Whoever Fights Monsters?

Paul Roberts, Aaron Barr, Joshua Corman and Jericho - "Whoever Fights Monsters..." Aaron Barr, Anonymous, and Ourselves

"Whoever fights monsters should see to it that in the process he does not become a monster." - Friedrich Nietzsche.

Aaron Barr returns for the first time in what's sure to be a gritty and frank (and heated) panel. How can we conduct ourselves without losing ourselves? How far is too far - or not far enough? IT security has finally gotten the attention of the mainstream media, Pentagon generals and public policy authors in the Beltway, and is now in mortal danger of losing (the rest of) its soul. We've convinced the world that the threat is real - omnipresent and omnipotent. But recent events suggest that in their efforts to combat a faceless enemy, IT security firms and their employees risk becoming indistinguishable from the folks with the black hats. The Anonymous attacks and the data spilled from both private- and public-sector firms raise important questions that this panel will try to answer, among them: how to respond to chaotic actors like Anonymous and LulzSec, and what the U.S. gains (and loses) by making "APTs" the new "Commies" and cyber the forefront of the next Cold War. Aaron, Josh and Jericho will debate whether we in the security community can fight our "monsters" without sacrificing the civil liberties and the freedoms we enjoy here at home.
This is the "He Who Fights Monsters" panel and I'm your host, Paul Roberts. I'm the editor at Threatpost.com; we're a security news blog, and we have a great panel today who I'm going to introduce in a second. Just a couple of seconds on the ground rules, or kind of how we're going to frame this: I'm gonna introduce our panel members, we have a few slides that are kind of germane to what each of the panel members is going to say, and then we really want to take questions from you. But we only have an hour, so actually what we're going to do is hold questions; there's a Q&A session after this in Pavilion 4, which is two doors down on the right here, and we're going to take questions there in the Q&A room afterwards. Okay, and I know there are a lot of you who have questions that you want to ask, but the time for our panel is short.

Okay, so I'm Paul Roberts. My introduction to this, to Anonymous and Aaron Barr and HB Gary, obviously came as a reporter; Threatpost covered this story as it was breaking, as did a lot of other folks. I came to know Aaron personally. He reached out to me after I wrote a kind of editorial piece called "Winning the War and Losing Our Souls," which was written at the time of the RSA conference, and if you remember, HB Gary kind of pulled out of that conference at the last minute after all of this stuff broke. Aaron reached out to me after that editorial (you can Google it, I think) because I was probably one of the few journalists who actually expressed sympathy for him and what he had to endure as a result of the attack by Anonymous. You know, we all fuck up every once in a while, right? But most of us don't have Stephen Colbert kind of riffing on our fuck-ups in life, and Aaron unfortunately did. At that time myself, and I know Josh, thought a DEF CON panel was a great way to kind of come back to this issue, hopefully with Aaron in our midst, to figure out what it all meant. Aaron also, to his credit, very much wanted to do that. Unfortunately, attorneys got involved, in particular attorneys for HB Gary, which put the kibosh on that plan. They contacted Aaron; they basically threatened a lawsuit if he were to appear on this panel. They called his new employer and let them know that they would be pursuing legal action, and Aaron's a guy who's got a wife and kids and a mortgage, and we all know how that works. But I want to, just at the beginning of the panel, sort of give props to Aaron Barr for having at least the courage to put himself out there and propose to come up here, even if the lawyers have kept him from doing it.

Okay, let me introduce our panel members, starting from the left. Josh Corman is the director of security intelligence for Akamai, he says, unless you have plans to attack him, in which case he is the research director for the enterprise security practice at the 451 Group. Josh has more than a decade of experience with security and networking software, for real, it's a real decade, not an eight-year decade, most recently serving as research director for the enterprise security practice, and before that principal security strategist at IBM Internet Security Systems. His research cuts across sectors to the core challenges of the industry and drives evolutionary strategies, yadda yadda yadda.

Jericho, to his right, has been poking around the hacker security scene for 18 years. That's a real 18 years, okay, not that kind of 18 years that are only 12 years, building valuable skills such as skepticism and alcohol tolerance, which he's put to the test at this year's show. As a hacker turned security whore he has a great perspective to offer unsolicited opinion on just about any security topic. He's a long-time advocate of advancing the field, sometimes by any means necessary, so we're going to talk about that, and he thinks the idea of forward thinking is quaint; we're supposed to be thinking that way all the time. No degree, no certifications, has the willingness to say things most of the industry is thinking but unwilling to say themselves. He remains a champion of security industry integrity and of small misunderstood creatures, and you can find him at attrition.org. All right, that's Jericho.

