WEBVTT
00:00:00.000 --> 00:00:19.220
preroll music
00:00:19.220 --> 00:00:25.180
Herald: Our next speaker, he's a professor
of security engineering at Cambridge
00:00:25.180 --> 00:00:31.250
University. He is the author of the book
Security Engineering. He has done a lot of
00:00:31.250 --> 00:00:39.890
things already. He has been inventing semi-
invasive attacks based on inducing
00:00:39.890 --> 00:00:45.580
photocurrents. He has done API attacks. He
has done a lot of stuff. If you read his
00:00:45.580 --> 00:00:50.520
bio, it feels like he's involved in
almost everything we like related to
00:00:50.520 --> 00:00:57.084
security. So please give a huge round and
a warm welcome to Ross Anderson and his
00:00:57.084 --> 00:01:01.496
talk, The Sustainability of Safety,
Security and Privacy.
00:01:01.496 --> 00:01:02.746
applause
00:01:02.746 --> 00:01:16.125
Ross Anderson: Thanks. Right. It's great
to be here, and I'm going to tell a story
00:01:16.125 --> 00:01:23.981
that starts a few years ago and it's about
the regulation of safety. Just to set the
00:01:23.981 --> 00:01:31.405
scene, you may recall that in February
this year there was this watch, Enox's
00:01:31.405 --> 00:01:37.709
Safe-Kid One, suddenly got recalled. And
why? Well, it's unencrypted
00:01:37.709 --> 00:01:42.790
communications with the backend server
allowing unauthenticated access, and
00:01:42.790 --> 00:01:47.006
translated into layman language that meant
that hackers could track and call your
00:01:47.006 --> 00:01:52.260
kids, change the device ID and do
arbitrary bad things. So this was
00:01:52.260 --> 00:01:57.447
immediately recalled by the European Union
using powers that it had under the Radio
00:01:57.447 --> 00:02:02.388
Equipment Directive. And this was a bit of
a wake up call for industry, because up
00:02:02.388 --> 00:02:07.514
until then, people active in the so-called
Internet of Things didn't have any idea
00:02:07.514 --> 00:02:11.470
that, you know, if they produced an unsafe
device, then they could suddenly be
00:02:11.470 --> 00:02:20.374
ordered to take it off the market. Anyway,
back in 2015, the European Union's
00:02:20.374 --> 00:02:25.835
research department asked Eireann Leverett,
Richard Clayton and me to examine what I
00:02:25.835 --> 00:02:32.327
would see implied from the regulation of
safety, because the European institutions
00:02:32.327 --> 00:02:36.855
regulate all sorts of things, from toys to
railway signals and from cars through
00:02:36.855 --> 00:02:41.071
drugs to aircraft. And if you start having
software and everything, does this mean
00:02:41.071 --> 00:02:46.310
that all these dozens of agencies suddenly
start to have software safety experts and
00:02:46.310 --> 00:02:51.604
software security experts? So what does
this mean in institutional terms? We
00:02:51.604 --> 00:02:57.512
produced a report for them in 2016, which
the commission sat on for a year. A
00:02:57.512 --> 00:03:03.000
version of the report came out in 2017 and
later that year the full report. And the
00:03:03.000 --> 00:03:07.351
gist of our report was that once you get
software everywhere, safety and security
00:03:07.351 --> 00:03:12.721
become entangled. And in fact, when you
think about it, the two are the same in
00:03:12.721 --> 00:03:19.287
pretty well all the languages spoken by EU
citizens. speaks other languages.
00:03:19.287 --> 00:03:23.170
It's only English that distinguishes
between the two. And with
00:03:23.170 --> 00:03:28.264
Britain leaving the EU, of course you will
have languages in which safety and
00:03:28.264 --> 00:03:33.578
security become the same. Throughout
Brussels and throughout the continent. But
00:03:33.578 --> 00:03:38.191
anyway, how are we going to update safety
regulation in order to cope? This was the
00:03:38.191 --> 00:03:44.185
problem that Brussels was trying to get
its head around. So one of the things that
00:03:44.185 --> 00:03:50.619
we had been looking at over the past 15,
20 years is the economics of information
00:03:50.619 --> 00:03:56.381
security, because often big complex
systems fail because the incentives are
00:03:56.381 --> 00:04:01.530
wrong. If Alice guards the system and Bob
bears the cost of failure, you can expect
00:04:01.530 --> 00:04:08.374
trouble. And many of these ideas go across
the safety as well. Now, it's already well
00:04:08.374 --> 00:04:13.203
known that markets do safety in some
industries, such as aviation, way better
00:04:13.203 --> 00:04:18.903
than others, such as medicine. And cars
were dreadful for many years for the first
00:04:18.903 --> 00:04:23.245
80 years of the car industry. People
didn't bother with things like seatbelts,
00:04:23.245 --> 00:04:28.643
and it was only until Ralph Nader's book,
Unsafe at Any Speed, led the Americans to
00:04:28.643 --> 00:04:32.767
set up the National Highways,
Transportation and Safety Administration
00:04:32.767 --> 00:04:37.410
and various court cases brought this
forcefully to public attention that car
00:04:37.410 --> 00:04:42.900
safety started to become a thing. Now in
the EU, we've got a whole series of broad
00:04:42.900 --> 00:04:49.292
frameworks and specific directives and
detailed rules, and thus overall 20 EU
00:04:49.292 --> 00:04:55.074
agencies plus the UNECE in play here. So
how can we navigate this? Well, what we
00:04:55.074 --> 00:05:00.035
were asked to do was to look at three
specific verticals and study them in some
00:05:00.035 --> 00:05:06.507
detail so that the lessons from them could
be then taken to the other verticals in
00:05:06.507 --> 00:05:17.967
which the EU operates. And cars were one
of those. And some of you may remember the
00:05:17.967 --> 00:05:26.601
CarShark paper in 2011. Four guys from
San Diego and the University of Washington
00:05:26.601 --> 00:05:30.720
figured out how to hack a vehicle and
control it remotely. And I used to have a
00:05:30.720 --> 00:05:34.477
lovely little video of this that the
researchers gave me. But my Mac got
00:05:34.477 --> 00:05:41.370
upgraded to Catalina last week and it
doesn't play anymore. So, verschlimmbessern?
00:05:41.370 --> 00:05:44.354
as they say in German? Right?
Yeah.
00:05:44.354 --> 00:05:49.316
applause
00:05:49.316 --> 00:05:53.717
Okay. We'll get it going sooner or later.
Anyway, this was largely ignored because
00:05:53.717 --> 00:05:59.976
one little video didn't make the biscuit.
