All Episodes

July 29, 2016 55 mins

Every year, programmers write more than a trillion lines of code. How could automated cybersecurity systems help our technology stay safe from malicious hackers?

Learn more about your ad-choices at

See for privacy information.

Mark as Played

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Brought to you by Toyota. Let's go places. Welcome to
Forward Thinking. Hey there, and welcome to Forward Thinking, the
podcast that looks at the future and says, if you
should get it an email with the subject stinky cheese

better of protecting your chances under no circumstances should you
open it. I'm Jonathan Strickland and I'm Joe McCormick, and
I'm not gonna ask about that. Let's move on to
the topic today, which is cybersecurity. Yeah, we wanted to
talk about a recent story about the idea of automating cybersecurity.
But before we even get into that, let's talk about why.

You know, I'm just gonna set the groundwork of what
cybersecurity is all about and why it's such a huge
challenge in today's world. So, really, when you think about it,
cybersecurity experts and hackers have always played kind of a
tick talk game. Really, the hackers, you could argue, Yeah, exactly,
it's it's it's it's very much a reactionary kind of relationship.

So it starts whenever a developer releases some software into
the world. Operating system upgrades would be a major example.
So let's say that you know, Microsoft releases a Windows
update or Google and Android update, that kind of thing.
Hackers then start to look at the operating system and
start to explore it, probe it for vulnerabilities, things that

could be exploited. Um. And the reason for that is
the way a computer works, the way it executes code.
If you're able to exploit vulnerabilities, you can get access
sometimes to very important elements of a computer, like to
the point where you could potentially take it over. Sure,
you can either bend it to your will, use it

to do some some upward processing, or or get data
from that person's computer to to use in some kind
of criminal way. Oh yeah, absolutely. Uh. It may be
something as simple as simple in quotes as stealing files.
It may be something more complicated, like installing a key
logger that's going to copy everything someone types in so

you start to get all their their info, like their
logins and passwords, that kind of stuff. It may even
be a backdoor access where you can you can control
that processing power for specific nefarious purposes without the person
necessarily knowing what's up except for the fact that their
computer seems to be really kind of sludgy and slow,
or it could just be fair mischief. Yeah, it could
just be that, you know, yeah, as they say. So. Meanwhile,

you've got the cybersecurity professionals who are looking for vulnerabilities too,
but they're not looking to exploit them. They're looking to
patch them to to address those vulnerabilities and and tweak
them so that they're no longer and opening for hackers
to exploit. They also try to nullify malware that hackers
are developing. So uh, they're trying to make sure that

the various worms and virus is and other types of
malicious software that hackers unleash upon the world are nullified
in some way. It's super tricky to do because you
remember those old days of the huge downloads of the
Norton anti virus updates. Yeah, yeah, well yeah, I remember
the days of like when you're shutting down your computer

and says, hang on, I need to download about, you know,
half the gig's worth of data before you can leave,
and then you think, well, as we'll go get another
cup of coffee because I'm gonna be here for a while. Uh.
At any rate, this this is very much the relationship. Right.
You've got the release of software hackers trying to exploit it.

Cybersecurity professionals trying to address the vulnerabilities and nullify the malware.
Hackers go back to trying to find other vulnerabilities to exploit. Also,
this is not necessarily all just happening back to back,
because there's a lot of overlap. I mean, just because
cybersecurity professional identifies and even patches vulnerable opening and software

that doesn't magically propagated out to everybody who's ever downloaded
that software. Now, so this is your your responsibility message here.
Update your browser. Update your browser, update your operating system,
update your security settings. Make sure that you keep those
as close to up to date as possible, because while

it can be irritating to take up time to do
that sort of thing, it often addresses these vulnerabilities and
makes you less liable to experience issues created by evil,
nasty hackers out there. This also means that cybersecurity folks
are typically a step behind hackers right because often they
while they're trying to identify the own vulnerabilities, they may

not be looking in the same place as that hackers
start looking at, and they have to respond to the
malware that hackers are creating. So you get this TikTok,
where the reactionary response to the cybersecurity is to counter
the move that the hackers have made, but it doesn't
magically counter the next move the hackers make. You have
to do it over and over and over again. So

wouldn't it be cool if we could get an actionary
system rather than a reactionary or one that is reactionary
all on its own and doesn't require a human interaction
at all? Because where the bottle nick really well, especially
now and I'll get into more of the reason of
why now it's particularly a problem in a little bit later,

But as you say, it can be actionary to Lauren,
you could have software that is actively looking at vulnerabilities
before any human has even laid eyes apart for the
developer on the code, and then in that case you
close off the system before a hacker is even able
to exploit it. But in other cases where there may

already be a vulnerability known to hackers, uh, the systems
could be patching that vulnerability as well as trying to
counteract any malware that hackers have created. If you were
able to do this and take humans out of that picture,
it would be amazing because it would be way faster
and more efficient than than than a human. But it's
a tall order. It's really not an easy thing to

ask for. Who would ask for such a thing? Sort
of a you're right they did, DARPA asked that thing.
Wait wait, First of all, though, let's remind everybody who
is DARPA. It's the R and D division within the
Department of Defense, with the awkwardest name ever being the
Defense Advanced Research Projects Agency used to be. Or yeah,

