues to authenticate the use that takes place within that user’s context. If it breaks out of that context, it’s no longer authorized.
It’s an interesting premise of the sci-fi scenario that in order to be able to hack into something, you have to do certain things. I’m thinking about a Marvel show I’ve seen where they have to decloak to be able to do something. They have to put some frailty in there or the story doesn’t work. That is a good metaphor for the way security works. Is there something secure that it will always be secure?
I had the opportunity to work on the ground-based strategic deterrent which is the replacement for the Minuteman Missile System. I was contracted with BAE Systems as the Software Security Architect and looked at all of the software that came in and analyzed it from the two competing prime contractors. The two primes were submitting their plans for how they were going to update and refresh the Minuteman System so it can continue to provide that ground-based deterrent. Without getting into any serious detail, there’s a layer of that network that cannot be unsecure in any way, shape, or form.
You can get to a point to where the effective security. Others are like, “Could I come up with a way to breach it?” Yes. Many things would have to fail in the process of that breach. That it’s completely intractable that that could ever happen because every one of those things has to fail. That includes physical security and cybersecurity. It includes timing and all of these things that have to go into it. For that bottom layer of security for that network, there are many things in place that you virtually cannot hack. To your point, is there a way? Yes, but could you effectively do that? No.
There’s a way to beat the Kobayashi Maru. Reprogram the entire system. When they do something like maintenance, working, or upgrade on a system like that, those points that can’t get in but legitimately and no one would get away with doing a clandestine way.
What it comes down to is that you architect an environment like that in a way that everything that happens has to happen in a visible way. The way the system is architected, you couldn’t covertly access say a silo. There’s no way to go to a silo and similarly the network infrastructure itself. You simply can’t get to it covertly.
If I was writing you in my movie, then I would say, “There is only one way to get in there. We need Vince. He’s the guy.” How does that work if somebody could corrupt you?
We had a joke in the world where you’re carrying a high clearance, TSSE, and above with all the various levels that go with that. There was always the joke that the only money that would matter is your own country money. When you can become your own autonomous country, that might be a discussion, but until it gets to that level, no. That’s why we’re always baffled by these guys that turncoat and betray their country for a $100,000 or maybe even $1 million. You’re thinking, “What crack are you on?” It’s insane to think of those kinds of numbers when that prison in Colorado is your future.
The ability of the government to come after you far exceed your budget to hide from them. That’s another myth from the movies that somebody can hide in plain sight like, “It’s going to be okay. I’ve got to go back. I have to go and see my girlfriend. I left her without telling her.” Reality is a lot more like Edward Snowden. You say, “Goodbye. I’m going to work.” He went to work for the day and never came home. There’s politics even on that story. I saw some clip up, he was going to explain something simple on YouTube. I didn’t play the clip and I’m going like, “After all these years, he’s still in hiding and if the politics were right, he wouldn’t be in hiding.” If they wanted to get him, then they’d have their vengeance.
The reality is that the damage he’s done is done. He’s in a position of non-extradition. He’s maintained some potential way to make a living there.
Being the guy that did that, I guess that’s what he is for life. The majority of the world’s population manages to live outside the United States. There’s that going forward. The reason he’s alive is because the government has decided, “The rules are legally, we’ve got to leave him alive.” If they want to catch him dead or alive, it would happen. Let’s get something a lot more practical to our audience which is the basic FinTech argument. Why is a cryptocurrency safer than fiat?
The concept of safety is something that has to be defined. Fiat is safe within a certain sphere. If I put a $100,000 in my bank account here in the US that I have acquired legitimately that is insured under the FDIC, as much as I want to trust the FDIC to be able to ensure that money should a collapse of the economic system occur, I have some recourse for that amount of money to the government. I don’t know that we can adequately say that that is tested and going to work exactly as planned, but that’s there. I have an implied security with my fiat currency up to a certain point. I think the limit is $250,000 per account or something like that. With crypto, I have a different type of security which is I own the security of that account to a certain level. I have my credentials for that account for my wallet as long as I maintain control of those credentials and do not do anything stupid with them like posting them online. In theory, that wallet is secure. Therefore, any currency that I put in there is great.