But in 2015, it suddenly came to the
00:05:59.976 --> 00:06:04.643
attention of the industry because Charlie
Miller and Chris Valasek, two guys who had
00:06:04.643 --> 00:06:10.870
been in the NSA's hacking team, hacked a
Jeep Cherokee using Chrysler's Uconnect.
00:06:10.870 --> 00:06:14.171
And this meant that they could go down
through all the Chrysler vehicles in
00:06:14.171 --> 00:06:18.548
America and look at them one by one and
ask, where are you? And then when they
00:06:18.548 --> 00:06:21.676
found the vehicle that was somewhere
interesting, they could go in and do
00:06:21.676 --> 00:06:26.878
things to it. And what they found was that
to hack a vehicle, suddenly you just
00:06:26.878 --> 00:06:34.539
needed the vehicle's IP address. And so
they got a journalist into a vehicle and
00:06:34.539 --> 00:06:38.649
they got it to slow down and had trucks
behind them hooting away, and eventually
00:06:38.649 --> 00:06:43.102
they ran the vehicle off the road. And
when the TV footage of this got out,
00:06:43.102 --> 00:06:47.505
suddenly, people cared. It made the front
pages of the press in the USA, and
00:06:47.505 --> 00:06:52.359
Chrysler had to recall 1.4 million
vehicles for a software fix, which meant
00:06:52.359 --> 00:06:58.268
actually reflashing the firmware of the
devices. And it cost them billions and
00:06:58.268 --> 00:07:02.170
billions of dollars. So all of a sudden,
this is something to which people paid
00:07:02.170 --> 00:07:10.675
attention. Some of you may know this chap
here, at least by sight. This is Martin
00:07:10.675 --> 00:07:15.852
Winterkorn, who used to run Volkswagen.
And when it turned out that he had hacked
00:07:15.852 --> 00:07:20.292
millions and millions of Volkswagen
vehicles by putting in evil software that
00:07:20.292 --> 00:07:26.780
defeated emissions controls. That's what
happened to Volkswagen stock price. Oh,
00:07:26.780 --> 00:07:33.770
and he lost his job and got prosecuted. So
this is an important point about vehicles
00:07:33.770 --> 00:07:37.668
and in fact, about many things in the
Internet of Things or Internet of
00:07:37.668 --> 00:07:42.246
targets, whatever you want to call it. The
threat model isn't just external, it is
00:07:42.246 --> 00:07:47.105
internal as well. There are bad people all
the way up and down the supply chain. Even
00:07:47.105 --> 00:07:54.605
at the OEM. So that's the state of play in
cars. And we investigated that and wrote a
00:07:54.605 --> 00:08:03.785
bit about it. Now, here's medicine. This
was the second thing that we looked at.
00:08:03.785 --> 00:08:08.789
These are some pictures of the scene in
the intensive care unit in Swansea
00:08:08.789 --> 00:08:13.335
Hospital. So after your car gets hacked
and you go off the road, this is where you
00:08:13.335 --> 00:08:19.918
end up. And just as a car has got about 50
computers in it, you're now going to see
00:08:19.918 --> 00:08:34.040
that there's quite a few computers at your
bedside. How many CPUs can you see? You
00:08:34.040 --> 00:08:39.807
see, there's quite a few, about a
comparable number to the number of CPUs in
00:08:39.807 --> 00:08:47.235
your car. Only here the systems
integration is done by the nurse, not by
00:08:47.235 --> 00:08:55.528
the engineers at Volkswagen or Mercedes.
And does this cause safety problems? Oh,
00:08:55.528 --> 00:09:06.723
sure. Here are pictures of the user
interface of infusion pumps taken from
00:09:06.723 --> 00:09:13.500
Swansea's intensive care unit. And as you
can see, they're all different. This is a
00:09:13.500 --> 00:09:17.736
little bit like if you suddenly had to
drive a car from the 1930s, an old
00:09:17.736 --> 00:09:22.452
Lanchester, for example, and then you find
that the accelerator is between the brake
00:09:22.452 --> 00:09:27.416
and the clutch, right? Honestly, there
used to be such cars. You can still find
00:09:27.416 --> 00:09:33.325
them in antique car fairs or a Model T
Ford, for example, where the accelerator is
00:09:33.325 --> 00:09:39.003
actually a lever on the dashboard and one
of the pedals is a gear change. And yet
00:09:39.003 --> 00:09:44.330
you're asking nurses to operate a variety
of different pieces of equipment and look,
00:09:44.330 --> 00:09:50.645
for example, at the Bodyguard 545. The one
on the top, to increase the dose. Right,
00:09:50.645 --> 00:09:54.527
this is the morphine that is being dripped
into your vein once you've had your car
00:09:54.527 --> 00:09:58.949
crash, to increase the dose you have to
press 2 and to decrease that, you have to
00:09:58.949 --> 00:10:06.882
press 0. On the Bodyguard 545 at the
bottom right, to increase the dose you
00:10:06.882 --> 00:10:14.367
press 5 and to decrease it, you press 0.
And this leads to accidents, to fatal
00:10:14.367 --> 00:10:21.179
accidents, a significant number of them.
Okay. So you might say, well, why not have
00:10:21.179 --> 00:10:25.576
standards? Well, we have standards. We've
got standards which say that liter should
00:10:25.576 --> 00:10:30.510
always be a capital L, so it is not
confused with a one. And then you see that
00:10:30.510 --> 00:10:37.522
and the Bodyguard on the bottom right.
MILLILITERS is a capital L in green. Okay.
00:10:37.522 --> 00:10:43.285
Well done, Mr. Bodyguard. The problem is,
if you look up two lines, you see 500
00:10:43.285 --> 00:10:49.172
milliliters is in small letters. So
there's a standard problem. There's an
00:10:49.172 --> 00:10:53.785
enforcement problem and there are
externalities because each of these vendors
00:10:53.785 --> 00:10:58.285
will say, well, everybody else should
standardize on my kit. And there are also
00:10:58.285 --> 00:11:04.745
various other market failures. So the
expert who's been investigating this is my
00:11:04.745 --> 00:11:09.515
friend Harold Thimbleby, who's a professor
of computer science at Swansea. And his
00:11:09.515 --> 00:11:14.603
research shows that hospital safety
usability failures kill about 2000 people
00:11:14.603 --> 00:11:22.207
every year in the UK, which is about the
same as road accidents. And safety
00:11:22.207 --> 00:11:29.572
usability, in other words, gets ignored
because the incentives are wrong. In
00:11:29.572 --> 00:11:33.486
Britain and indeed in the European
institutions, people tend to follow the
00:11:33.486 --> 00:11:39.190
FDA in America and that is captured by the
large medical device makers over there.
