Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence

Video in TIB AV-Portal: Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Nothing is harder to see than things we believe so deeply we don't even see them. This is certainly true in the "security space," in which our narratives are self-referential, bounded by mutual self-interest, and characterized by a heavy dose of group-think. That narrative serves as insulation to filter out the most critical truths we know about our work. An analysis of deeper political and economic structures reveals the usual statements made in the "security space" in a new context, one which illuminates our mixed motivations and the interpenetration of overworlds and underworlds in our global society. Crime and legitimacy, that is, are the yin/yang of society, security, and our lives. You can't have one without the other. And nobody should know this better than hackers. This presentation will make you think twice before uncritically using the buzzwords and jargon of the profession, words like "security," "defense," and "cyberwar." By the end of this presentation, simplistic distinctions between foreign and domestic, natural and artificial, and us and them will go liquid, and the complexities of information security will remain ... and permeate future discussions of this difficult domain. As a result, we will hopefully think more clearly and realistically about our work and lives in the context of the political and economic realities of the security profession, professional intelligence, and global corporate structures.

Richard Thieme has published hundreds of articles, dozens of short stories, and two books (including Mind Games, a collection of short stories), with more coming (FOAM, a novel, a serio-comic narrative of sex, secrets and intrigue, will be completed soon, followed by "The Room," a novelette about torture and the tortured), and he has given several thousand speeches. He speaks professionally about the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change.
Many recent speeches have addressed security and intelligence issues for professionals around the world. He has keynoted conferences in Sydney and Brisbane, Wellington and Auckland, Dublin, Heidelberg and Berlin, Amsterdam, The Hague and Rotterdam, Eilat, Israel, and Johannesburg, South Africa, and the USA. Clients range from GE and Microsoft to the FBI, the US Dept. of the Treasury, and the US Secret Service. His pre-blog column, "Islands in the Clickstream," was distributed to thousands of subscribers in sixty countries before collection as a book by Syngress, a division of Elsevier. His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities. He lives with his wife, Shirley, in Fox Point, Wisconsin and can be reached at
Thanks for being here. Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence. What I'm gonna do, it's a longer talk as usual, it was longer for Black Hat, so I'm gonna try to hit the high points. You pick up the CD and there are, I believe, about 34 pages of documentation supporting what I'm saying, so some of it I will simply refer to and trust you: if you're interested in seeing that I'm not making it up, look at the CD and you'll see the support for it. It's got several... let's get this stuff out of the way... several parts, and so you'll soon know when I'm starting a new one. The beginning is about the fact that I can't get my mind around that this is my 16th Def Con and that I keynoted, yeah, that's for longevity, right, that I am living, and yet there are markers to tell you how you are doing along the way. Within the first couple, the London Sunday Telegraph had a piece on something I'd said; it referred to me as a father figure for online culture. I thought that was cool. And then about a decade later some hackers said, you know, you're going to change that to a grandfather figure for online culture. And then last year during my talk someone tweeted: you may think Richard Thieme is just a deranged old man wandering about the con, but he does actually have something worthwhile to say. And those of you who are young and are amused by this story, just know that this too will be the dots of your trajectory, which will inevitably project into the future you cannot even imagine as your chemistry changes. But keep in mind that what chemicals take away, chemicals can put back. Blessed be the names of those chemicals. Okay, so ideally as we follow this trajectory over 20 years of Def Con, or 19, we have a greater sophistication, greater sense of nuance, greater sense of the grayness of all things. We hear about gray hat hackers as if they're one of three. Let me tell you the real definitions. A black hat hacker translates into: a hacker, right? A gray hat hacker is a hacker who knows when it's appropriate to fudge the truth. A white hat hacker is a hacker who put the truth down somewhere and doesn't remember where they put it. It's all gray. It is all gray hat hacking, because hacking and computer science and computer technology and InfoSec is a subsection of society, and society is all gray, and the longer you live the grayer it gets, and the more the blacks and whites dissolve into the irreducible middle. This talk is not like many of them are, the useful talks, the practical talks, the talks that will tell you three things you can do on Monday morning when you get back to work. What I'm trying to illuminate with this is the fuzzier, grayer landscape of our professional and personal lives, and as we grow older we see they are very much the same for a well-integrated human, so that ideally, when you come to some of those crossroads in the future that this talk will illuminate, you will remember some of the things I said, because the decisions you'll have to make at those moments are not trivial or easy, because the world in which we now live is not trivial or easy, and information security is not trivial or easy. Gosh, there's just so many information security professionals. In 2010 Frost & Sullivan said there are 2.28 million information security professionals in the world, to which an experienced and truth-telling security practitioner said, then it sounds a lot better when you say "information security professional" to make air quotes, because that's not what they all are. We are all in this together, all hackers; all hacking is gray hat, and nevertheless, as an industry, which is really what this is still about, Black Hat is really about that, the industry, like all industries, has developed a narrative which is self-serving. It defines the view of reality which is permissible to speak; it defines the paradigm, and when you define the paradigm up front you don't have to worry about the answers because you're determining the very questions
that can be asked, and those things of which we are not allowed to speak, we do not have to worry about how people feel or think about them, because they never surface. They remain anomalous, or a source of cognitive dissonance, or background fuzzy noise. But the fact is, those in the picture of the narrative don't see that there's a frame, and there is a ground of being for the narrative, and that's what I want to illuminate if I can, some of it: the context, not the content which it is habitual to hear about here or at Black Hat. Things have changed over the years. Years ago I referred to the creation of the digital space as resulting in real birds in digital cages. I came to that when I was asked by a global public relations company way back when, when I started writing about this stuff in the 90s. Email was so new that when someone got an email it didn't even occur to them that the person writing it wasn't right there in their city. So I got an email from someone in London, because they had read something I'd written for an English magazine and assumed I was in London. He asked me to come over for a drink after work to discuss doing brand defense, and I called him and said, I'm in Milwaukee, I can't come over so easily, but we can work... we didn't have words for it, we didn't say "work remotely" then, it was a new concept, but I said I can do a lot of that from here, we can collaborate. Tell me what brand defense is. He said, well, that's easy. If we have a client, say, who's a tobacco company... I said, I see, you want me to build what we were learning to call websites that defend your client. And he said, no, no, we want you to build websites that attack our client from a multiplicity of points of view, and we'll give you enough information to be credible in your