LØpht - Heavy Industries
Formal Metadata
Title: LØpht - Heavy Industries
Title of Series: DEF CON 26
Number of Parts: 322 (this recording is part 290 of 322)
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/39687 (DOI)
Transcript: English (auto-generated)
00:00
So, 20 years ago, most people didn't know what a DDoS was, they thought phishing was a boating activity, and hacker was a bad word. In a loft in Boston, a group of hackers stumbled into this world in the early 90s. They created L0pht Heavy Industries and in 98, they were invited to testify before the Senate Committee on Governmental Affairs
00:20
about the risks and the risks with the burgeoning Internet. That unlikely event marked a turning point for the industry. Today's cyber attacks dominate the news and ethical hackers and researchers are on the front lines pushing for better security practices and more critical thinking. We're going to hear some never before revealed
00:40
details about that historic trip, hopefully, and we're going to see how they view security issues that are still problems today. So, I'm going to introduce them. So, Kingpin, also known as Joe Grand, is a computer engineer, hardware hacker, former DEF CON badge
01:07
designer and proprietor of Grand Idea Studio. He joined L0pht as a 16-year-old and worked on a bunch of acronyms, POCSAG pager, thanks Kingpin. A little tracking of the president, no.
01:21
Decoder Kit, AMPS-based cellular phone hacking and Palm OS application development. You guys remember that one, right? What was the name of that, Joey? Harry Palm. Was that Harry Palm or Booty Call? I don't remember which one it was. The war dialer, probably.
01:42
So, Chris Wysopal, also known as Weld Pond, is a co-founder and chief technology officer at Veracode. At L0pht, he was a thorn in Microsoft's side, researching security in Windows and writing Windows versions of L0phtCrack and Netcat, and was webmaster for l0pht.com.
02:07
Tan. That was Facebook right there. Tan published a paper in 99, envisioning a cyber underwriter's lab to test software for
02:22
security weaknesses, and he led incident response after a logic bomb was planted at UBS. He did pen testing and red teaming for 12 and a half years at JP Morgan Chase and now works in security at a large health insurance company.
02:45
Peter Zatko, aka Mudge, worked in DARPA as a senior government official for DOD, running cyber.
03:01
He also worked as VP of Engineering at Motorola, and he was a deputy director at Google. He's head of security for Stripe and chairman of the board at the Cyber Independent Testing Lab.
03:23
Chris Thomas, aka Space Rogue, is a founding member of L0pht, was a longtime editor of the Hacker News Network and is a public advocate for security topics through speaking, writing and general gadflyness. He worked at @stake and then went on to work in research at Trustwave SpiderLabs and Tenable.
03:42
He currently leads global strategy for IBM's X-Force Red team. And then Christian Rioux, better known here as DilDog, was the co-founder and chief scientist at Veracode.
04:02
He's the founder of Hailstone, a security incubator inside CA Broadcom. He was a researcher at L0pht and @stake and a member of the Cult of the Dead Cow. Anyone remember Cult of the Dead Cow? He wrote original code for Back Orifice 2000, co-authored L0phtCrack and AntiSniff,
04:32
and wrote some of the first buffer overflows for Windows.
04:43
So, thinking back to that testimony that was May of 1998, what did you say or convey to them that day that you think worked? So, I'll start. So, I think the thing that worked, and it was something that, you know, you never
05:01
plan it, right? I think Mudge dropping his line of the 30 minutes worked, but we were like a visceral representation of what the adversary viewpoint was. Like, we were the first ones to actually talk like, these guys, you know, these guys
05:21
were building secure systems, building the software, they don't know what we're doing, we're hackers, we could break this stuff. Like, we made it really real to them that there are people that can do that stuff, and we were talking, you know, person to person. I think the other thing that we did that was important was we conveyed the poor state of software security and vendors just couldn't say, you know, all software has bugs,
05:46
we have security bugs, because if we could find them, we said they should be able to find them. So, I think those were some of the basic foundational things that, you know, got through. I think going along with what Weld had said, sort of raising awareness of hackers
06:00
in general, I was just at the Mob Museum in Las Vegas recently and learned about something that was pretty cool. The Kefauver Committee back in like the 50s where they were basically exposing organized crime to the masses, it was the first time people learned about organized crime. This is like a little bit of an exaggeration, but the testimony was sort of like that, because people had sort of heard about
06:22
hackers and up to that point they thought they were always bad, criminals, whatever, you'd see something in the newspaper once in a while, but this was the first time where we were on stage and saying, we can do good, like hackers can actually do the good side, besides the adversarial, we can educate people and do stuff that we, you know, think is helping. And I think that was really important. It was sensitivities.
06:42
That was, I've got a mic. You're the only one with it on you? It was one of the first examples of cultivating sensitivities across the chasm. Hackers were criminals. That's the only way we were referred to in the media. It's actually kind of how that whole thing came about in a strange way.
07:03
And on the government side, you know, we knew that there was some overlap where we all wanted the same thing, but we didn't want to become government. Government sure as heck didn't want to become us, sort of set up. So why can't you just ignore the other parts and like figure out how to make progress in the areas where you both have interest?
07:20
One of the things that actually worked really well out of it, which took about two years afterwards, was that Senate testimony was leveraged to introduce verbiage into PDD 63, Presidential Decision Directive 63 under Clinton, which stood up the scholarship for service program. So if anybody went to one of the 73 colleges and got tuition
07:44
and then later had to go work for the FAA, FCC, FTC or anything else, but had your tuition paid for, that was largely driven by that Senate testimony as an exemplar of this is why we need smart young people, not just the old like, you know, old guard and the bureaucrats
08:03
and the policy wonks, which are very valuable, but maybe didn't know that new thing coming in. So it was an awareness sort of set up. Historically, the government was being briefed that, you know, like it was the Cold War, that if cyber was coming, you'd be able to see it the same way you'd be able to see missile silos built up,
08:22
that it would take 10 years, that you'd see large movements of, you know, equipment and funds and everything else and you could track it. And this was different because it was like, you know, here are some kids in Boston who did nation state stuff out of dumpsters as far as they were concerned, and they did it in a matter of months.
08:40
So what does that do for your threat model? And I think that was probably the biggest wake up call for the government. How do you think things have changed since then? Well, is this thing on? Okay.