To his right, Baron von R has worked as a security professional for 13 years, that's a real 13 years, Baron, both for and with IT firms including IBM and In Command Systems. He's currently working in incident response, forensics and security auditing at a leading aerospace company. Baron's expertise includes ethical hacking, pen testing, social engineering, information security audits, computer forensics, steganography, open source intelligence and the like. Okay, so he's ready to weigh in on our panel as well, and who is Baron von R? Maybe you're going to find out. Okay, here's our Twitter handles, and that Baron von R Twitter handle isn't real, so don't try and follow him. Okay, I'm going to hand the mic over to my esteemed panel member Jericho.

Yeah, so to put this in perspective: raise your hand if you're not an asshole at some point in your career. I see one hand. Go ahead and leave, please; we prefer no liars. How about if you don't profit from your security work? Yeah, okay, somebody raised their hand. [unclear] So how about if you think you know the whole story behind the HB Gary saga, or if you think you even know half of the Anonymous saga? Whoa, one hand, yeah. Go ahead and get the hell out, liar. Or wait, is that Aaron Barr? Those are the Threatpost readers, actually. Okay, Aaron, do you want to come up and be a panelist? Make sure you go to the room after this, let's talk. Okay, so after that, does anyone want to admit that they're part of HB Gary or HB Gary Federal, or if they're different companies? Yeah, I know, different companies, so I know it. Huh, do they pay you? So when was that email address created exactly? Fed? An email address... Harrison's, February, so that narrows it down. We do have one member of Anonymous in the group, ah, confirmed. Well, he says "I have an email address at HB Gary and I don't get paid by them." Yeah. So think about those questions, because a lot of what we are as a group and as an industry... we're leveling accusations at Aaron. That was really kind of a lot of the criticism, and we kind of forget to look at ourselves and say, you know, I'm basically halfway to the monster that we claim he is. Okay, Mr. Corman.

All right, is this thing on? All right, so for those who don't know philosophy, the rest of the "whoever fights monsters" is that he should see to it that he himself does not become one. And I saw quite a bit of cognitive dissonance over this: you know, the 17-year-old in our community wants to join the Anon ops, and the guy protecting a Fortune 50 network or so wants to fight them. And I basically thought it was useless to talk about white hats and black hats and gray hats, and you know, you dust off your Advanced Dungeons and Dragons, and essentially it's not just a good versus evil thing. I mean, some people see Anon as Robin Hood, right? Chaotic good: Arab Spring, freeing oppressed people, transparency for the win, right? Other people see it as the Joker, chaotic evil, they just want to see the world burn. So what we tried to figure out... the conversation wasn't moving forward, so I just dusted this thing off, and the real defining characteristic isn't good or evil, it's that they're chaotic, right? So we have a rise of the chaotic actor, so to speak, and most of the confusion or debate is we're romanticizing about the positive or attractive aspects of this but we're not being very deliberate about which roles we want to play, and we're going to get to some of that searching in your soul. I mean, that was the point of your article: as we're fighting this, are we losing our soul? And Aaron's a living embodiment of... he even violated his own personal ethic in some of his actions, and we just get so caught up in the activity that we were not in control of it but rather a victim of it. So try to figure out, through the course of this, where you fit on here, but more importantly where do you want to fit on here, because in our pursuit to raise security awareness or improve security we may actually be driving something far worse than the PATRIOT Act, right? We may cause powerful and uninformed people to act in powerfully uninformed ways.

And real quick, he didn't realize when he made the slide that the boxes that actually have a hat, those are off-limits. None of you in this room fit any of those bills, so figure out which of the other six boxes you are. Great.

Baron, any thoughts?

Well, I'm kind of in the middle of the whole thing. From the perspective of the government intelligence agencies, all of this kind of activity, especially on Aaron's part, is part and parcel of what we've been doing since the beginning, since the forming of this nation: disinformation, intelligence gathering. So what Aaron did, yes, it kind of crosses the line when you start to talk to a company, or in this case a law firm, that's going to go after individuals within our own country. Even the CIA wasn't chartered to do that. So yeah, in my book he crossed it, but as Richard Thieme said in his Black Hat tutorial, it's all gray. One man's terrorist is another man's freedom fighter; you just have to know where you sit and you have to come to grips with it.

Okay, thanks, good thoughts. I think I'm going to start just with, I think, probably the question the answer to which will maybe help us understand where each of you guys comes from: who is Anonymous in your minds, whether that's who they are literally or who they are kind of symbolically?