00:11:39.190 --> 00:11:45.150
They only have two engineers. They're not
allowed to play with pumps, etc, etc, etc.
00:11:45.150 --> 00:11:50.322
The curious thing here is that safety and
security come together. The safety of
00:11:50.322 --> 00:11:55.316
medical devices may improve because as
soon as it becomes possible to hack a
00:11:55.316 --> 00:12:02.577
medical device, then people suddenly take
care. So the first of this was when Kevin
00:12:02.577 --> 00:12:07.334
Fu and researchers at the University of
Michigan showed that they could hack the
00:12:07.334 --> 00:12:12.270
Hospira Symbiq infusion pump over
Wi-Fi. And this led the FDA to immediately
00:12:12.270 --> 00:12:17.244
panic and blacklist the pump, recalling it
from service. But then Kevin said, what
00:12:17.244 --> 00:12:21.108
about the 200 other infusion pumps that
are unsafe because of the things on the
00:12:21.108 --> 00:12:27.760
previous slide? And the FDA said, we couldn't
possibly recall all those. Then two years
00:12:27.760 --> 00:12:33.118
ago, there's an even bigger recall. It
turned out that 450 000 pacemakers made by
00:12:33.118 --> 00:12:38.939
St. Jude could similarly be hacked over
Wi-Fi. And so the recall was ordered. And
00:12:38.939 --> 00:12:42.590
this is quite serious, because if you've
got a heart pacemaker, right, it's
00:12:42.590 --> 00:12:47.681
implanted surgically in the muscle next to
your shoulder blade. And to remove that
00:12:47.681 --> 00:12:51.740
and replace it with a new one, which they
do every 10 years to change the battery,
00:12:51.740 --> 00:12:54.950
you know, is a day care surgery procedure.
You have to go in there, get an
00:12:54.950 --> 00:12:58.256
anesthetic. They have to have a
cardiologist ready in case you have a
00:12:58.256 --> 00:13:05.340
heart attack. It's a big deal, right? It
costs maybe 3000 pounds in the UK. And so
00:13:05.340 --> 00:13:11.000
3000 pounds times 450 000 pacemakers.
Multiply it by two for American health
00:13:11.000 --> 00:13:18.510
care costs and you're talking real money.
So what should Europe do about this? Well,
00:13:18.510 --> 00:13:22.970
thankfully, the European institutions have
been getting off their butts on this and
00:13:22.970 --> 00:13:27.650
the medical device directive has been
revised. And from next year, medical
00:13:27.650 --> 00:13:31.170
devices will have post-market
surveillance, risk management plan,
00:13:31.170 --> 00:13:37.460
ergonomic design. And here's perhaps the
driver for software engineering for
00:13:37.460 --> 00:13:41.600
devices that incorporate software. The
software shall be developed in accordance
00:13:41.600 --> 00:13:45.680
with the state of the art, taking into
account the principles of development,
00:13:45.680 --> 00:13:50.810
life cycle risk management, including
information security, verification and
00:13:50.810 --> 00:13:57.470
validation. So there at least we have a
foothold and it continues. Devices shall
00:13:57.470 --> 00:14:02.150
be designed and manufactured in such a way
as to protect as far as possible against
00:14:02.150 --> 00:14:06.620
unauthorized access that could hamper the
device from functioning as intended. Now
00:14:06.620 --> 00:14:11.040
it's still not perfect. There's various
things that the manufacturers can do to
00:14:11.040 --> 00:14:17.090
wriggle. But it's still a huge
improvement. The third thing that we
00:14:17.090 --> 00:14:20.990
looked at was energy, electricity
substations and electrotechnical
00:14:20.990 --> 00:14:25.700
equipment in general. There have been one
or two talks at this conference on that.
00:14:25.700 --> 00:14:30.480
Basically, the problem is that you've got
a 40 year life cycle for these devices.
00:14:30.480 --> 00:14:35.750
Protocols such as Modbus and DNP3 don't
support authentication. And the fact that
00:14:35.750 --> 00:14:41.180
everything has gone to IP networks means
that, as with the Chrysler Jeeps, anybody
00:14:41.180 --> 00:14:45.750
who knows your IP address can read from it,
and with an actuator's IP address, you can
00:14:45.750 --> 00:14:51.200
activate it. So the only practical fix
there is to re-perimeterise and the
00:14:51.200 --> 00:14:56.300
entrepreneurs who noticed this 10 to 15
years ago and set up companies like Belden
00:14:56.300 --> 00:15:00.980
have now made lots and lots of money.
Companies like BP now have thousands of
00:15:00.980 --> 00:15:06.050
such firewalls which isolate their
chemical and other plants from the
00:15:06.050 --> 00:15:11.480
internet. So one way in which you can deal
with this is having one component that
00:15:11.480 --> 00:15:14.900
connects you to the network, you replace
it every five years. That's one way of
00:15:14.900 --> 00:15:20.270
doing, if you like, sustainable security
for your oil refinery. But this is a lot
00:15:20.270 --> 00:15:25.280
harder for cars, which have got multiple
RF interfaces. A modern car has maybe 10
00:15:25.280 --> 00:15:31.600
interfaces. Among all those there is the
internal phone. There's the short range radio
00:15:31.600 --> 00:15:37.310
link for remote key entry. Those things.
There are links to the devices that
00:15:37.310 --> 00:15:41.030
monitor your tire pressure. There's all
sorts of other things and every single one
00:15:41.030 --> 00:15:48.350
of these has been exploited at least once.
And there are particular difficulties in
00:15:48.350 --> 00:15:53.180
the auto industry because of the
fragmented responsibility in the supply
00:15:53.180 --> 00:15:57.530
chain between the OEM, the tier ones and
the specialists who produce all the
00:15:57.530 --> 00:16:03.380
various bits and pieces that get glued
together. Anyway, so the broad questions
00:16:03.380 --> 00:16:08.480
that arise from this include who will
investigate incidents and to whom will
00:16:08.480 --> 00:16:15.890
they be reported? Right? How do we embed
responsible disclosure? How do we bring
00:16:15.890 --> 00:16:21.500
safety engineers and security engineers
together? This is an enormous project
00:16:21.500 --> 00:16:25.580
because security engineers and safety
engineers use different languages. We have
00:16:25.580 --> 00:16:31.040
different university degree programs. We
go to different conferences. And the world
00:16:31.040 --> 00:16:35.450
of safety is similarly fragmented between
the power people, the car people, the
00:16:35.450 --> 00:16:40.680
naval people, the signal people and so on
and so forth. Some companies are beginning
00:16:40.680 --> 00:16:44.940
to get this together. The first is Bosch,
which put together their safety
00:16:44.940 --> 00:16:48.960
engineering and security engineering
professions. But even once you have done
00:16:48.960 --> 00:16:53.640
that in organizational terms, how do you
teach a security engineer to think safety
00:16:53.640 --> 00:16:58.950
and vice versa? Then the problem that
bothered the European Union, are the
00:16:58.950 --> 00:17:04.350
regulators all going to need security
engineers? Right. I mean, many of these
00:17:04.350 --> 00:17:10.250
organizations in Brussels don't even have
an engineer on staff, right? They are
00:17:10.250 --> 00:17:16.260
mostly full of lawyers and policy people.