Until I have an exchange that has a backdoor that then gets compromised and during a transaction spree, all of that information is siphoned off to a separate account. Therefore, my cryptocurrency gets pulled out of my wallet and put into something else only because I was sitting in a hot wallet on an exchange that got compromised. It’s called Risk Transference. I have a certain amount of risk and I’m going to transfer some of that risk to the exchange or another entity to say, “Yes, you’re going to hold that responsibility and I’m going to trust you to do that and then I’ll hold my responsibility here.” Hence that’s where the cold wallet became a thing. I’m going to pull that completely out of that even and I’m taking it offline so I have it all by myself. You can make anything 100% secure by not using it by making it unusable. If I break your laptop, all the data there is totally secure. It’s also unusable, but it’s secure. It’s not going anywhere.
In the basic premise of whether it’s safer than the government or fiat, it’s the full faith and trust of the government, not the gold anymore. As long as you have faith in the government, you’re okay. If the government inflates the money supply, everybody’s money is worth a little bit less. It becomes a policy situation. I guess our crypto is about as safe as Edward Snowden’s life as long as the government wants to make it safe.
There are certainly powers that would prefer that crypto not exist. We’re aware of that. There’s also a large surge of support rightly for the concept of a distributed economic system that allows us to transcend those borders of fiat and that lack of interoperability to a higher level. I think crypto is going to become the norm, but it’s going to be a fight to get there. The factors around who plays in those critical roles and what controls are around those roles. When I say critical roles, things like exchanges, places that are providing hot wallet services. Here in the US, we have banks that spend a ton of money on security to try to make sure that nobody can come in and wipe out savings accounts or compromise checking accounts and take them over in the middle of the transaction. Does that mean no bank ever gets pwned and has a loss? No, that happens all the time. It’s that they cover it because they need to maintain that sense of faith and performance to their customers, us. That same level of control scrutiny and good faith has to exist on the crypto side for it to become equal or become equal with the fiat world.
I’m thinking about credit cards. The common thing is I started taking credit cards online. We have been taking a lot of phone calls, taking a credit card that way. We’re able to start to get them on the internet or me using it or even reading it to us on the phone saying, “How much security is this?” Compare it to where you normally use your credit card because back in the day, you’d want to use your credit card. You would go to a restaurant, hand it to a waiter and a credit card would disappear for ten minutes. You don’t know what happened. It did happen to me once that I used a credit card. Interestingly enough, it was at a gas station where I bartered with them.
I sold advertising. We had a barter thing. I had a credit account of which I could use X number of dollars of gasoline or whatever else I wanted to buy. I never bought anything else. The gas was the deal, it’s what we needed. I got to the end of the month and needed gas, but it was past my allotment. I pull out my oil company card and I hand it to them. Months and months later, I see this bill in the mail. I’m past due on a few hundred dollars from the day I bought tires. I traced it back and sure enough, with a month I’d made that deal with the gasoline trade. Somebody was dumb enough to think that they could try to take my credit card when I was the person that came in there all the time. Not only a regular customer, but I hung out with the owner. That all ended me. I showed up for the trial and the other I didn’t. Apparently, he had gone to jail by then. It sticks in my mind every time I think about what we trust with people. If you give your kid a credit card and let them make a purchase, you don’t know what’s happening with that.
