Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence
Formal Metadata
Title: Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence
Number of Parts: 122
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/40629 (DOI)
Transcript: English (auto-generated)
00:00
Thanks for being here. Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence. What I'm going to do, it's a longer talk as usual, it's longer for Black Hat, so I'm going to try to hit the high points. You pick up the CD and there are, I believe, about 34 pages of documentation supporting what I'm saying. So some of it I will simply refer to and trust you, if you're interested in seeing that I'm not
00:24
making it up, to look at the CD and you'll see the support for it. It's got several, let me get this stuff out of the way, several parts. And so I'll signal when I'm starting a new one. The beginning is about the fact that I can't get my mind
00:41
around that this is my 16th DEF CON and that I keynoted. Yeah, that's for longevity, right? That I am living. And yet there are markers that tell you how you are doing along the way. Within the first couple, the London Sunday Telegraph had a
01:01
piece on something I'd said, and it referred to me as a father figure for online culture. I thought that was cool. And then about a decade later, some hackers said, you know, you're going to change that to a grandfather figure for online culture. And then last year during my talk someone tweeted, you may think
01:25
Richard Thieme is just a deranged old man wandering about the con, but he does actually have something worthwhile to say. And those of you who are young and are amused by this story, just know that this too will be the dots of your trajectory, which will inevitably project into the future you cannot even imagine, as your chemistry
01:45
changes. But keep in mind that what chemicals take away, chemicals can put back. There is... blessed be the names of those chemicals. Okay, so ideally, as we follow this trajectory over 20 years at DEF CON, or 19, we have a greater sophistication,
02:05
greater sense of nuance, greater sense of the greyness of all things. We hear about grey hat hackers as if they're one of three. Let me tell you the real definitions. A black hat hacker translates into a hacker, right? A grey hat hacker is a hacker who knows when it's appropriate to fudge the truth. A white hat
02:25
hacker is a hacker who puts the truth down somewhere and doesn't remember where they put it. It's all grey. It is all grey hat hacking, because hacking and computer science and computer technology and infosec is a subsection of society, and
02:43
society is all grey, and the longer you live the greyer it gets, and the more the whites dissolve into the irreducible middle. This talk is not like many of them are, the useful talks, the practical talks, the talks that tell you three things you can do on Monday morning when you get back to work. What I'm trying to illuminate
03:03
with this is the fuzzier or greyer landscape of our professional and personal lives, and as we grow older we see they are very much the same, for a well-integrated human, so that ideally, when you come to some of those crossroads in the future that this talk will illuminate, you will remember some of the things I said,
03:23
because the decisions you will have to make at those moments are not trivial or easy, because the world in which we now live is not trivial or easy, and information security is not trivial or easy. Gosh, there's just so many information security professionals. In 2010, Frost and Sullivan said there are 2.28 million information
03:46
security professionals in the world, to which an experienced and truth-telling security practitioner said, then it sounds a lot better when you say "information security professional" and make air quotes. Because that's not what they all are. We're
04:10
not allowed to speak, and nevertheless, as an industry, which is really what this is still about. Black Hat, it's really about that. The industry, like all
04:20
industries, has developed a narrative which is self-serving. It defines the view of reality which is permissible to speak. It defines the paradigm, and when you define the paradigm up front you don't have to worry about the answers, because you're determining the very questions that can be asked, and those things of which we are not allowed to speak, we do not have to worry about how people feel or think about
04:42
them, because they never surface. They remain anomalous, or a source of cognitive dissonance, or background fuzzy noise. But the fact is, those in the picture of the narrative don't see that there's a frame and there's a ground of being for the narrative, and that's what I want to illuminate, if I can, some of it. The context, not the
05:04
content, which it is habitual to hear about here or at Black Hat. Things have changed over the years. Years ago I referred to the creation of the digital space as resulting in real birds in digital cages. I came to that when I was asked by a
05:21
global public relations company, way back when, when I started writing about this stuff in the '90s. Email was so new that when someone got an email it didn't even occur to them that the person writing it wasn't right there in their city. So I got an email from someone in London, because they had read something I'd written for an English magazine and assumed I was in London, and he asked me to come over for a drink after work to
05:42
discuss doing brand defense, and I called him and said, I'm in Milwaukee, I can't come over so easily, but we can work. We didn't have words for it. We didn't say "work remotely" then. It was a new concept, but I said, I can do a lot of that from here. We can collaborate. Tell me what brand defense is. He said, well, that's easy. If we have a client, say, who's a tobacco company. I said, I see, you want me to build what we
06:05