I'll take a stab, but I think people think Anonymous... first of all, there's probably several participants in the room, maybe even on the stage, and it's not a group, right? I mean, we know this, but I'm just going to tell you things you already know: Anonymous is not a group, essentially. It's like Taylor Rental branding, it's a franchise. I mean, some people that took the name were doing things like Arab Spring, or something locally; it was just a way to... it was almost like PostSecret, right? It was a way to do something without getting caught, maybe as a whistleblower, and it can form a very valuable part of our culture. I think it was kind of hijacked by smaller groups, and now it's become something that's maybe gone from public benefit to public menace, depending on who you are. I think my personal disappointment is, if in fact you think this is going to make security better by showing failure, I doubt it. Like, anybody done work with Fortune 50, Fortune 100s and Ciscos? They're not going to better security, all right, they're going to do more seniority.

Wait, wait, wait, so you're saying that pointing out failures is not going to help security?

No, no, look, let me refocus to my actual point: any cause will have an effect, it just may not be the desired effect. And if we're going to do this, hey, we're going to have chaotic actors; I don't think we're going to eliminate, nor do I want to eliminate, participants throughout that grid. I would like to challenge that if we're going to do something like this, let's up our game. Now, why don't we have a LulzSec that targets child exploitation sites? You know, anybody [unclear]? Why don't we have more people doing things to map out or DDoS jihadist websites? We have an opportunity to not just cause chaos but directed chaos, which is kind of an oxymoron. But if in fact we feel powerless, that PCI's hijacked our industry, if in fact we don't feel like we can actually get our jobs done because management won't listen, there might be more constructive ways to channel that angst.

I think that was an excuse, though. I think they just took that up after originally saying that they just wanted to smash things, so as to make it have some sort of legitimacy, and to maybe, when they do get caught, have some sort of case to make in court, saying "we were doing this because we believe in this." I don't believe that's the case. I think it's been hijacked completely now, all the way up to the nation-state level, so we have actors in many countries attacking many different things, and they could be just red cells that are working from within other governments' intelligence groups, because they're anonymous.

And even after qualification I kind of disagree. I mean, how many of us have been in the industry for long enough, and it's like, you know, you work 40 to 80 hours a week and you're banging your head against the wall, you're getting paid to do it, and they're still not listening. How long do we have to go through this before we actually effect change? You can do pen tests for 15 years, and go back, and like every six months you retest, and it's like, wow, you still didn't fix this remote service, you still didn't sanitize input here, you're not learning your lessons. So maybe it is time for Anonymous or LulzSec to come in, take these companies, bend them over and fist them, and wake them up.

I would agree with it. It's got kind of Anonymous as a business model, right? I would agree there's a need, but I think that the companies will just go back to their somnambulism. The C-levels will just go back to playing with their iPads and their new toys, and they'll go right across the policies and say "yeah, it's not for me, I'm a C-level." So no matter how scared you make them, they're just going to fall back into old bad patterns. It's not going to make a change.

So I'm not for a second saying that there isn't the opportunity for some way to change the game. What we're doing clearly isn't working. I've seen the reaction of victims of LulzSec, and they're not getting smarter; I guess that's my point. It's that I think there's the opportunity here to catalyze a different conversation, to drive things forward instead of just banging your head against the wall over 15 years. I'm just not seeing that message sent equals message received. In fact, you look at the Sony thing: because of the earthquake happening and costing them far more damage and financial loss than the punishment campaign and sustained raping of, what, 23 on your last count, on your website...

The best timeline of the Sony pwnage campaign is on the attrition site.

...but that almost made us go from... just think of a timeline. We went from unmotivated and ignorant of the bracket of the chaotic actors or exploitation, to aware and motivated, straight past that to hyper-aware and numb, right? We've gone from inaction of one kind to inaction of another. It's actually not really hurting Sony that bad, as much as we felt like "yeah, rah-rah, we showed the weakness in their security posture." This is a rounding error on the losses they had from the earthquakes; it's a rounding error. And my fear is that again powerful and uninformed executives are going to look at this as a highly acceptable loss. So I'm not saying don't do this; I actually like lots of aspects of this. I think it could be channeled into a catalyzing event, but if it's simply some reason to ignore our entire industry, then we fucked up.

Well, you say that these companies aren't learning, and for the most part you're right, but just as an example: so Sony, they get bent over in all kinds of creative ways, and that's right after they fired all kinds of security staff. Well, are they learning? Well, maybe. You know, there was someone very high up in the Sony security job line that was at Black Hat. Why would they send that person here if they had fired security staff and didn't care? Maybe now they are saying, "well, okay, it might be worth, you know, this security thingy that we hear so much about."