attacks, but not so much that it will be a smoking gun that could bring serious damage to our client, and therefore you will collect in those websites the real birds in digital cages, the people who are opposed to our client, and inflect the conversation, alter it, so that it becomes essentially harmless in the end, and we will turn the digital cage, and the birds, because they have the illusion of the freedom of flying that comes from flapping, will think they are free and flying in fact. So I called those real birds in digital cages. He wanted me to go into Usenet groups, which existed. So how many of you know what a Usenet group is? All right, not bad. I was talking to a young whippersnapper who was trying to get me out of my literary mindset and into transmedia, and I said, well, the person who introduced us, we met during the days of the bulletin board, and he said, what is a bulletin board? And I said, you know, this is before Google, it's what we used, Gopher, and predictably he said, what is Gopher? Deranged old man wandering about the con, lost in his memories. So he wanted me to go into Usenet groups using what we didn't yet call nyms, to create false personas, we didn't call them screen presences, and inflect the conversation, so if it got too sticky or close to something that would be damaging, to kill the cat or set fire to the curtains or do something that would distract people from what they're thinking. You probably recognize this now as the real world in which we live, the virtually inflected world in which people project themselves into virtual spaces, because we evolved to be trusting of our senses, and so we think that what we see is what's there. And the bottom line of everything I speak about and write about is that nothing is what it seems. It really, really isn't. This is not a conspiracy theory; this is just what's so. Nothing is what it seems: it's what's so, it's also so what, so that's not news. Well, now, instead of digital birds in real cages, with the advent of social media what we really have are real flocks of birds in digital cages, and in addition to the illusion of the freedom of flying, because when we look up or down or to either side we see other wings flapping, we have the illusion of security
because we're part of the herd. We're part of the hump, the hump wings, the bell curve. Word, I think I created "the hump of the bell curve." You know, there's like 10% up front, those are the masters of society who create environments and realities for us, and we're the 80% in the hump of the bell curve, humping along, humping, humping what they know how to do, and then there's 10% at the end that are the dregs, and the masters keep the dregs so the hump wings will see the dregs and be grateful they're not the dregs and thank the masters for keeping them in the hump and not letting them fall back into the dregs, i.e. people who can't get work after three years, or have a lower standard of living, or who are denigrated in many ways. And then everybody is happy except
the dregs, but they serve a larger societal purpose by making the rest happy, so if you deconstruct their unhappiness, they too are happy, they just don't know it, so they get violent. You know, at any rate, providing that hump, providing that herd, providing that flock of illusory digital wings provides not only the illusion of freedom but the illusion of security, and as the bigger and bigger cage turns, because we are part of it, we cannot even see the edges of the cage, so far is that parallel universe from us. In other words, we are all assimilated. We cannot help being assimilated into the organizational structures or the larger cultural entities of which we become a part. Margaret Mead, the great anthropologist, said years ago that it takes her a full year to learn again what she learns in one week when she enters a new culture, and the reason is, when you come in new you see it with beginner's eyes, as the Buddhists say. You see it fresh, you see that the cues you are used to responding to aren't there but there are different cues, and you see it clearly, like the terminator on the moon: over against the light and the darkness you see the rilles and the mountains, the cultural norms and behaviors, in a different way. But after a week or so she already unconsciously was assimilated into the culture to a degree that undermined her objectivity and ability to see, and it took longer and longer and longer to see more and more, and therefore we go by the known but unwritten rules. You know that in any organization, some of you belong to them, there are four kinds of rules. There's known and written, which are the manual they give you when you're hired and have to go through some organizational orientation, and they're known for a moment as you leaf through them, then they go on the shelf and they become written but unknown over time, because you never consult them again. There are also unknown and unwritten, which are the deep cultural structures of our lives, the 98% of us that evolved and of which we are
unconscious, so we don't have to worry about those. But the ones that govern the organizational life are the known but unwritten rules, and anybody who succeeds in anything is pretty good at picking up on and intuiting what are the known and unwritten rules and obeying them in order to advance in the organization and keep sustenance and livelihood alive. A friend of mine who's a cop and is also a Roman Catholic... this is not meant to denigrate the Roman Catholic Church in all its illustrious history, I'll just tell you what he said to me. He's a cop and he's a Catholic. He said, you know that my church and my police life work the same way. When you're a rookie, you know, you're watched, and as the dirty money comes through and the drug money doesn't all go back to the station, and some of the coke gets bled off, or you go into an alley and you beat the living... you beat somebody, and you're standing there waiting for your partners to finish kicking him into unconsciousness, they watch what you do, and if you're okay, you don't do anything, and the word goes around real quickly: you're okay, you're one of us. And if you are one of us, then you are elevated up through the structures, and when you reach the top, as Timothy Leary said, you never get the truth from the company memo, because you become so unstuck... you're like Invasion of the Body Snatchers: somebody put a seedpod under your bed in the night when you joined, and over time you look like yourself, but pretty soon you only say the things the paradigm, the company, approves of, allows you to say, and you don't say the other things at all, and so you become part of the org. And so my friend the cop said, that's who makes captain. You know, you don't make captain if you don't protect the institutional life of the structure that advanced you and which you have by that point so internalized that you are it, like you become bishop. And this is why the culture of my church, he said, has become a global... he said it, I didn't say it, I don't
know if I even believe something like this, he said a global criminal pedophile enterprise. I don't know, I don't know anything about that, if that's true or not, but he said it's the same way. You come in and you see quickly, unless you're unconscious, what is going on, and if you say something you go to Fort Wayne, Indiana, and if you don't say anything you become Archbishop of New York or Boston or LA or Chicago, and it's, oh, that's just what's so. But in that case, because the evil is so deep, it's not so what. But at any rate, as an illustration of how organizational life assimilates us, it works pretty well. Well, the same thing happens in the so-called security space, the space of information security, and in the intelligence community, where groupthink permeates, percolates through the structures, and from externals the input is minimized, so the weakest link of the chain is frequently the definition of the problem, and the definition of the problem, as Matt Blaze pointed out, is often not what we think it is. That's true not only about security, but it's also true about the security industry itself. So the question I'm asking is, who are we really? What is the security space really? And what does our self-referential narrative about the industry include and, above all, like all paradigms, what does it exclude and allow us not even to think about saying, much less say? What is the rule base of the filter, and how well does it work at the perimeter? Because, like computers themselves, the perimeter no longer exists. There is no perimeter defense if there's no perimeter, and there's nothing but Möbius strips interlacing with one another like parallel universes. So let's not be white hat hackers and forget where we put the truth. Let's simply identify what the truth is and articulate it. Nothing is harder to see than the truths we have come to believe so deeply that we don't even see them, because our narratives become self-referential, they're bounded by mutual self-interest, and they are