it used to be ARPA. I like. I like that
the way you deliver that it made me think of
like defense against the Dark arts, which in a way
is kind of what we're talking about today. Yeah. I
actually I'd never heard it put this way before. This
might be have always been part of its charter, but
but I didn't come across this description until some stuff
we were reading for this episode today. But they described

it as preventing strategic surprise. I watched a video about that,
and my favorite quote was, surprises are hard to predict.
I know exactly what you're talking about. I watched that
same video. I'm like, you don't say. I think you
said surprises can be hard to predict, Yes, which I

thought was amazing. It reminds me of the Giant the
Giant Souvenir shop at Las Vegas, where one of the
signs says, if it's in stock, we have it, and like, yeah,
I guess that's I mean, I would have argued that
that was pretty much obvious, but I'm glad that you
put it out there. So, uh, yeah, DARPA is it's

got a long history obviously with technology. I mean, the Internet,
you could argue, is really a product of work that
was done when DARPA was called ARPA. There was a
predecessor to the Internet called ARPA net and during the
development of our and that many of the protocols that
underlie the way the Internet works were developed. So very

much a part of the world of software and hardware.
Not just hey, can we develop a new thing that
flies faster and uh and it's harder to detect than
anything else we've ever created, but things that have benefits
far beyond just a basic military application. Now, to be fair, DARPA,

being part of the Department of Defense, is primarily concerned
with matters of protecting national security and and uh making
certain that the United States technological capability remains at the
very front of the entire world as much as possible.
You know, you've got to keep that in mind. But
beyond that, the developments of various DARPA initiatives have uh

much greater consequence than improving our defensive capabilities. Oh sure, well,
and and started started to say in way that just
like NASA, getting people into space has a lot of
further reaching implications in terms of technology and design. And
we've in fact talked about a few of the darpest
projects here on the show before. Right, So first we
should mention DARPA really is more of an administrative organization. Right.

It's not so much that you go to DARPA and
you enter into a world of shiny labs with lots
of beakers and and beeping computers and stuff and and
and technicians and scientists running everywhere with like crazy alien
looking devices. That's not really what DARPA is. What DARBA
really is is the organization that provides funding to other

research organizations. They what what DARPA does is identify a need.
They say, we need for this type of technology to exist.
Who out there thinks they can do it? And then
we've got some money for you, exactly, And then you've
got different organizations that respond and they'll say I think
we can do it, and then DARPA reviews the various proposals,

decides which organizations are the most likely to succeed based
upon those proposals, and funds them in order to try
and develop that technology. Uh. And sometimes what DARPA does
is they do this in the form of a competition.
It's not just hey, hey, we need this one type
of technology. Who thinks they can do it? It's hey,

we've got this idea for a crazy thing we want
people to be able to do with with technology. We're
gonna pit you against other groups that also want to
do this thing, and whoever wins gets a big old
fat prize, which may or may not be equal to
the amount of money that these organizations have to pour
into their research and development to create the technology in

the first place. But they still own that technology and
can use it to make the money. Absolutely so, we
have talked about them multiple times. Uh. The first time
that I was able to find using the handy dan
control f feature on our RSS feed was from November eighth,
two thousand thirteen, when we published robot you Can Drive

My Car? How many times have we made that joke.
I'm almost convinced. I'm pretty convinced I made that that title.
I could be wrong. I could be wrong, but yeah.
So it was one of our earliest episodes about autonomous vehicles,
and in that episode we talked about how DARPA played
a key role in getting the development of driverless cars

rolling because they have wheels. Uh. But yeah, the the
original Grand Challenge that DARPA issued was about autonomous vehicles.
On May eighth, two thousand fifteen, we published an episode
titled What's Up with DARPA, which really was more of
an episode to explain what DARPA really is all about

and some of the projects that DARPA was overseeing at
that time, um and mostly leading up to the Grand
Robotics Challenge, which of course we already kind of covered
in the previous episode, and then we had on June seventeen,
two fifteen, So not long after that one, we released
our episode about the DARPA Robotics Challenge. They are not
the not the Grand Challenge, which was autonomous cars, but

rather the challenge of building a humanoid robot, or at
least a robot capable of following over a lot. They
people excelled at that part of the challenge, which really
wasn't part of the challenge. You didn't want your robot
to fall over, but to be able to do a
series of of steps, a series of tasks that would

potentially be part of a rescue operation or an emergency
response operation in the wake of a disaster, similar to
the uh the Fukushima plant when the tsunami hit. So like,
one of the tasks was walked to a door and
open it. Man, that was that was a tough one. Yeah,
it turned out to be a lot hard. Like robots
were not being able to grab the weren't able to

perceive where the doorknob was accurately, and so they kept
trying to grab at places the doorknob definitely was not.
Stepping through the doorway was bad, Yeah, which is a
very difficult thing to mechanize. That. They had to pick
up a drill and like use it. Yep, they had
to climb us as stairs, which also turned out to
be super tricky. Yeah, there are a lot of things
that we humans typically find fairly easy. I mean, even

if we couldn't do all of the different tasks, we
might find at least, some of the tasks pretty natural
for us to complete, but for robots that's not the case.
There is no natural for a robot. Uh. And it
turned out that a lot of those what we thought
of as simple tasks were really complicated. So those are
the episodes where we specifically focused on DARPA. But today