Now, I mean, this is going to take people like myself and others to help control the narrative. I hope the press helps control a responsible narrative. But a good lesson that Anonymous and LulzSec could have done with Sony, and I'm trying to focus away from how they were pwned, because who cares, there's a million ways to pwn them, here's a good takeaway: if you sue a researcher who finds a vulnerability in your platform, you're going to get raped, right? I mean, if you haven't figured out the ideas behind coordinated disclosure, or that those kinds of actions have negative consequences, we've now upped the ante. So one thing they may learn is don't frickin' sue researchers. So if we can steer the lesson, instead of just hoping that attacking them teaches them something...

Okay, we have to follow that up, right? So I mean, there's obviously a long history of hacktivism, and you can look at groups like Electronic Disturbance Theater, Legions of the Underground, Cult of the Dead Cow, Federation of Random Action. Many of the hacktivist incidents that have been documented, or that we can point to, are in support of political causes, human rights and so on. I mean, I think that's sort of what Josh was getting at when he was talking about building a better Anonymous. There's certainly no shortage of issues out there that technically adept and informed people can support or encourage. I guess the question is, if you look across, we're talking about both Tunisia and Egypt, those operations, but also Sony. Okay, so Sony was really about geohot; HB Gary was about them being pissed off that they might get doxxed. What is the connecting thread? What's the ideal that ties this all together, beyond "we could do it and we did"? Who's first crack? Baron?

Well, I'd just like to go back to the last point for a second. It's no coincidence that hacking insurance is up. So I think a lot of companies, and I did hear about one in particular yesterday, I'm not going to mention them, but they laid off a bunch of people in security and they bought hacking insurance.

I'll give you a hundred dollars right now if you name them.

No. How many people have hacking insurance in the audience? So, back to... what was the question? I forgot.

No, the question was, look, again, we can look back historically and see incidents of ideologically motivated hacktivism, again whether it's in opposition to China, in support of Myanmar, against the Republican Party, God bless him, or what have you. But when you look at Anonymous and LulzSec it's harder to discern what the message is. Certainly Operation Tunisia and Egypt seem like pretty straightforward examples of hacktivism; Sony I don't know; and HB Gary almost certainly not.

Well, I would say that in the genesis of Anonymous you had the fight against Scientology. They had people who were involved in the groups who were involved in Scientology; they had friends, they had family who were getting taken away... technology. Right, right, so that was the start of it. They fought a giant entity with a lot of money and a lot of lawyers with an anonymous attack. That led on to this whole Arab Spring; they're trying to do something good, they're trying to set up comms in places that are shutting down internets. But when it started to diverge into AntiSec, LulzSec, whatever you want to call it, right before HB Gary, it became something completely different, and I'm not sure completely of the motivations. To start, I know that Aaron had said things, he had said them publicly on the news, and they didn't like it, and they just took him down. His fault, frankly. After the stuff came out and everything started to come out about what they were doing, yeah, a lot more people jumped on the bandwagon, but after that LulzSec really seemed to kind of lose its aegis. Now they're just hitting the Phoenix PD because they don't like the way the Phoenix laws are on immigration. Well, you know, I don't like them either, but outing law enforcement officers who are bound by duty to actually carry out legislation that a legislature has put together, which they have no say over, other than one vote per person, you're just putting them in danger. A CI list recently came out, evidently, too. I haven't seen it yet, but there could be people in danger now because their names are known as CIs.

I also know there's a lot of practitioners in the room. We like to break stuff; it's part of our persona. He mentioned Richard Thieme; I mean, he's gonna present again today, I believe, but if you haven't seen him present before, first of all, you need to see him present. But second, he's really resonating with a lot of the themes that went into the preparation of this panel. In your day job, right, you're working really, really hard to try to make sure you can accomplish your mission, and when you see these really high-profile, high-visibility, noisy attacks, it's going to cause the ship to focus there. Right now, guess what? I don't really give a crap if they stole a bunch of credit cards; there's been very little negative consequence to loss of a highly replaceable credit card. What I really care more about is losing intellectual property; it's the irreplaceable. So this is actually distracting you from your core mission, just like PCI distracts you from your mission. So your executives are distracted from risk management to PCI; now the distractor is from risk management to loud, noisy DDoS attacks. What's actually going to put your organization out of business or cause layoffs? It's the loss of those irreplaceable assets. So we now have a new noisy thing that distracts us from the actual mission.