characterized by a heavy dose of groupthink. Beliefs are fine, beliefs are good, they're useful. Just don't believe in your beliefs. Just hold them lightly. True of all beliefs: notice, oh, that's something I believe, and then let it go. Because we know now from neuroscience that we make decisions prior to inventing the reasons we say we do them. The decisions take place unconsciously, they manifest, and then we say, the reason I did that... and it's always, as Nietzsche said, in the war between pride and humility, that's why autobiography is never trustworthy: pride always wins. So how do you change the paradigm? Well, once, when I was in the church, I was in a leadership project in which we were discussing new paradigms for clerical leadership in the Episcopal Church, and after we brought in all the people from Silicon Valley and all the think-tank people... somebody had money and funded this... in the second year of a three-year project I was sitting there listening to the gabble of all these what we called cardinal rectors, big churches, you know, I mean if you play it right you can do okay, you know. I was sitting in a million-dollar rectory in Hawaii attending my parish, my wife had a sign made that said "the pastor is in" with an arrow pointing to the beach blanket, and we're sitting in a million-dollar house, and that's when you realize he came to do good and he did well, you know. This is so: an analysis of the deeper political and economic structures will always reveal behaviors and beliefs in a different light, and it will illuminate our mixed motives and the fact that legitimate and illegitimate enterprises interpenetrate one another deeply, like yin yang. You know, there's black and white, and they interpenetrate, and the white becomes a little gray and the black becomes a little white. The overworld and the underworld make up just one thing, one vanilla-chocolate swirl of pudding, one complex system, and this also has a serious impact on security and intelligence practitioners, on
our psyches and our relationships and our lives. When we refuse to face the dark side of what it is we do and its impact on us, then it has even more impact on us, because the more you push it down the harder it pushes back. Beware, Nietzsche said, lest as you stare into the abyss, it stares into you. Cognitive dissonance is always present, and it can lead to serious stress, but if you become conscious of it and work at resolving, or at least managing, the contradictions in your life, it seems to work a little better. What is the goal of becoming conscious? A friend shared a story about an intelligence practitioner who, as a result of someone he had recruited in another country as an agent... the person was discovered, outed, tortured to death, died horrifically. The person who had recruited him, our guy, was struck by it, burdened by it. He started drinking heavily. They had to take his clearances away for a while, put him on a different desk, and send him to a therapist. And I said, but where's the therapist? Well, the therapist is cleared by the agency, therefore assimilated into the culture of the agency. And I said, what is the goal of therapy? The goal of therapy, the answer came back clearly, is to get the guy back into shape to go back to the original desk and do the work again
which got him into trouble, psychologically speaking, in the first place. I said, well, that's not what I did counseling for for 20 years. When I did counseling, the goal was to enhance someone's ability to see the darkness in their own life, see all the contradictions, integrate them into a bigger self, and transcend with wholeness and integrity what they thought had been a burden. And he said, that's not our goal. Our goal is for the guy to get back to work. We're not concerned with wholeness and integrity. And I said, so what happens if he can kind of work but you're not sure if it all took? He said, then we watch him very, very, very carefully. Well, it has an effect on us. In the days before it became public, I was talking to people who were tortured and I was talking to people who did the torturing. It started to affect me to listen to their stories, listen to someone who did torturing talk about, for example, the Uzbeks. You ever work with the Uzbeks? He said it was a novelty when we told the Uzbeks that one of the purposes of torture was to get information. You got it, they didn't know that; they thought it was just something we do. And I was saying that to someone who had been doing interrogation seriously and well for 17 years, and he said, the Uzbeks? My God, you ever work with the Turks? By which he meant that all they want is a confession. There doesn't have to be a perp, there doesn't have to be a crime, there's a piece of paper, sign it. Oh, you don't want to sign it? That's the way it is. Listening to their stories, the "oops" deaths: the story of medical practitioners, doctors, falsifying death certificates when someone said, oops, lost him: heart attack, oops, stents. And then they use the information they gained from each instance of torture to advance the ability to do torture well the next time. This is medical experimentation on human beings, which was prohibited by Nuremberg but is practiced. Waterboarding is a red herring. It's an image of something we can imagine not being so bad, as Rumsfeld said, just
dipping him in the water or something like that, as if choking to death, almost, is not so bad because we didn't kill him, except when we did. But the serious torture is not just waterboarding. It's used as an image to distract people from the truth of what it is that we do, but it is not what we are allowed, out here in the psychic space of America, to talk about clearly. And so as a result, as Jane Wagner said, I'm getting more and more cynical all the time and I still can't keep up. What is it, what does it do to you, to hear secrets or live with secrets and carry them as a burden? I had dinner in Washington once with a friend from FBI and a friend from NSA, and they were talking about what it did to them, and one of them said, imagine if you're listening to terrorists slit the throats of people in real time. You're hearing the horror, and you go home at night and your wife says, how was your day? and all you are allowed to say is, fine, dear, it was fine. So one of the impacts of the dark side is secondary trauma. A therapist told me to read about trauma when I tried to engage her and a bioethicist in a project to look at torture, at least before it was in the public domain, uh-huh, and of course they wouldn't, because it would jeopardize their professional positions. So I read about trauma and what it did to you, and I went back and I said, I've read all of the sequelae of trauma that are predictable, and she said, you know, I wanted you to read that, and I said, sure, because I'm dealing with people who were traumatized, and she said, anything else? And I said, no, because when you're in it you can't see it. And she said, you're showing all the symptoms of secondary trauma. My wife said, I could have told you that a year ago, but she was my wife, so, you know, you listen but you don't listen, but when a
therapist you don't know says it, you say, oh, I didn't know that. My point is that by virtue of the work we do in the security space, we often, all of us, and all of us in America by virtue of knowing and having these conversations, if we dare to have them, begin to show the symptoms of secondary trauma. It distorts our view of reality, it makes it more binary, and it makes us more paranoid, not just appropriately paranoid but wondering what is really going on all the time. And then when they call you a conspiracy theorist for wondering, it makes it even worse, because you're not allowed to evolve a conversation, civil discourse about the truth, in order to know what it is. Because the one thing that holds true is, it does set you free to tell the truth and to know the truth and integrate it into your life.