09:00
I think that definitely that exploits have definitely gotten significantly harder to write over the last 20 years. I remember writing a lot of the first early Windows exploits and finding bugs was something that I literally stumbled across. It was not something I had to search for. You know, exploit trading for cash definitely existed,
09:20
but the sort of nation state support for exploit marketplaces and things didn't exist back then. So as the vulnerabilities have gotten harder to exploit, the relative cost and price associated with an exploit has skyrocketed. It's hopefully skyrocketed. So exploits also didn't usually require nearly the amount of chaining
09:40
that we have to do today to actually fully exploit a system. All of these layered defenses have really raised the bar on attackers and had an effect. And the most well-funded attackers are still finding that the lowest hanging fruit is uninformed and unlucky users who happen to click on the dancing bears.
10:04
But that said, instead of like phishing people's email, just email or making a crafty phone call, you've got online forums and SMS texts and whatever it takes to get to people, Tinder, I don't know. There are a lot more opportunities to phish people these days because of our increased connectedness.
10:20
So while it may be harder to exploit things, it has become easier to exploit people over time. That said, on the plus side, far more people are aware of the need for security these days. Even grandma on Facebook knows about hacking and might even know what phishing looks like. Two-factor authentication is available in many places when it wasn't.
10:43
But that's still surprisingly not in a lot of banks. Of all the places that should happen, more banks don't have it in enough places. Video games have it, not your bank, I don't know. And yes, SMS two-factor sucks. Please, everyone stop using it. So yeah, I mean definitely the profile for the attacker
11:04
has changed in terms of the amount of work. It took me weeks to write a really good weaponized exploit back in 1998, and now it would take nine months to write something that was from initial injection point to full control. Against the hard target, yeah.
11:20
Against the hard target, yeah. One of the things that changed, and actually since we have two folks from Veracode here, and this goes back to SLINT, which was like the original lexical integrity source code checker that kind of maybe helped you guys a little bit with the idea there, was at the L0pht I wanted to do this sort of like consumer reports thing and say like let's look at software, whether it's binary,
11:43
whether it's source code, and say like tell people what's good and what's bad. And the problem was there were no examples of good. Everything was just crap. And you can't go out there and give people actionable advice by saying like, well if you're going to choose web browsers, well you've got CERN's browser and that's it, and it sucks.
12:04
So there you go. You're welcome. If you want a word processor, you've got this one option, and it's crap, so you can't do it. Now we actually have examples. I think Windows 10 was a huge step function for Microsoft as far as hardening. You've got Chrome.
12:20
You've got a couple of good examples that show that you can do solid build quality, really hard targets. At the same time for every one of those, you get like a thousand things that just don't do it that are out there at mass. But now we have examples of good and bad. Before we didn't have examples of good. Plenty more examples in general. Now it's all indexed. It used to be that if I wanted to exploit every single network driver on the planet,
12:45
I would go find a bug in MSDN's example code because everyone would cut and paste that. Now if I want to do something like that, I go to Stack Overflow and I find bugs in Stack Overflow samples because people are just going to cut and paste that. If you want to find bugs in ICS stuff or SCADA DCS stuff, Stack Overflow. Seriously, you'll find them.
13:01
Or look for the resumes. And people will post examples of what they've done in code in those embedded control systems. Yeah, and then you just look for where they worked. And by the way, GitHub is the new Pastebin. I think another dimension of what's changed is definitely the adversary space.
13:22
Senator Thompson asked us when we were there. He said, could a nation state hire a group of hackers such as yourselves and hack the United States? I don't think he would ask that question in 2018 because it's in the news every day. But it was actually like a theoretical thing back in 1998.
13:42
Will governments do this? And yeah, of course our answer was yes they can. Well, a funny thing was the National Security Council visiting the L0pht prior to the Senate testimony where they all huddled out in our parking lot and we all got freaked out so we ran over and we said, no, no, we just invited you in.
14:00
That was a huge extension of trust sort of stuff. You can go back to your SCIFs in Washington and talk all you want. You have to tell us what you're talking about in front of us like huddling. And they said, well, this blows our threat models. What you've done we always thought was only nation state capable. And so we were wondering if any governments have approached you yet. And the answer was, no, but if you'd like to be the first,
14:22
we're willing to entertain offers. And luckily they laughed. I think that's the time when we gave them the L0pht root beer also and all of you got headaches and stomach problems. Everybody got sick. Thanks, Joe. It's amazing they invited us back.
14:41
Joe poisoned the government. Unintentionally. National Security Council and masks with homemade root beer. Going off of what Weld said is that nation state or not, attacks are so common now where back in the day they weren't, we're so desensitized to it and we're naming our bugs and we have giant presentations about it and it's like a real circus.
15:04
But an attack happens, stock price goes up, there's a media frenzy, stock price goes up, and then everyone goes back to work and then you do the next one. So it's really this very different cycle. Related to the tools, we were creating our own tools and we were getting stuff out of dumpsters and reverse engineering things that weren't available because the documentation wasn't there.
15:23
Now everything is online and the tools to do stuff, especially from the hardware perspective where I'm from, the resources are out there. You can get every tool you need to hack hardware for under $100. We went dumpster diving for documentation on more than one occasion. Now you can just Google for it. I think it's the access information and the resources which is great
15:44
and possibly for people on the defense maybe not so great. So one question before I let the audience have a chance. How did the testimony, the invitation to come to Congress happen? That's a point of debate.
16:00
It's actually really not a point of debate. No, it's a point of debate. Well, what had happened was at the L0pht, we were trying to do it full-time. So we actually had a couple of folks on early payroll and I was going out. This is pre-payroll. Well, actually, yeah, that's right. Well, L0phtCrack was paying a little bit of stuff.
16:22
I mean L0phtCrack, but we were getting press. Yeah, we were getting a lot of press and that's actually what kind of started this in my mind. We were getting a bit too much press and I was really worried. Remember the MIT thing where I had to sit up there against the Net Day who was the FBI director, the cybercrime FBI part, and this was Hacking for Girlies when they had hacked the New York Times, and so I'm sitting on a panel that MIT had invited me to.