Now, we didn't bring it up yet, but I mean there were groups that were taking down child exploitation sites. Anybody in here like child exploitation? It's okay. Not really. But anybody in here, you know, that's something we could all get behind, right? But there was a group, at least one group that I know of, back in the day. What's up the game right there? There's some bad people doing bad things. Just, I don't know, raise your hand if you dislike FUD in our industry. Oh come on, more hands, huh? Wake up, guys. Now, have you ever encountered a vendor that was totally full of shit? Hell, let's just have a medium-grade nobility of a chaotic group. How about we have a published treatise that if you do any of the following, three definitions of FUD, that because of these three things it will lead to the effect of a three-day DDoS campaign, and we will basically have a disincentive and deterrent for bullshit vendors spreading fear, uncertainty and doubt. In short, Anonymous needs to make a menu. You know, for the appetizer I'll take a two-day DDoS, then the breach. And I'm not even advocating vigilantism, right, but I don't think it's going to go away. It's more a matter of, if we think this industry is dysfunctional or we don't think we're being heard, let's have a more strategic and intelligent approach to it. All right, if you don't do these three things, you will never hear from us; if you do these two things, here's exactly what will happen to you. I think you may have more chance of... random chaos motivating stupid fear... a very targeted cause and effect may actually modify behavior.

Go ahead. I'll go and advocate vigilante justice; in some cases I'm fine with it. You know, once again, if Anonymous is taking requests: at attrition we keep a list of companies that have made legal threats against researchers. So someone finds a vulnerability or some new cool bypass, and the company swoops in and says "if you publish, we're going to sue you." Well, there you go, there's your top 10 list of companies that really need to be bent over one way or another. And the same goes again for HB Gary; they need to be taught another lesson. You know, threatening to file an injunction against Barr for talking here? Something about free speech comes to mind, but I don't know the exact quote. So HB Gary, now not only are you a bunch of assholes that said "oh wait, no, that's HB Gary Federal, not us," so yeah, they laid all the blame on Aaron Barr, oh, he's the mega-asshole, but wait a minute, now that he's gone you turn around and you show that you have, I want to say, a more evil streak by trying to limit him. And again, Paul covered this; I understand why Aaron backed out, and the kind of neat part is that originally there were two times he tried to back out of the panel. The first time he resolved it: he talked to his new employer and he still made the effort to get on the panel, and that was really cool of him. And then the second one was, you know, it's too much, like I said, wife, kids, mortgage; he's got too much to lose now. So just take it all into account and consider the entire picture, as much as we know of it.

Yep. And I want to talk about HB Gary, because I definitely want to reward them for suing Aaron off our panel and trying to squelch discussion of what was revealed by the hack of that company, what came out of those emails. So we are going to talk about that, and we're not going to let HB Gary kind of get away with stifling that discussion. But just to follow up, I'm wondering, when you're talking about Anonymous, or something like it, as a tool to enforce best practice, I guess in a way...

Drink!

Huh? You said "best practice"... okay, yeah, sorry. But isn't what you're sort of sketching out a kind of vigilantism? So it's like, as somebody said to me yesterday, it's like the Clint Eastwood movie, Clint Eastwood comes into town, but of course you never know what town Clint Eastwood's going to come into; you never know where he's going to choose to enforce order, or enforce his version of order, and you may not agree with his version of it.

I guess I'm acknowledging that this is happening, and I'm putting my big boy pants on and saying it's not going to go away. Let me just look at what's happening within Anon or LulzSec. I mean, they're running on each other. We now have Topiary in custody, if you believe it's still feared, and there's good evidence that it is. They're going to lean on him, they're going to squeeze him, he's going to turn. I mean, some of the doxing events we saw were basically rifts within the group. So when you don't have an organizing principle, you don't have a mission or a goal, you're just kind of doing shit, it's self-destructive to a certain extent. So I think there's an opportunity here that, if the real driving force was that you think security sucks and you want to make it better, that's an "if", right, a conditional statement. I'm not so sure that the current 1.0 or 2.0 is working.

Do you think the information that came out of the attack on HB Gary, including the info from the Team Themis plans and the back and forth with Hunton & Williams and the Chamber of Commerce, did the transparency that we as a community gained about those types of dealings justify the attack? And a second question might be: do any of you think that the harsh light of day that was shone on those types of dealings has curtailed those types of contracts, projects, negotiations, discussions, either within the Beltway or anywhere else?