And then, of course, for this audience,
00:17:16.260 --> 00:17:21.280 line:1
how do you prevent abuse of lock-in, you
know, in America if you've got a tractor
00:17:21.280 --> 00:17:25.200
from John Deere? And then if you don't
take it to a John Deere dealer every six
00:17:25.200 --> 00:17:29.790
months or so, it stops working. Right. And
if you try and hack it so you can fix it
00:17:29.790 --> 00:17:34.740
yourself, then John Deere will try to get
you prosecuted. We just don't want that
00:17:34.740 --> 00:17:41.100
kind of stuff coming over the Atlantic
into Europe. So we ended up with a number
00:17:41.100 --> 00:17:46.770
of recommendations. We thought that we
would get vendors to self-certify for the
00:17:46.770 --> 00:17:52.160
CE mark that products could be patched if
need be. That turned out to be not viable.
00:17:52.160 --> 00:17:57.100
We then came up with another idea that
things should be secure by default for the
00:17:57.100 --> 00:18:00.630
update to the Radio Equipment Directive.
And that didn't get through the European
00:18:00.630 --> 00:18:06.980
Parliament either. In fact, it was Mozilla
that lobbied against it. Eventually we got
00:18:06.980 --> 00:18:11.850
something through which I'll discuss in a
minute. We talked about requiring a secure
00:18:11.850 --> 00:18:15.210
development lifecycle with vulnerability
management because we've already got
00:18:15.210 --> 00:18:21.330
standards for that. We talked about
creating a European security engineering
00:18:21.330 --> 00:18:25.830
agency. So that would be people in
Brussels to support policymakers and the
00:18:25.830 --> 00:18:30.540
reaction to that, a year and a half ago,
was to arrange for ENISA to be allowed to
00:18:30.540 --> 00:18:35.040
open an office in Brussels so that they
can hopefully build a capability there
00:18:35.040 --> 00:18:40.200
with some technical people who can support
policymakers. We recommended extending the
00:18:40.200 --> 00:18:45.830
product liability directive to services.
There is enormous pushback on that.
00:18:45.830 --> 00:18:50.430
Companies like Google and Facebook and so
on don't like the idea that they should be
00:18:50.430 --> 00:18:55.620
as liable for mistakes made by Google
Maps, as for example, Garmin is liable for
00:18:55.620 --> 00:19:00.930
mistakes made by the navigators. And then
there's the whole business of how do you
00:19:00.930 --> 00:19:05.220
take the information that European
institutions already have on breaches and
00:19:05.220 --> 00:19:10.140
vulnerabilities and report this not just
to ENISA, but the safety regulators and
00:19:10.140 --> 00:19:14.160
users, because somehow you've got to
create a learning system. And this is
00:19:14.160 --> 00:19:19.050
perhaps one of the big pieces of work to
be done. How do you take, I mean, once all
00:19:19.050 --> 00:19:23.550
cars are sort of semi intelligent, once
everybody's got telemetry and once there
00:19:23.550 --> 00:19:28.050
are, you know, gigabytes of data
everywhere, then whenever there's a car
00:19:28.050 --> 00:19:34.050
crash, the data have to go to all sorts of
places, to the police, to the insurers, to
00:19:34.050 --> 00:19:40.350
courts, and then, of course, up to the car
makers and regulators and component
00:19:40.350 --> 00:19:45.060
suppliers and so on. How do you design the
system that will cause the right data to
00:19:45.060 --> 00:19:49.680
get to the right place, which will still
respect people's privacy rights and all
00:19:49.680 --> 00:19:54.900
the various other legal obligations? This
is a huge project and nobody has really
00:19:54.900 --> 00:19:59.880
started to think yet about how it's going
to be done, right. At present, if you've
00:19:59.880 --> 00:20:03.780
got a crash in a car like a Tesla, which
has got very good telemetry, you basically
00:20:03.780 --> 00:20:07.200
have to take Tesla to court to get the
data because otherwise they won't hand it
00:20:07.200 --> 00:20:13.320
over. Right. We need a better regime for
this. And that at present is a blank
00:20:13.320 --> 00:20:18.910
slate. It's up to us, I suppose, to figure
out how such a system should be designed
00:20:18.910 --> 00:20:23.870
and built, and it will take many years to
do it, right. If you want a safe system, a
00:20:23.870 --> 00:20:32.940
system that learns, this is what it is going
to involve. But there's one thing that
00:20:32.940 --> 00:20:37.920
struck us after we'd done this work, after
we delivered this to the European
00:20:37.920 --> 00:20:41.940
Commission, that I'd gone to Brussels and
given a talk to dozens and dozens of
00:20:41.940 --> 00:20:49.060
security guys. Richard Clayton and I went
to Schloss Dagstuhl for a weeklong seminar
00:20:49.060 --> 00:20:53.010
on some other security topic. And we were
just chatting one evening and we said,
00:20:53.010 --> 00:21:00.250
well, you know, what did we actually learn
from this whole exercise on
00:21:00.250 --> 00:21:07.090
standardization and certification? Well,
it's basically this: there are two
00:21:07.090 --> 00:21:12.790
types of secure things that we currently
know how to make. The first is stuff like
00:21:12.790 --> 00:21:17.890
your phone or your laptop, which is secure
because you patch it every month. Right.
00:21:17.890 --> 00:21:22.180
But then you have to throw it away after
three years because Larry and Sergey don't
00:21:22.180 --> 00:21:35.920
have enough money to maintain three
versions of Android. And then we've got
00:21:35.920 --> 00:21:41.460
things like cars and medical devices where
we test them to death before release and
00:21:41.460 --> 00:21:46.600
we don't connect them to the Internet, and
we almost never patch them unless Charlie
00:21:46.600 --> 00:21:52.750
Miller and Chris Valasek get to go at
your car that is. So what's gonna happen
00:21:52.750 --> 00:21:59.050
to support costs? Now that we're starting
to patch cars and you have to patch cars
00:21:59.050 --> 00:22:02.890
because they're online, and once something's
online, right? Anybody in the world can
00:22:02.890 --> 00:22:06.760
attack us. If a vulnerability is
discovered, it can be scaled and something
00:22:06.760 --> 00:22:11.150
that you can previously ignore suddenly
becomes something that you have to fix.