we want to talk about the more recent Cyber Grand Challenge,
which comes into the concept we're talking about here about
creating an automated system capable of recognizing vulnerabilities and patching
them in real time. That's the basic idea, right, Like
DARPA's like, hey, this is what we want, uh, you team,

you know, start forming teams out there to do competitions,
and we'll have a big challenge and whoever wins gets
a prised. That's the basic idea, um. But it's interesting
because it's using an approach that humans have been following
for a while. It's it's not not like they've invented

a game that the robots have to compete in. The
game already existed and in fact has a a bit
about an interesting name. It's it's a capture the flag game. Yeah,
which is funny because it doesn't actually resemble Capture the Flag. Yeah,
so what what is the capture? They have these tournaments, right,

so capture the Flag tournament might be a thing. A
bunch of hackers show up too, and it's a model
for testing people's skills at cybersecurity challenge. Just so a
CTF tournament you might see something like this, a bunch
of cybersecurity pros all show up and get a piece
of target software and then they go to work trying
to be the first to discover security flaws in the

software and then release a secure patch to fix the problems.
So they've got to sort of they have to like
reverse engineer the software, figure out what its vulnerabilities are,
address those vulnerabilities, and get them fixed. Uh. And so
that sounds like a good test of your steel as
a cybersecurity professional. But what if you removed the human

hackers from the competition, right, Like, so in this case,
the people competing aren't competing directly in searching that software,
finding the vulnerabilities, and patching them, but rather developing software
that can do that on their behalf automatically. Yeah, so
that they aren't the ones guiding the software. Very much

like in the rival less car scenario. You were not
allowed to have any kind of remote control of the vehicle, right,
The vehicle had to be able to do everything on
its own, and if it failed, it failed. Same sort
of thing with this kind of software. The idea being
that you don't get to guide the software. It has
to be able to analyze that that target software and

identify the vulnerabilities and patch them all on its own.
So why even bother doing this? Well, it's because computers
are everywhere now, They're pervasive, they're integrated into our daily experience,
and they're on all scales. Right, the stakes have never
been higher as far as cybersecurity goes, and they're only

getting higher exactly right. So it used to be higher,
or it used to be you know, the early days
of viruses, you know, way back in the day where
things weren't even necessarily networked yet and people were spreading
viruses via physical discs and oh yeah, uh, you know,
the worst that was going to happen is you might
cause a lot of damage to your computer. Yeah, and

that's not good. I mean that could have you know,
potentially disastrous consequences for somebody's personal I don't know, personal
projects or whatever. But you wouldn't have um extremely dangerous, widespread,
society wide consequence. It's not not a catastrophic event. It's
something we're not going to kill anybody. Right. On an

individual basis, it could range from inconvenient to financially difficult,
depending like let's say you know, my dad, for example,
is an author, and if he had had a computer
virus affect our old computer upon which he was writing
his novels, that would have had a very profound impact
on his ability to do his work as an author.

But it's not like that would suddenly also affect all
the other computers in the world. It's happening on a
very individual machine. Right. But then, okay, so once you
start networking computers all over the place, suddenly you can
spread viruses uh and malware and vulnerability knowledge much more easily,
and you can exploit sensitive information and you can uh,

you can you can have much more far reaching consequences.
You can cause economic disaster. Um. Now, imagine expanding this
to the next level beyond just network devices. Our devices
are no longer just information devices. There, uh, you know,
standard infrastructure devices, devices that control the world around us,
power plants in our own HVAC systems and all all

sorts of things. Yeah, so we elevators everything, right, Yeah,
we started with things like your desktop computer. But then
we're also like, okay, well we also have laptop computers.
And now we've also got uh cell phones. Oh and
smartphones came a little bit later, tablets to other computer systems.
In uh, traffic lights to not just within an entire

system of try lights, but within an individual traffic lights
or appliances or televisions or sensors. I mean we as
we approach the Internet of things, we have more and
which you could argue that era is already upon us.
We are in the Internet of things era. Now we
have more and more devices that are partially or fully

dependent upon computerized systems, which may and in fact you
might as well say, do have vulnerabilities in them. They
may not all be identified, but there's almost certainly a
vulnerability in every system that human beings have produced, because
we can't necessarily predict the vulnerabilities while we're making them,

Like they really shouldn't have released that smart of and
has the vulnerability where somebody can get it to throw
you inside and turn on self cleaning mode. HANSL. And
Gretel five thousand. I told them not to do it,
but you know, they just might not have been able
to predict that that vulnerability was there. Yes, when you're
in the middle of developing, it can be difficult to
see that, right because your number one goal is to

get the thing you want to happen to happen. Yeah,
you want, you want the whatever it is, whatever the
the end goal is of the code you are writing.
You want to achieve that goal. So let's say that
you're just writing a program. It's a really simple program.
It's like, let's say it's a word processing program. So
you're just trying to create a word processing program, and

you wanted to have all the basic elements of word
processing involved in it. You're concerned with writing code that
creates a working word processor. You may not notice that
in the way that you develop this code, you have
created a vulnerability that would allow a hacker to access uh,
let's say some administrative level commands on an operating system