So hopefully this analysis will make us think twice before we use the buzzwords and jargon of our profession, words like "security" itself and "defense", like when they changed the Department of War to the Department of Defense before going into a hundred and fifty countries with the military presence we have now, or words like "terrorism" or "cyber war", words which are weasel words designed to create a paradigm which we unthinkingly articulate and in which we unthinkingly live. One example of what it does to us is this article which appeared on Dark Reading: "Security pros may be ready to crack under growing pressure. Faced with securing personal devices and a growing base of threats, security pros feel overwhelmed, (ISC)2 survey reports." What it is about is the fact that when you're doing a job that you know can't be done, it causes not only trauma but it breaks down your ability to function effectively. It reminded me of the story in John Hersey's Hiroshima. After the blast there's a flash of light, and a doctor noticed two or three people coming into the office, their arms peeling and bleeding and burned, and he started to treat them as he would anyone who came into the office with those symptoms. But when he turned around there were five or ten more, and he tried to treat them, but then there were twenty more and thirty more, and he looked out the window and hundreds were streaming down the street, burned and bleeding, toward his office, and he was reduced to someone who could only go from one to the other to the other saying, there, there, there, there, there, there. The security industry: there, there, it'll be okay, there, there. But is it in fact implementing, in the meantime, the structures of security that will give security? Or is it simply carrying out the de facto commission which now the intelligence community itself has become commissioned to do, not by any state, because they're dissolving as the boundaries around them dissolve, but by the fact of their lives in the trenches, where they exchange information with one another in an effort, like a thermostat, to maintain some kind of equilibrium in the global body politic, so that chaos, which is always threatening to break out at any bubble or aperture, will not break out? The bottom line of the security world is to be able to assure people that the world in which they wake up tomorrow will be pretty much like the world in which they went to sleep. That's a different commission than creating, implementing and sustaining security. So hence the title: whoever battles monsters should take care not to become a monster too; you stare long enough into the abyss, the abyss will stare right back at you. Or the way the sign put it at Sandia National Labs: do not look directly into
the laser beam with your remaining eye. Pretty good, okay.