16:42
All the L0pht guys were there. Tan was there. You know, this went really well. And the FBI Boston cyber part says like, we're investigating all the leads. We've already talked to all the relative people. And so I open my big mouth and say, on the same panel, no, you haven't, because if you look at the source code on the hacked page,
17:03
it calls out, greets to the L0pht and Mudge, and I'm sitting here on the panel with you and I'm telling the audience that you never talked to me. You know, didn't go over too well with the Boston FBI. We were also, you know, making like a lot of news, you know, the local NECN, the cable news and stuff like that
17:21
and I honestly thought that we needed a contingency plan. So I actually started to go out to the government and very quietly I started to advertise that I would train and you guys remember me going out to a bunch of these. Air Force Information Warfare Center, you know, Quantico, NSA for I4C4X groups and stuff like that. Anybody in the government could get me to go out
17:42
and I would educate them and train them just on tech stuff and I would not take any payment because I didn't want to be under, you know, I didn't want them to have chains or strings to pull sort of stuff. And the goal was I figured that the FBI or the DOJ was going to at some point just from the media, try and make an example out of this. And like pull us up and make some big sort of like,
18:02
we got the hackers, you all know about them, sort of set up. And if that happened, that I wanted to be able to like reach out to the folks at West Point and have like, you know, colonels and majors show up in uniform and say, no, these guys aren't the bad guys. They've actually just been very upfront and help. Through that, I ended up briefing the National Security Council several times
18:22
and became friends with Richard Clarke and then we had the meetings with him and then he became kind of a friend of the L0pht and he brokered it with the Senate. And he and I kind of talked a lot about that and I was uncomfortable with it and then they reached out to us and then I had to approach it with the other L0pht folks and I remember Weld is familiar with some of the back stuff.
18:43
I didn't do a great job of sharing it with all of the L0pht folks. But it was kind of prepared because we were not going to go into the Senate and get ambushed and just get raked up and down the hills. It was going to be friendly or else we weren't going to do it. We were very scared ahead of time. We were terrified. Walking into that room, what kind of reception we would get.
19:03
I think it's one of the reasons why I demanded everybody wear a suit because we didn't know who we were going to walk in there and have the senators call us all criminals. He did not have a suit, he wore his father's. And I haven't worn one since. I mean we were assured that it was going to be a friendly meeting
19:22
but we also in the back of our minds felt, you know, we could get in there and they're just going to call us all criminals and what do we do then? Because if you watch it, you'll actually see that it was Senator Thompson that says like I'm informed that you think you can take the Internet down in 30 minutes. He was talking about my BGP work that I was doing it by day job which was a government contractor at the time. And there's no way that they would have known that
19:42
had it not been the fact that in the day job and the night job I shared that with the folks in the National Security Council. So I mean a lot of these questions, you know, were sensational but they were relatively safe and it was a little weird because we were still terrified. We worked out for sensitivities. I think we did a good job preparing the written testimony
20:03
because looking at that, like the spoken, for me, I'm sort of embarrassed about but you guys were fine. The written testimony was like a really good description of what could happen and so we prepared that in advance. I think we had to send it to them a little bit in advance. It's still in the public record if you can find it. Right, it's in the public record.
20:21
So we didn't know how they were going to react to us but by doing that, it puts something into the public record that actually was going to stick regardless. And John Glenn obviously messed up a little bit when he was like and I've worked with some of you and I'm like, oh geez. So one of the other interesting things about it was we only agreed to do it if we could testify under our hacker aliases.
20:42
And we just almost couldn't believe that they allowed this. They said the only people who ever testified before under their aliases were in the witness protection program, which might not have been a... This made expense reimbursement really difficult. Well, this was hilarious and I might be giving away a little bit of OPSEC for it.
21:02
Part of it was, and these guys all know this intimately, I hate flying. I'm petrified of flying. And we wanted to go to the NSA crypto museum. And if we took a train, we weren't going to get to the crypto museum before it closed. So we rented a Dodge Ram 3500, you know, 15 passenger... Like an 11-seater van. Yeah, 15 passenger van, black tinted out windows
21:21
and like Brian Oblivion and everybody else, like the hardware guys are like, let's put in tennis, let's actually like map the Northeast corridor. The thing looked like it was a SIGINT sort of van going on. This is 1998. And there's a story about taking the wrong turn, which I won't go into when we went into the NSA wrong entrance,
21:40
with a van that looked like SIGINT. We really fit in because we had all the antennas. They didn't know what to make of it. But when we get down there, they were like, you know, we're checking into the hotel. And it was Al Anderson, Bob Baderon, you know, CC, DD, E, FF. And the weird thing was the hotel was like, yeah, we've seen this before. You're going to the Senate, aren't you?
22:00
So the other thing about it under the hacker names was the reason we did that was because we were protective of our day jobs, right? Like we were going to be talking... We didn't know how the vendors and the partners of the companies we worked at were going to take this. Well, we did know how Microsoft used to handle it. Yeah, Microsoft, you know, because obviously they can pull strings with your employer, right?
22:21
But it didn't work out so well because there was reporters there with cameras and our picture was on the front of Internet Week when we got back into work the next week. Our picture was on the front of the Washington Post. I mean, the handles, though, wasn't just for day jobs because not all of us had day jobs.
22:40
Some of us weren't old enough to work yet. But, you know, we were pissing a lot of people off because we were seven kids in a warehouse and, you know, you had some professional jobs still. But whatever, I remember reading some mailing list posts of people on like, you know, academic, cybersecurity, whatever we called it back then, lists saying,
23:01
why don't you guys come out from behind your handles if you have something to share and whatever? And we're like, well, we're sharing the technical information. You don't need to really know who we are. We're the L0pht in Boston with Kingpin and Mudge and this is what you need. But it was also a protection mechanism just in general because what we were doing was not normal. Also, even at that point, we had built up a considerable reputation
23:21
individually and as a group under those names. And if we suddenly started using our real names, nobody would know who the hell we were. Well, one of the reasons you don't give up the names, if you remember when I went down to the Clinton round table in the White House for that, and this is where my name actually, because I had done, I thought, a pretty decent job of never having a picture of me, never having my name on the internet or whatever.
23:42
And so I get invited to go down because Dick Clarke goes like, hey, you know, you guys have done good. Mudge, why don't you come down and meet with the president for this like sort of photo op. This was right after Stacheldraht, the big DDoS sort of stuff. And to go into the White House, you have to always give them your social security number and other stuff like that because they want to check. It's embarrassing if you owe child support
24:02
or if you have like warrants out for you and you're being invited in to see like the president. They gave that list directly over to the media. And so I have my name. They don't give a social part, but they give the names. So I get a call from a reporter. I'm back in Boston and they're like, Hey, Spake, you know, I just got this sheet
24:22
from the press corps at the White House and it has everybody's name on it. Is Mudge really Peiter Zatko? And I'm like, I was like, okay, thank you very much. I hung up and I immediately called you. So I call the National Security Council going, he just blew my cover, and it was the White House Communications Agency and they're like, oh, we'll fix it. So what they do, yeah, they fixed it.