through the code you've made. Because that wasn't what you
were thinking about when you were building your word processor.
You weren't trying to you weren't even thinking that that
was a possibility. You were just trying to make a
working word processor. Yeah. Yeah, And and and for all of
these all of these computers, people are writing so much
code every day, trillion lines of code a year. That

was in the early two thousands, so we're talking about
way more. And and you think about you think about
the number of platforms that have increased since the early
two thousand's. That's before the smartphone was really a thing.
You know, think about two thousand seven. That's when the
iPhone gets introduced. That's when the smartphone, at least in
the United States, really becomes a consumer product. Before that time,

it was something that you might see some executives having
as part of the way they interact with their businesses,
But the average consumer in the United States didn't have
a smartphone until after two thousand seven. At that point,
you've got so many different devices now that people are
developing code for, and some of them aren't even you know,
your traditional computers or smartphones or tablets. They might be

hardware that the consumer is never interacting in a way
where they're even all where their software involved. Sure, like
every single Intel chip that's sold has has stuff hard
coded into it, and that's it's not just Intel every
every chip, sure yasically many chips and your basic firmware. Right,
the idea that you've got programming that is physically codified

into a system, it's not. It's not like some ephemeral
software that exists for a moment and then it's gone.
It's it's actually part of the device itself. So we've
got all this code, huge amounts. Now, imagine it's your
job to go through code and find vulnerabilities, and you're thinking,
there's more code generated every day than I could possibly

get through in a week. It's kind of like the
issue with YouTube where you talk about how many hours
per minute get uploaded to YouTube. There's no way to
watch all the content because it's physically impossible. Yeah, you
could say, well, how could we monitor all that content
to make sure people aren't uploading copyrighted movies and stuff

like that? But you know what you could do. You
could design a program to look through all of that
stuff and compared against the database of copywritten material, it's
alood easier than hiring Bob to try to watch an
impossible number of YouTube videos every day. Yeah, so, yeah,
you've got and if you've seen you've seen people trying
to get around this, I bet right on YouTube where

they like they upload copyrighted material, but it's like obscured
and flipped and zooming in and out in weird ways
to try to prevent auto detection. Right, have you seen this? Yeah?
Or people you know, people just have like a a
section of whatever the view would be. Yeah, those are
the worst, right where you're like, oh, it's the lower

two thirds of a television screen so that this doesn't
get picked up. An awful, awful sound quality. What a
wonderful experience I'm having right now. I'm going to go
buy the movie. Man. Really we think about it, it's
more of a great tool to convince people to purchase
this stuff legitimately in order to have a decent experience.
But at any rate, Uh. One of the things that

was interesting when I was researching this was the you know,
you got those trillion lines of code, what does that
mean in terms of vulnerabilities? And the estimate I was
hearing was about they were talking about a billion vulnerabilities
existing out there, a billion. So you've got trillion lines
of code and a billion vulnerabilities. Finding a billion vulnerabilities

within a trillion lines of code. That is such a
monumental test. Most experts are saying like, yeah, I can't
even wrap my head around hold on, am I doing
the math right? That that that would be one vulnerability for
every thousand lines of code? Yeah. Yeah. So then you
sit there and you think about it, like if you
let's say that you've got a job requests saying, yeah,
so turns out there's a billion vulnerabilities out there. I'm

gonna need you to clear those up before the end
of the year. She was just like, I'm going into
a new line of work and you can't do it. Yes,
I'm leaving this up and also possibly my sanity goodbye. Um.
And these these vulnerabilities do shake out into actual issues.
I read a report where a security firm called Jamalto

said that approximately a billion records personal records were compromised
worldwide alone, so one in like one in seven points something. Yeah,
so you've got well, I mean assuming that that that
a human person only creates one record per year, and
I think it's more than that. But but yeah, but
at any rate, like like like a billion is a

nice round number, Like it's large, it's not small, it's
it's impossible for me to even you know, have a
concept of how much that is. And when you think,
like we said about how they this this code is
integrated not just in software but in hardware across all
sorts of different devices and infrastructures, you realize this is

legitimately a problem. It is. It is really a threat, right,
It's not it's not just it's not just something like
oh that's inconvenient. It's not like, oh man, my cellphone's
gonna get hacked. It's like, oh man, are a hydro
power plant is going to get hacked? The US Director
of National Intelligence one James Clapper in listed cyber attacks

as the most serious global threat, above terrorism, above weapons
of mass destruction, above sid ducks. I don't know, yeah, Godzilla, yeah,
more so than that not saying something so yeah, you've
got you've got the perfect situation for disaster here, right,
You've got a target rich environment, and cybersecurity experts might

know to to really seek out the stuff that's going
to have wide propagation first, because obviously, if you're a hacker,
you want to try and hit as many targets as
you possibly can. So from a cybersecurity point of view,
you'd say, let's make sure we cover the stuff that's
going to get the widest circulation first and then worry
about the smaller programs kind of like you know, think

of it like concentric raicles. We want to get on
that middle of that target first, so like operating system
updates or major product upgrades, that kind of stuff, stuff
that lots and lots and lots of people are going
to get. But that also means the hackers can say, well,
I won't hit as many people if I aim for
these other more niche oriented software packages, but I'm also

less likely to encounter resistance. I'm more likely to find
a vulnerability that people haven't identified yet, and therefore will
be able to hit a greater percentage of that niche
than I would if I aimed for operators who's really
shoring up the defenses of this organ trail clone that
I downloaded right, which, by the way, is a great game,