So security has a context, and what I want to do is turn a little context into content and illuminate the slightly bigger box into which we say we're going when we're going out of the box. It's really just a bigger box; we never get to the end of the biggest box of all, the ground of being itself. But Eddie Bernays created context. You remember Eddie Bernays? I'd like to use this example: the publishers asked him to help with selling books, so he went to bright, intellectual people, Nobel Prize winners, and said, is literacy relevant to America? This is the 1920s. They all said yes, yes, yes, signed off on that. He called together architects, builders, contractors and said, do you want to help build an America viable in the 20th century? Yes, yes, yes, they all signed up. As a result, anyone coming into an apartment building or house after the 1920s, and not before, would often find what they agreed to build, which were built-in bookshelves, and then when people came into those apartments or houses, without thinking or seeing it, they bought books. You've got a bookshelf, you put on a book. Context into content, unseen digital cage, go in, fly by, books. So as I say, I want you to believe in your beliefs but contextualize them differently, hold them differently, and that does not often happen at security conferences, where your beliefs are reinforced and repeated so much that you actually believe in your beliefs.

The price, James Baldwin said, one pays for pursuing any profession or calling is an intimate knowledge of its ugly side. Now, I learned that growing up in Chicago. I worked with my alderman until I was through college. I was never once asked to do something legal. You know, typical was when they asked if I wanted to be a precinct captain. I was 18. I said, well, yeah, but where's Kitty going? They said, oh, Kitty's still on. I said, well, how can I be precinct captain after Kitty, if Kitty the precinct captain is still on? They said, oh no, no, I was so naive, we need a Republican precinct captain so you can destroy campaigns, undermine people and report back as an infiltrator and spy. The problem was that I was 18; you had to be 21 to be a precinct captain. They said, that's not an issue, that's for the documents department, as you know. So the bottom line is you grew up in that environment. I woke up one day in the middle of my young life and said, my God, the father of every friend I have is doing something illegal. One was in jukeboxes, you know, the Seeburg story; now that kid is the director of security for Seeburg, and he directs security all right. Offers you cannot refuse is what they were making to people. Others were in gambling equipment. I found out one was distributing porno. Porno in those days was 16 millimeter films, black and white, they ran on noisy projectors, not nearly as efficient or effective as just being able to put on your headphones, close the door and say, I'm gonna be working on this for a while. God bless the digital cage.