24:42
What they did is then they sent out to the same press folks the exact same thing with my real name replaced with Mudge. On the exact same thing. Now, I got death threats from the hacker community because folks were like, hey, you're a sellout. What are you doing? Are you a fed?
25:00
Are you a hacker? I mean, look at all the stuff I contributed to open source or whatever. You can look at the CFT. You can see why I'm doing it, I hope. But yeah, this is part of the reason why you don't want your real name out there sometimes. I mean, that wasn't a lot of fun as like a 26-year-old getting random phone calls to my cell phone, even cell phones that nobody else knew. Because there's some good phone freaks out there
25:20
threatening your life. So you guys prompted some interesting newsroom discussions when I was reporting on your activities and my editor would say, OK, so we're supposed to identify people with their real names. So who is Space Rogue? We need a real name. And I'd be like, well, but that's the name that I have to report.
25:41
That's what they're giving me. So I had to do some education that this is a new type of world, a new reporting era. And so that was really fun in the newsroom. Not just the media. The academic journals had to do the same thing. I published papers with Bruce Schneier and David Wagner and Microsoft's crypto stuff that I worked on. USENIX wouldn't accept my judged and vetted paper
26:05
because they didn't have my real name on it. I don't know if you remember the Federalist Papers? Yeah, I don't know if you remember this, Elinor. But I think you specifically asked me what my real name was. And I was like, you know what? If it's good enough for the US Senate, it's good enough for Wired.
26:21
All right. So let's take it to, anyone have any questions? All right, so we're going to take some questions. I'm going to ask people, really? Come on over. All right, anyone has questions, please queue up right here. Hey, Render. I hope, at least it should be a friendly question, I hope. You never know. Well, you wonder who was sending all those death threats
26:42
and everything. No, I just want to say, all of you are directly responsible for me. Is that? Sorry. I don't know if we should take credit for that.
27:00
Formative years, late 90s, there was no, there weren't a lot of examples out there of what to do with these skills and these interests. So you guys are the only thing out there. And I think you did a damn good job. So thank you very much. Thank you. And if you agree and you think that these guys
27:23
helped form who you are, please stand up. I want to see. You are responsible for all of this. Some of these people probably weren't even born then. Thank you. Thank you for everything you've done.
27:40
That actually means a lot because when we were doing the L0pht, especially when we were trying to figure out how to fund ourselves, we looked at going into government contracts and we looked at any sort of funding thing where we wouldn't have to become like a commercial entity. And it's honest to God why I did Cyber Fast Track when I went into DARPA because I'm like, I want what we needed at the L0pht in order to keep doing good stuff available for other folks, even if I don't get to do it.
28:02
And actually, some of the guys actually did do, get to take advantage of it in there. And the biggest thing was, it was a pain in the butt for us to figure this out and it shouldn't be that pain in the butt for other folks because they should be able to do it more easily so they can figure out the next thing and take it further. And that's the whole sort of thing. How do you get the next team and inspire them or the other people
28:22
and not make it as difficult? And you've released a lot of really good stuff and a lot of other folks in here have released a lot of really good stuff. You have, man. Oh, it's good stuff. That's why I think we were successful is that other folks who think that we might have inspired did neater stuff than we did. And look how Def Con has grown too.
28:42
We were standing on the shoulders of other people and inspired by other people and then it just keeps growing and it's like this exponential growth where everybody can do something, right? And it's amazing. So it's just going to keep going. And I feel like we were just this little... It was ALGM, there was LOD, there was a whole bunch of stuff. We were just this little piece of it and it really is an honor to hear that.
29:01
Other than feeling old, thank you. But it's amazing, yeah. Thanks. What did you guys screw up along the way? What did we screw up along the way? A lot. A lot. A lot of stuff we'll not talk about. Is that it?
29:21
You'll notice @stake's not being talked about a lot, although it actually was really important for a lot of other areas, but it was very personally painful for all of us. I don't want to say that was a screw up, but it was definitely a learning and growing experience. I tell people that I wouldn't have changed it, even though it was hard. It is what it is. And it is what it is. And we were trying to do something. We wanted to fund ourselves. If we were trying to do something nobody had done,
29:42
there were not small security consultants. For those that don't know, @stake was the commercial entity that the L0pht turned into after we got VC funding or got bought or however it went around. And then that all kind of fell apart. But we wanted to do it full time and we took a risk and nobody, it's not like we could follow the path of anybody else. We didn't know it would happen. And yeah, there's a lot of personal stories.
30:01
There weren't a lot of vendor funded security companies out there at the time. Yeah, but I think it shaped a lot of what we did moving forward also. I'll tell you one of the things I always wonder if I did right or not is I kind of buried what the take the internet down in 30 minutes was. And I did that during my day job. I did it during my night job. I didn't even really share a lot of it inside the L0pht
30:21
with like the BGP update attacks. There's a whole bunch of tricks with putting like the target inside an AS set so it gets discarded. There's a lot of, we're seeing it now in the media. And it's a very viable one. And actually if you go back through, you know, like, Pataris or some of the other route views sort of things, you can see some interesting nation state stuff going on if you know what to look for. And it goes back almost to 1998, which was interesting.