But I mean I I do want to put in
here that there are certainly uh hackers for good, like
white hat hackers cybersecurity type experts that we've been talking about,
who are actively working every day to to plug up
these kind of vulnerabilities. UM you know, not looking to
cause harm or mischief, but to seek these things out
and to change them. Their conventions around the world where

where where hackers and other interested parties gathered to strategize
and to learn and to present research and to disclose
security problems that they've found. Um, you know, either providing
outright or selling the information to the parties at hand
that that would be able to enact changes. Um. One
of those black hat is actually happening this very weekend,

July August four in Las Vegas. Right. The other big
one I hear about all the time is def con right,
that also happens in Las Vegas. I urge you that
if you ever decide to attend one of these conventions,
bring a burner phone and leave your normal one at home. Yeah,
I'm being totally serious, that's I I agree. These hacker

thons often have a wall of shame, and if you
have not secured your technology properly, they will put your
name up there because they will have found how to
access your stuff and say, look, uh, this is serious.
You need to be aware of this. Yeah, I'm not
These these quote unquote white hat white hat hackers certainly

are not outside of the realm of the mischief type
of concept. I mean, but it's not's mischief for good
and yes, exactly to be fair, one of the issues
that hackers who are doing this work run into is
a lack of cooperation on the side of the companies
that are producing the software. Right, and that's starting to change,
I think, um, I think that a lot of companies

have come into the realization that it is less expensive
to hire this kind of security expert than it is
to allow someone to create a vulnerability in the programming. Um.
But and and and and many many companies do these
days have hackers on their team looking for these kind
of vulnerabilities. And there's been tons of successful projects to

come out of freelancers and contractors and full time hackers,
you know, work bolstering everything from from the security of
hospital patients records and pacemakers and insulin pumps. Insulin pumps
have computers in them. Now that's terrifying, um and wonderful.
But but but to to making a t M S
and net network routers more secure, to making prison and

office doors unhackable important stuffs for work right, right, all
of these things. Um, so you know it's not that
it's not that humans are totally falling down on the job.
It's just that we are only humans, right, which is
why we need the machines to take over. Right, Yes,
because the idea of being that you know, if you
have a computer program, stop us out. Exactly. If you

have a computer program that's properly orchestrated, properly designed and
coded so that it can look for vulnerabilities and patch
them autonomously, then it's going to be able to work
much faster, more efficiently than any human could. It never
gets tired, it's never going to miss vulnerability because it's

been staring at this code for like six hours and
it just you know, you get that blindness six hours
was Yeah, well, most of my programmer friends are like,
you know, fourteen hours in with like seventeen cups of
coffee and sure increasing twitch and exciting eye twitch. Yeah. That.
The issue there, of course, is that you're more likely
to miss something, yeah, you know, but a computer program

doesn't because it just keeps on trucking. No. Obviously, the
dependability on the program is only as good as the
developers are, right, but ideally they would catch problems before
bad guys could ever identify there was a problem there
in the first place, and everything gets patched, maybe even
before the release of the software, so that there's never

the opportunity for a hacker to take advantage and exploit
of vulnerability. So this all leads up to this Cybergrand Challenge,
which is happening August fourth, and that's where we get
this automated Capture the Flag tournament. This is also in
Las Vegas, kind of on the tail end of of
black Hat. I'm not sure if it's officially I doubt

it's officially affiliated, right, Yeah. I love the idea of
DARPA showing up to black Hat soap UM and everyone's like, hey, buddy,
hacked your system last week. Looking good. So so this
is this is actually the final round of competition. It's
a competition that's been going on for a while now.

It's not something that is you know, they had made
it just for this one day UM and in fact,
in earlier rounds of competition, which began back in ten,
there were more than thirty teams that registered for this
UM and they could register as either an open track
competitor which covered self funded teams, or a proposal track competitor.

Which were teams that were invited to participate by DARPA
itself and partially supported by the agency to develop the
tech necessary to compete. This is not unusual. The same
thing happened in their driverless car challenges, where they had
teams that were specifically invited to participate versus those that
volunt that that essentially stepped forward to enter the competition.

So so there were more than thirty back in two
thousand and fourteen, we're down to seven finalists. Now. Each
finalist team received an award of seven fifty thousand dollars
to prepare for the Grand Challenge after completing these preliminary rounds.
So here are the seven finalists in the Cybergrand Challenge.