were learning to call websites that defend your client. And he said, no, no, no, we want you to build websites that attack our client from a multiplicity of points of view, and we'll give you enough information to be credible in your attacks, but not so
06:20
much that it will be a smoking gun that could bring serious damage to our client, and therefore you will collect in those websites the real birds in digital cages, the people who are opposed to our client, and inflect the conversation, alter it, so that it becomes essentially harmless in the end, and we will turn the digital cage, and the birds, because they have the illusion of the freedom of flying that comes from flapping,
06:44
will think they are free and flying in fact. So I called those real birds in digital cages. He wanted me to go into Usenet groups, which existed. So how many of you know what a Usenet group is? All right, not bad. I was talking to a young whippersnapper
07:02
who was trying to get me out of my literary mindset and into transmedia, and I said, well, the person who introduced us, we met during the days of the bulletin board, and he said, what is a bulletin board? And I said, you know, this was before Google, it's when we used Gopher, and predictably he said, what is Gopher? A deranged old man wandering about
07:24
the con, lost in his memories. So he wanted me to go into Usenet groups using what we didn't yet call nyms to create false personas, we didn't call them screen presences, and inflect the conversation, so if it got too sticky or close to something that would be
07:42
damaging, kill the cat or set fire to the curtains or do something that will distract people from what they are thinking. You probably recognize this now as the real world in which we live, the virtually inflected world in which people project themselves into virtual spaces, because we evolved to be trusting of our senses, and so we think that what we
08:03
see is what's there. And the bottom line of everything I speak about and write about is that nothing is what it seems. It really, really isn't. This is not a conspiracy theory, this is just what's so. Nothing is what it seems. It's what's so. It's also so what. So that's not news. Well, now, instead of digital birds in real cages, with the advent
08:24
of social media, what we really have are real flocks of birds in digital cages, and in addition to the illusion of the freedom of flying, because when we look up or down or to either side we see other wings flapping, we have the illusion of security, because we're part of the herd. We're part of the hump of the humplings, the bell curve,
08:42
a word I think I created. The hump of the bell curve, you know, there's like 10 percent up front, those are the masters of society who create environments and realities for us, and we're the 80 percent in the hump of the bell curve, humping along, humplings, hump, that's what they know how to do, and then there's 10 percent at the end that are the dregs, and the
09:01
masters keep the dregs so the humplings will see the dregs and be grateful they're not the dregs, and thank the masters for keeping them in the hump and not letting them fall back into the dregs, i.e. people who can't get work after three years, or have a lower standard of living, or who are denigrated in many ways. And then everybody is happy except the dregs, but they serve a larger societal purpose by making the rest happy, so if you deconstruct their
09:24
unhappiness, they too are happy, they just don't know it, so they get violent. You know, at any rate, providing that hump, providing that herd, providing that flock of illusory digital wings provides not only the illusion of freedom but the illusion of security, and as the bigger
09:45
and bigger cage turns, because we are part of a flock we cannot even see the edges of the cage, so far is that parallel universe from us. In other words, we are all assimilated. We cannot help being assimilated into the organizational structures of the larger cultural entities of which we become a part. Margaret Mead, great anthropologist, said years ago that it takes her
10:05
a full year to learn again what she learns in one week when she enters a new culture, and the reason is, when you come in new you see it with beginner's eyes, as the Buddhists say, you see it fresh, you see that the cues you are used to responding to aren't there but there are different cues, and you see it clearly, like the Terminator at the moon, over against the
10:23
light and the darkness, you see the reels in the mountains of the cultural norms and behaviors in a different way. But after a week or so she already unconsciously was assimilated into the culture to a degree that undermined her objectivity and ability to see, and it took longer and longer
10:40
and longer to see more and more. And therefore we go by the known but unwritten rules. You know that in any organization, some of you belong to them, there are four kinds of rules. There's known and written, which are the manual they give you when you're hired and have to go through some organizational orientation, and they're known for a moment as you leaf through
11:02
them, then they go on the shelf and they become written but unknown over time, because you never consult them again. There are also unknown and unwritten, which are the deep cultural structures of our lives, the 98% of us that evolved and of which we are unconscious, so we don't have to worry about those. But the ones that govern the organizational life are the known but
11:20
unwritten rules, and anybody who succeeds in anything is pretty good at picking up on and intuiting what are the known and unwritten rules, and obeying them in order to advance in the organization and keep sustenance and livelihood alive. A friend of mine who's a cop and is also a Roman Catholic, this is not meant to denigrate the Roman Catholic Church in all its illustrious history, I'll just tell you what he said to me. He's a cop and he's a Catholic.
