Unexpected Stories From a Hacker Who Made it Inside the Government
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 112 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/38954 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2150 / 112
3
6
8
9
13
14
15
16
17
22
23
24
25
29
32
33
36
37
39
42
45
47
49
53
60
61
64
65
66
71
76
79
80
82
89
103
106
108
00:00
Ocean currentRepresentation (politics)MereologySemiconductor memoryGoodness of fitExclusive orFlow separationHypermediaMeeting/Interview
01:33
Patch (Unix)State of matterComputer programmingDifferent (Kate Ryan album)Traffic reportingElectronic mailing listQuicksortCASE <Informatik>BitTouch typingSemiconductor memoryPoint (geometry)FreezingOptical disc driveDependent and independent variablesLevel (video gaming)Lipschitz-StetigkeitBlock (periodic table)Hacker (term)Universe (mathematics)Multiplication signAuthorizationHecke operatorSoftwareRight angleWebsiteInformation securityDemosceneMotion capture.NET FrameworkDegree (graph theory)MomentumMessage passingEncryptionDecision theoryAddress spaceFile systemWordPhysical systemVector potentialFilm editing2 (number)Acoustic shadowDistribution (mathematics)Parallel portFlow separationSimilarity (geometry)Speech synthesisPlastikkarteSpecial unitary groupComputer file
09:15
Video gameMessage passingUniverse (mathematics)Quicksort2 (number)Point (geometry)Address spaceEvent horizonType theoryStudent's t-testDecision theoryMultiplication signBitMetropolitan area networkFrequencyDependent and independent variablesInformationStrategy gameMeeting/Interview
12:14
Different (Kate Ryan album)Dependent and independent variablesAttribute grammarWordCyberspaceDomain nameStrategy gameAdditionMessage passingLatent heatRevision controlPhysical systemRootQuicksortWebsiteInternetworkingSpacetimeFormal languageGroup actionData conversionHecke operatorSound effectHacker (term)Kinetic energyRight angleWeb pageHand fanSpeech synthesisStatement (computer science)Natural numberPower (physics)Web 2.0LogicMeeting/Interview
18:03
Multiplication signGame theoryRight angleView (database)ChainState of matterResultantSelf-organizationPoint (geometry)Different (Kate Ryan album)CyberspaceEvent horizonInheritance (object-oriented programming)Message passingConformal field theoryProcess (computing)HypothesisCASE <Informatik>Dependent and independent variablesMereologyDesign by contractSource codeParity (mathematics)Computer programmingFigurate numberData managementHypermediaBasis <Mathematik>SoftwareElectronic mailing listCategory of beingGroup action
24:46
Closed setWordQuicksortMereologyMessage passingData conversionHacker (term)CybersexPoint (geometry)Scheduling (computing)EmailMedical imagingInteractive televisionTheoryShape (magazine)Conformal field theoryLevel (video gaming)FlagAnalogySoftwareVideo gameState of matterMathematicsDependent and independent variablesTouch typingGame theorySystem administratorLattice (order)1 (number)Computer configurationService (economics)Suite (music)Design by contractTrailAngleOffice suiteMeeting/Interview
31:30
Multiplication signInteractive televisionReal numberPoint (geometry)Control flowWave packetPeer-to-peerDemo (music)Trojanisches Pferd <Informatik>FirmwareRouter (computing)FrequencyMereologyFault-tolerant systemFamilyBitMathematicsPhysical lawFormal language1 (number)Reading (process)Connectivity (graph theory)Physical systemSensitivity analysisNeuroinformatikGoodness of fitRoutingCheat <Computerspiel>Discounts and allowancesCoefficient of determinationBootingInclusion mapLecture/ConferenceMeeting/Interview
38:13
NeuroinformatikBootingMultiplication signSemiconductor memoryLevel (video gaming)WhiteboardHacker (term)SoftwareForm (programming)Operating systemRow (database)MereologySpeech synthesisPhysical systemDirection (geometry)Meeting/Interview
39:25
Analytic setCybersexCoordinate systemMultiplication signSoftware frameworkMereologyComputer programmingHacker (term)Projective planeRoundness (object)Group actionAnnihilator (ring theory)Virtual machineVariety (linguistics)Universe (mathematics)Boss CorporationConformal field theoryTotal S.A.SubsetQuicksortIncidence algebraInheritance (object-oriented programming)2 (number)TrailSpeech synthesisInformation securityBitProcess (computing)Peer-to-peerFeedbackMetropolitan area networkEntire functionSystem callPoint (geometry)Similarity (geometry)Limit (category theory)10 (number)ARPANETNumberExploit (computer security)Overhead (computing)Data managementView (database)PRINCE2Theory of relativityVideo gameMUDAsynchronous Transfer ModePerspective (visual)3 (number)TorusRight angleEmailMeeting/InterviewComputer animation
Transcript: English(auto-generated)
00:00
Just so we're clear, I'm only speaking as myself today. I am not a representative of the U.S. government. I am not a representative of my current employer. I'm pretty sure neither one of them would be really happy with me up here talking, but I feel it's part of my duty as part of this community to kind of give you some stories that are
00:24
personal stories from this community as what I took into the government, what I learned while I was in the government, what I saw that was a little bizarre while I was in the government, and what I'm taking back out of it. And there are four stories I'm going to tell you that
00:43
all have some kind of unexpected outcomes and unexpected twists. You've probably heard about some of these stories in the media, but these are kind of different back origins to them that you haven't heard before. I'll do my best to be as accurate as possible, but I'm going from memory from some of these, and some of these go back several years.