Maybe we trust our kids or we know where to find them, but we don’t know what friend they were with or what dumb move they made to be able to do it. Life wouldn’t go on if you weren’t able to trust people at some level of a transaction. A real trust future is moving away from that. Being able to do things that trust is based on the system, isn’t that what a smart contract is supposed to do that I know it’s going to happen? I can trust everything except for the guy who built the black box and who may or may not be running a scam. In the distributed future, you’re trying to buy something and it’s not going through some central authority. The reason I brought up the whole credit card thing is you could lose $50. I don’t need to go to the government for redress when my credit card goes bad. “I’m not going to pay this.” They take over. They have an acceptable loss. They know how well they can pay off some of the things. What are these fraudulent charges? Somebody came in and took a checkout in the middle of my box of checks. They came back and said, “It’s not worth our time. It’s $20. We wrote it off.” I said, “It was at a gas station. You’ve got security cameras.”
The self-regulation concept is something that we have some patterns for this. If you look at Visa. It is all-powerful as a processing entity and a credit card agency that they effectively have political clout that allows the US government to provide support for PCI regulations. Visa as a self-regulator they say, “If your credit card gets compromised and you alert us. You won’t have to pay all that stuff that was fraudulent.” They push that responsibility over to the actual merchants and they say, “Mr. Merchant, you need to make sure that you’re not taking fraudulent cards. If your fraud rating goes over 0.2%, we’re going to put you on notice. If you go over 0.7%, you’re done. We are not allowing you to transact on Visa anymore.” They’ve transferred their risk to the merchant and said, “Mr. Merchant, it’s your responsibility to make sure of that.” You’ve got to get a service that will pre-qualify a card that’s being transacted on your website to ensure that that is not a fraudulent card.
With PCI rules, it’s no longer the responsibility of them to show that there was a fraud. They don’t care whether it’s a fraud. There’s a certain percentage. They can stop paying.
It’s an interesting model. I’m intrigued to see how distributed technology picks this up. As different models of cryptocurrency come out through more common usage on daily transactions, we’re starting to see people use crypto in difference to fiat. At that point, what happens if fraud occurs? What happens if I find a way to mess with your wallet and I’m able to pull a Bitcoin out? I take that and I use it fraudulently. I spend it on your account. Who owns that responsibility if I’m living somewhere that you can enforce law on me? Is it a total loss or is the transaction company going to end up being held responsible for that or the merchant who took that going to be held responsible? That’s undefined. In reality, it may never get defined because crypto is such a different animal as far as the transaction process.
I started looking about, how are we going to regulate it? I know you’re looking at how do you regulate barter? There can be every law on the books but still if I mow your lawn and you watch my kids, transactions that happen in the neighborhood. I want to get down to that level. I think there’s more of it. I can remember when we had small children being in a babysitting co-op and the amount of paperwork that had to be done to keep track. They weren’t fights, disagreements, and discussions. Me listening to my wife talk about it was way too much hassle. When we stopped using it was for that reason. I know what it was. We’d have kids for the weekend, which would get up all the hours. I’m going like, “I’m home from work for Saturday and Sunday and we’re watching kids.” It’s so much for a day off because that’s when we use up the hours. That allowed us to use it whenever we want it.
I think about little simple things like that in the future that we’re going to be able to do. My favorite being the drill. How many drills in your neighborhood? Probably one in every house. I think in the future we can work out those kinds of things where the biggest reason why I don’t want to lend you my ladder, my grill, lawnmower or whatever is that I’ve got to worry about getting it back. When we put a community shed in each neighborhood that is secured and locked for the people there. You don’t need a homeowner’s association in our office to keep track of it. You can set up an ad hoc sharing network instantly. There would have to be standard rules that if the ladder is stolen, the first responsibility is the last person that used it. If that person moved away or we forgot what it was or for whatever benevolent reason decide to do it, how are we going to pay for the replacement ladder? There’s got to be a rule for that. I think we’re getting sophisticated enough that a lot of these things can be easily codified and make the need for a universal currency a lot less.