11:45
He said, you know, my church and my police life work the same way. When you're a rookie, you know you're watched, and as the dirty money comes through and the drug money doesn't all go back to the station and some of the coke gets bled off, or you go into an alley and you beat the living, you beat somebody, and you're standing there waiting for your partners
12:05
to finish kicking him into unconsciousness, they watch what you do, and if you're okay you don't do anything, and the word goes around real quickly, you're okay, you're one of us. And if you are one of us, then you are elevated up through the structures, and when you reach the top, as Timothy Leary said, you never get the truth from the company
12:23
memo, because you become so instantiated as an aspect of the company, you're like Invasion of the Body Snatchers, somebody put a seed pod under your bed in the night when you joined, and over time you become, you look like yourself, but pretty soon you only say the things the paradigm, the company, approves of, allows you to say, and you don't say the
12:43
other things at all. And so you become part of the Borg. And so my friend the cop said, that's who makes captain. You don't make captain if you don't protect the institutional life of the structure that advanced you and which you have by that point so
13:03
internalized that you are it. Like you become bishop, and this is why the culture of my church, he said, has become a global, he said it, I didn't say it, I don't know if I even believe something like this, he said a global criminal pedophile enterprise. I don't know, I don't know anything about that, if that's true or not, but he said it's the same way. You come in and
13:24
you see quickly, unless you're unconscious, what is going on, and if you say something you go to Fort Wayne, Indiana, and if you don't say anything you become Archbishop of New York or Boston or LA or Chicago. And that's just what's so, but in that case, because the evil
13:42
is so deep, it's not so what. But at any rate, as an illustration of how organizational life assimilates us, it works pretty well. Well, the same thing happens in the so-called security space, the space of information security, and in the intelligence community, where groupthink permeates, percolates through the structures, and from externals the input is
14:03
minimized. So the weakest link of the chain is frequently the definition of the problem, and the definition of the problem, as Matt Blaze pointed out, is often not what we think it is. That's true not only about security, but it's also true about the security industry itself. So the question I'm asking is, who are we really? What is the
14:23
security space really, and what does our self-referential narrative about the industry include, and above all, like all paradigms, what does it exclude and allow us not even to think about saying, much less say? What is the rule base of the filter, and how well does it work at the perimeter? Because, like computers themselves, the perimeter no longer exists. There
14:44
is no perimeter defense if there's no perimeter, and there's nothing but Möbius strips interlacing with one another like parallel universes. So let's not be white hat hackers and forget where we put the truth. Let's simply identify what the truth is and articulate it. Nothing is harder to see than the truths we have come to believe so
15:04
deeply that we don't even see them, because our narratives become self-referential, they're bounded by mutual self-interest, and they're characterized by a heavy dose of groupthink. Beliefs are fine, beliefs are good, they're useful, just don't believe in your beliefs. Just
15:22
hold them lightly. True of all beliefs. Notice, oh, that's something I believe, and then let it go, because we know now from neuroscience that we make decisions prior to inventing the reasons we say we do them. The decisions take place unconsciously, they manifest, and
15:42
then we say, the reason I did that... And it's always, as Nietzsche said, in the war between pride and humility, that's why autobiography is never trustworthy, pride always wins. So how do you change the paradigm? Well, once when I was in the church I was in a leadership project in which we were discussing new paradigms for clerical leadership in the
16:04
Episcopal Church, and after we brought in all the people from Silicon Valley and all the think-tank people, somebody had money and funded this, in the second year of a three-year project I was sitting there listening to the gabble of all these what we called cardinal rectors, big churches, you know, I mean, if you play it right you can do okay. You
16:22
know, I was sitting in a million-dollar rectory in Hawaii tending my parish, my wife had a sign made that said "the pastor is in" with an arrow pointing to the beach blanket, and we're sitting in a million-dollar house, and that's when you realize you came to do good and you did well, you know. So an analysis of the deeper political and economic structures
16:48
will always reveal behaviors and beliefs in a different light, and it will illuminate our mixed motives and the fact that legitimate and illegitimate enterprises interpenetrate one another deeply, like yin-yang, you know, there's black and white and they interpenetrate, and
17:04
the white becomes a little grey and the black becomes a little white. The overworld and the underworld make up just one thing, one vanilla-chocolate swirl of pudding, one complex system. And this also has a serious impact on security and intelligence practitioners, on our psyches, on
17:20
our relationships and our lives. When we refuse to face the dark side of what it is we do and its impact on us, then it has even more impact on us, because the more you push it down the harder it pushes back. Beware, Nietzsche said, lest you stare into the abyss; as you stare into the abyss, lest it stares into you. Cognitive dissonance is always present, and it can lead
17:43
to serious stress, but if you become conscious of it and work at resolving it, or at least managing the contradictions in your life, it seems to work a little better. What is the goal of becoming conscious? A friend shared a story about an intelligence practitioner who, as a result
18:01
of someone he had recruited in another country as an agent, the person was discovered, outed, tortured to death, died horrifically. The person who had recruited him, our guy, was struck by it, burdened by it, he started drinking heavily, they had to take his clearances away for a while, put him on a different desk and send him to a therapist. And I said, but where's
18:21
the therapist? Well, the therapist is cleared by the agency, therefore assimilated into the culture of the agency. And I said, what is the goal of therapy? The goal of therapy, the answer came back clearly, is to get the guy back into shape to go back to the original desk and do the work again which got him into trouble, psychologically speaking, in the first place. I said, well, that's not what I did counseling for. For 20 years, when I did
18:43
counseling, the goal was to enhance someone's ability to see the darkness in their own life, see all the contradictions, integrate them into a bigger self, and transcend with wholeness and integrity what they thought had been a burden. And he said, that's not our goal. Our goal is for the guy to get back to work. We're not concerned with wholeness and integrity. And I
19:05
said, so what happens if he can kind of work but you're not sure if it all took? He said, then we watch him very, very, very carefully. Well, it has an effect on us. In the days before it became public I was talking to people who were tortured, and I was talking to people
19:21
who did the torturing. It started to affect me to listen to their stories. Listen to someone who did torturing talk about, for example, the Uzbeks. You ever work with the Uzbeks? He said it was a novelty when we told the Uzbeks that one of the purposes of torture was to get information. You got it, they didn't know that. They thought it was just something
19:46
we do. And I was telling that to someone who'd been doing interrogation seriously and well for 17 years, and he said, the Uzbeks? My god, you ever work with the Turks? By which he meant, all they want is a confession. There doesn't have to be a perp, there doesn't have to be a crime, there's a piece of paper, sign it. Oh, you don't want to sign it?