01:00
Memory is imperfect, so I apologize in advance. So I'm not trying to piss off or be pro or con any particular community, but I want understandings, which is why I'm trying to tell these kind of non-obvious stories. Somebody had tweeted me something encouraging
01:24
me to do this talk saying anything we can do to help people understand each other is good because, of course, prejudice is bred from ignorance and exclusion, so you can kind of consider this my transparency slash trip report from three years inside the DOD.
01:43
Not long after I started working at DARPA, I got funding approval for the first of one of many programs that I would actually run. I know most folks are only familiar with a few of them. The first program was something called Cinder, and it was focused on super-evolved advanced persistent threat. The program had nothing to do with whistleblowers,
02:03
had nothing to do with humans. It was targeting autonomous software. There was an author at Forbes magazine, Andy Greenberg, who found out that Julian Assange and I knew each other and have kind of known each other for, I don't know, probably 20 plus years, and he wrote an article that, the way I read the article, attempted to
02:25
hit me and Julian against each other, claiming that Cinder was a response to WikiLeaks. You know, a sexy story of hacker friends, you know, who now find themselves at odds, one trying to spill the government's secrets, one trying to protect the government's secrets. Yeah, that's a sexy story. The problem is it's entirely untrue because Cinder
02:43
had nothing to do with that. So since he and other folks wanted to kind of make a story about me and Julian where there was no story before, I figured I'd tell you an actual story about me and Julian. This first story is called how the DOD unintentionally
03:02
created WikiLeaks. So it was 2009. I had yet to go into DARPA. I was over in Germany for the CCC Congress, which, by the way, is awesome. And, by the way, Berlin is freezing in December. So it's a couple blocks from the hotel over
03:24
to the Congress, and I braved it across. It takes about like 10, 15 minutes before your lips come back and you can actually start to form words again. So there was this talk that I wanted to see at the Congress, and I watched it. It was great. There was a gap between the next talk that I wanted to see, and the whole
03:40
decision was do I go back to the hotel and go out in the frigid Berlin winter, or do I find something else to kind of pass the time. It's CCC. It's easy to find things to pass the time there. And there was a talk that was going on about WikiLeaks. Remember, 2009, no State Department cables, no nothing like that at this point. WikiLeaks
04:00
had been around, but it wasn't kind of in the popular vernacular. It wasn't a household name. So I look at it and go, oh, what it's taking to run WikiLeaks, how we do it behind the scenes operationally. I'm like, that's cool. And it talks in English and it's inside, so yay. And I'm looking at it and I'm like, Julian Assange, Julian Assange, you know. And the name was ringing a bell, but it didn't mean anything again
04:21
because, of course, you know, I haven't hit it. Now, I saw him up on stage and, you know, he's a kind of striking physical, the kind of shocking blonde, white hair, you know, sharply dressed, and I'm recognizing the voice. And it took almost the entire talk before it dawned on me that I knew him by a different name. I knew him as Prof.
04:40
Some of you remember Prof. Some of you remember Strobe that he wrote like ages ago. You know, he was over at, well, suburbia.net, I think, Prof at suburbia.net. And I was like, holy crap, this is the same guy who I've known, you know, for years. I hadn't seen him in like a decade or I hadn't interacted with him online. At one point I think he was even managing Sun's security updates and patches for all of the distributions
05:05
for Sunos at sunsite.unc.edu. So we should have nominated that for, you know, possible or potential, you know, epic ownage. That's kind of cool if you think about that. So after the talk I was all excited and, you know, I went up to him, waited until the crowds
05:21
kind of died, small crowds outside. He's having a cigarette. And I said, oh, this is going to be fun because I cut my hair, you know, I didn't have the ‑‑ if you've seen the shirts, most people remember me looking slightly different. And, of course, I'm like, oh, I'm going to play with this a little bit. So, you know, I walk up to him. I know he doesn't know my voice and, of course, he's not going to physically recognize me
05:42
so I do that whole, like, you know, hacker jerk sort of, you know, say something that, you know, it's like what the hell, how did they know that? Kind of to set up a state of detente. And I go, hey, when's the last time somebody called you prof? He looks at me weird and I'm like, oh, if you think that's weird. Did they ever find out why
06:01
the MD5 checksums on those Solaris update patches didn't match the actual patches that people installed? That was Sunsite, right? And he's just looking at me like who the heck is this guy? And probably possibly because he hadn't, you know, heard the phrase prof for a while and it could very well be that, you know, he had no clue what I was talking about with the latter one. And I go, hey, you know, it's me, it's Mudge,
06:23
Mudge from the loft sort of thing and he kind of relaxed and, you know, we chuckled about it. And I was saying, hey, you know, you were really, really passionate up on stage about, you know, WikiLeaks. What was the real impetus, what was the turning point
06:41
that made you do that? Because the last I had seen you, you were leaving the hack scene, going off to academia to do your advanced degree. He was working on a cryptographically based file system, a rubber hose file system for duress based decrypting. And I said, you know, where did you go? You know, all the old gang and everything haven't seen
07:04
you. So we chatted and he said, you know, let's go out and have dinner. So, you know, we spent the next several hours over food in Berlin and we were chatting and I wanted to know just how passionate he was and how far he was willing to go on it.