30:44
And I always wonder if I shouldn't have actually released a proof of concept for that. I'm still wondering. Maybe now, but not then. I know. Well, now it's actually more like, you know, an hour and a half rather than 30 minutes
31:01
because all of the, you know, the private peering exchanges and the IXPs and stuff like that. But yeah, that was our big thing was you can't hide behind it, you can't make it opaque. Here's how it works so both offense and defense can understand it. And there was a lot of confusion about that and a lot of sensationalism. And I always wonder if it shouldn't have been backed up
31:22
with an actual 0-day release. So scary. Uh-oh. Uh-oh. Hey, guys. Stand down. You know, the table recognizes Deviant Ollam. How do you do? I guess I wanted to ask about the changing landscape both of the hacker community and the world at large because people, my first question is kind of easy
31:42
because I think it's a no. Could the L0pht exist today? Or we think of the L0pht, we think of hacker halfway house. We have like maker spaces and hacker spaces, but a lot of younger people could see you like, oh my God, I want to do that. But that isn't really that anymore. If people want to share minds
32:01
and maybe even crash together or maybe not, maybe that's not, what is feasible for people who really want to collaborate in this economy and in this time and in this job market and could the L0pht exist today or what is it now? What should other people do now? I mean, look at all the hacker spaces that exist all over the world and they're not exactly like the L0pht because we were much more private
32:21
and careful with what we were releasing and sharing. Private just as far as like people couldn't come over. We wanted to be physically located. We wouldn't have virtual members because of the direct interchange when we had like group meetings and stuff. We couldn't do virtual back then because virtual didn't exist. But the hacker spaces that exist are in different regions. You know, around the world for people to get together, like-minded people to get together and work.
32:40
It's not exactly the same. You know, it was just that particular time. I feel like we were lucky that the seven of us plus Silly and Dildog when they came in later, like... And Stefan. And Stefan. We just happened to all click and it just worked because there was a lot of other people in the Boston community that we hung out with and did stuff with but for us it was just a really special sort of lucky thing.
33:01
Maybe it can exist. I feel like there's more kind of commercialism of it, right? Because we were doing it and we didn't expect to make money at first. When we wanted to, we tried to by selling T-shirts and services and stuff. But it was... L0phtCrack. Yeah, I mean, we weren't planning on doing that but now it's very financially driven I think a lot of times
33:22
and you can do things on your own and have a hobby but if you want to survive, you have to promote and do things that maybe are more sensational than... I'd like to just go and say yes, it can. And here are the examples. Chaos Computer Club. Right there. You know, TOOOL. Right there. Fantastic examples of that sort of hacker mentality at a much larger scale.
33:44
You want to look at specialization, stuff that Dildog really started to go into. You know, Project Zero. I mean, who doesn't want to be a part of that sort of setup? So it exists out in that sort of philanthropic sort of thing, that sort of open thing like CCC. It exists inside of organizations like the Google Project Zero sort of stuff.
34:03
So yeah, I think it's even better than it used to be. One observation that I've got on that is that many times the availability of the internet and interconnectivity has allowed people to collaborate on shorter projects like individual projects.
34:21
You know, we have repos now where people collaborate. We have Slack channels where people collaborate and they usually... I'm not going to be overlapping from certain groups of people, but you'll have people working together for a single purpose as opposed to simply just having a group of friends that hang out. So instead of being people and sort of place-oriented,
34:42
a lot of the organization these days is project-oriented and outcome and goal-oriented type work. You know, I can't count the number of Slack channels that I'm on now. And you know, just all for different kinds of purposes and not necessarily for the purpose of like making friends and being a close-knit group, but for helping like to bring something to bear
35:02
to help solve problems, to push some agenda forward, to make some software that should exist a reality or whatever. But I've just found that it's easier to like make small bubbles of projects and work on, iterate on those. So I'm going to actually come to the mic.
35:20
So I have a day job. And we actually had Keren Elazari at our conference in Washington. And one of the things Keren talked about was that corporate environments in corporate America need to embrace the hacker community, the security community, because a lot of the clients that I talk to still view all of us as enemies. And I'll walk into a client meeting,
35:40
and I obviously don't dress like this, and people are like, I know you from DEFCON. And I have to say, no, that's not me, because there's still a perception. And like I buy my daughter a T-shirt, and she goes to school, and people go, oh, aren't hackers bad? And she knows the answer. No, hackers are people who get stuff to do things that the creator didn't think could be done, right? Do you have a question?
36:00
Yes, the question is... I specifically told you before you got out here... No, but I can't moderate myself. So what are your thoughts on how we can better get that sort of... The sensitivity. The relationship between what we all do here and what businesses do, because we're in conflict more than not.
36:21
This was actually what drove Cyber Fast Track. And what a lot of folks don't know is that I would get pings from NSA and the White House periodically saying, you seem to be a day one. You're friends with the hacker community. You may or may not have a whole bunch of clearances, sort of stuff like that over here.
36:40
How can we trick them into doing work for us, because they seem really clever. And I'm like, did you really just phrase it that way? I mean, this is how you make new adversaries. And I think the thing that worked the best is not embrace the hackers or whatever. It's to recognize that it is another group of people. And they're different. And you don't have to turn them into you,
37:01
and you don't have to turn into them. So if the lost city of Atlantis just pops up out of nowhere and has significant capabilities, you don't go like, oh, we've got to make them become Americans. And you don't say like, oh, we have to just attack them. You don't know what it is. You build out a relationship, and you figure out where you have like goals and similarities. And you focus on those, and you let people be themselves
37:23
in the other areas. That's what worked. I can't tell you how many times I had to send back nasty emails. Keith Alexander and I went head to head a number of times on this. But I don't think you have to embrace it. I think you have to respect it and figure out where you have like overlaps and where everybody can move forward without trying to co-opt people.
37:41
And so you're like, oh, cut your hair, and become a government person. Or the hacker way is the only way. You cut your hair, and become a government person. Where's my hair? But I think it's funny that you say that, because I don't go into a lot of corporations. But I feel like we've done a really good job as a community to share the good side. And what I get from people when I do go into organizations,
38:05
they say it's nice that somebody's here that has a different perspective. Because so many people are in their silos, they're working. They don't go to DEFCON. We sort of think it's normal to come here, but it's not. So having that perspective is much better.
38:22
You may not have noticed, but that's not well-drilled hair either. Yeah, you're still wearing your wig. Yeah, so I think coming in and having a fresh perspective is OK. It's just trying to maybe convince people that that's OK. But we feel you. Yes.
38:42
All right, thanks, Render, for breaking the seal on this one. But I just want to say, you guys, you were the original bad boys. You were the original sort of hackers. And you guys threw ups and downs through the years. Here you are all these years later, and you're doing good. You turned it around, and you're doing good for the community and for our industry. And I just applaud that, because it paved the way
39:00
and showed that it's possible, no matter how you started out, that you can turn it around. And you can encourage the community and do awesome things. So thank you for that. And yes, there is a question. But folks should realize that means a lot to us, because that's Johnny Long for Hackers for Charity.