20:06
That's the way it is. Listening to their stories. Oops deaths, the story of medical practitioners, doctors, falsifying death certificates when someone said, oops, lost him, heart attack. Oops deaths. And then used the information they gained from each instance of
20:27
torture to advance the ability to do torture well the next time. This is medical experimentation on human beings, which was prohibited by Nuremberg but is practiced. Waterboarding is a red herring.
20:41
It's an image of something we can imagine not being so bad, as Rumsfeld said, just dipping him in the water or something like that, as if choking to death, almost, is not so bad, because we didn't kill him, except when we did. But the serious torture is not just waterboarding. It's used as an image to distract people from the truth of what it is that we do, but it is not what
21:07
we are allowed, out here in the psychic space of America, to talk about clearly. And so, as a result, as Jane Wagner said, I'm getting more and more cynical all the time and I still can't keep up. What is it, what does it do to you, to hear secrets or live with secrets
21:25
and carry them as a burden? I had dinner in Washington once with a friend from FBI and a friend from NSA, and they were talking about what it did to them, and one of them said, imagine if you're listening to terrorists slit the throats of people in real time. You're hearing
21:41
the horror, and you go home at night and your wife says, how was your day? And all you are allowed to say is, fine, dear, it was fine. So one of the impacts of the dark side is secondary trauma. A therapist told me to read about trauma when I tried to engage her, a bioethicist, in a
22:00
project to look at torture, at least before it was in the public domain, and of course they wouldn't, because it would jeopardize their professional positions. So I read about trauma and what it did to you, and I went back and I said, I've read all the sequelae of trauma that are predictable, and she said, you know, I wanted you to read that, and I said, sure, because I'm dealing with people who are traumatized. And she said, anything else? And I said, no, because
22:25
when you're in it you can't see it. And she said, you're showing all the symptoms of secondary trauma. My wife said, I could have told you that a year ago, but she was my wife, so, you know, you listen but you don't listen. But when a therapist you don't know says it, you
22:42
say, oh, I didn't know that. My point is that by virtue of the work we do in the security space we often, all of us, and all of us in America by virtue of knowing and having these conversations, if we dare to have them, begin to show the symptoms of secondary trauma. It distorts our view of reality, it makes it more binary, and it makes us more paranoid, not just appropriately
23:06
paranoid, but wondering what is really going on all the time, and then when they call you a conspiracy theorist for wondering, it makes it even worse, because you're not allowed to evolve a conversation, civil discourse, about the truth in order to know what it is. Because the one
23:24
thing that holds true is, it does set you free to tell the truth and to know the truth and integrate it into your life. So hopefully this analysis will make us think twice before we use the buzzwords and jargon of our profession, words like security itself, and defense, like
23:40
when they changed the Department of War to the Department of Defense before going into 150 countries with the military presence, as we have now, or words like terrorism, or cyber war, words which are weasel words designed to create a paradigm which we unthinkingly articulate and in which we unthinkingly live. One example of what it does to us is this article which
24:03
appeared on Dark Reading: "Security pros may be ready to crack under growing pressure. Faced with securing personal devices and a growing base of threats, security pros feel overwhelmed, (ISC)² survey reports." What it is about is the fact that when you're doing a job that you
24:22
know can't be done, it causes not only trauma but it breaks down your ability to function effectively. It reminded me of the story in John Hersey's Hiroshima. After the blast there's a flash of light, and a doctor noticed two, three people coming into the office, their arms peeling and bleeding and burned, and he started to treat them as he would anyone who came into the office
24:43
with those symptoms, but when he turned around there were five or ten more, and he tried to treat them, but then there were 20 more and 30 more, and he looked out the window and hundreds were streaming down the street, burned and bleeding, toward his office, and he was reduced to someone who could only go from one to the other to the other saying, there, there, there, there,
25:04
there, there. The security industry: there, there, it'll be okay, there, there. But is it in fact implementing, in the meantime, the structures of security that will give security, or is it simply carrying out the de facto commission which now the intelligence
25:25
community itself has become commissioned to do, not by any state, because they're dissolving as the boundaries around them dissolve, but by the fact of their lives in the trenches, where they exchange information with one another in an effort, like a thermostat, to maintain some kind of equilibrium in the global body politic, so that chaos, which is always threatening to
25:46
break out at any bubble or aperture will not break out the bottom line of the security world is to be able to assure people that the world in which they wake up tomorrow will be much like the world in which they went to sleep that's a different Commission than creating
26:01
implementing and sustaining security so hence the title whoever battles monsters should take care not to become a monster too you stare long enough into the abyss the abyss will stare right back at you or the way the sign put it at Sandia National Labs do not look directly