07:20
So I asked him a hypothetical question. I said, let's suppose back in the day my thing was I collected packet captures of everything. Let's assume some of those packet captures have you going into other systems. You know, beyond a shadow of a doubt. If I submitted
07:40
those packet captures, you know, kind of incriminating you to WikiLeaks, would you release them? And he looked at me and it only took a couple seconds and he said, hey, we get some very similar sorts of questions because people ask us, you know, kind of on a parallel, if someone were to send us a list of the contributors to WikiLeaks,
08:00
would we publish it? And the answer is that, you know, we don't want to know who our contributors are because we want to keep the protection there being WikiLeaks. I'm speaking as him from memory here. So we try to get in touch with the folks that contributed, but we won't know who they are. So ultimately, in case that list is real, we would have to publish it. I was like, oh, that's cool. And then he just,
08:22
you know, we moved on to the next topic. Now, if any of you have actually interacted with him or know somebody who has, they'll tell you that he is a very smart person and that's absolutely right. And it took me probably an hour to realize that he never answered my question. But he told me a really interesting story because he told
08:42
me, and this is what stuck with me in 2009 from that dinner, what the turning point was. Now, maybe this was a story just for me, maybe it was, you know, kind of the And I used to tell people inside the government the same question when later WikiLeaks kind
09:02
of popped up. He said, yeah, I had gone off. I was over at university doing my graduate work, something essentially fundamental research, which means something to the government folks. And he said it was funded, you know, by the U.S. government. It was a grant. From like NSA type DARPA sort of funding. I don't know if those were the actual agencies.
09:26
And he said it was during that time period where there was a big pullback from the DOD. And the message that the universities received was, we're not funding you to do basic research anymore. It's all classified now. His work got rolled up in that. Now, whether that
09:45
was actually why it was being pulled back or if that was just the perceived message, I don't know. So if you think about it, here's a non‑U.S. citizen who's made a life decision, go to graduate work, you know, kind of leave the community that we knew him in, and all of a sudden his funding gets pulled and he's told that he's not allowed
10:04
to know what it was that he was doing, not allowed to know what it was that he had discovered and no actual reason as to why the funding is. I mean, that's kind of what it's like when you're a graduate student and somebody pulls your funding sort of thing. And this just really, really rubbed him wrong. And he said this is the
10:21
wrong reason for classification if that's why he lost his funding. This is designed to keep people ignorant and withhold information to keep folks disadvantaged. And he said it was at that point that he decided that he was going to devote his life to exposing people who tried to keep secrets. And hence, WikiLeaks was born.
10:42
So when folks in the DOD would ask me, hey, do you know this WikiLeaks thing and what are your thoughts on how we could, like, you know, address it, they were a little surprised with my answer going, well, you know, by some accounts the government actually created it in the first place. It was at that point during the night at the restaurant
11:07
Julian goes, well, so, you know, that's what I've been doing for the past ten years, you know, what are you up to? I said, oh, I'm about to go work at DARPA. So that's my first story. Second story is about Anonymous and the Department of Defense.
11:32
I remember Anonymous from way back. I mean, Anonymous, I use it as like a proper noun, but obviously we're all familiar and it's much more ‑‑ it's kind of a movement, a thought, you know, it's more ephemeral than that.
11:43
And when I remember them, they were going after Scientology and RIAA and there was all the 4Chans or the soap opera stuff going on, and at some point their scope or the target, you know, expanded to include the government. And general wisdom was that the
12:02
triggering event was the DOD's response to WikiLeaks and Manning, et cetera. But the way I saw it, there was actually something else that was a bit more subtle that folks hadn't realized. So in 2011, the DOD released the strategy
12:20
for operating in cyberspace. There was some very minor backlash to some of the wording initially. I think there was an initial, you know, small leaked version of it that went out and it was followed by a later one. But there was some more specific backlash and chatter in the hacker researcher community. The strategy stated that the DOD was going
12:43
to treat cyberspace as a domain to conduct operations in. And it appeared kind of modeled off of outer space, you know, treating space as, you know, these are DODish words, a domain. And there were some confused conversations going, oh, why is anybody upset if you treat
13:01
cyberspace as a domain? You know, there wasn't that much upset with treating space and, you know, nobody lives in cyberspace. Which you could have kind of only here inside the government like a statement like that. Because if you think about it, you know, we all live in cyberspace. And the hacker researcher community made it, you know, made
13:21
cyberspace ‑‑ I'm really not a fan of that word ‑‑ made the Internet and, you know, online, you know, our homes well before the government and everybody else kind of made it just, you know, where they always lived and did everything in. So if you send a message that, you know, that's somebody's backyard and that you're going to militarize and, you know, prep for war in somebody's backyard, that can sound
13:45
really scary. And it can galvanize folks to respond. One of the problems was there was not an understanding as to who the message was actually intended for.