39:23
So hearing that from you, given that that's how we feel about you, means a lot. Thank you. Thank you. You guys showed me that it was possible, so it really encouraged me, so thank you. But my question is, let's assume that you weren't the good guys. How long would it take you to take the internet down today? Well, kinetically or?
39:42
Whatever it takes. Well, actually, we got that a lot right afterwards. And it was weird, because we wrote that a lot. But honestly, I mean, I honestly didn't even share a lot of the BGP stuff inside of the L0pht. And a lot of the questions were, well, if somebody could take the entire internet down, why haven't they done it to demonstrate it?
40:02
And even back at that time, you saw people hijacking prefixes. You saw people redirecting it. I had a friend at MIT that used to periodically take the East Coast and just route it to a dorm in MIT in order to saturate the lines just to mess with the other dorms over there. The L0pht web server was physically at MAE-East.
40:22
It was on the FDDI ring at MAE-East. So we knew from whence we spoke. We had a friend who actually put it there for us, free of charge, which was nice. The MD5 components were all zeros for everybody for the shared secret in order to talk BGP for the national access point. But what people didn't realize is there's no value
40:42
in actually taking down all of the internet because then you take down all of your targets as well. If I want to go into a foreign area and do a strike, why would I black out the skies so I can't fly in there myself? So the problem is that you can still take it all down. It would take a lot more because of the cascading effect
41:00
and some of the dampening. And there's a little bit of RPKI and some 3379 BGP-ish sort of stuff, not much. But by going to private peering points, they've made it really easy to go in with a scalpel and take out individual areas, reroute it, and nobody else notices. And we're seeing the crypto hijacking for the mining pools happening.
41:21
We're seeing that places like Iran and other areas occasionally leak their route advertisements out. It's probably not even a hijack. It's because they're intentionally routing the stuff through their own monitoring infrastructure. Remember that time North Korea just disappeared from the Internet for like, I don't know how long? I have no recollection of what you're talking about, Senator.
41:40
There's another aspect to this question because after we did the testimony, we had several people come up to us and say, hey, I heard your testimony. You can take down the Internet, blah, blah, blah. Was it because you could do X, Y, and Z? And we'd be like, well, that's not what we were talking about, but that would work. That would work too. And so at the time, there were multiple ways to do what we were talking about.
42:01
And are there other ways that we don't know about to do it now? Maybe. I mean, I think you're seeing it being taken down in a very interesting way by social media right now on its own. Thanks, John. Hello. I'm guessing you guys all have a lot of experience with the law and being on the good side and the bad side,
42:21
so my question's kind of around that. The Supreme Court came out with a decision a few months ago, and this is my translation of what I read, was police need a search warrant to go track down a cell phone, but the government for national security reasons don't.
42:41
What do you think of that? I think it only applies to geolocation information. In other words, where the location of the phone is and tracking of it, if I'm remembering the court case properly. No? I thought there was more to it. I'm sorry, I thought there was a lot more to it because it rambled on. Yeah, I didn't follow up on that particular case.
43:03
I definitely wouldn't say that we're all caught up on the law. How I ended up in the L0pht is I got arrested as a kid because I had nowhere to do what I wanted to do, and these guys accepted me in. So no, the law is, I don't know how much we've actually paid attention.
43:21
At least I haven't paid attention to it even now because I would rather do something I want to do and share it and then pay the consequences later than not be able to do it and then not be able to read the information. So literally I was a senior official of the Department of Defense and I funded about 180 different small projects from hackerspaces
43:45
and individual folks. I did have to follow the law a lot, and in particular a lot of US codes for Title 10 and Title 50 in addition to CFAA and Electronic Communications and Privacy Act sort of stuff. I'm not familiar with that particular case,
44:00
so some of us had to follow the law, and that's why we became Midnight Basketball for Hackers for Kingpin. So I will say, though, that since you brought up the legal question, there are a lot of issues that occur at the federal level and the state level that can require a different viewpoint for input. A lot of the people who are writing these laws
44:21
may not have the vision to see all the angles that a specific law or rule may impact, and that's where we can come in as hackers. We can help inform the lawmakers of our point of view and how we think that certain proposed laws may impact us or other parts of the Internet. So one call to action that I'll give now is to get involved in that process.
44:44
Call your senator, write your representative. It makes a difference, and if you hear about a law or a proposal that's getting put forth, let them know that you may be an expert in that topic and are willing to talk to their staff and their aides. Or at the very least, give them your opinion. Give them your opinion. Write the letter. They assume for each call that there is 100 people who didn't call.
45:03
Now might be a great time to tell every Congress person that you can to go ahead and read Matt Blaze's paper on the safety of secure voting machines. That's a key topic right there. I mean, I've done several briefings in D.C.
45:21
for different staffers of different representatives and senators, and they eat this stuff up. They really do because they're hungry and thirsty for that knowledge. They don't have any other place to get an unbiased third-party opinion that's not paid for by a lobbyist. So if you can get those meetings, you can write those letters and let them know your opinions of whatever bills are being crossed,
45:40
it makes a huge difference. And even more importantly, give them your opinion, but if you have data points, nobody's bringing data to this game. Our industry is the only industry that doesn't have clinical trials and ground truth and anything else. You bring numbers or other things, you stand out.
46:01
Give them your opinion. For God's sakes, if you have data or if you start to measure stuff, that's how I rebooted DARPA. That was the entire framework. That was the 125 lines of code malware that took half a billion dollars away from Keith Alexander and redirected it. Because it was like, we brought data. What do you have? Well, you got an opinion. That's great. Here's data.
46:26
That actually leads right into my question. If you guys were invited back to the Senate now 20 years later, what would be your main message to the senators? I don't know. Somebody to choose from. Well, we sort of did that.
46:41
We did that a couple of weeks ago, months ago. Yeah, a couple of months ago. But it wasn't directly with the senators. It was with staffers. It was basically what had changed, what hadn't changed. And you should watch the video. I guess a big message that I would like to bring is that we've come a long way in 20 years,
47:01
but we've got a lot longer to go, a long way to go with what we're doing, especially with the rise of new technologies like IoT, the risk in electronic voting. We've got other issues that we need to talk about. So we have come a long way in 20 years. We're not dealing with the same old doom and gloom, but we still have a long way to go. My personal campaign is don't stamp things with safe or not safe.