26:21
into the laser beam with your remaining eye pretty good okay so security has a context and what I want to do is turn a little context into content and illuminate the slightly bigger box into which we say we're going and we're going out of the box it's really just a bigger
26:42
box we never get to the end of the biggest boxes of all the ground of being itself but Eddie Bernays created context you remember Eddie Bernays I like to use this example that the publishers asked him to help with selling books so he went to bright into like intellectual people Nobel Prize winners said his literacy relevant to America this is 1920s they all said
27:04
yes yes yes signed off on that called together architects builders contractors said do you want to help build an America viable in the 20th century yes yes yes they all signed up as a result anyone coming in to an apartment building or house after the 1920s and not before would often find what they agreed to build which were built in bookshelves and then when people came into
27:25
those apartments or houses without thinking or seeing it they bought books you got a bookshelf you put on a book context into content unseen digital cage go in fly buy books so as I say
27:44
once you believe in your beliefs but contextualize them differently hold them differently and that does not often happen at security conferences where your beliefs are reinforced and repeated so much that you actually believe in your beliefs the price James Baldwin said one pays from
28:05
pursuing any profession or calling is an intimate knowledge of its ugly side now I learned that growing up in Chicago worked with my alderman until I was through college I was never once asked to do something legal you know typical was when they asked if I wanted to be a precinct
28:23
captain I was 18 I said well yeah but where's kitty going they said oh kitty's still on I said well how can I be precinct captain of kitty our precinct captain is still on he said oh no no no I was so naive we need a Republican precinct captain so you can destroy campaigns
28:40
undermine people and report back as an infiltrator and spy the problem was that I was 18 you had to be 21 to be a precinct captain they said that's not an issue that's that's for the document department as you know so the bottom line is you grew up in that environment I woke up one day in the middle of my young life and said my god the father of every friend I have is
29:03
doing something illegal. One was in jukeboxes, you know, the Seaborg story. Now that kid is the director of security for Seaborg, and he directs security, all right. Offers you cannot refuse is what they were making to people. Others were in gambling equipment. I found out one was distributing porno. Porno in those days was 16 millimeter films, black and white, you ran on
29:25
noisy projectors, not nearly as efficient or effective as just being able to put on your headphones, close the door and say, I'm gonna be working on this for a while. God bless the digital cage. So what I'm really saying is, know yourself, right? I mean, the goal of spiritual
29:47
growth is to know yourself, to face the worst you think about yourself, see it, see it's not worse, it's human, we're just human, and integrate it in yourself so you can transcend it and be a more actionable agent of what results as what we call freedom, as a result of that kind of
30:03
integration, integrity. In order to do this in the security space, we have to look at what are the deep politics of the security space. I use that term from Peter Dale Scott, who teaches at Berkeley and has written a lot of books like Deep Politics and the Death of JFK. He's not concerned with who killed JFK, because so many people justifiably wanted him dead that it
30:23
could have been any of them, and any of the scenarios, in the absence of further evidence, could have been the right scenario. It certainly could have been the Cubans. It could have been the Vietnamese, payback for Diem being assassinated. It could have been the mafia, of course, because his dad was mafia. His dad grew up in Boston, worked with the mafia, distributed
30:43
liquor, bootlegger. His dad got into such trouble he had to have a sit-down with Sam Giancana in Chicago, my town, and have him take a contract off his head, and they did, they worked it out. I had Charlie Fischetti living upstairs of our apartment in the apartment building I grew up in in Chicago. He was Capone's lieutenant until he died of a heart attack in
31:06
Miami. And you just grew up in this milieu. So anybody could have killed Kennedy, but what he wanted to focus on was the important distinction between traditional conspiracy theory, conscious secret collaborations toward shared ends, and deep political analysis, which is the
31:25
study of those practices and arrangements, whether or not deliberate, which are usually repressed rather than acknowledged. In the latter there is an open system with divergent power centers and goals, not a single objective or control point. So it's not like somebody is doing this to us; it's that there's a convergence of mutual self-interest and an unwillingness to
31:45
acknowledge the truth, for example, of the security industry and what it does. It's kind of like a guy, when I was working on a project on intelligence and ethics with some people, and I talked to a guy in the Navy, who said, we have a moral code: don't lie, don't cheat, don't steal. We don't say don't kill, because the only reason we exist is to kill. So if you fielded that one
32:04
in, it would change the paradigm of calling it a moral code or an ethical code or whatever they call it. In addition, as a result of the morphing of geopolitical structures into metanational, stage-managed globalism, the sources of power, the references, the points of
