The Broken System: AVG’s Chief Research Officer On Cloud, Paying Hackers and The Biggest Threats of the Next Five Years

In part one of our interview with Roger Thompson, AVG’s Chief Research Officer, we talked about how people can protect themselves, whether the government should play a role in informing people, whether Sony handled the hack correctly and much, much more. In part two of our exclusive interview, we discuss whether Sony should pay hackers for help, how they should react to groups like Anonymous and if the internet itself is flawed.

Previously, Sony sued George Hotz for jailbreaking the PS3, and recently went to war with Anonymous, so they have had quite a chequered history with the hacking community. Do you think there’s a fine line between going too much after one hacker, and ensuring that you get retribution?

Yeah, well I think you have to do what’s right for the customer, and what’s right for the company. You can’t be scared that Anonymous might come after you. You’ve just got to do what’s right, there’s no doubt about that.

But some people speculate that this was caused because they disturbed the hackers, and meant that they were noticed…

I think that the very worst hack of all is the one you don’t know about, when you know about it at least you can fix that. It must really suck for Sony because they make a lot of money out of the gaming network. They’ll lose revenue, but they’ve got to put on their big-boy undies and face up to it and they’ve got to fix it, there’s no doubt about that.

Say there’s no more hacks, how long do you think it will be before all the data will be sold off?

I don’t know, I’m just thinking and imagining, it’s simply hard to sell off that amount of data. It certainly wouldn’t be a quick thing, but they are probably out there trying to sell it now. It’s unfortunate as it means that people have got to cancel their credit cards and get new credit cards, and that’s a bunch of work for a bunch of people – but they’ve got to do it.

Is the place of anti-virus providers, and security providers one of the most important things in today’s society?

Well the cheap answer is yes! Yes, that is exactly right [chuckles]. That’s the gratuitous answer, and it’s certainly true to an extent, but anti-virus software wouldn’t have prevented this attack, and anti-virus software won’t help the people who have had their credit cards stolen, so it’s not always the answer. There needs to be layers and layers and layers of things built in.

So security, security, security then?

Exactly, there’s no nice answer.

It’s a worrying future we live in then.

It is, yeah. I’m not sure if you’ve paid attention to Stuxnet, that was the most sophisticated attack that I’ve seen in 25 years of doing this stuff. The interesting stuff about that… see what made that interesting was that the virus was a rootkit on multiple bits of hardware and it used a whole lot of zero day vulnerabilities to spread. It was clearly a state-sponsored attempt at cyber warfare. So we’ve got that that we have to contend with, and then you’ve got things like this hack into a gaming system that was just not thought through well enough and defended, so these are the sort of things that are going to face us – espionage, both corporate and government espionage, and these big hacks on corporations like the Sony thing, and the Stuxnet kinda thing. These are the things that are facing us over the next 5+ years.

So try and keep as much hard copy and physical data as possible then?

Yeah, and grow tomatoes on your back deck in case you need them [laughs].

And when you look at things like this, you say Sony’s security wasn’t good enough, do you think that Sony should actively talk to the hacking community: “Can you find any vulnerabilities? Help us patch it up and here’s some money”?

You know, that’s a very interesting question too, and I think… I think you’re probably right about that. One of the smartest things that Microsoft did in the last 10 years was that they encouraged responsible disclosure rather than full disclosure of vulnerabilities.

Responsible disclosure is tell us first, give us time to fix it, and then tell the world and take credit for your discovery, and we’ll even pay you a couple of grand, even 10, 20 grand for the bug. And prior to Microsoft making that step, which I think was an incredibly cunning thing to do, they were getting slammed by brand new, zero day stuff on really critical products like Internet Explorer every other week, and it was hurting their brand. The full disclosure model was always – you tell everybody at once, as soon as you know about it, and then the clever system administrators can take whatever steps they need to secure their systems, but the downside of that is – Microsoft has, I dunno, 500 million users or something, they can’t just roll out a patch on 24 hours’ notice, they need months to test it otherwise they break more things than they fix. So that was the problem with the full disclosure model – yeah the system administrators could do something, but most of the world aren’t system administrators. So Microsoft made, in my opinion, a very cunning move, which was to encourage people to go for responsible disclosure – tell us first, give us time to fix it, we’ll roll out a patch – I mean, Microsoft has no fewer vulnerabilities than they used to have – every month, “Patch Tuesday” still rolls around and they still patch 15 or 20 things, it’s just that they know about it first, so Sony should probably adopt the same thing. Pay a bounty, pay these guys a couple of thousand dollars – most of these guys are probably 18-year-old kids, and a couple of thousand is serious money to them; they could buy a whole new mountain bike or something.

I think that’d be a smart move, Sony and anybody who is doing cloud services or anything else should be prepared to encourage the responsible disclosure model and pay a bounty to be told first.

But do you think that should work for hackers who have already done full disclosure, who have abused the system?

I think that responsible disclosure should be encouraged, even if it’s someone that’s poked you in the eye before to be honest.

Should we be prepared for more constant updates – the PS3 only has a few a year?

All software has bugs, and it’s only a matter of what people are looking at and where they can make some money. Somebody asked John Dillinger once why he robbed banks and he looked at them as if they had said something stupid and said: “Well that’s where the money is.”

Apple’s in the same bag, it’s not like they are much less vulnerable than Microsoft, it is less vulnerable, but it’s not perfect. It’s just that most people are running Windows machines and the bad guys are focused on Windows. But if they think they are going to make a buck out of Sony? They’re gonna do it.

Say, over the course of the year, Amazon got hacked, Xbox Live got hacked and every major cloud and online company was hacked – what do you think something like this would do?

That’s not entirely out of the question, I think we could both comfortably bet folding money that anybody who wasn’t thinking about it before is now going “Oh, I wonder if I can do that to Amazon? Or I wonder if I can do that to XBL?” So they’re looking at it, and I think that would sting a bit if a whole bunch, or any, of those clouds got hacked and it would behove any of those providers to start thinking about it now, and start the responsible disclosure game.

So is the whole system flawed really?

Oh shoot yes mate! It’s all built on a trusted open architecture, so everything since then is a band-aid tryna hold it together.

There’s no way to change that then?

Not that I can think of.

Take down the internet for 2 weeks, do a Sony and rebuild it.

[Laughs] Yeah, that’s right. We’ll go back to pages and landlines.

Be sure to read part one of our interview with Roger Thompson, and remember to follow his important steps to protecting yourself, not only in the wake of the PlayStation Network security breach, but in general.