47:25
Don't do, and I've got this thing going back and forth, like a UL seal or a FIPS 140 sort of does it pass or not pass sort of thing. Give them a continuum. Give them a fuel economy. Give them crash test rating. Give them the nutritional labels on the food
47:40
so folks can make informed decisions. Give them transparency about the libraries that are coming with it, something that is measurable, because all of the other industries have this, and we don't. And I have nothing for or against, like FireEye versus CrowdStrike versus Carbon Black versus whatever, but they all say they're the best, and they're all very different,
48:02
and you're putting them in your environment. I mean, if you went to the grocery store, and you're like, well, all the food is just food, and there's nothing else, no other information, and your doctor's like, don't you dare have sodium because you're going to die. You're like, well, I don't know. This looks pretty good, bacon. If there's no information, you can't make an informed decision.
48:20
So that's what I'd actually talked to the senators about. It's like that is something that the government can do a little bit, and I wouldn't use liability, like we said during the first time. That went over like a lead balloon with the Senate. I'd instead say like incentive structures or other ways of like encouraging people, maybe giving them tax breaks or whatever for organizations
48:41
if they gave that data so that folks can make their informed decisions. Because one size doesn't fit all. It's all how you word it, right? Yeah, I think the other thing that we sort of touched on in this meeting here, and something I think that I would spend more time talking about is they had asked us like, well, what can we do for legislation? And sort of the answer was have less of it.
49:01
You know, get rid of DMCA and don't prevent us from doing security research because we're the good guys. We're still the good guys. So I think that would have to be a big point of like letting them know. You don't need more laws to make stuff happen. You can kind of let back a little bit and let people get some more freedom to do things. Well, that was an interesting time because HR 514, DMCA, and WIPO,
49:21
World Intellectual Property, you know, stuff was all coming out. So our big message to them then was do not make it illegal to see what's in the sausage. You know, because that's what they were going to do. And I think today it's unfortunately kind of the same message except now it's advertise what's in all the sausage so that folks can figure out whether it's kosher or not
49:41
because it matters to certain people. So this is a tweet from Dan Kaminsky in 2014. For an industry built on layers of abstraction, there is a remarkable lack of historical awareness around older technical design decisions. In the context of the cloud and DevOps development, do you think that's making the problem worse or better?
50:05
Could you repeat that? Yeah, sorry. We missed a little of that. Sorry. At the band. Did you get the tweet for it? Just swallow the mic also, please. We can't hear you. Thank you. Right up there. OK. Dan Kaminsky tweet 2014. For an industry built on layers of abstraction,
50:20
there is a remarkable lack of historical awareness around older technical design decisions. In the context of the cloud and DevOps development, do you think that the problem is getting worse or better? So some of these foundational things that everything still sits on have really not been fixed. Like BGP still has problems.
50:41
DNS has problems. The whole SSL certificate system has problems. And this is something that we talked about when we talked a few months ago up at the Senate is it just seems like we're just sort of biding time and just hoping everything just keeps going OK as we become more and more dependent
51:01
on that technical infrastructure. Every year goes by, we're more dependent. I don't want to be dependent on that when the only doctor that can operate on me is doing telepresence across the planet and someone launches a BGP attack. So we're getting more dependent on this stuff, but no one's really going back and doing a good job trying to fix the foundations.
51:21
And I think the hacker community and InfoSec in general has a pretty short memory. So because there's so much information coming out, there's what, 500-something talks just at DEFCON now. And it's hard to sort of know what the prior decisions were or even prior work. So we're seeing repeating stuff. And I don't know if there's a way cloud or not,
51:42
like how to consolidate that in some way. And I know The Dark Tangent's trying to do it with InfoSec.org or something to harvest all of everybody's talks from all over the world. But I don't know how we can have a cohesive memory of our entire community or something. I think that's what you need to learn what happened in the past.
52:03
What's that? A lot you might want to forget. Oh, you know what? Maybe we should just put everything in blockchain. Did that work? I'm a hardware guy. In terms of the processes by which we write software
52:22
and things changing over time, it used to be that you simply did not find out about security issues until software was published. These days we find out about it sooner and sooner because of the availability of various types of testing. I made it my business for like 10 years to write static analysis software
52:40
that could make it easier to find flaws before they went out the door. But that was met with a lot of resistance by developers. To really continue to affect change in the future to improve the state of things, developers need to be more involved in finding their bugs and fixing them sooner. That said, there's a lot of friction there
53:01
because the tools aren't very good for developers. They're not written with developers in mind. They're written with AppSec people in mind. And the profile of the use case for developers iterating quickly on code and trying to get things out the door quicker
53:20
disincentivizes security analysis. So coming up with tools that developers can actually use that are low false positive rate and fast enough to be part of their process is really key. I'm going to go ahead and say this is something I'm working on actively. Today I know that that's where I need to be in terms of developing tools.
53:41
But in general, pushing the cultural envelope for developers to make it such that security is something that not only is something that they want to do because it makes them feel good. The developers that I talked to do want to write secure code. They do want to use tools. They just don't want to have to be a pain in the butt. So meeting them where they are
54:01
instead of forcing the hand through Draconian security teams who won't let code out the door is really where we have to be. It's hard work for the security community to do that. It's been historically over the last 10 years we have simply said fix your code or by the time it goes out
54:21
you're going to have your pants pulled down or be embarrassed by all these vulnerabilities. But that's intellectually lazy on our part. It's simply saying that it's good enough to embarrass developers into attempting to write more secure code. That's not going to attack the problem at scale. We actually have to help them make it easier.
54:43
And that means becoming their friend. It means not being seen as an adversary to development. One of the things that would actually help a lot for developers and DevOps and everything and then I'll touch upon the cloud things. I think that's a very important question. There's some sort of feedback. So if you turn on like stack guards you have no clue whether it actually inserted them or not.
55:02
You turn on FORTIFY_SOURCE on like a Linux system you have no clue whether it removed 90% of the weak functions that you didn't know that you shouldn't have put in there with strong ones or .005 and actually it's closer to the latter in a lot of cases. So there's no feedback for developers as to whether when they're trying to do the right thing it's having an effect or not.