32:20
reference for power in the world are not what they think. Concrete example: I did a talk for the FBI in Chicago, and the special agent in charge of the Chicago office talked about it's not your father's FBI anymore. He said, we were instantiated, stood up, as a police agency in America, and we don't go foreign. But now, as a result of boundaries dissolving, we have
32:40
to go foreign and do intelligence all the time. The flip side of that is the CIA was instantiated to break all of the laws it could in its mission in all other countries except ours, but now it's impossible to say where ours ends and the others begin. In other words, foreign and domestic, like natural and artificial in the world of biology, no longer make meaningful
33:03
distinctions, because the grayness and fuzziness in the middle has expanded all the way to the edges. There is no foreign and domestic when you're looking at the sources of power. What the special agent at the FBI said is, I used to be able to appeal straight up to the patriotism of people we're working with to do X, Y or Z on behalf of our country, and
33:21
they find now it is in conflict with their allegiance and the sources of their authority and power and money, which comes from metanational structures which do not yet have names, but to which the money in its flows continues to point. So I'm not making this up. Criminal
33:41
structures are sustained or tolerated by police. They always have been: Whitey Bulger in Boston, for example, working closely with the FBI. The integration of crime and legitimacy is the way it is. Crime and legitimacy interpenetrate one another; you can't have one without the
34:08
other. So I wrote at the New Security Paradigms Workshop: information security is one task, both offensive and defensive, of the intelligence community, which sanctions breaking foreign laws while
34:24
prohibiting similar activities on American soil. But simple distinctions of foreign and domestic no longer hold. The convergence of enabling technologies of intrusion, interception and panoptic reach, combined with a sense of urgency about the counter-terror imperative and a clear mandate from our leaders to do everything possible to defeat an amorphous
34:44
non-state enemy defined by behaviors rather than boundaries, borders or even clear ideological allegiances, has created an ominous but invisible and seemingly inevitable set of conditions that undermine previous cornerstones of law, ethics and even religious traditions. Therefore IT and security professionals exercise an implicit thought
35:05
leadership, because you create the structures that bind and inform society and civilization. Your real charge is not to defend and protect a nation any longer but to stabilize the world. This is not your father's world anymore either. So we have to assure
35:26
people that they must wake up in a safe and sane environment, because otherwise things fall apart. Now we're doing all this in a deeper context yet, in a context of a world within
35:41
the world, a secretive world, a secret world which since nine eleven has grown and grown and grown. I had dinner not long ago with someone who helps to write the protocols and policies of governments on intrusion and detection. I said, are we ever going to get freedom from intrusion and surveillance back? She laughed; it was easy: of course not. She knows how
36:04
deeply the structures of authority and power have been penetrated by those technologies. We're never going to get them back. In the Washington Post, Dana Priest
36:21
attacks of September eleventh, has become so large, so unwieldy and so secretive that no one knows how much it costs, how many people it employs, how many programs exist within it, or exactly how many agencies do the same work. There are twelve hundred and seventy government organizations and nineteen hundred private companies on programs related to
36:42
counter-terror, homeland security and intelligence in over ten thousand locations across the country. Almost a million people hold top security clearances. Thirty-three building complexes for top secret intelligence work have been built just since September two thousand one. Many security and intelligence agencies do the same work, creating redundancy. Fifty
37:04
thousand intelligence reports each year, a volume so large that many are routinely ignored. After it happened, because they were traumatized, and trauma leads sometimes to speech, someone described the scene in the office of the director of the NSA when he told senior
37:23
officials the new executive order mandated X, Y and Z, and the silence was frozen, because, he said, these are things we had been told all our professional lives we did not do. We do not do that because it violates the law and the Constitution. Unless we recontextualize the Fourth
37:44
Amendment so that it makes some sense in a world without walls, it will continue to have less and less meaningful application. And as Michael Hayden said when asked if there were not ethical implications or legal implications to vacuuming up the communications of
38:03
Americans without court order or warrant, he said, we don't have to worry about those, because, quote, we have the power, unquote. That's the world in which we do our work and on behalf of which we do our work, but you do not hear it spoken of at conferences like
38:26
Black Hat. It is the given; it is the unspoken premise and assumption that the economy based on that secret world will continue to manifest itself as a military-industrial-entertainment-media-educational complex in which the nexus of power, one to the other, is
38:45
so close and tight that one becomes indistinguishable from the other. In my short story in Mind Games, I only brought a few, right? Pitch, right? Not supposed to be a vendor pitch. I have half a dozen of these if anybody wants one signed, and for only five bucks, the few