There are some researchers from Moscow, Idaho, which I did
not know was a place UH with the Center for
Secure and Dependable Systems or CSDS. Now, this was a
group that formed out of the with the Idaho State
Board of Education called for this group to come into
being UH specifically at the University of Idaho to advance

computer security education and research. According to their their profile
on DARPA, they represent the only system that was entirely
built from scratch. Every other stom that is in the
finals had existed in some previous form before these these
preliminary tests began. Next, you have Deep Red, which is

a team from Raytheon. They took their name by combining
Deep Blue, which was IBM system that took on Grand
Masters and chess, and the color of Raytheon's logo, which
is red Deep read. So this is not the the
Dario Argento movie. No. Now. Next you have Dissect, which

is spelled d I S e k T. And they
hailed from Athens, Georgia, so I went to college in Athens, Georgia.
They are the one team in the challenge that has
managed to post scores in five other CTF events hosted
by various other universities and and organizations. So they've they've
got a record, yeah, of doing well in other competitions. Next,

you've got four All Secure. That's all one word. They're
out of Pittsburgh pencil Mania. That team started with researchers
who worked with Carnegie Mellon University. You have Shellfish with Fish. Yeah,
they're out of Santa Barbara, California. That group grew out
of a hacking team at the University of California, Santa Barbara,

and it includes, according to their profile, the youngest program
analyst expert in the competition. I love like the little
facts that you get under each team as you go
through them. Uh. Next you have tech X, which is
based out of Ithaca, New York, and Charlottesville, Virginia. Team
members come from Gramma Tech Incorporated and the University of Virginia.

They developed a program they call pea soup, which is
an acronym that stands for preventing exploits of software of
uncertain provenance. I don't know do I love or do
I hate those contrived acronyms. You might want to ask
where they answer that question show? You might want to
ask where they deep inside yourself, where does the A
and P soup come from? In that preventing exploits of what? Yeah,

where's the A come from? One wonders from that, I
should be peck soup or soup. Uh. Then you have
I love this name to co Jitsu, which is a
team that is based in uh, well, the three different places. Actually,
they have researchers who are in Berkeley, California, Lausane, Switzerland,

and Syracuse, New York. So it's a collaboration of scientists
from Berkeley, cyber Haven, and Syracuse, and they're all competing
for prizes that that collectively amount to just under four
million dollars um. And so there's some there's some big
money and obviously some great bragging rights if you're the

group that creates the automated system that wins. I mean,
that's that's some nice accolades to have. Sure. I mean
also see above re being able to sell it to
a company done that rent it out at any rate. Right,
But they, you know they Dark was very quick to
mention that this competition is really more about identifying the

most effective approaches. It's not necessarily we have identified the
working strategy. This, this one product here is clearly the
way we're gonna go everyone else. Thank you for showing up.
It's not Willy Wonka, right, you know, it's not everyone
else has to go home. It's rather saying the elements
that you had in your approach, these these particular ones

we've identified, were really effective, but this other team had
these that were very effective in a different way. How
can we start to look at the things that worked
best and create best practices. So they're going to create
a Frankenstein cyber security robot. Well it's really too maybe
who knows, but really, I mean, it's about about identifying

what strategies work the best in order to move forward
with the next step. Um. So you might wonder, all right, well,
how is this all gonna play out based upon that? Well,
you know, it hasn't happened yet. Uh. And while we're
all about talking about the future and speculating, we are
incapable of telling you who won yet I can't. After

it happens, we can do it, but right now, not
so much. Um. It may turn out that none of
those programs perform better than human experts they'll be pitted against.
That is a possibility that certainly wouldn't surprise me today,
right Uh. And it may still be that even if
that happens, we're able to at least identify the reasons

why programs didn't measure up to humans or things that
got close but didn't quite get there. Well, I mean,
one thing that strikes me is maybe maybe they've found
a way to uh to circumvent this problem. But it
seems like you couldn't really combine the advantages of an
automated system. For is the advantages of a human operator

in a competition setting, because in a competition setting, there's
a limited scope of problem solving area, if you know
what I mean. So there's like a limited problem solving space,
and what the automated system would seem to have at
its advantage is sort of just limitless time and and

speed to search the problems space for problems to identify
and and like like multiprocessing multiprocessor tracks to accomplish that
on multiple systems, in multiple programs at the same time. Um,
but but I'm sure that you can. I mean, the
hard evidence that you're going to get here is like
if if a computer program can crack all the vulnerabilities

and patch them in a fifth of the time that
a human does it, or vice versa, then then you've
got a pretty solid idea of of how fast each
system is working. And and over time that kind of
time difference will will be affected by how much it
can get done well. And also we need to remember
Darba challenges sometimes teach us a lot. Even when everyone fails,

all the competitors fail, that was the case, this failure
won't be nearly as funny as watching those robots trying
to open that door. Yeah, right, well, I was mostly
thinking of the driverless Car Challenge. That's that's funny too. Well,
the Driverless Car Challenge. The first time they held that
back in two thousand four, they didn't award a winner,
no one. No one team was able to complete the objectives. Uh,

in the time allotted. Most of them had pretty remarkable
failures where the vehicle at some point got off track
or failed to respond anymore, or just you know whatever
for whatever reason it was, was not able to complete
the course. But they decided to go ahead and hold
the challenge again the following year, which gave the team's
chances to go back and reevaluate their work, make changes

and improvements so that they were better able to compete
the following year. And that's when things started to really
move forward literally in that case. And uh, when you
look at it that way, you could say, well, if
they had just in two thousand and four said well
this this isn't gonna work, We're walking away from this,
then we wouldn't be on the cusp of the autonomous

car revolution, which we appear to be right now. Right
they could very we have companies right now talking about
it will be a matter of years, not a lot
of them, a few years, and then we'll start seeing
autonomous cars in earnest start to hit the roads beyond
just the limited use we're seeing, where it might be
like an office park automated bus, or something that navigates

