2. Content
● The cost of cyber security
● Users are dependent on IT
● What has gone wrong
● The five fatal flaws
● A different approach
● Three steps to resolve problems
3. The cost of cyber security
Over the last few years, users, companies and state institutions have put tens of billions of dollars into IT security, which shows how ineffective the purchases and solutions are:
● Similar problems and attacks are still repeated
● The basic problems are still unresolved
● There is still no defense against sophisticated attacks
4. Users are dependent on IT
● Banks and trading or manufacturing companies depend on smoothly functioning IT
● Hacker attacks know no borders
● Sophisticated viruses can be modified and then turned back against the computers of their original author
5. A dangerous place: PC, phone, etc.
● PC and viruses
– Problems with viruses on PCs have not been resolved in over 25 years
● We have been using smartphones for nearly 10 years
– Small box, small screen
– The same problems as in the PC environment
● Problems with PC and smartphone viruses are not resolved, and the same problems are appearing in IoT, SCADA and cars
6. What has gone wrong?
● We criticize food producers for horse meat in meatballs, ...
● We criticize Volkswagen for its smoking TDI engines
● But we are afraid to criticize large SW manufacturers, although programming is purely human work
7. The five fatal flaws
1) Software is still regarded as a copyrighted work, but its creators still bear no responsibility for their work
2) Software supposedly cannot be written better
3) The biggest threat to IT security is supposedly inexperienced users
4) Norms, standards and laws are created, but errors and backdoors in the basics of IT are not revised
5) Over the past 15 years a new generation of IT specialists has grown up who were taught only "the one correct view" of computer security
8. Fatal flaw no. 1
Software is viewed in the same manner as a book or film, but there is no responsibility on the part of the SW author
● SW development is solely the result of human work
● Programming is an exact discipline, where anything can be clearly defined, programmed and tested
● Software companies look for software engineers, analysts and testers. This is similar to other companies that develop and manufacture a product for which they are responsible
9. Fatal flaw no. 1 comparison
Software is viewed in the same manner as a book or film, but there is no responsibility on the part of the author
● Engineers of bridges or engines must respect the laws of nature, for example differential expansion of materials or chemical reactions of substances, etc.
● Drugs are examined for side effects. For the human body there is no "manual" against which to verify what a new substance can influence
10. Error no. 1
The mistake is that ordinary users (government officials, CEOs, lawyers, journalists, etc.) still tolerate the opinion:
Software companies do not have to be responsible for their work
11. Fatal flaw no. 2
Software supposedly cannot be written better
● Every product can be improved and manufactured better; this is the foundation of progress
● Creating software is only human work. But SW authors still argue that it cannot be done better
12. Fatal flaw no. 2 comparison
Software supposedly cannot be written better
● In non-IT fields, customers and control authorities are very demanding about the quality and safety of products
● Non-IT manufacturers must spend large amounts on applied and basic research in physics, chemistry, etc.
13. Error no. 2
Users (politicians, CEOs, journalists, lawyers, etc.) tolerate the idea that it is impossible to create better operating systems and applications, without errors and backdoors
14. Fatal flaw no. 3
For nearly 15-20 years "experts" have said that problems in IT security are caused by inexperienced users
● User behavior cannot be changed
● 20 years of excuses about inexperienced users
● It is not possible to change the behavior of all users. The approach, work and responsibility of SW authors must change
15. Fatal flaw no. 3 comparison
Automakers know that drivers are careless and make mistakes
● Automakers do not say that the problem is inexperienced drivers, for example drivers who are IT professionals
● Automakers recognize that they cannot change the behavior of drivers. So they take the initiative and equip new cars with systems that monitor driver behavior and errors
16. Error no. 3
It is a mistake that IT professionals have relied for more than 15 years on a change in user behavior instead of taking the initiative, as car manufacturers do.
17. Fatal flaw no. 4
Standards, norms and laws are created, but they do not solve errors in the basics of IT and cyber security
● Many people, companies and authorities devote their energy to creating new standards
● The same people later experience disillusionment after a successful sophisticated attack, because the standards do not prevent sophisticated attacks
● Little effort is devoted to resolving mistakes in the basics of SW
18. Fatal flaw no. 4
● There are many standards for users and administrators. There are only a few laws and standards for SW authors and for the responsibility of SW authors
● The current situation creates the false impression that problems with viruses and hackers can be solved by using standards and laws
● In fact, norms and laws only solve current consequences, not the causes of problems
19. Error no. 4
Current norms and laws do not solve the situation for operating systems or applications the way aerospace (ISO 9120) or automotive (ISO 16949) norms do
Current standards and laws solve current consequences, but do not solve the real causes associated with computer viruses and hacker attacks
20. Fatal flaw no. 5
Over the past 15 years a new generation of IT specialists has grown up who were taught only "the one correct view" of computer security
One-sided teaching is related to inaccurate views
● SW authors supposedly cannot guarantee their work
● Software supposedly cannot be written better
● For nearly 15-20 years "experts" have said that problems in IT security are caused by inexperienced users
● Standards, norms and laws are created, but this does not solve the basic errors in IT
21. Error no. 5
The SW environment totally lacks a critical look at the work of programmers, testers and analysts. Some journalists and politicians also use these misinformed views
The training of new IT professionals is in many ways reminiscent of the education of the young generation in the Eastern European bloc before 1989. At that time, people in Eastern Europe were also taught only the one correct view on the issues of life and the world
22. Correction of the problem
● Solutions exist!! This is the main and significant information
● Creating software is purely human work, which can be clearly described, programmed and tested.
23. An absolutely different approach
● Apollo Program
8 years from JFK's speech to the journey of Apollo 11 to the Moon
– Resolved many new challenges
● Rocket technology
● Orientation in space
● Protecting people and electronics from radiation
– And many discoveries from different fields of natural sciences
● Creating software - more than 15 years of unresolved issues
– Purely human work
– An exact discipline where it is possible to clearly describe everything
25. Solution no. 1
Creating software is purely human work. An error in a program is the result of bad work by its authors
An equally critical perspective must be applied to software as in the area of cars, toys or food
26. Solution no. 2
Verification of the originality, origin and integrity of system files in PC, phone, IoT, etc.
● "The Three Laws of Cyber Security" may be used for the solution
● The three laws of cyber security are a solution similar to that in aviation, where spare parts are tracked from the manufacturer to installation in the aircraft
27. Solution no. 3
● Pyramid of Cyber Security
● Verification of the originality, origin and integrity of system files is a necessity
● An equally critical approach to cars and to software is a necessity
● The need for more changes
– It is necessary to promote regular testing of software, like crash tests of cars
– SW authors must take the initiative, for example as car makers do
28. Summary
✔ A solution exists for the 20-year-old problems with viruses and hackers
✔ The basis of the solution is a change in the thinking of all users. Demands on SW authors should be similar to demands on food or car manufacturers
✔ The technical part of the solution can be implemented almost immediately. The most important thing is to change the mindset and demands of users.
29. Summary
● Creating software is purely human work
● Creating software is an exact discipline in which everything can be clearly defined, programmed and tested
● Changing the basics of SW can help solve the vast majority of problems with computer viruses and hacker attacks
30. About the author
Jiří Nápravník (*1968)
https://cz.linkedin.com/in/napravniksalamandr
● 1997 – 2002 forensic expert, cybercrime
● 2003 - helped track down hackers who robbed bank accounts via internet banking
● He described and tried an attack on the secure electronic signature (eSign, PKI, eIDAS)
● He described and tried an attack on a chip card with the private key inside
● 2014 He defined The Three Laws of Cyber Security
● 2015 He defined The Pyramid of Cyber Security