Transcript: This is a rush transcript created by a contractor for KPBS to improve accessibility for the deaf and hard-of-hearing. Please refer to the media file as the formal record of this interview. Opinions expressed by guests during interviews reflect the guest’s individual views and do not necessarily represent those of KPBS staff, members or its sponsors. The legal battle between the U.S. Justice Department and Apple opened a paned doors talks about personal privacy versus public security. Joining us a man is a man who is an innovator in the field of cyber attacks. Stefan Savage is a factor of computer science at UCSD. He is also the recipient of the 2015 award in the computing sciences for computing machinery. Thank you so much for joining us. Thank you for having me. Congratulations on your award. You were prompting us to look at attackers differently than how we have. My field has tended to look at computer security is very much a mechanistic challenge. That there are problems that create vulnerabilities and if we fix those we will be okay. If we build corresponding defensive that that is the entirety of the challenge. The reality is that those are simply the mediums in which this conflict plays out. The reason we care about security is we haven't adversary who's trying to get information or money or what have you from is. -- From us. So it gives us the larger picture of why the adversary is motivated to do what they are doing. Like solving a immigration problem by building a big wall. That won't solve the problem it will shifted somewhere else. So we try to look at the problems from understanding the attackers and what their underlying business models and appendices were. So just not thinking about defense but how did they run their operations and what were the weak point in how they tried to accomplish their goals? Because at the end it is very much criminal. So I did a lot of research to find out what their motivation was and how they were focusing on big banks, right? Yes. We focused on various advertising scam, web engine abuse, etc. etc. At the end of the day that is consumers buying illegal goods. So we track through the plethora of dependencies that they had including all kinds of technical dependencies on Butnits and so forth but we also track the flow of money back to the bank and found that, in fact, those were the weak points in their supply chain. Because there were relatively few banks that were willing to work with them. We were able to then do a bunch of work with some help from folks in the White House and Visa and MasterCard to put together a program to try to shut down merchant account to people that are selling illegal goods. That was a tremendously effective approach. For a very small amount of money in a number of categories. Notably we first did this with Microsoft. They were able to shut down the sale of counterfeit Microsoft software for 18 months. So you save billions of dollars with relatively little (this case. That's right. I think that is something that is done far too little. Getting empirical data that goes to the issue of what the return on investment for interventions that we have. We have knee-jerk reactions and how to spend money on security and we do much better when we can put it on a scientific footing. A lot of people have heard of the stories that you looked into the security of automobile computer system. That is everyone's big fear of having someone take control of their car. That started back in 2009. Myself and an ex-student of hours were noticing that the computers were being added to almost everything in our daily lives. And I think the car was the most interesting because not only do we all have them, but these days there complicated computer systems that have wheels on them. They are powerful and scary. So we just bought some Carson had the students take them apart and try to understand how they were built. -- So we just bought some cars and had the students take them apart and understand how they were built. So we showed them we could take over a car and drove -- turn off the brakes. That was a wake-up call. Is there any way around that review the that a continuing threat at this point extract I think it is a continuing risk. The threat is someone who wants to do it. This is not a cost-effective way to take someone out. What has been good is I think there has been a lot of reaction. GM has 100 people that work full-time on this problem. Department of Transportation has taken over Cybersecurity and there are standards in place now. So there was enough warning that by the time the cost of doing this is low enough, you would really have to worry about someone attacking you in anger that the industry is in better shape to take responsibility for. At the heart problem. It sounds so. What you working on now? The thing I'm most excited about is evidence-based security. Which is trying to measure what is the impact of various defenses or behaviors or outcomes? So the same way we think about evidence-based medicine. We would like to be able to put computer security on the same footing and the we can actually measure if you do these things and then it would make you more secure. Instead of guessing which is what we do today. Thank you so much. That is Stefan Savage. And you will be receiving the foundation award in a banquet on June 11 in San Francisco. Congratulations. Thank you very much.
Keeping information networks secure is an ongoing battle, sometimes a losing one, as Sony Motion Pictures will attest. The studio is still feeling the fallout from the huge and very public 2014 hack of its systems.
Recently several hospitals have had their networks attacked and data stolen.
If Stefan Savage, a professor of computer science at UC San Diego, has his way, large-scale attacks on information systems will be much more difficult for would-be hackers to manage in the future.
Savage thinks about computer and network security — a lot. This week he received a prestigious award from the Association of Computing Machinery-Infosys Foundation because his research is changing the way we think about attackers and how to hinder them.
In one study, Savage and his UCSD group proved that even the computer systems in our automobiles are vulnerable to attack. It is possible for someone — who has no physical access to a vehicle — to control it.
Savage's group has worked with automobile manufacturers toward eliminating the potential threat. The FBI even produced a PSA about automobile security citing Savage's work.
Another Savage study looked at that scourge of modern life: email spam. The study sought to understand how spammers make money and how best to disrupt them.
Savage discusses his work on network security and what it means for us on KPBS Midday Edition Thursday.