through like a relatively closed system like an airport, that
kind of thing like around an airport at various terminals. Um.
So it may be the same with this Grand Cyber Challenge,
where that first year of competition we don't see a
clear winner, but that doesn't necessarily mean this is the
end of the line um. Although it's also possible that

one of the automated systems will just totally smoke all
the other competitors, both computer and human, the most likely
outcome will be that through this challenge, will learn which
of these techniques are the most promising and which one
seemed to be less effective, and thus people can direct
their attention to to the avenues that appear to be
best best chance of success, with the goal ultimately of

creating these automated systems that could be rolled out on
rather large scale too. You know, check for probe for
vulnerabilities in software across multiple platforms in some cases before
they can actually be encoded into hardware. I mean anything
that's been encoded into hardware that's tough. Like you, you

can do firmware updates, but that's really a software layer.
It's not like you're physically changing the chip that's already
been produced. You're you're just you're trying to compensate for
a vulnerability that's been hard coded into a device. That's
a little trickier, but um, moving forward, you could at
least mitigate that somewhat and limit the number of vulnerabilities
that get put into hardware. So the biggest outcome of

this would be that we'd have a safer approach to
this wondrous future we've talked about, this Internet of things
future where reality is responding to our wishes and desires
before we can even voice them, and refrigerators can eat us.
I don't want to see that happen, Joe. But I
also don't want to see a future in which this

wondrous world I'm walking around in is also uh enabling
a hacker to track my every movement, or get tons
of personal information about me, or exploit me in some
other way that I may or may not be aware
of or you know. Yeah, it's a concept where we
want to make the world better with this, not scarier. Yeah,

you don't want to open the door and have a
guy sitting there like. So here's the thing. I've been
tracking your every movement for the last two years, and
unless you pay me this exorbitant amount of money, everyone's
gonna know about how often you go to Taco Bell.
You're terrible, terrible puppy kicking excursions throughout the neighborhood when
you think everyone's asleep or whatever it may be. Uh,

the taco bell thing, while it does strike deep into
my heart, I think I could. I could reconcile myself
with over time, Over time and a couple of taco locos,
I could probably do it. But yeah, it's oh my god,
are those the ones that are in Derrito's. Yes, that's
the thing, right, Yeah, a taco that's inside Derrito's. The

shell itself is made out of essentially derrito chip. Yeah,
and and then you've got um like melted cheese on
top of it. It looks pretty insane. I have never
actually tried one of these things, and I just happen
to know what the name is um. But yeah, if
we want this another future, we want it to be
a safe one. And obviously, again, if we're talking about

trillions of lines of code, expecting it to be a
safe future without the use of computer assistance seems to
be implausible at the at best. You know, one potentially
frightening implication of this whole scenario. It's not of what
what DARB is doing with this competition, necessarily, but just

the fact that we're in a position to be having
this kind of competition is that we could as humans
lose sight of what's happening in the sort of back
and forth between people who want to compromise our information
security and and take over our devices and the measures

that are put in place to protect them. It's kind
of like that frightening scenario and automated trading, where you
have computers making lightning fast buy and sell decisions on
the stock market or commodities markets, and even the people
who design these systems don't understand what they're doing in
real time, right writer, or you know, small small glitches

like like that time that like I don't know, like
like something on Twitter made the stock market waiver for
a moment and everyone was like like like taking their
hands slowly off of the computer wheel. It is terrifying
when you get to a system that's so sophisticated that
even the people who design the system cannot be fully
certain what caused it to make a specific decision at

a specific time. Right, And so I think that there
is generally we might want to be concerned about allowing
a state of affairs where humans just sort of get
cut out of the loop of understanding the software that
governs our day to day lives. Like, so you imagine
this this future scenario, hackers have massively powerful automated vulnerability

aching software that tests all networked systems that can find
for weak points. You know, it's essentially like living in
a world where people could insert lockpick guns into ten
thousand different houses front doors every eight seconds to see
what could be picked. So this is kind of like
the black hat version of the software we were just talking, right,

But I'm getting there. So if you have that, there'd
be no way for human security agents to keep up.
So you need this kind of automated vulnerability seeking and
containment software, right, But imagine so you've got these two
systems working in tandem. Both automated sort of in a
in an automated security arms race back and forth. Um,

will humans lose track of what their own software does
and how? I don't suspect so, because humans are still
the ones creating the software with a specific purpose in mind.
And what we're looking at is the matching or exploiting
of vulnerabilities within that software, not fundamentally changing how that

software behaves or what it is supposed to do. But Jonathan,
what if what if that software decides that the real
vulnerability in the system is us? It's a little different.
But I like where you're going. Yeah, no, no, no,
I mean, I don't mean that, but I do. I know,
I know, you know, but I do mean. Like, Okay,
so let's say a computer this program detective vulnerability and

then patches it. But as we all know, sometimes maybe
a security patch can destabilize the system in another way.
You've just caused a new problem that needs to be addressed.
And so what if they say, ah, you know, every
time it patches something, it's not sophisticated enough that it
can do that without compromising something else in the system.
So we've got to we've got to let it fix

the compromised part also, so it's got a patch security
and it's got to fix the destabilized system, and then
that caused another problem. Bloom. I I can imagine scenarios
where they're cascading effects requiring us to create self modifying software,
and I don't know. Self modifying software always makes me

feel icky. Well, the problem is we need it now anyway.
We have so many, so many lines of code that
there's a need. Like if what's the other option. We
don't develop the automated software we train about another billion
people in cybersecurity. It's well, or we don't have an