14:03
So in addition to treating it as a domain, they said something else, which was, and in response to ‑‑ and I'm paraphrasing, but in response to hacks, we'll consider responding with kinetic force. So if you don't actually specifically call out who the
14:21
recipient of the message is, everybody reading it thinks it's directed to them. I read it. I thought it was directed to me. And I'm going like, you know, what the heck? You know, I joke my buddy and I replace his, you know, his, you know, HTML, you know, the main web page, you know, and that's considered a hack and all of a sudden I've got somebody
14:40
launching a Patriot missile at me? This makes no sense. You know, what level of hack? Because if we look at like CFAA response, you know, maybe they actually think a Patriot missile is the right thing for, you know, defacing a website. I don't know. And none of these are the right questions because I'm not the intended audience, but of course I'm reading it as if I was. And of course the logical next question is, wait, do they understand
15:03
how attribution works? Because, you know, what if I do it, you know, bouncing through an ally? You know, what if I do it from within the U.S.? Are they going to kinetically respond against themselves? I mean, this is ‑‑ and you kind of go, okay, wait, you know, back up. If the message were directed to, let's say, you know, other countries,
15:27
other, you know, somebody in specific that's got a significant power that they say, look, we're talking about critical infrastructure or something of that nature. If you turn off the lights in New York, we'll probably be able to figure out who you are because you're not a small little hacker defacing websites and maybe there's attribution in
15:44
place that we can respond to. That would have been an entirely different sort of message. And I wouldn't have read it as the whole like, wow, if I get root on something in my own system, you mean is the government going to shoot me? Which is just silly, but I wasn't the only person who read it that way. And it's nice having been in this field and
16:04
in the hacker research community for, geez, going on almost 25 years ‑‑ well, actually over 25 years. And some folks were sending me ‑‑ hey, have you seen what's going on in the chat rooms? And there were some folks who were claiming affiliation or claiming support of anonymous that were going, hey, have you read this? Look who's
16:24
trying to prep for war in our backyards. Do they even understand how attribution works? This is bullshit. If they think they can find me, it's on. Let's go. And the next thing you know, there were a couple websites defaced and they ended in like .gov. Now, this is where it gets kind of funky. Defacing a website is kind
16:49
of a message. It's a little warning shot. But that's in a language that govies don't know. So the govies didn't get the message as far as, you know, what I saw. So here's the initial strategy for operating in cyberspace that goes out. It's probably directed to somebody
17:05
else but by poor messaging. It's misinterpreted by a group. The group responds, fires a warning shot. The warning shot isn't understood. And it's like, hey, what are these vagabonds doing? Look at the little street punks or whatever. They're not somebody who actually has a message that we should actually engage in. And it's just this little cascading effect.
17:24
So that's kind of unfortunately where I saw, you know, the expanding of scope and a lot of misunderstandings. I'm not saying the two groups should be friends. And I'm not saying one group is good and one group is bad. But when you send a message out into the world, and this is for both groups, you really need to make sure it's understandable
17:42
by all the parties that are going to receive it. You can't assume it's just going to be read by the person you had in mind. With all love and respect, there is one very obvious commonality between the hacker research group and the government, and it's that they can be very arrogant and expect everybody will speak their own language and
18:01
that they don't have to speak anybody else's. And I think that's a really common mistake. So the recommendation for the government, from my vantage point of both sides, is figure out how your messages are going to be received by the more general populace of cyberspace because we all live there now. This is actually a great opportunity for diplomacy. And you can kind of think of it like the lost city of Atlantis. Because cyberspace
18:25
kind of took the world by surprise. Obviously it hasn't been around that long. So what if Atlantis just popped back up and there was an advanced, very technically capable group of people there? You wouldn't sit there and ignore them. You wouldn't taunt them. You wouldn't attack them. You'd probably actually try and understand them and figure
18:40
out how messaging to somebody else might be interpreted to them. You might even try and figure out where you guys already, you know, see things eye to eye and where you have differences. So my recommendations to the citizens of cyberspace is keep in mind that the government and in particular the DOD has very specific focuses and goals.
19:00
And they often only see things from their own point of view because they're really focused on doing that job. And when you read things that appear to be a message directed to you or your community, coming from an unlikely source, you should question whether or not the message is actually intended for you or if it's just intended for somebody
19:20
else and really poorly worded. And if you still think a response is necessary, you really need to think about the message that you're sending to make sure that you don't make the same mistake in return. My third story is, well, let me give you a little background. I know a lot of people approach me outside of work and go, hey,
19:47
Mudge, you know what's going on. We're all owned. And these were large companies that are oftentimes funded by taxpayer money. I'll just say that they're large government contracting organizations. And it's like, hey, why don't you, like, start a program that
20:01
actually pays us to go clean up the compromises or at least figure out what happened and how bad the damage was. Isn't that your job? And it made me think that there's actually ‑‑ there's not a financial incentive for these companies to actually go
20:22
fix the problems. So the next question was, is the inverse true? Can government contractors actually make more money by remaining compromised and continuing to lose intellectual property? So this talk is called game theory is a bitch.
20:43
I was having dinner with ‑‑ a lot of these stories are because I'm outside having dinner somewhere. I don't cook. I was having dinner with an old friend and his company goes in and cleans up APT after, you know, big well‑known names get compromised, whether
21:02
they're government contractors or commercial organizations. And he posed a really interesting hypothetical because we were just shooting the crap back and forth. And he said, hey, what do you think about the following chain of events? First, RSA gets compromised. Networks defended by their tools are vulnerable and as a result
21:25
a defense contractor gets compromised. Said defense contractor, if you look up on Wikipedia, is the one who made this really cool stealth drone. Later a really cool stealth drone goes missing over in a Middle Eastern state. What do you think about that chain of events?
21:45
I'm like, that's terrifying. And he's like, yeah. And I'm like, no, no, for an entirely different reason. Look at it this way. I have no clue. That's a hypothetical and there are a whole bunch of rumors about what had happened. But let's assume that you as a country or a large organization, that your advantage is technology. You can field the fastest
22:06
and the best technology. So you're ahead of everybody. That's your advantage. Newest, most advanced toys. Someone else steals some of your tech. What do you have to do? You got to replace it with newer tech, right? You got to keep your advantage. So suppose
22:26
a government contractor gets some other super tech tool and what does their government customer actually need to do? Well, the government in that case, and this is all game theory hypothetical, need to pay someone to make the next version so that the people
22:40
who just stole it don't achieve parity. So that they're not even. They could go to some other government contractor because, of course, you know, the one in question just lost everything. But they actually most likely won't. And here's probably why. The initial contract for very expensive research efforts can take a long time to put in place.