At least looking at where crypto sits, cryptocurrency can easily be more secure than current models. What has to happen is the industry itself needs to learn from all of the mistakes traditional fiat banking has made. Look at those areas and say, “How did the last hack that was an ATM hack where they went to the backend, unlocked a bunch of accounts, and then had their money mules put the fake spoofed cards in? Pull all that off. They’ve got the clone cards, paying out the money. They run away with the money and then that gets passed back up the chain. How did that happen?” How do we make sure that a wallet equivalent cannot happen? We have the technology now to do that, but are we implementing that? In reality, the banking industry could implement that too. They could make it that effective, but they’re not willing to do that investment. If crypto can get to the point where they can show as an industry has invested in ways that took advantage of the inherent security in a DLT, then has evolved that to become user friendly and effective, I’ll be the first in line to go, “I’m not even touching fiat anymore.”
I almost entirely do everything digital now, but there are many gotchas. If you’re a PayPal merchant, you can lose access to your fund and you can freeze them up. I’ve had somebody come back on a rather large transaction that was all done and then gone to PayPal, which had my merchant account. They asked for zip and money came right out of my banking account. It’s a large enough amount, do you notice? On the other hand, we’re doing hundreds of transactions a day in small amounts and I can’t pay attention to it. I traced it enough to understand that when we took over the company, if it’s off by dollars, I’m not going to try to balance it. I guess the last topic I want to get is, are you familiar with triple entry accounting?
Not by that name.
I’ll briefly describe it. I don’t pretend to understand it. Look back at the history of what accounting was doing. When we were able to write down numbers and keep track of what happened that allowed merchants to survive, thrive, prosper, and brought about business. When business took off was when we got double entry accounting. If you record the transaction happen, you know that the inventory went down and the cost of goods went up and all of the things that make double entry accounting. I did spend about an hour reading on triple entry accounting one time. The idea is it comes pre-audited because now with a distributed ledger, every time I write down that something happened, it’s written down in many places and secured. Quick to point out that it doesn’t mean there can’t be any fraud. If I put a pallet of sixteen units on a truck and when you receive it, it’s a pallet of fifteen units, there’s still that possibility for fraud. We can’t say, “You must’ve written it down wrong because we’ve all agreed in the smart contract that the amount is the amount at every stop.” I guess I’m not sure if I got to a question because it might’ve been something you’d read about before.
I’m thinking about how the security of that if I always know what’s happening. In my time, we did some carbon copies on, the truck showed up and there was press hard. You’re making five copies and then lots more with NCR paper. Every time we had something arrived, they were writing down stuff. Tracking numbers, things like that with UPS. When I had that as daily service, there are many mistakes that could be made and were made. Where’s the recourse? I’ve got a company I advise that was working on a snow crab. It’s worth $110 a pound. If you drop the pallet more than a couple of inches, you probably killed some of the snow crabs to be delivered alive at any place that you transit it. It gets from the field, whether that’s an ocean or whatever. They catch the crab, they put it in a box that’s packed in ice, and then it’s moved several places. It goes on to truck, to a train, to a port, a boat. One sloppy maneuver with the forklift and you’ve killed thousands of dollars’ worth of snow crab. I said, “Between IoT and the ledger, they’re now able to tell exactly where that happens.” It doesn’t keep somebody from miscounting how many they put on, to begin with, or perpetrating some other kinds of fraud, but it’s not going to be an accounting fraud. Doesn’t that change everything?
You’re hitting on one area that I think DLT is a huge boon to and that’s the supply chain. We talked about doing some of that in the military. I have heard through the grapevine that some of the stuff that we laid down a foundation for it has been acted on. Without going into real solid detail. It’s making sure that everything that is written in code is validated throughout the entire process so that the code itself never changes without being observed. It goes back to that visibility concept. When everything’s visible, it’s much harder to make something fraudulent occur or something nefarious.