39:05
remaining in print, Islands in the Clickstream. It's gone all electronic. Five bucks for that one, twenty bucks for that one, five bucks for that. I have five of each. It's really a prize and it will be worth a great deal of money one day, what, the older I get the
39:21
better I was, and when I'm dead my value will be through the roof. Okay, so I'm going to, so we don't usually discuss the simple reality of the sources of research and development in the world which funds our enterprise. It's just a given. People deal with one another;
39:42
they do not always ask from where the money comes. You do not always know in different false flag operations. Ten minutes? Are you kidding? Jesus. All right, forget that, forget that. All right, God, the meat of this, and they're all on that CD, but let me just start
40:05
rattling them off and make this kind of fit. This is what hackers and security professionals really say when we talk to one another in the privacy of our shared spaces. Okay, one stood at the vendor space at Black Hat last year with me and looked
40:23
out at the sea of booths and the beach bunnies, the booth bunnies I mean, and all the swag, the chocolates and the pens and the glowing lighted balls, and said, do you know, not one of these people can deliver on the promise they make, which is to secure the enterprise. Not one of these people can deliver on their promise. They are selling
40:43
something that cannot do what they claim, which is protect and secure the enterprise. And when I mentioned that a particular application was based on smoke and mirrors to the editor of a major national security, information security, publication, he laughed and said, Richard, our industry is based on smoke and mirrors. A quote which you heard me say was
41:02
said by the editor of the magazine, but CNN yesterday reported, and Richard Thieme said the whole industry is based on smoke and mirrors. Every attributed statement I made at Black Hat, they removed the quotes, interwove things out of context, and brought in statements made by others and wove those in too. It was a nice piece; it just had very
41:21
little to do with what was actually said in the way it was said. I just point that out. All right. We identify the threats that we can fight, not the threats we cannot fight. We sell what we can sell, not what we can't sell. Cryptography is a great example. Cryptography is the opiate of the naive, because, sure, it can protect a lot of things, but
41:44
not if the system is broken. Peter Neumann was talking to Rivest about voting machines, and Rivest said the cryptography is terrific on the voting machines, and Peter Neumann said, yes, but the entire system is broken, and Rivest, the cryptographer, said, that's not my problem.
42:01
Okay, holistic thinking at its best, right? And he's a really smart guy. I remember someone laughing at the ATM and other embedded device code he was looking at because it was so simple and easy to exploit. One hacker said, in my non-expert opinion I would say the cell phone stuff is even easier, and another added, mobile device security implementations
42:21
currently suck more than the abomination that we call mainstream software. Okay. Dan Geer pointed out, by name: the financial world has proven by demonstration that we humans are abundantly capable of building systems we can neither understand nor control. The digital world is insisting on a second round of proof. Just as the greatest enemy of our
42:44
personal health is ubiquitous cheap food, the greatest enemy of our national health is ubiquitous cheap connectivity. You know that the applications being added by the thousands and the smartphones being added by the thousands simply increase the coves and niches of the coastline of the attack interface. So there's a whole section that I
43:04
won't even touch on, what the FBI is actually doing in COINTELPRO 2.0. I will skip the section on Émile Durkheim, which you can read about, in which he pointed out that criminality and legitimacy necessarily interpenetrate one another in any society. And I'm going to skip the point about what the banking system is actually sustaining and
43:24
supporting, an example of which is how much money is effectively laundered through that system. I will give you a couple quotes. U.S. and European banks laundered between 500 billion and a trillion dollars of dirty money each year, half of which is in the U.S. alone. Senator Carl Levin summarizes: estimates are up to a trillion of international
43:44
criminal proceeds are moved internationally and deposited in bank accounts. Between two and a half and five trillion have been laundered by U.S. banks and circulated. The flow of corrupt money from transitional economies is twenty to forty billion dollars. The result of this is, without the dirty money, the U.S. economy,
44:05
the external accounts, would be totally unsustainable. Living standards would plummet, the dollar would weaken, the available investment and loan capital would shrink, and Washington would not be able to sustain its global empire. I'm not making it up. I'm just saying the banks do this, and it's not just American banks: UBS, the Vatican Bank, Barclays around
44:23
the world, as well as Citigroup. Bank of America has a beautiful statement on their policies on money laundering, completely contradicted by their actual practice. Wells Fargo, Wachovia, was just fined over a million million dollars because they laundered over a billion dollars on behalf of the cartels in Mexico, which are fighting one another to death,
44:40
killing over 35,000 people. They laundered so much money through Wells Fargo that it equaled one third of the Mexican GDP, and Wells Fargo's claim was that no one at the bank noticed. Okay. All right, so three thousand died on 9-11. I'm sorry, I love bond traders and
45:02