23:06
You're talking over a year. Sometimes longer than ‑‑ sometimes you measure it in years rather than months. That was part of the coolness of CFT is that we were measuring that in days. Imagine if you're under something ‑‑ sequestration is what we're under now.
23:22
It can take even longer. So if a government agency wanted to start a new program to replace tech, so that's essentially starting the same program to do the same thing that you were already paying somebody to do, A, it's tough to get permission to do that because you got to go justify taxpayer money. I'm like, we just gave you the money to do that. And B, when you spin it back up, you're going to have to redo
23:43
a lot of work. You're going to have to redo the contracting that you already had in place. You're going to have to spin people up to speed on management side. You're going to have to respin up the tech side. And you've spent years putting that in place. So why wouldn't you just go back to the people that you already have a relationship with, already have a contract with, they already know what they lost or, you know, maybe
24:03
you know what they lost and stuff and you can tell them because they're your customer. So you just pay them to give you the next thing. Remember, they're not financially incentivized to go fix how they were actually compromised in the first place or clean it up. Because staying with a really familiar solution or situation is comfortable, which makes us
24:20
a trap that a government funding source can actually be particularly susceptible to. You can view this on a case‑by‑case basis and kind of staying with the same contractor can even make sense. But if you step back and listen to what's been talked about in the media, you may see something that's a larger picture that seems like an
24:41
endless list of technologies and IP being stolen. And each time it happens, that company is in a situation where, A, there's really no penalties or reprimands for it. And on the contrary, they're actually rewarded with more funding. So because their customer needs to take ‑‑ make the next tech to replace the stuff that just got stolen
25:02
to replace the stuff that just got stolen to replace the stuff that just got stolen. So, yeah, game theory is a bitch, because if you look at it this angle, and part of the neat thing about game theory is you can fall into game theoretical without realizing that you're doing it. Government contractors can actually be in a situation or are actually in a situation that they're financially incentivized in some places not to listen
25:24
to their networks as admins and not actually to really deal with the problem, perhaps the way with the drastic changes that need to be made. The fourth and kind of closing story, and maybe I'll do a fifth story about Barnaby Jack
25:43
and Abu Dhabi. Yeah, I think I'll do that. The fourth story ‑‑ sorry, I just mentioned Barnaby Jack and I just started getting a little teary. I think I might stick with just the fourth story then. Fourth story closing is more of a kind of
26:03
plea to both the government communities and the hacker researcher communities, because from the vantage point of both. I don't have a lot of examples of our community, the hacker researcher community, really reaching out in a proactive and positive way to educate and enlighten the government. We do it, but we do it really ad hoc, and I think we need
26:25
to try a little harder to do specific examples. I've been a little upset about some other things in the news lately, and actually one of your options, it is a scary option, is to actually go inside and try and fix them there. People will fight you tooth and nail.
26:41
It is not for the faint of heart. That's actually what I did when I went over to DARPA. I didn't go there because I thought it was cool. I didn't go there because I wanted to be a part of the government. I actually went there because I thought that they and other parts of the government had kind of lost their way, and I had an opportunity to go in and fix it. I did get a really nice unofficial email
27:04
from somebody recently, and it was about CFT, which makes me think that we actually, because you guys were all a big part of that, did manage to pull some of that off. So I'm going to quote from this email I got to my personal account, and the person said, I
27:21
recently had a meeting with all the agencies and DOD services, and listening to them, it was my turn to be terrified because of how out of touch with reality they were with cybersecurity and cyber defenses, and it made me realize how much I and the DOD owe you, and that's us, for a cyber fast track. And here's the part where I was really happy. He said,
27:43
I thought CFT was showing the government how they should be doing contracting, but now I actually understand what you were doing. It was showing the government what the real state of the art is and why they should be afraid of people on the inside who continue to just preach the status quo and throw money at the same problems the
28:00
same way they have done before. So that was actually pretty cool because somebody ‑‑ they're starting to realize that. And I've heard people at high levels, flag officers, a couple pockets were starting to refer to hacker researchers as, you know, researchers. It was hacker equals researcher, not hacker equals criminal. And I thought that was really cool. It's not saying that we should go all in and support the DOD. I'm not
28:23
telling you you should like the DOD. I've got a lot of issues with the DOD. I will continue. I'm sure they've got a lot of issues with me. This talk might even be one of them. But what happens there is now that they know where some of the real ideas and some of the real talent come from, they're undoubtedly going to try and reach out and tap into
28:43
it in various ways, and this kind of goes back to our earlier story where they kind of projected their problems and their images and their goals on somebody else. So there's likely to be some uninformed and failed outreach efforts. So I've got a couple of recommendations to the government that maybe will help with that.