What you’re seeing right here is what’s normally referred to as transparency. I know sometimes transparency, people think, “Transparency, like Facebook is transparent.” If you post, everybody can see. This is transparency that somebody can see it, the proper person can do it. I can still keep the record completely confidential. With the right key, you can see that. The interesting thing was we got asking about having a large mailing list. Can somebody be unsubscribed or with the European right to be forgotten? Somebody asks about that and we went to the guy that designed the system and says, “How are we supposed to take care of all our unsubscribes?” “I don’t know.” Correct me if you know this answer better than me. It isn’t that you can put encrypted in such a way that what we do is we burn the key, we can never go back and look at it.
It’s called crypto shredding. You’re taking something, encrypting it with heavy encryption and deleting the key. It’s useless. It’s a brick of data.
It’s more privacy instead of a question of whether or not it’s private. Once it’s gone, it’s gone. We can’t decide, “I’m going to be clever. I’m going to use a different server and spam these people. How dare you unsubscribe?” I’ve been a mailing list for a lot of times. I thought of every deviant behavior. I have thought of everyone mentionable, “How dare you want subscribe? I’m sending you spam.” I brought that up and thought I knew about it and you’ve taught me something. You’re in an age where all the cryptography and everything in the distributed ledger is going to make things much secured. You’re into securing things with hardware. Tell me why is that still relevant?
Hardware is the one thing that is on the food chain, the hardest to compromise. If it’s done properly, hardware as a functional element of authentication is a piece of the puzzle that a remote actor has to gain physical access to that key or that device to make a change to the authentication protocol. As a quick concept here, we’re talking about three-factor authentication in what I’m involved in. One factor is something that generally we accommodate throughout our normal life. It’s a username, password. It’s something we know that the generally accepted three factors of authentication are something you know, something you have and something you are. It’s difficult to duplicate the last two.
The something you are could be duplicated. If I can do a man-in-the-middle attack and I can grab the dataset that represents, say your fingerprint, I can inject that into my own authentication session with that server and pass the dataset that is your fingerprint. It effectively thinks I have you. Granted, it’s a complicated attack. This is not the simple thing out there, but a physical device that has to communicate back and forth with an authentication server, that’s a much more difficult thing. Emulating that is challenging, particularly when there’s a complicated set of algorithms on both sides. That’s why in the military, we always had key generators. We had a physical device that allowed us to function as if we had some element that an attacker didn’t. That was that key generator. My approach to it with our team has been different.
It’s the descendant of an Enigma machine.
You’re effectively taking a hardware device to create something that makes it difficult to go backwards through.
Anything else you want to tell us about that?
We’re hoping that in the next couple of months, we can go public with it.
If somebody wants to follow you and what you’re up to, what’s the best place to connect?
Aside from what I read in the news, Romney is not that common of a name.
If you’re a politician, it’s apparently common.
Let’s do this again. When you have a question about security, we’ll do a segment here again. I’m saying Vince will make himself available and we’ll do an Ask Vince session sometime in the future. I’ll have Vince back on the show and we’ll do an Ask Vince. Let me know or find Vince and we’re the people that answer our email and answer questions. We’ll look forward to doing that again.
About Vince Romney
Vince Romney is an avid proponent of security-as-a-lifestyle and takes every opportunity to advance security within every environment. He has been a student and practitioner of IT security for over 20 years across both military and civilian organizations. He currently wears several hats, including that of CTO of SK2 Technology, leading the development of high-security, session-based data-at-rest encryption applications. Vince has worked with both public and private corporations heading IT security and regulatory compliance efforts as well as secure software development programs for a variety of development organizations.
Vince has spent several years exploring the security of Distributed Ledger (DLT) environments, and strongly believes securing the periphery of DLT environments will be pivotal to their success. He regularly teaches both technical and non-technical audiences about the application of security principles to their environments.
Vince was a US Air Force Cyber-Warfare Technician and served as Senior Cyber-Security Analyst for BAE Systems on a $20 Billion national defense program, now leveraging that experience across multiple engagements in the private sector. A CISSP since 2012, Vince writes a weekly commentary on the state of security in the hope that those who read it will take action and improve their own security profile.