00:22:11.150 --> 00:22:14.650
And if you have to pull all your cars
into a garage to patch them, that costs
00:22:14.650 --> 00:22:18.490
real money. So you need to be able to
patch them over the air. So all of a
00:22:18.490 --> 00:22:26.920
sudden cars become like computers or
phones. So what is this going to mean? So
00:22:26.920 --> 00:22:34.030
this is the trilemma. If you've got a
standard safety life cycle, there's no
00:22:34.030 --> 00:22:38.150
patching. You get safety and
sustainability, but you can't go online
00:22:38.150 --> 00:22:43.600
because you'll get hacked. And if you get
the standard security lifecycle you're
00:22:43.600 --> 00:22:50.650
patching, but that breaks the safety
certification, so that's a problem. And if
00:22:50.650 --> 00:22:54.730
you get patching plus redoing safety
certification with current methods, then
00:22:54.730 --> 00:22:58.930
the cost of maintaining your safety rating
can be sky high. So here's the big
00:22:58.930 --> 00:23:09.770
problem. How do you get safety, security
and sustainability at the same time? Now
00:23:09.770 --> 00:23:13.040
this brings us to another thing that a
number of people at this congress are
00:23:13.040 --> 00:23:17.960
interested in: the right to repair. This
is the Centennial Light, right? It's been
00:23:17.960 --> 00:23:24.230
running since 1901. Right. It's in
Livermore in California. It's kind of dim,
00:23:24.230 --> 00:23:30.200
but you can go there and you can see it.
Still there. In 1924, the three firms that
00:23:30.200 --> 00:23:34.790
dominated the light business, GE, Osram
and Philips agreed to reduce average bulb
00:23:34.790 --> 00:23:39.590
lifetime from some 2500 hours to 1000
hours. Why? In order to sell more of
00:23:39.590 --> 00:23:46.430
them. And one of the things that's come
along with CPUs and communications and so
00:23:46.430 --> 00:23:52.360
on with smart stuff, to use that horrible
word, is that firms are now using online
00:23:52.360 --> 00:23:58.340
mechanisms, software and cryptographic
mechanisms in order to make it hard or
00:23:58.340 --> 00:24:03.860
even illegal to fix products. And I
believe that there's a case against Apple
00:24:03.860 --> 00:24:16.790
going on in France about this. Now, you
might not think it's something that
00:24:16.790 --> 00:24:20.780
politicians will get upset about, that you
have to throw away your phone after three
00:24:20.780 --> 00:24:25.070
years instead of after five years. But
here's something you really should worry
00:24:25.070 --> 00:24:31.640
about. Vehicle life cycle economics,
because the lifetimes of cars in Europe
00:24:31.640 --> 00:24:36.990
have about doubled in the last 40 years.
And the average age of a car in Britain,
00:24:36.990 --> 00:24:46.530
which is scrapped, is now almost 15 years.
So what's going to happen once you've got,
00:24:46.530 --> 00:24:54.110
you know, wonderful self-driving software
in all the cars. Well, a number of big car
00:24:54.110 --> 00:25:00.200
companies, including in this country, were
taking the view two years ago that they
00:25:00.200 --> 00:25:06.320
wanted people to scrap their cars after
six years and buy a new one. Hey, makes
00:25:06.320 --> 00:25:10.100
business sense, doesn't it? If you're Mr.
Mercedes, your business model is if the
00:25:10.100 --> 00:25:13.790
customer is rich, you sell him a three
year lease on a new car. And if the
00:25:13.790 --> 00:25:18.370
customer is not quite so rich, you sell
him a three year lease on a Mercedes
00:25:18.370 --> 00:25:23.715
approved used car. And if somebody drives a
seven year old Mercedes, that's thought
00:25:23.715 --> 00:25:31.620
crime. You know, they should emigrate to
Africa or something. So this was the view
00:25:31.620 --> 00:25:38.070
of the vehicle makers. But here's the rub.
The embedded CO2 costs of a car often
00:25:38.070 --> 00:25:43.380
exceed its lifetime fuel burn. My best
estimate for the embedded CO2 costs of an
00:25:43.380 --> 00:25:48.030
E-class Mercedes is 35 tons. So go and
work out, you know, how many liters per
00:25:48.030 --> 00:25:53.760
100 kilometers and how many kilometers
it's gonna run in 15 years. And you come
00:25:53.760 --> 00:25:59.710
to the conclusion that if you get a six
year lifetime, then maybe you are
00:25:59.710 --> 00:26:07.180
decreasing the range of the car from 300
000 kilometers to 100 000 kilometers. And
00:26:07.180 --> 00:26:13.080
so you're approximately doubling the
overall CO2 emissions. Taking the whole
00:26:13.080 --> 00:26:16.710
life cycle, not just the scope one, but
the scope two, and the scope three, the
00:26:16.710 --> 00:26:22.320
embedded stuff as well. And then there are
other consequences. What about Africa,
00:26:22.320 --> 00:26:26.820
where most vehicles are imported second
hand? If you go to Nairobi, all the cars
00:26:26.820 --> 00:26:31.110
are between 10 and 20 years old, right?
They arrive in the docks in Mombasa when
00:26:31.110 --> 00:26:35.310
they're already 10 years old and people
drive them for 10 years and then they end
00:26:35.310 --> 00:26:39.090
up in Uganda or Chad or somewhere like
that. And they're repaired for as long as
00:26:39.090 --> 00:26:43.560
they're repairable. What's going to happen
to road transport in Africa if all of a
00:26:43.560 --> 00:26:48.660
sudden there's a software time bomb that
causes cars to self-destruct ten years
00:26:48.660 --> 00:26:56.040
after they leave the showroom. And if there
isn't, what about safety? I don't know
00:26:56.040 --> 00:27:00.420
what the rules are here, but in Britain I
have to get my car through a safety
00:27:00.420 --> 00:27:05.010
examination every year, once it's more
than three years old. And it's entirely
00:27:05.010 --> 00:27:09.510
foreseeable that within two or three years
the mechanic will want to check that the
00:27:09.510 --> 00:27:15.880
software is up to date. So once the
software update is no longer available,
00:27:15.880 --> 00:27:24.580
that's basically saying this car must now
be exported or scrapped. I couldn't resist
00:27:24.580 --> 00:27:29.120
the temptation to put in a cartoon:
"My engine's making a weird noise."