29:03
So I think it's really cool when government officials throw on blue jeans and a black T‑shirt because, of course, then they're part of our community. But that's not necessarily all there is to interacting with us. And it makes sense before you present at a conference
29:23
like this that you should probably consider attending one and actually interacting and getting to know the people. There was one guy, there was a three‑star general who did that at ShmooCon, and I thought that was one of the coolest things. He wasn't there for any agenda, and I remember conversations with him afterwards. He actually had an understanding. He was like, oh, this is awesome. No, there's no way people should
29:43
try and go in and mess with them or try and co‑op them or try ‑‑ I was like yeah, exactly. That's us. That's the citizen. That's the population of the U.S. So the message, you know, to the other ones who haven't really made that turn is go and
30:02
actually interact. Now, the response I'd get was the schedules, too crazy. You know, can't possibly do it. And I saw those schedules, and sometimes I was even on those schedules. But if it's important enough, I know ‑‑ I acknowledge they are crazy schedules. These
30:21
people demand they sleep for half the year. Bad analogy as soon as I said it. I was going to say like a swear word and bears came out instead in any way. If it's important enough for you to want to reach out to a community, you got to go out and you got to make the effort and you got to put it in your schedule and you got to go interact with them on a one‑on‑one level first because that's showing your homework and doing
30:43
your homework shows respect. The next suggestion to them is ‑‑ and this is what I tried to encourage inside is you can't go out and do a recruiting pitch because it comes across really poorly. I used to get so bent out of shape when I would see a GOVI stand
31:01
up at a hacker conference and I'm like, here it comes. We do awesome stuff, but we can't tell you anything about it. Trust us. You know, deal with the mohawk. If you shaved your hair, if you put on a suit, maybe even a uniform, stop smoking dope, you can come work for us and actually do something with your life. And it's like that's how I interpreted it. Now, that might not be the message. It might just be, look, we
31:23
need help and we're trying to reach out to you, but it's just a take‑take‑take sort of message. What can you do for us today? What can you do for us now? And to me it was offensive. What would it be like if you had a senior official from a very
31:41
technical agency come out and actually give a technical talk? Because this is a meritocracy. That's where this community came from. A meritocracy is your value in the community is based upon how much you contribute to that community. And that's one of the reasons why I was really happy that ‑‑ because I know a lot of people are like, why the
32:01
hell did Mudge go over and go to the DOD? He was one of us, now he's one of them. And I had spent 15, 20 years contributing to this community and I wasn't about to stop. And when I was there, I was able to actually fight for this community and try and make sure that the interactions were a little bit better and that we were treated and engaged with normally. And those 10, 15 years of contribution gave me enough grace period
32:27
to build trust up again on both sides. And you've got to do that. And you do that by interacting with people. So the value of somebody in one of those agencies coming and giving a technical talk wouldn't be that you learn something really cool
32:40
about how SELinux was actually done and why it was done or what the internal battles were to get it across. It wouldn't be that somebody is going through the technical components of one of the patents, one of the numerous patents that are out there, you know, let's say IPG location, the ones that we've read about. It would actually be that they're engaging us and interacting with us in our own language and treating us as peers
33:03
and starting a dialogue. So I think I will give the Barney the one after this, but I'll summarize this one here. Am I telling us ‑‑ am I pleading that we should not challenge the government? Absolutely not. I think challenging the government is your
33:21
patriotic duty as a citizen. I think it is very important to do. It's painful for both sides, but it's something that has to happen and it's why we're such a great nation. We also need to ‑‑ I mean, you can't train a dog just by repeatedly
33:46
beating it. I mean, it will learn some stuff, but it will probably learn stuff that you weren't intending and it will bite you at some point. So when you see the dog do something good, it's nice to give it a treat. And there are certain little pockets inside the government. And one of the things that I think that we
34:02
as a community can do better is, yes, we need to challenge the stuff that we're seeing. We need to challenge the things that are in the news. But if you see a small pocket of hope, like if you see a Congresswoman that's helping put through Aaron's law,
34:24
changing things like CFAA, I don't deal with losing people well. Excuse me. If somebody's
34:54
going to change CFAA, we need to support them. We need to help them. We need to encourage them for actually going ‑‑ because they're going to get a lot of crap thrown
35:02
at them. And they're actually doing the right thing and there's not a lot of people supporting them. So we need to be more vocal as a community to actually support them. There was a colonel in the Army who managed to get the NSA to have to include Little Brother as a book that they read as part of their training. Have you read Little
35:23
Brother, Cory Doctorow's? That's awesome. That helps sensitivities. That guy caught a lot of crap for that. And it was really cool. I mean, there's nothing wrong with that book. That book gives you a new way of looking at things. And the more ways you have of looking at it, the more understanding you have and the more positive outcome. That
35:42
guy is also ‑‑ colonel, he's over at West Point. His name is Greg Conte. I'll call him out. He was one of the people who encouraged the cadets to actually go out and talk at our conferences and contribute. So the build your own UAV at a 99.99% discount by Mike Wiegand was an example of that. And that's engaging and that's actually sharing
36:02
and it created dialogues. At SchmooCon, he and his colleague walked through their training course that they ran at Fort Meade to try and socialize folks. It was lessons of the Kobayashi Maru. I highly recommend you go watch this talk because he had to teach
36:21
them how to cheat. And it's hilarious and it's insightful and it's humanizing. Most we see those pockets of hope and of outreach and of engagement, I'd just really like to ask all of us to try and figure out a way for each time we're challenging something
36:43
else to try and encourage the good behavior. Okay. So let me try and give my Barnaby one without actually breaking down into tears here. See if I pull myself together. It's a real quick one, but it's my little tribute to him. There's two things that happened,
37:00
and interactions with Barnaby that I'll always remember. I mean, I remember all of the interactions, but two really stand out. One was a talk. I was on the steering committee of NDSS and they asked me if I could bring in some folks to run some demos that would kind of break the academics out of the academic mold and what better people than Barnaby
37:20
Jack when he was working with EI and the rest of the EI team to actually come in. The problem is that the conference, you know, like a lot of conferences, very cheap, they wouldn't pay them to come do the work or whatever. So I said, all right, guys, you know, the drinking bill the night before is on me. I'll just foot the bill myself. Which is a very, very dangerous thing to do. Barnaby had a great time. I don't think
37:44
they went to sleep. They just kept drinking. They were on in the morning. And the audience at NDSS I don't think actually really understood how cool the technology was that was being demonstrated. Because this is almost ten years ago at this point. And Barnaby was
38:01
remotely compromising a wireless router, replacing the firmware and then trojaning the Microsoft updates that were going through it over the wire before they were delivered to the end system. And then they were demonstrating boot route where they were getting an Ethernet. So a computer that was told not to boot off the network, the Ethernet adapter was
38:21
on the PCI board. So it had direct memory access. And it would still emit a boot P packet. And if you responded to it, the Ethernet board would actually shove it directly in memory and boot from the network even if your BIOS didn't have that capability. So of course they would say, here is your base operating system. It has a little hypervisor
38:43
and then of course the operating system would load up on top of it. This is a decade ago. This was awesome. And the reason why I don't think any of the audience actually caught the technical part of those talks is because Barnaby nearly threw up on stage ten times in the middle of trying to give that talk. And everybody in the first row was terrified that they were at some perverse form of a Gallagher hacker show.