It's been going on for a very long time in the private sector. Private-sector intelligence is a very, very big business. Before Xe, before Blackwater, many former intelligence operatives went into business for themselves and did black-ops type work for companies inside and outside of this country. So it's nothing new; it's just somebody got their hand caught, that's all.

Well, I guess the real question for the audience then is, the whole HB Gary saga, when we learned what they were doing, who was actually surprised at anything they were doing, proposing, or just spitballing? Who was honestly like, "wow, I've never heard a company do this"? I think I saw one hand, and that's good, because like you said, this has been a multi-million, if not a billion, dollar business. The thing is we just don't know all the companies that have been doing it; they haven't hit the news.

Mic? Yeah, we were in a hurry. Yeah, so the question is why do we listen to this guy if he's not willing to show his face? Shall I unmask? [unclear] Oh, wait, wait, okay, so we have two different opinions. But then the question becomes, who listens to LulzSec when they say "we hacked something" but they haven't actually released the information? Who believes Anonymous when they say something? So, quick show of hands though: who thinks we shouldn't listen to a fucking thing he says because maybe he's a Fed, maybe he has an agenda, we don't know who the fuck he is, why should we listen to him? Who thinks he should unmask? Raise your hand. Come on, be more courageous. Only a couple people, okay. Just to make sure, who thinks he should stay masked? I think this is what they call a self-selecting population.

[unclear] Now that's an excellent question, but it goes back to: why does someone need to show their identity if they're making good points, or if they have relevant experience? And now that we're a little ways into the panel, I'll say we vetted him. We know his background, we know some of what he's done, some of which he can't talk about, and we know that he will add a certain perspective to the panel. So we were fine with him coming on claiming to be anything he wanted to be, within reason.

I am a squirrel.

New battle cry. Good. As for the gentleman talking about being doxed, I'm in the open. I've always been in the open. I'm not covert, I'm overt. So with that...

Okay, now everyone in the audience is going, "who the fuck is that?" [unclear] I'm overt, but I don't have my picture out there that often. [unclear] Yeah, you're still masked. Yes, I'm still masked.

So in short, and that's why it's such a great question, is mask or no mask, it doesn't really matter. It's more about the message, the content. So now introduce yourself to the audience. You want to introduce yourself?

Oh, I go by the name Krypt3ia. I have a blog on WordPress. I've been blogging about LulzSec and Anonymous for quite some time. They know who I am. I have treaded the line where I say to them, "hey, you want to out people for doing bad things? Cool, but do it right. Stop this crap where you're just SQL injecting, taking down data that's unimportant." Your last dump that I looked at, the ManTech one, SBU document, you know, sensitive but unclassified, you can get it with Google.

In short, he's saying you're a bunch of pussies for that one.

And I did say that. In short, learn your target, know what they're doing. Really, in one of my last posts I said, look, the real dirt has only come out from insiders. You know, you have the Pentagon Papers, you had Deep Throat, and now you've got Manning. Me and the source, not the movie.

Yeah, not the movie.

So you've got people in the know who have access to very dirty things who decide to speak truth to power and release that information. Now in Bradley's case, I think from the transcripts that I've seen, he was, is, mentally unbalanced to a certain extent because of all the crap he's gone through. Going into the military was a bad idea with where he wanted to go with his life, with reassignment, so he had a lot of pressure, and trusting that piece of shit Lamo was another [unclear]. However, the Collateral Murder thing, the video, very important to be out there, because there's a lot of shit that's going on over in the Med that we don't know about, and that's just one tidbit. But out of all the dumps, all the cables and stuff, that was the most important thing; the rest of it, unimportant to me. Sure, there's backbiting between the United States and other countries; we deal with people we don't like, we have to, that's just the nature of the game. So if you're going to do this, and you're going to find the real dirt, then find the real dirt, then vet it, and give it to the paper, what WikiLeaks wanted to do and did before the cult of Julian.

Real quick, building on that and going back to building a better Anonymous, which I wonder if we can do as a consulting gig...

I've already reserved the Better Anonymous domain, by the way.

Okay. Quick, is there a lawyer to trademark this? Um, you know, releasing 250,000 cables is really cool, but it's also kind of hurting your cause. There's so much noise there and there's so many pointless documents. One of the better things they could have done is to actually go through and handpick the top 10, top 50 or whatever, put them out one a day or something. You know, we used to have like the HP bug of the day, right? Leaked cable of the day...

The Month of Browser Bugs.