55:21
So I do think that's something that we can do a lot better as a security community is like providing feedback and measurements. On the cloud stuff I'm actually really impressed with the cloud from the large providers not so much from the small ones and it's because they're essentially getting fuzzed all the time by their users. So if you look at Amazon or GCE or anybody else
55:43
they're really hardened in a lot of ways or Azure you know sort of stuff because they have millions of users who are doing crazy stuff all the time in the real world and also they're doing AB testing as to what to roll out. So yeah I actually think that abstraction at scale if it was like you know if you think of the world
56:01
as AFL at large you know just you know as a Mechanical Turk version of AFL yeah that's actually really useful for the large providers but the small ones don't get that benefit and they scare me. So cloud's a mixed bag. This is for Mudge. Tell us about the election hacking and your response.
56:24
Does it have to be Mudge? Those are the topics I've talked about a lot. So I've got a question for you. You've got a question? Go ahead. I've been wondering how if you can tell me I don't know statute of limitations when they you know when that ends but what's your most
56:42
Are you implying that we did anything that requires statute of limitations? Ma'am? I don't know. You're at Def Con. You're up on this stage. I don't know. What was, what are your most like what's your most fun or entertaining or memorable hack that you can talk about?
57:00
No comment. Do you guys remember the midnight poker nights with Hobbit? I'll see you get off the bowl ISP in Latvia and raise you a small internet connectivity area in the Gulf states for you know Okay you need to shut up right now.
57:20
Back to Rogue Agent's election question. I think the thing to keep in mind when we read about election hacking in the press is that there's a big difference between probing a registration database and changing an actual vote in a real election. And there's a very big blurring in the media
57:42
between oh my god the election was hacked or the voters were hacked in some state and whether or not a vote was actually changed. You okay? Yeah. What have you heard? I think it's important to keep that in mind and when you see these media reports
58:02
of registration database was probed or copied or whatever that's not the same thing as somebody breaking into an election changing an actual vote. It's not the same thing but all this in the media over and over again votes are getting hacked, systems are vulnerable with this it makes it so that people don't trust the system. People don't understand so they're not going to trust the system
58:20
fewer people are going to vote and there are actually people out there who don't believe our president was elected legitimately because they believe systems were hacked. There are people who believe that. I think that's part of the problem. That was part of the goal is that they're trying to cause mayhem by forcing people or changing people's mind. I'm not going to get into who's they.
58:42
It could be anybody but a lot of the information that we're seeing reported in the media and I'm not going to 400 pounds. I'm not going there. There's a lot of people in that now I've lost my time. We only have a few more minutes left.
59:01
I just want to give a pointer to the answer there. Alex Halderman and the folks out of University of Michigan went over to Estonia and what a lot of folks don't know is actually that was part of the Google project that I ran for Project Vault and watch the video of an actual online e-voting internet sort of environment. It is amazing and terrifying
59:20
and it is 15 years old and hasn't been updated and it is still the exemplar of the best thing out there which should make people pause. Bear in mind that the real election hacking is being done by our own government. It's called gerrymandering and you can vote against it. That is the perfect point to close on.
59:41
We can just drop the mic and walk out on that. So I want to thank all you guys. That was awesome. Go ahead Eleanor, sorry. One last question. What advice do you have for hackers and researchers, security researchers today? Let's start with at the end of the line and just move this way. Advice for people in the audience.
01:00:00
Um, never be afraid to get started on something. Um, I, uh, often times get into form of analysis paralysis wondering if the thing I'm going to do is going to either make me money or be valuable or whether people will notice it. Um, you just simply don't know, um, if it's interesting, get started on it, tear it apart. Uh, you
01:00:24
know, make it your quest to learn about that thing as much as possible. Um, break new ground whenever you can. Uh, if you think nobody else has maybe done it, just do it. Um, and try to finish what you start. It's the hardest thing ever when you've got a million ideas, but it's, it, that's the only way anything ever gets done. I think my big advice to
01:00:44
security researchers today is just be careful, right? There's a lot of companies that don't like you. There are laws that don't like you. Uh, and that doesn't mean don't do it. Please keep doing what you do, but be careful, do some research on the laws, don't cross the lines, stay out of jail, stay out of the courtroom. I'd say play the long
01:01:08
game. Um, you know, I remember going out to talk to cadets when I was at the L0pht. Those cadets are now colonels. Um, and they actually have impact. Same thing with senators' aides. Um, same thing with CFT. I mean, Kingpin came up at the end of my
01:01:24
talk at Def Con like a few years back going like, we didn't know what the heck, you know, Mudge turned into the man, what's going on? And I got a lot of crap for it, but then folks saw that no, actually, still kind of Mudge, you know, trying to make the dent in the universe sort of thing. And you made it easy for us to take government money. So play the long game. Everybody else is optimizing locally, optimize globally
01:01:45
and for the long term. Uh, I guess a lot of people ask me like what they should focus on in terms of, uh, um, you know, people I work with that are actually coming to me to learn how to get more advanced in their security testing. And, um, everybody
01:02:03
wants me to point them at something the company is using or would be useful or whatever, but ultimately it has to be something you're really interested in because it's going to take tons of hours of your devotion. So, um, obviously focus on that. And then the other thing I would say is that, uh, it's really easy to get wrapped up in the excitement
01:02:21
of things and make mistakes. And today disk space is cheap and there's this concept of big data. Everybody's collecting data on everything. So a lot of things that we may have gotten away with as kids, I think we got really lucky. Um, and the, so definitely a much more dangerous, uh, environment out there for people. So, um, you know, make
01:02:41
sure you, you, uh, are careful not to cross the line more careful than, you know, I think kids normally are. Yeah, but don't be afraid to fail either. Otherwise you'll be, uh, so, so I would say, you know, I hope you welcome the newbies. Be nice to them. They have imposter syndrome. Um, and, uh, but if they're here, they want to learn. Um,
01:03:03
and the, the other thing I would say was network with people that aren't just like you, like people when you go back to the office, developers, UI people, managers, get them to understand how we think. Um, so, you know, spread it a little bit outside our community. I think you just have to love what you do. And it doesn't matter what it is.
01:03:24
But if you are passionate about something like that's really what you want to do. You want to find something that you really care about. And you shouldn't be searching for money. You shouldn't be searching for being on stage. You shouldn't be searching for, you know, branding you or whatever. Yes, I know I'm up here. That wasn't the goal when I started hacking. But it's because I love what I do. And if you do that, you can
01:03:43
look around Def Con and there's a lot of people that do amazing things that, that are not on a stage. They're doing stuff that you're not going to read about in the news and it's all over this entire hotel, right? So you, you find something that you love and good things are going to happen. Great. Thank you.