So what I'm really saying is, know yourself, right? I mean, the goal of spiritual growth is to know yourself, to face the worst you think about yourself, see it, see it's not worse, it's human, we're just human, and integrate it in yourself so you can transcend it and be a more actionable agent of what results as what we call freedom, as a result of that kind of integration, integrity. In order to do this in the security space we have to look at what are the deep politics of the security space. I use that term from Peter Dale Scott, who teaches at Berkeley and has written a lot of books like Deep Politics and the Death of JFK. He's not concerned with who killed JFK, because so many people justifiably wanted him dead that it could have been any of them, and any of the scenarios, in the absence of further evidence, could have been the right scenario. It certainly could have been the Cubans, it could have been the Vietnamese, payback for Diem being assassinated, it could have been the Mafia, of course, because his dad was Mafia, but that group in Boston worked with the Mafia, distributed liquor, bootleggers. His dad got into such trouble he had to have a sit-down with Sam Giancana in Chicago, my town, and have him take a contract off his head, and they did, they worked it out. I had Charlie Fischetti living upstairs of our apartment in the apartment building he grew up in in Chicago; he was Capone's lieutenant until he died of a heart attack in Miami. And you just grew up in this milieu. So anybody could have killed Kennedy, but what he wanted to focus on was the important distinction between traditional conspiracy theory, conscious secret
collaborations toward shared ends, and deep political analysis, which is the study of those practices and arrangements, whether or not deliberate, which are usually repressed rather than acknowledged. In the latter there is an open system with divergent power centers and goals, not a single objective or control point. So it's not like somebody is doing this to us; it's that there's a convergence of mutual self-interest and an unwillingness to acknowledge the truths, for example, of the security industry and what it does. It's kind of like a guy, when I was working on a project on intelligence and ethics with some people, and I talked to a guy in the Navy who said, we have a moral code: don't lie, don't cheat, don't steal. We don't say don't kill, because the only reason we exist is to kill. So if you threw that one in it would change the paradigm of calling it a moral code or an ethical code or whatever they call it.

In addition, as we see the morphing of geopolitical structures into meta-national, stage-managed globalism, the sources of power, the references, the points of reference for power in the world, are not what they think. Concrete example: I did a talk for the FBI in Chicago. The special agent in charge of the Chicago office talked about, it's not your father's FBI anymore. He said, we were instantiated, stood up, as a police agency in America, and we don't go foreign, but now, as a result of boundaries dissolving, we have to go foreign and do intelligence all the time. The flip side of that is the CIA was instantiated to break all of the laws it could in its mission in all other countries except ours, but now it's impossible to say where ours ends and the others begin. In other words, foreign and domestic, like natural and artificial in the world of biology, no longer make meaningful distinctions, because the grayness and fuzziness in the middle has expanded all the way to the edges. There is no foreign and domestic when you're looking at the sources of power. What the special agent at the FBI said is, I used to be able to appeal straight up to the patriotism of people we're working with to do X, Y or Z on behalf of our country, and they find now it is in conflict with their allegiance and the sources of their authority and power and money, which come from meta-national structures which do not yet have names but to which the money in its flows continues to point. So I'm not making this up. Criminal structures are sustained or tolerated by police; they always have been. Whitey Bulger in Boston, for example, working closely with the FBI. The integration of crime and legitimacy is the way it is; crime and legitimacy interpenetrate one another, you can't have one without the other.

So I wrote, for the New Paradigm for Security workshop: information security is one task, both offensive and defensive, of the intelligence community, which sanctions breaking foreign laws while prohibiting similar activities on American soil. But simple distinctions of foreign and domestic no longer hold. The convergence of enabling technologies of intrusion, interception and panopticon, combined with a sense of urgency about the counter-terror imperative and a clear mandate from our leaders to do everything possible to defeat an amorphous non-state enemy, an enemy defined by behaviors rather than boundaries, borders or even clear ideological allegiance, has created an ominous but invisible and seemingly inevitable set of conditions that undermine previous cornerstones of law, ethics and even religious traditions. Therefore IT and security professionals exercise an implicit thought leadership, because you create the structures that bind and inform society and civilization. Your real charge is not to defend and protect the nation any longer, but to stabilize the world. This is not your father's world anymore either. So we have to assure people that they must wake up in a safe and sane environment, because otherwise things fall apart.

Now we're doing all this in a deeper context yet, in a context of a world within the world, a secretive world, a secret world which since 9/11 has grown and grown and grown. I had dinner not long ago with someone who helps to write the
protocols and policies of governments on intrusion and detection. I said, are we ever going to get freedom from intrusion and surveillance back? She laughed; it was easy: of course not. She knows how deeply the structures of authority and power have been penetrated by those technologies. We're never going to get them back. In the Washington Post, Dana Priest wrote: the top secret world the government created in response to the terrorist attacks of September 11th has become so large, so unwieldy and so secretive that no one knows how much it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work. There are twelve hundred and seventy government organizations and 1,900 private companies working on programs related to counter-terror, Homeland Security and intelligence in over 10,000 locations across the country. Almost a million people hold top secret security clearances. 33 building complexes for top secret intelligence work have been built just since September 2001. Many security and intelligence agencies do the same work, creating redundancy: 50,000 intelligence reports each year, a volume so large that many are routinely ignored.