Yeah, exactly. And you turn it into this kind of campaign, but you also focus on the big ones, you know, the collateral damage, any of the other specific cables that really out terrible things happening that the public should know about. And here's a little key for you all, you who want to do this: how do you know you have the real dirt, right? How do you know you're not getting disinformation? We've already shown that companies are out there doing disinformation campaigns. Has Anon or Lulz fallen into one of their traps? Have we now been fed a bunch of shit made up by the companies that we think we know something about?

Okay, but let us not let HB Gary off the hook here, right? So, with friends like these, who needs enemies? Actually, I won't show this. Wait, okay. We feel so powerless against this nameless, faceless flash mob, right, that instead of focusing on the actual adversary community, we're fighting with each other, because we can, right? I mean, it's almost a Streisand effect: the act of trying to intimidate Aaron off stage, such that you don't draw attention, has drawn so much more attention. I've had five people come up to me saying "guess who my next target is? It's HB Gary." Now I'm not suggesting that, but people are, you're thinking it, right? So they just put a big target on themselves in the effort to suppress good guys talking about good guy stuff. Or even going after Rafal Los at Black Hat for taking a picture of somebody who had the Anonymous mask near their booth; they freaked out, chased him down.

That's right, that's right. Okay, let me ask you. I mean, I think what we've heard you say is, look, what came out in the HB Gary emails was business as usual within the Beltway or elsewhere; this stuff has been going on for years, it's actually a big industry. Should we conclude from that, then, that there was nothing untoward, that HB Gary and Aaron Barr hadn't crossed the line, or were not proposing to cross a line?

If you're not pissed off about it, there's a problem. Yeah, they definitely crossed it. I think I'm pissed off about it.

You know, that's funny, because when Aaron was on the panel we weren't gonna go there, but he's not here anymore.