00:27:29.120 --> 00:27:32.490
"Can you take a look?"
"Sure. Just pop the hood. Oh, the hood
00:27:32.490 --> 00:27:36.600
latch is also broken. Okay, just pull up
to that big pit and push the car in. We'll
00:27:36.600 --> 00:27:41.400
go get a new one."
Right? This is if we start treating cars
00:27:41.400 --> 00:27:53.250
the way we treat consumer electronics. So
what's a reasonable design lifetime? Well,
00:27:53.250 --> 00:27:58.260
with cars, the way it is going is maybe 18
years, say 10 years from the sale of the
00:27:58.260 --> 00:28:03.660
last products in a model range. Domestic
appliances, 10 years because of spares
00:28:03.660 --> 00:28:09.720
obligation plus store life, say 15.
Medical devices: If a pacemaker lives for
00:28:09.720 --> 00:28:16.410
10 years, then maybe you need 20 years. For
electricity substations, even more. So
00:28:16.410 --> 00:28:22.500
from the point of view of engineers, the
question is, how can you see to it that
00:28:22.500 --> 00:28:27.690
your software will be patchable for 20
years? So as we put it in the abstract, if
00:28:27.690 --> 00:28:34.830
you are writing software now for a car
that will go on sale in 2023, what sort of
00:28:34.830 --> 00:28:39.090
languages, what sort of toolchain should
you use? What sort of crypto should you
00:28:39.090 --> 00:28:46.390
use so that you're sure you'll still be
able to patch that software in 2043? And
00:28:46.390 --> 00:28:50.040
that isn't just about the languages and
compilers and linkers and so on. That's
00:28:50.040 --> 00:28:59.490
about the whole ecosystem. So what did the
EU do? Well, I'm pleased to say that at
00:28:59.490 --> 00:29:05.800
the third attempt, the EU managed to get
some law through on this. Directive 771
00:29:05.800 --> 00:29:10.440
this year on smart goods says that buyers
of goods with digital elements are
00:29:10.440 --> 00:29:15.570
entitled to necessary updates for two
years or for a longer period of time if
00:29:15.570 --> 00:29:20.880
this is a reasonable expectation of the
customer. This is what they managed to get
00:29:20.880 --> 00:29:24.990
through the parliament. And what we would
expect is that this will mean at least 10
00:29:24.990 --> 00:29:29.520
years for cars, ovens, fridges, air
conditioning and so on because of existing
00:29:29.520 --> 00:29:35.100
provisions about physical spares. And
what's more, the trader has got the burden
00:29:35.100 --> 00:29:39.720
of proof in the first couple of years if
there's disputes. So there is now the
00:29:39.720 --> 00:29:48.160
legal framework there to create the demand
for long term patching of software. And
00:29:48.160 --> 00:29:54.570
now it's kind of up to us. If the durable
goods we're designing today are still
00:29:54.570 --> 00:30:00.030
working in 2039, then a whole bunch of
things are gonna have to change. Computer
00:30:00.030 --> 00:30:04.650
science has always been about managing
complexity ever since the very first high
00:30:04.650 --> 00:30:09.780
level languages and the history goes on
from there through types and objects and
00:30:09.780 --> 00:30:14.730
tools like git and Jenkins and Coverity.
So here's a question for the computer
00:30:14.730 --> 00:30:19.560
scientists here. What else is going to be
needed for sustainable computing? Once we
00:30:19.560 --> 00:30:31.440
have software in just about everything. So
research topics to support 20 year
00:30:31.440 --> 00:30:35.670
patching include a more stable and
powerful toolchain. We know how complex
00:30:35.670 --> 00:30:41.730
this can be from crypto with looking at
history of the last 20 years of TLS. Cars
00:30:41.730 --> 00:30:45.480
teach that it's difficult and expensive to
sustain all the different test
00:30:45.480 --> 00:30:50.790
environments. You have different models
of cars. Control systems teach that
00:30:50.790 --> 00:30:54.480
you can make small changes to the
architecture, which will then limit what
00:30:54.480 --> 00:30:59.640
you have to patch. Android teaches how
you go about motivating OEMs to patch
00:30:59.640 --> 00:31:04.140
products that they no longer sell. In this
case, it's European law, but there's maybe
00:31:04.140 --> 00:31:10.840
other things you can do too. What does it
mean for those of us who teach and
00:31:10.840 --> 00:31:15.090
research in universities? Well, since
2016, I've been teaching safety and
00:31:15.090 --> 00:31:20.490
security together in the same course to
first year undergraduates, because
00:31:20.490 --> 00:31:25.560
presenting these ideas together in
lockstep will help people to think in more
00:31:25.560 --> 00:31:30.300
unified terms about how it all holds
together. In research terms we have
00:31:30.300 --> 00:31:34.590
been starting to look at what we can do to
make the tool chain more sustainable. For
00:31:34.590 --> 00:31:39.750
example, one of the problems that you have
if you maintain crypto software is that
00:31:39.750 --> 00:31:44.550
every so often the compiler writers get
a little bit smarter and the compiler
00:31:44.550 --> 00:31:48.450
figures out that these extra padding
instructions that you put in to make the
00:31:48.450 --> 00:31:53.970
loops of your crypto routines run in
constant time and to scrub the contents of
00:31:53.970 --> 00:31:58.130
round keys once they are no longer in use,
are not doing any real work, and it
00:31:58.130 --> 00:32:02.840
removes them. And all of a sudden from one
day to the next, you find that your crypto
00:32:02.840 --> 00:32:07.520
has sprung a huge big timing leak and then
you have to rush to get somebody out of
00:32:07.520 --> 00:32:11.900
bed to fix the tool chain. So one of the
things that we thought was that better
00:32:11.900 --> 00:32:17.360
ways for programmers to communicate intent
might help. And so there's a paper by
00:32:17.360 --> 00:32:21.800
Laurent Simon and David Chisnall and I
where we looked at zeroising sensitive
00:32:21.800 --> 00:32:27.830
variables and doing constant time loops
with a plug-in for LLVM. And that led to a
00:32:27.830 --> 00:32:32.810
EuroS&P paper a year and a half ago: "What
you get is what you C", and there's a plug-in
00:32:32.810 --> 00:32:40.770
that you can download and play
with. Macro scale sustainable security is
00:32:40.770 --> 00:32:45.980
going to require a lot more. Despite the
problems in the aero industry with the
00:32:45.980 --> 00:32:51.800
737Max, the aerospace industry still has
got a better feedback loop of learning
00:32:51.800 --> 00:32:59.280
from incidents and accidents. And we don't
have that yet in any of the fields like
00:32:59.280 --> 00:33:05.360
cars and so on. It's going to be needed.