39:07
Then the other thing I remember about Barnaby was I had just got in and I was working for DARPA. And my first public speaking engagement as a U.S. official was in Abu Dhabi.
39:26
So here I am, first time, the government is a little nervous about me. I'm a little nervous about them. I'm flying under my government official passport, not my blue tourist passport. So all the coordination between the countries that I imagine has
39:41
to go on with those folks. And I'm in Abu Dhabi and it was actually to do the keynote for Black Hat. It was the first year they were over there. And it was the first time ever that I was showing parts of the cyber analytic framework that I drove at DARPA. And it was my way of trying to get a small group of peers that I could interact with
40:01
and get feedback and just talk honestly, like, does this make sense or am I full of crap? And Barnaby was there and the Gruk is there. And those are two people that put together ‑‑ you know, that will deplete the world's alcohol supplies. And he was doing his jackpotting ATM machines. Now, the UAE has a lot of money they've
40:22
come into since the 70s. And in the ‑‑ in the palace, there is an ATM machine that dispenses gold bars. Very expensive gold bars. Not like you've got like a $200 withdrawal limit. I mean, these are in the tens if not hundreds. I can't remember
40:40
how high up the price was. There might have been the ability to withdraw a million dollar gold bar from it. And some of you might have seen the picture of Barnaby kind of going like that, right next to the thing. So Barnaby's had a few drinks. And they see the gold ATM machine. So why do you think it works? And they're
41:02
peering behind it and everything. And the folks who are ‑‑ I think it's the son or one of the relatives of the crown prince who I knew from a prior life is looking at me and going, what's going on? And they're all starting to gather around the gold ATM.
41:21
And I forget who it was that tweeted and said, I remember Barnaby in the UAE and having to go to the State Department to basically ‑‑ or not the Embassy, calling the Embassy to make sure everything was okay. So it wasn't the Embassy. It was me. Having to go over and talk to, you know, people who were part of the court of the crown prince
41:41
and explaining, no, I know you're not used to extremely heavy drinkers. And you just invited a bunch of hackers into your country. And they've demonstrated a bunch of crazy terrifying things. And now they're eyeing your million dollar gold vending machine. It's Barnaby Jack. He's cool. Don't worry about it. I tell you what, you probably
42:01
want to know if your million dollar gold vending machine has this problem. So why don't you let them do a little bit and then when they walk away, why don't you pull the plug on the thing and then move it off the floor? And sure enough, everybody got a little tired because of course there's some research that has to go into these things and the alcohol fueling only lasts so long. And when everybody got a little tired and decided
42:24
to walk away, the next day you see there's this big curtain pulled around everything and nobody's allowed near the thing. So there was no reach out to the Embassy and there was no international incident. But there was Barnaby Jack and he'll be missed. Thank you. So I'm John Oberhigh, but I'm joined up here
43:02
by just a very small subset of the CFT performers that were involved with Mudge's DARPA program, cyber fast track. So we want to take an opportunity ‑‑ hold out a second. I wanted to get up here and thank Mudge for all of his efforts inside
43:36
DARPA with this program. We all had a lot of fun. You've seen some of the research
43:41
that's come out of it at DEF CON Black Hat and there will only be more that's coming out soon. But we also wanted to thank him for his entire career from loft to DARPA and now onwards to Google. I'm sure there's many more interesting things to come. So please give your strongest round of applause for Mudge and everything he's done for the security community. There's more. There's more. Yeah, we're not done. So what we didn't
44:18
mention is hopefully ‑‑ I'm going to say a few things about Mudge and hopefully
44:22
some other people that have participated in CFT will as well. My name is Joe Grand and I've known Mudge for a really long time. I was in the loft back in ‑‑ I
44:40
was a little kid and ended up getting in trouble for some things, joined the loft and Mudge came in around the same time. I don't know if I ever told him this but he was one of my mentors growing up. From that point as a 16‑year‑old kid everybody else in the loft was older. I sort of got to see the experience of somebody
45:01
that was like six or eight, I don't know how 20 years older than me, I don't exactly know. He never actually told me his age. But it was something that, you know, I got to sort of follow along. I was in the loft and it was a great experience and I sort of grew up in that from 16 to 22. After we started at stake, you know, we sort
45:22
of disappeared for a while. Mudge went one way, I went another, some of the other guys sort of, you know, just disappeared. And then he sort of surfaced, I guess, 2008 or 2009 and all of a sudden Mudge is back and he's in DARPA. And I was like holy shit. Mudge is back and he's working for the man. And here I was, you know, grew up
45:46
with him in the loft and there's a lot of stuff in the loft that you guys don't know. And it was awesome. And yeah, I didn't really know what to think. I was still involved in DEF CON and the hacker community and it was just to me seeing that it was like
46:01
wow that was a big jump and that takes some serious balls to do that. And I could everyone was like what's going to happen? What's he actually going to do out there? So it turned out to be an amazing thing. CFT happened and a huge number of my friends ended up doing all these projects. Charlie Miller had two projects in CFT and I was
46:24
like how is everybody doing all this stuff? I want to do a project for CFT. I was running with Charlie one day and he's like yeah, you should do it, man. Mudge has this whole thing wrapped up. You just write a proposal and he reads it and if it gets approved they'll just send you money and you can work on stuff. I'm like really? Is it that easy?