Internet of things, I guess, is an option which is
not That's not happening unless there's just a catastrophic change
in our technology, you know, one of those sun spots
or solar right layers, barring some enormous electromagnetic pulse device
that goes over an entire or large enough section of

the world, or a scenario where our priorities shift to guzzoline, right,
I think, I think that's I mean, we we've kind
of committed, right, We're kind of committed to a pathway
which requires us to do this, and so it's almost
a moot question at this point of should we do
this now, it's we have to do this, or we

have to at least attempt to do this to see
if it will work, because we've created a problem that
isn't going away on its own unless we make a
fundamental change in the way we are moving forward, which
doesn't seem likely, uh, at least not within the foreseeable future.

It would amaze me to see a real move to
put the brakes on the Internet of Things. Yeah, I mean, so,
I understand why you're getting where you're where you're headed.
But I think, first of all, we already have those problems.
Right If you detect a software vulnerability and you patch

it and that destabilizes things, we already have to fix that.
It's just right now we're the ones who have to
do it. But yeah, no, no, I I see, I
certainly see your point, Jonathan, And I think that that's
that's it's absolutely ludicrous to think that we're just going
to stop networking all of our increasingly valuable electronics to

the Internet. Um. But but I but I definitely you know,
think that caution, or at least a kind of concept
of science fiction horror be be kept close to our
hearts and and considered. Uh yeah, I mean, I don't
really have an alternative to suggest. I understand that I
think we probably need something like automated cybersecurity, but it

just I don't know. I just guess thought we should
be aware of this fact that, you know, there's always
something a little bit strange about the idea of, in
any extent, of cutting humans out of the loop of
architecture of software that runs our lives. I do think
also that like, and I say this with absolute respect
and love for for programmers, and specifically specifically cybersecurity programmers.

Um uh, I don't think we have to worry about
those nice humans being not paranoid. I think I think
that they've got that covered, and I think that they
will take that into consideration when they're doing their work.
I think it's part of part of the gig. Yeah,
I agree, I think. Uh. I mean, obviously, any time
you're talking about developing any sort of technology, particularly automated technology,

you have to be cognizant of the consequences if stuff
were to go wrong, trying to anticipate as many of
those possible outcomes as you possibly can, and to plan
for them and account for them so that they don't happen. Uh.
For one thing, it's it's always going to be impossible
to do that to perfection. Um. And at some point

you just have to say, well, we just we've got
to move forward and hope that we have uh accounted
for all the most risky outcome us um. But yeah,
it just it becomes a matter of practicality eventually, and
unless we do reverse gears and back off from this
approach of Internet of things, which at this point I

think there's so many companies that have so much money
in Internet of things that that's unrealistic. Uh, It's it's
something we have to move forward with. I'm very curious
to see how this turns out. I really look forward
to reading up on the competition once it's finished and
seeing how the various teams did and uh, you know,
did any did any of the teams or did multiple

teams uh significantly outperformed the human participants. I can't wait
to learn more about it. So we'll probably at some
point do a follow up of some sort um either
forward thinking video or maybe a future podcast where we
talk about these concepts and how how did the machines do?

Did we did we see a market improvement in performance
over humans or is that something that humans are just
better at doing than machines are right now, because sometimes
we run into that stuff. It seems to be fewer
and far between these days, but it does still happen.
For instance, we're still better at opening up a door
and walking through it. All right, Well, that wraps up

this episode. Yeah, that's I love, I love it is
to be. It's like the classic Escape from Daleks is
just run up some stairs until the Yeah, the reboot
ruined all that, but back in the day, the good
says stairs would protect you from the Dolleks. All right, So,
if you guys have any suggestions for future episodes of

forward Thinking, or you got any questions or comments anything
like that, you can send us a message, otherwise we
won't hear you. Our email addresses FW thinking at how
Stuff Works dot com. If you search Facebook for FW thinking,
our profile will pop right up. You can leave us
a message there. We are FW thinking on Twitter. You
can always tweet us at Twitter. We're happy to hear

from you, and we will talk to you again really soon.
H For more on this topic and the future of technology,
visit forward thinking dot com problem brought to you by

Toyota Let's Go Places,

Fw:Thinking News

Advertise With Us

Follow Us On

Hosts And Creators

Jonathan Strickland

Jonathan Strickland

Joe McCormick

Joe McCormick

Lauren Vogelbaum

Lauren Vogelbaum

Show Links


Popular Podcasts

Stuff You Should Know

Stuff You Should Know

If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.

The Nikki Glaser Podcast

The Nikki Glaser Podcast

Every week comedian and infamous roaster Nikki Glaser provides a fun, fast-paced, and brutally honest look into current pop-culture and her own personal life.

Music, radio and podcasts, all free. Listen online or download the iHeart App.


© 2024 iHeartMedia, Inc.