What can we use as a guide? Security
00:33:05.360 --> 00:33:13.070
economics is one set of intellectual tools
that can be applied. We've known for
00:33:13.070 --> 00:33:18.020
almost 20 years now that complex socio-
technical systems often fail because of
00:33:18.020 --> 00:33:22.490
poor incentives. If Alice guards a system
and Bob pays the cost of failure, you can
00:33:22.490 --> 00:33:27.740
expect trouble. And so security economics
researchers can explain platform security
00:33:27.740 --> 00:33:34.040
problems, patching cycles, liability games
and so on. And the same principles apply
00:33:34.040 --> 00:33:38.750
to safety and will become even more
important as safety and security become
00:33:38.750 --> 00:33:43.940
entangled. Also, we'll get even more data
and we'll be able to do more research and
00:33:43.940 --> 00:33:51.080
get more insights from the data. So where
does this lead? Well, our paper "Making
00:33:51.080 --> 00:33:56.240
Security Sustainable", and the thing that
we did for the EU standardization and
00:33:56.240 --> 00:34:00.500
certification of the Internet of Things
are on my web page together with other
00:34:00.500 --> 00:34:04.910
relevant papers on topics around
sustainability from, you know, smart
00:34:04.910 --> 00:34:11.280
metering to pushing back on wildlife
crime. And that's the first place to go if
00:34:11.280 --> 00:34:15.540
you're interested in this stuff. And
there's also our blog. And if you're
00:34:15.540 --> 00:34:20.790
interested in these kinds of issues at the
interface between technology and policy of
00:34:20.790 --> 00:34:25.980
how incentives work and how they very
often fail when it comes to complex socio-
00:34:25.980 --> 00:34:31.240
technical systems, then the Workshop
on the Economics of Information Security
00:34:31.240 --> 00:34:36.750
in Brussels next June is the place where
academics interested in these topics tend
00:34:36.750 --> 00:34:47.400
to meet up. So perhaps we'll see a few of
you there in June. And with that, there's
00:34:47.400 --> 00:34:53.250
a book on security engineering which goes
over some of these things and there's a
00:34:53.250 --> 00:34:56.127
third edition in the pipeline.
00:34:56.127 --> 00:34:58.577
H: Thank you very much,
Ross Anderson, for the talk.
00:34:58.577 --> 00:35:08.787
applause
00:35:08.787 --> 00:35:13.290
We will start the Q&A session a little bit
differently than you're used to. Ross has a
00:35:13.290 --> 00:35:18.807
question for you. So he told me there will
be a third edition of his book and he is
00:35:18.807 --> 00:35:24.745
not yet sure about the cover he wants to
have. So you are going to choose. And so
00:35:24.745 --> 00:35:29.545
that the people on the stream also can
hear your choice, I would like you to make
00:35:29.545 --> 00:35:36.610
a humming noise for the cover which you
like more. You will first see both covers.
00:35:36.610 --> 00:35:43.570
R: Cover 1, and cover 2.
H: So, who of you would prefer the
00:35:43.570 --> 00:35:52.510
first cover?
applause Come on.
00:35:52.510 --> 00:36:01.850
And the second choice. louder applause
OK. I think we have a clear favorite here
00:36:01.850 --> 00:36:04.517
from the audience, so it would
be the second cover.
00:36:04.517 --> 00:36:08.690
R: Thanks.
H: And we will look forward to seeing this
00:36:08.690 --> 00:36:13.727
cover next year then. So if you now have
questions yourself, you can line up in
00:36:13.727 --> 00:36:18.867
front of the microphones. You will find
eight distributed in the hall, three in
00:36:18.867 --> 00:36:27.070
the middle, two on the sides. Signal Angel
has the first question from the Internet.
00:36:27.070 --> 00:36:31.560
Person1: The first question is, is there a
reason why you didn't include aviation
00:36:31.560 --> 00:36:36.278
in your research?
R: We were asked to choose three fields,
00:36:36.278 --> 00:36:40.649
and the three fields I chose were the ones
in which we've worked most recently.
00:36:40.649 --> 00:36:46.413
I did some work in avionics, but that was
40 years ago, so I'm no longer current.
00:36:46.413 --> 00:36:49.096
H: Alright, a question from microphone
number two, please.
00:36:49.096 --> 00:36:54.097
Person2: Hi. Thanks for your talk. What
I'm wondering most about is where do you
00:36:54.097 --> 00:37:00.750
believe the balance will fall in the fight
between privacy, the want of the
00:37:00.750 --> 00:37:06.582
manufacturer to prove that it wasn't their
fault and the right to repair?
00:37:06.582 --> 00:37:10.120
R: Well, this is an immensely complex
question and it's one that we'll be
00:37:10.120 --> 00:37:15.104
fighting about for the next 20 years. But
all I can suggest is that we study the
00:37:15.104 --> 00:37:19.670
problems in detail, that we collect the
data that we need to say coherent things
00:37:19.670 --> 00:37:24.279
to policymakers and that we use the
intellectual tools that we have, such as
00:37:24.279 --> 00:37:28.760
the economics of security in order to
inform these arguments. That's the best
00:37:28.760 --> 00:37:32.601
way that we can fight these fights, you
know, by being clearheaded and by being
00:37:32.601 --> 00:37:35.873
informed.
H: Thank you. A question from microphone
00:37:35.873 --> 00:37:44.836
number four, please. Can you switch on
microphone number four?
00:37:44.836 --> 00:37:51.380
Person3: Oh, sorry. Hello. Thank you for
the talk. As a software engineer, arguably
00:37:51.380 --> 00:37:57.049
I can cause much more damage than a single
medical professional simply because of the
00:37:57.049 --> 00:38:04.043
multiplication of my work. Why is it that
there is still no conversation about
00:38:04.043 --> 00:38:09.236
software engineers carrying liability
insurance and being collaborative for the
00:38:09.236 --> 00:38:13.485
work they do?
R: Well, that again is a complex question.
00:38:13.485 --> 00:38:16.874
And there are some countries like Canada
where being a professional engineer gives
00:38:16.874 --> 00:38:21.705
you a particular status. I think it's
cultural as much as anything else, because
00:38:21.705 --> 00:38:27.365
our trade has always been freewheeling,
it's always been growing very quickly. And
00:38:27.365 --> 00:38:31.969
throughout my lifetime it's been sucking
up a fair proportion of science graduates.