Yeah, no. So HB Gary and Aaron Barr, they crossed the line, but my point is that, yeah, that's business as usual for dozens of companies out there. And even then, how many companies unrelated to that entire field of information gathering and open intel, how many of these other companies have ethical lapses? If you need to be reminded once again, at attrition.org we keep a list of shit like that, and when you start going down this list and you realize, it's like page down, page down, page down, what the fuck is this? And it goes back a long way, and that represents literally 10 minutes of work a week, because we're busy doing other stuff. What happens if we actually built a real timeline? Every company that you do business with, they've done something shady in the past, and odds are
they've done something shady in the past three months so but just in case people don't know you're the journalist in the room with all the facts so Paul it was the Chamber of Commerce thing that really torqued people right so can you give like a 30 60 second overview of what was perceived across a line what happened with the Chamber of Commerce or the emails that came out is it is that the law firm of Huntington Williams which is representing a Chamber of Commerce ok we have 10 minutes the law firm is representing a chamber of commerce was working with Themis which was team themis which is a name that represented palantir HP Gary and Barry co2 research what the Chamber of Commerce thought was a basically a corrupt organization that the SEIU and think progress and change to win were engaged in you know criminal activity basically to try and undermine some of the Chamber of Commerce's members and they wanted you know to use the tools of palantir the kind of data correlation to land HB Gary's open source intelligence Barako to try and reveal that of course they're not the Justice Department so even if they had figured out that it was you know a Rico violation I'm not sure it was up to them to prosecute it but that was that was what they brought to Aaron and brought to these companies to say we have a problem when we're looking for your help with it but I'd like to remind you that October Surprise and some of the things that Karl Rove pulled are on mosque in our mainstream government so and these are against the other party okay so we understand the chamber commerce thing but I guess did did the did the mainstream media get it wrong I mean did we in the press were we too willing to buy anonymous's interpretation of what was in those emails were we and would we have felt differently if instead of the Chamber of Commerce it was a plan by a politically left-leaning a progressive group to interviewed you know to investigate coach or cock industries and and Americans for 
Prosperity and and and some of the groups that have you know probably this audience generally more up in arms I mean was our feelings about this tempered or colored by who was being in you know who was on the on the who was behind the the law firm who was paying for this and what the mission was because aaron has always said I would have done it for anyone I you know oh sure chamber of commerce but I would have done it for you know Greenpeace or pita or you know it didn't matter I mean it was this they were a customer he's client agnostic client agnostic right everybody's they're all their money's all dream does it matter did the press get it wrong I think you can generically say yes and no you know the press is kind of a nebulous group like anonymous I mean some of the journalists I think got at least got it right and or put a fair perspective on it in some of them you know sensationalized it you know what I think he's right i mean 60 minutes is doing a long piece on the whole thing right now it's going to come out in the fall hopping posts doing some investigative journalism on this there's a couple stories being done and i personally there's two scary things here I've personally seen evidence that they've been manipulated on the narrative they're being social engineering trivially so the press is becoming an asset of the Lowell sec and the empty sack I've also seen that if you are trying to be an anonymous a true the word truly anonymous source to the press I accidentally socially engineered out their sources without trying right so I think right now it's probably a Symetra feeling in favor of anonymous because the press doesn't have the filter or the some press do some of the better journalists in this trade space do but for the most part they're being like played like a fiddle okay um Duke gently do organizations have a right Leon's kind of step into the chamber of commerce issues do they have a right to protect themselves from from damaging or illegal 
activity in the same way that nations do the United States so we're not we're not going to argue that the United States has the right to have cyber offensive capabilities to corporations have the same right this is why I'm really pissed off that HP Harry better a lawyer to Aaron off the stage because he had a couple really cutting questions he had a couple really excellent points and there is a chance now to finally have a discussion about what is lawful for defending your own interest you know how far can you take it if someone breaks into my home physically in my state I can shoot and kill him we are we have almost no ability to fight back to have back to do any sort of forensics we don't have the laws of not caught up with that yet so I liked the forcing function of this particular case because it asks us in a might start challenging discussion of what is lawful hat back you know and because there aren't laws there's a lot of gray area and ambiguity and maybe if you consult with your own internal counsel maybe you should start stretching that ambiguity right now because we cannot with stain an attack on pure passive defense we are getting our asses kicked others nation states have rules that they've set up corporations are corporations but they've recently how recently the ruling was but they're considered personal entities a single entity that can be treated as a person you know that whole thing with the Supreme Court recently about money and advertising and all that so if you as a person our hacked and you hack somebody back and you're caught you just going to say well well you know they attack me not virtual castle law it's not going to work so no they didn't have the right to do that take a look at our offensive countermeasures calm some of the stuff Paul calm doing John strands been doing they're not saying these things are legal but they're we're going from purely only defense to may be unlawful offense and there's a continuum there of active defense and 
there's some things where there's a lot more you probably could do and if you get some legal coverage and advances you could probably stretch that a little further then also let me reiterate for the people who came in later we are doing a question and answer session immediately following this in pavilion room for all so I'm looking on Twitter for questions I think the hashtag is T panel Thank thanks for breaking it Jeff the Twitter's broken again well if it comes back up t panel is a hashtag and just sent some of your questions I will be checking it between here and the pavilion for let me let me ask you is is anonymous protecting us is anonymous standing up for us or is anonymous terrorizing us and I guess one question I would ask the audience is how many people here feel like they would feel safe taking a public position in a blog post quoted in a news article being critical of a ba of anonymous being critical of their actions and how many people would feel safe doing that like that wouldn't result in them getting attack are you sure you're not sticking your penis in a hornet's nest right sorry well safe meaning you don't feel like you would you don't worry that you would be retaliated against yeah okay son uh-huh respect them okay but if you do choose not to respect them well as an example I don't know all rights it and that real quick that's what I mean some of the stuff that I've written has been like that where I say hey you know overall they're doing some good but this is where they need to improve this was like really lame you know it turns into constructive criticism and they haven't attacked us and you know like for example all-sec they were retweeting one of my articles saying oh look you know this is a good write-up so I think that while many people say oh well they're just you know wild crazy kids know they have perspective too they understand that you know what they're doing could be better and you know they're not going to lash out just at anyone 
they're probably going to go after the people that attack them needlessly or say something that's just really stupid yeah and when I had that thing up there I'm not saying we're not we shouldn't have this role at all I'm not saying that at all there's a real opportunity that if wielded properly this power could do a lot of good there's also the opportunity that if wielded poorly it's going to cause the very things we claim we don't want right so it's a complex system and when you poke hear something happens the question is are you poking here to cause the right things to happen or are you going to end up in bad places okay it wasn't about eliminating anonymous it was about building a better one right and I asked that as a question I mean I've certainly written about anonymous and I've written critically about anonymous and I haven't been attacked and I think a lot of journalists could say the same thing so I'm not saying it because I have an opinion about what the answer is to that question but right right and that goes back to my point you know they'll go after the ones that say really stupid things and the rest that it's like whoa yeah that's how journalism works right we're outside right right well and to and to the point here you know we've only re they've only attacked to news organizations you know it's kind of like you know if you're Armenian you know we've only attacked to Armenians and then one was this guy and the other was that guy and you know so if you're meaning you probably don't have to worry you know Anna taxon attack but i think i'm getting a big def con x which means we're out of time but I thank you very much for coming today and question-and-answer panels in pavilion for