46:43
He's like yeah, do it. So that was last year. So I was like I don't know, do I want to work for Mudge again? That's going to be really weird. We were in the loft and I don't want him to be my boss. For real, this was his huge complaint. I'm like they'll give you money. He's like I don't want to work for Mudge. But he's like it's not
47:02
working for Mudge. Some other group takes care of it. So I'm like all right, cool. And I thought it was just a great ‑‑ it was a great thing that he was doing. So I submitted a project that got rejected. And I'm not sure I'm allowed to say this because I don't know if it was part of the official process but he called me up. I submitted the proposal and like 15 minutes later he calls me. He's like I need to talk to you in person about this.
47:25
I don't want to just send you an e‑mail. So he explained the process to me. I'm like all right, that's cool. Too much engineering, whatever. It didn't fit the DARPA thing, the CFT thing. I'm like okay, that's fine. But it sort of drove me to like ‑‑ I was like I got to get a CFT in. All my friends are doing it. It's like I got to
47:41
take advantage of this while I can before it goes away. So eventually I got one in and I'm still working on it right now. And it occurred to me that it's ‑‑ it's not that you can like ‑‑ you're doing this project to make money, right? You're not doing a job to make money. It's the fact that you're able to get money to do what you
48:03
want to do. You do what you love to do and you're not losing money is sort of what it is. And that's sort of what we tried to do at the loft is like do what we want to do and not lose money but make sure that we can keep kind of pushing things. So I don't know. I just wanted to say that ‑‑ I don't know if you noticed on the back. Could someone turn around? On the back of these shirts it says making the
48:21
theoretical practical since 1992. And I don't know how we came up with that. But that was one quote that we talked about, you know, writing exploits and kind of showing vendors like look, this is a possibility. But the one that isn't on the back of this shirt is what we always used to say about making a dent in the universe when we were
48:42
at the loft. I think Mudge actually came up with that. So we'd be in interviews and news stuff and press and Mudge would always say we're going to make a dent in the universe. And I was like yeah, yeah, yeah. I said it but I was like that's total bullshit. How are we going to make a dent in the universe for like seven guys with ‑‑ he had long hair as you know. And seven guys in a warehouse. How are we going to actually
49:03
make a dent in the universe other than in the hacker community. That's like a small ‑‑ that's not the universe. That's our universe but it's not the universe. But he actually believed it. And I was sort of like I was going along with it but he believed it and it didn't actually hit me until he got to DARPA and did CFT and it's like holy shit, he did make a dent in the universe. You know, like that ‑‑ what he did
49:25
in the work that came out of CFT like totally changed the world. Whether it's immediate or later it changed the government, it changed the thought process, it's amazing. So I just wanted to personally thank him and welcome him back out of working for the man back into like the normal world. So thanks.
49:47
I do also have to say that Charlie is responsible for probably 70% of the CFTs that were submitted. I had a very similar phone call with him, I don't know, a couple years back. I remember distinctly and, you know, people have a very interesting opinion of what it's like
50:03
to participate in any sort of DARPA or government grant. And, you know, speaking with Charlie and learning about the streamline process and the kind of low overhead it takes to get a grant through and actually get funding to, again, do what you want to do was very attractive. So I think this program itself was wildly successful alone, but I think it's
50:26
also changed a lot of our personal views about dealing with the government. I hope that can continue with CFT with the next program manager. I would also say that BitSYS, are there any of the BitSYS guys up here? So BitSYS helped run the program for DARPA.
50:41
So we'll all give them a round of applause ourselves because they were great to work with. You know, I hadn't registered for DEF CON in over 20 years, which brings some perspective. And I've known this guy for a very, very, very long time. And he always
51:02
wanted to be something greater than the average bear and to change things. And I don't know if he'd mind me saying this, but I'll say it anyway. Back in the day, when his hunger was great, he asked me to take over the loft, which is probably a bad idea for a
51:20
variety of reasons. But I had faith in them that he is going to figure it out. And he did. And I've worked for him now for the last couple of years. Unfortunately, I've been fired by him because the program is ending. But congratulations, guy. You really did good. Thank you. I just want to say something super quick. We're hackers and we're
51:52
individualists and we hate anyone speaking for us. But Mudge is pretty much the only guy that I'll let speak for me any time he wants.