00:38:31.969 --> 00:38:35.058
If you were to restrict software
engineering to people with degrees in
00:38:35.058 --> 00:38:38.377
computer science, then we would have an
awful lot fewer people. I wouldn't be
00:38:38.377 --> 00:38:43.193
here, for example, because my first
degree was in pure math.
00:38:43.193 --> 00:38:46.744
H: All right, the question from microphone
number one, please.
00:38:46.744 --> 00:38:52.646
Person4: Hi. Thank you for the talk. My
question is also about aviation, because
00:38:52.646 --> 00:38:59.399
as I understand that a lot of the, all
retired aircraft and other equipment is
00:38:59.399 --> 00:39:06.313
dumped into the so-called developing
countries. And with the modern technology
00:39:06.313 --> 00:39:12.180
and the modern aircraft where the issue of
maintain or software or betting would
00:39:12.180 --> 00:39:19.092
still be in question. But how do we see
that rolling out also for the so-called
00:39:19.092 --> 00:39:24.630
third world countries? Because I am a
Pakistani journalist, but this worries me
00:39:24.630 --> 00:39:31.925
a lot because we get so many devices
dumped into Pakistan after they're retired
00:39:31.925 --> 00:39:36.706
and people just use them. I mean, it's a
country that cannot even afford a license
00:39:36.706 --> 00:39:41.464
for an operating system. So maybe you could
shed a light on that. Thank you.
00:39:41.464 --> 00:39:45.547
R: Well, there are some positive things
that can be done. Development IT is
00:39:45.547 --> 00:39:50.841
something in which we are engaged. You can
find the details on my Web site, but good
00:39:50.841 --> 00:39:55.808
things don't necessarily have to involve
IT. One of my school friends became an
00:39:55.808 --> 00:40:00.695
anesthetist and after he retired, he
devoted his energies to developing an
00:40:00.695 --> 00:40:05.693
infusion pump for use in less developed
countries, which was very much cheaper
00:40:05.693 --> 00:40:09.339
than the ones that we saw on the screen
there. And it's also safe, rugged,
00:40:09.339 --> 00:40:16.082
reliable and designed for use in
places like Pakistan and Africa and South
00:40:16.082 --> 00:40:22.183
America. So the appropriate technology
doesn't always have to be the whizziest,
00:40:22.183 --> 00:40:29.192
right. And if you've got very bad roads,
as in India, in Africa, and relatively
00:40:29.192 --> 00:40:33.883
cheap labor, then perhaps autonomous
cars should not be a priority.
00:40:33.883 --> 00:40:35.801
Person4: Thank you.
H: All right. We have another question
00:40:35.801 --> 00:40:40.694
from the Internet, the Signal Angel, please?
Person5: Why force updates by law?
00:40:40.694 --> 00:40:45.355
Wouldn't it be better to prohibit the
important things from accessing the
00:40:45.355 --> 00:40:50.348
Internet by law?
R: Well, politics is the art of the
00:40:50.348 --> 00:40:56.635
possible. And you can only realistically
talk about a certain number of things at
00:40:56.635 --> 00:41:00.895
any one time in any political culture or
the so-called Overton Window. Now, if
00:41:00.895 --> 00:41:05.931
you talked about banning technology,
banning cars that are connected to the
00:41:05.931 --> 00:41:10.288
Internet as a minister, you will be
immediately shouted out of office as being
00:41:10.288 --> 00:41:14.422
a Luddite, right. So it's just not
possible to go down that path. What is
00:41:14.422 --> 00:41:19.574
possible is to go down the path of saying,
look, if you've got a company that imports
00:41:19.574 --> 00:41:24.323
lots of dangerous toys that harm kids or
dangerous CCTV cameras that are recruited into
00:41:24.323 --> 00:41:28.380
a botnet, and if you don't meet European
regulations, we'll put the containers on
00:41:28.380 --> 00:41:32.009
the boat back to China. That's just
something that can be solved politically.
00:41:32.009 --> 00:41:36.940
And given the weakness of the car industry
after the emission standard scandal, it
00:41:36.940 --> 00:41:40.775
was possible for Brussels to push through
something that the car industry really
00:41:40.775 --> 00:41:46.376
didn't like. So, again, and even then that
was the third attempt to do something
00:41:46.376 --> 00:41:52.309
about it. So, again, it's what you can
practically achieve in real-world politics.
00:41:52.309 --> 00:41:56.364
H: All right. We have more questions.
Microphone number four, please.
00:41:56.364 --> 00:42:01.189
Person6: Hi, I'm an automotive cyber security
analyst and embedded software engineer.
00:42:01.189 --> 00:42:06.895
Most the part of the ISO 21434 Automotive
Cyber Security Standard, are you aware of
00:42:06.895 --> 00:42:09.995
the standard that's coming
out next year? Hopefully.
00:42:09.995 --> 00:42:13.588
R: I've not done any significant work with
it. Friends in the motor industry have
00:42:13.588 --> 00:42:17.589
talked about it, but it's not something
we've engaged with in detail.
00:42:17.589 --> 00:42:21.484
Person6: So I guess my point is not so
much a question, but a little bit of a
00:42:21.484 --> 00:42:25.830
pushback but a lot of the things you
talked about are being worked on and are
00:42:25.830 --> 00:42:32.990
being considered. Over the years, updating
is going to be mandated. Just 30, a 30, 40
00:42:32.990 --> 00:42:38.220
year lifecycle of the vehicle is being
considered by engineers. Why not? Nobody I
00:42:38.220 --> 00:42:44.634
know talks about a six year lifecycle that
you know, that that's back in the 80s,
00:42:44.634 --> 00:42:49.010
maybe when we talked about planned
obsolescence. But that's just not a thing.
00:42:49.010 --> 00:42:53.695
So I'm not really sure where that language
is coming from, to be honest with you.
00:42:53.695 --> 00:42:57.590
R: Well, I've been to closed motor industry
conferences where senior executives have
00:42:57.590 --> 00:43:02.990
been talking about just that in terms of
autonomous vehicles. So, yeah, it's
00:43:02.990 --> 00:43:09.860
something that we've disabused them of.
H: All right. So time is unfortunately up,
00:43:09.860 --> 00:43:14.570
but I think Ross will be available after
to talk as well for questions so you can
00:43:14.570 --> 00:43:19.300
meet him here on the side. Please give a
huge round of applause for Ross Anderson.
00:43:19.300 --> 00:43:20.780
applause
00:43:20.780 --> 00:43:24.211
R: Thanks. And thank you
for choosing the cover.
00:43:24.211 --> 00:43:26.381
36c3 postroll music
00:43:26.381 --> 00:43:52.000
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!