After it happened, because they were traumatized, and trauma leads sometimes to speech, someone described the scene in the office of the director of the NSA when he told senior officials the new executive order mandated X, Y and Z, and the silence was frozen, because, he said, these are things we had been told all our professional lives we did not do. We do not do that because it violates the law and the Constitution. Unless we recontextualize the Fourth Amendment so that it makes some sense in a world without walls, it will continue to have less and less meaningful application. And as Michael Hayden said when asked if there were not ethical implications or legal implications to vacuuming up the communications of Americans without court order or warrant, he said, we don't have to worry about those, because, quote, we have the power, unquote. That's the world in which we do our work and on behalf of which we do our work, but you do not hear it spoken of at conferences like Black Hat. It is the given, it is the unspoken premise and assumption, that the economy based on that secret world will continue to manifest itself as a military-industrial-entertainment-media-educational complex, in which the nexus of power, one to the other, is so close and tight that one becomes indistinguishable from the other.

In my short story in Mind Games, I only brought a few, right, pitch, right, not supposed to be a vendor pitch. I have half a dozen of these if anybody wants one signed, and for only five bucks, the few remaining in print. Islands in the Clickstream, it's gone all electronic. Five bucks for that one, twenty bucks for that one, five bucks for that. I have five of each. It's really a prize and it will be worth a great deal of money one day. What, the older I get the better I was, and when I'm dead my value will be through the roof. Okay. So we don't usually discuss the simple reality of the sources of research and development in the world which funds our enterprise; it's just a given. People deal with one another; they do not always ask from where the money comes. You do not always know, in different false flag operations. Ten minutes? Are you kidding? Jesus. All right, forget that, all right, God. The meat of this, and they're all on that CD, but let me just start rattling them off and make this kind of fit, is what hackers and security professionals really say when we talk to one another in the privacy of our shared spaces. Okay, one stood at the vendor space at Black Hat last year with me and looked out at the sea of booths and the beach bunnies, the booth bunnies I mean, and all the swag, the chocolates and the pens and the glowing lighted balls, and said, you know, not one of these people can deliver on the promise they make, which is to secure the enterprise. Not one of these people can deliver on their promise. They
are selling something that cannot do what they claim, which is protect and secure the enterprise. And when I mentioned that a particular application was based on smoke and mirrors to the editor of a major national information security publication, he laughed and said, Richard, our industry is based on smoke and mirrors. A quote which you heard me say was said by the editor of the magazine, but CNN yesterday reported, "and Richard Thieme said the whole industry is based on smoke and mirrors." Every attributed statement I made at Black Hat, they removed the quotes, took all of the things out of context and brought in statements made by others and wove those into it. It was a nice piece; it just had very little to do with what was actually said in the way it was said. I just point that out.

All right. We identify the threats that we can fight, not the threats we cannot fight. We sell what we can sell, not what we can't sell. Cryptography is a great example. Cryptography is the opiate of the naive, because sure, it can protect a lot of things, but not if the system is broken. Peter Neumann was talking to Rivest about voting machines, and Rivest said the cryptography is terrific in the voting machines, and Peter Neumann said, yes, but the entire system is broken, and Rivest, the cryptographer, said, that's not my problem. Okay, holistic thinking at its best, right? And he's a really smart guy. I remember someone laughing at the ATM and other embedded device code he was looking at, because it was so simple and easy to exploit. One hacker said, in my non-expert opinion I would say the cellphone stuff is even easier, and another added, mobile device security implementations currently suck more than the abomination that we call mainstream software. Okay. Dan Geer pointed out, by name, the financial world has proven by demonstration that we humans are fundamentally incapable of building systems we can neither understand nor control; the digital world is insisting on a second round of proof. Just as the greatest enemy of our personal health is ubiquitous cheap food, the greatest enemy of our national health is ubiquitous cheap connectivity. You know that the applications being added by the thousands and the smartphones being added by the thousands simply increase the coves and niches of the coastline of the attack interface. So there's a whole section that I won't even touch on, what the FBI is actually doing in COINTELPRO 2.0. I will skip the section on Emile Durkheim, which you can read about, in which he pointed out that criminality and legitimacy necessarily
interpenetrate one another in any society, and I'm going to skip the point about what the banking system is actually sustaining and supporting, an example of which is how much money is effectively laundered through that system. I will give you a couple of quotes. US and European banks launder between 500 billion and a trillion dollars of dirty money each year, half of which in the US alone. Senator Carl Levin summarizes: estimates are up to a trillion of international criminal proceeds moved internationally and deposited in bank accounts; between two and a half and five trillion have been laundered by US banks and circulated. The flow of corrupt money from transitional economies is twenty to forty billion dollars. The result of this is, without the dirty money the US economy's external accounts would be totally unsustainable, living standards would plummet, the dollar weaken, the available investment and loan capital would shrink, and Washington would not be able to sustain its global empire. I'm not making it up. I'm just saying the banks do this. It's not just American banks: UBS, the Vatican Bank, Barclays around the world, as well as Citigroup. Bank of America has a beautiful statement on their policies and money laundering, completely contradicted by their actual practice. Wells Fargo, Wachovia, was just fined over a million million dollars because they laundered over a billion dollars on behalf of the cartels in Mexico, which are fighting one another to death, killing over 35,000 people. They laundered so much money through Wells Fargo that it equaled one third of the Mexican GDP, and Wells Fargo's claim was that no one at the bank noticed. Okay. All right, so three thousand died on 9/11. I'm sorry, I love bond traders and firemen and policemen too, but thirty-five thousand have died in the cartel wars, which are enabled and sustained by the banking system, which it is the primary purpose of the security industry to protect. Who is always cited as the, five minutes, okay, who's always cited as the first line of defense? The financial institutions must be defended and protected so people can know they will wake up in a secure and safe world, as we have done for the last few years. Of course this is just the way it is. All the documentation on all the banking systems I cite and talk about are on the CD.