policemen too, but 35,000 have died in the cartel wars, which are enabled and sustained by the banking system, which it is the primary purpose of the security industry to protect. Who is always cited as the, five minutes, okay, who's always cited as the first line of defense? The
45:21
financial institutions must be defended and protected so people can know they will wake up in a secure and safe world, as we have been for the last few years, of course. This is just the way it is. All the documentation on all the banking systems I cite and talk about is on the CD. So let's get back to what hackers or security professionals are
45:45
saying about this. They are saying, in my humble opinion, the focus is on stuff to be placed on top of a flawed underlying foundation. We can never get to acceptable levels of infosec unless either (a) we rip out the networks and start from scratch or change the
46:05
competence of government and corporate infosec folks to not tolerate mediocrity and empower them with the authority, resources and support to do what it takes to do it right. Otherwise good money goes after bad and the status quo is maintained. I no longer do pen tests or red teams because nobody learns from what we find; they just want to
46:23
check the box of compliance, so why bother? I'm not making a difference anymore. Remember what I said about infosec professionals beginning to feel overwhelmed by the impossibility of doing the job. Why bother? I'm not making a difference if clients don't care, except for making a nice profit on a gig, which is where it goes, and you become
46:41
cynical. Then, I know I'll be ignored, so why should I? Another said, the problem is, to tell the truth you have to, one, not be a vendor, and two, be willing to spill the beans on getting owned. There are very few people willing to get up and say, I work security, my job is to prevent intrusions, we get owned a lot, so I kind of fail at my job. Sometimes it is
47:02
really, really bad, and here's how we deal with it. In other words, manage the risk so people can wake up feeling, oh yes, this or that happened, RSA, etcetera, whatever. Even when we do our jobs right we're going to get owned. The real challenge is to get business leaders to accept that reality and let us redirect funding to programs that help companies deal with
47:25
it. Attacks are simple; defense is hard. It is gradual, it is continual, it is not sporadic, it is elusive and it is often boring. You do not hear too many defense presentations at Black Hat. You hear attacks, because they're sexy and fun, and it's more fun to blow
47:41
shit up than keep it from being blown up. That's what a hacker does. I understand that what I'm articulating is not popular. A disciple of Gandhi said, even those of us who loved him rejoiced when he was assassinated, because his presence was a constant upward
48:01
call to be more than we were, and it was a real, he didn't say it this way in Urdu, he said it was a pain in the ass, but that's what he meant. It is a pain in the ass to look at this stuff and try to deal with it, not forget it, suppress it and ignore it the minute we go on to the next presentation. What is the state of the craft? We're not willing to ask the next round of hard questions, because we haven't realized yet that what
48:23
we've got is broken. There are people out there still trying to perfect AV and IDS mouse traps. No big data solution will magically solve the problem of, I have to see it first in order to detect it later. 80% of viruses might be stopped; 20% aren't. When you are owned, you are owned. Risk and accountability: our inability to identify and convey
48:43
technology risk kills us. Executives don't get it. We don't, therefore, have the conversation at the place of power and authority where it will make a difference to begin grasping what we're doing. And yet, what is doing the shocking thing is the HBGary fiasco, which I love someone describing as a "bikers suck" bumper sticker at a Harley
49:03
rally. You know, don't be stupid. He said: software security problems in all sorts of goods and services, check; greater societal dependence on the technology, check; greater complexity, check; everybody's selling zero days to God knows who for money, check; professional development of digital weaponry, check; a black market economy, check; industrial
49:23
espionage, check; leaked information targeted, traded, check; intelligence agencies outside the US growing capabilities, like Iran saying after Stuxnet, in the future we will have to consider preemptive action. Those of you who know, know that Stuxnet is the one in the public, so we can talk about it, like waterboarding, but there have been others, and some of them
49:42
are serious and portend worse things for the future. What keeps me up at night, a guy asked in an interview the other night. What keeps me up at night is when the chief technologist at CIA tells me he can't sleep at night. That's what keeps me up at night. He says reading the FISA intercepts gives him nightmares, but I can't tell you what's in
50:02
them. Thank you, you've done your job. Secondary trauma, yeah. The real question is not, how much security do I need until I have no risk? It's, how much do I need until I can live comfortably with the real risks I am facing? Have the conversation. Okay, I'm finishing. I've only got
50:21
10 minutes, wasn't that an X, wasn't it a Roman numeral X? Okay, all right, let me wrap it up. Let me just wrap it up by saying build networks with the people who are really your
50:53
friends. Let me tell you how I knew who they are. The guy came up to me a few years ago when I had too much to say, for a change, and the people were saying cut, and the guy who does
51:04
the audio, this is cut, but the guy who does the audio said, because he'd read my book and loved it, he said, there are two people I won't cut: Martin Luther King Jr., he's dead, and you. So make friends with the little people, right?