So let's get back to what hackers or security professionals are saying about this. They are saying: in my humble opinion, the focus is on stuff to be placed on top of a flawed underlying foundation. We can never get to acceptable levels of InfoSec unless either, A, we rip out the networks and start from scratch, or change the confidence of government and corporate InfoSec folks to not tolerate mediocrity and empower them with the authority, resources and support to do what it takes to do it right. Otherwise good money goes after bad and the status quo is maintained. I no longer do pen tests or red teams, because nobody learns from what we find; they just want to check the box of compliance, so why bother? I'm not making a difference anymore. Remember what I said about InfoSec professionals beginning to feel overwhelmed by the impossibility of doing the job? Why bother? I'm not making a difference if clients don't care except for making a nice profit on a gig, which is where it goes. Then you become cynical; then, I know I'll be ignored, so why should I? Another said, the problem is, to tell the truth you have to, one, not be a vendor, and two, be willing to spill the beans on getting owned. There are very few people willing to get up and say, I work security, my job is to prevent intrusions, we get owned a lot, so I kind of fail at my job. Sometimes it is really, really bad, and here's how we
deal with it. In other words, manage the risk so people can wake up feeling, oh yes, this or that happened, RSA, etc., whatever. Even when we do our jobs right we're going to get owned. The real challenge is to get business leaders to accept that reality and let us redirect funding to programs that help companies deal with it. Attacks are simple; defense is hard. It is gradual, it is continual, it is not sporadic, it is elusive, and it is often boring. You do not hear too many defense presentations at Black Hat; you hear attacks, because they're sexy and fun, and it's more fun to blow up than to keep it from being blown up. That's what a hacker does. I understand that. What I'm articulating is not popular. A disciple of Gandhi said, even those of us who loved him rejoiced when he was assassinated, because his presence was a constant upward call to be more than we were, and it was a real, he didn't say it this way, in Urdu he said it was a pain in the ass, but that's what he meant. It is a pain in the ass to look at this stuff and try to deal with it and not forget it, suppress it and ignore it the minute we go on to the next presentation, what is the stuff of the craft. We're not willing to ask the next round of hard questions because we haven't realized yet that what we've got is broken. There are people out there still trying to perfect AV and IDS mousetraps. No big data solution will magically solve the problem of, I have to see it first in order to detect it later. 80% of viruses might be stopped; 20% don't. When you are owned, you are owned. Risk and accountability: our inability to identify and convey technology risk kills us. Executives don't get it. We don't, therefore, have the conversation at the place of power and authority where it will make a difference, to begin with, doing what we're doing, and yet what is it doing? The shocking thing is the HBGary fiasco, which I loved someone describing as a "bikers suck" bumper sticker at a Harley rally. You know, don't be stupid. He said: software security problems in all sorts of goods and services, check; greater societal dependence on the technology, check; greater complexity, check; everybody's selling zero days to God knows who for money, check; professional development of digital weaponry, check; a black market economy, check; industrial espionage, check; leaked information targeted, traded, check; intelligence agencies outside the US growing capabilities, like Iran saying after Stuxnet, in the future we will have to consider pre-emptive action. Those of you who know, know that Stuxnet is the one in the public, so we could talk about it, like waterboarding, but there have been others, and some of them are serious and portend worse things for the future.

What keeps me up at night? A guy asked in an interview the other night. What keeps me up at night is when the Chief Technologist of the CIA tells me he can't sleep at night. That's what keeps me up at night. He says reading the FISA intercepts gives him nightmares, but I can't tell you what's in them. Thank you, you've done your job: secondary trauma, yeah. The real question is not how much security do I need until I have no risk; it's how much do I need until I can live comfortably with the real risks I am facing. Have the conversation.

Okay, I'm finishing. I've only got 10 minutes? Wasn't that an X? Wasn't it a Roman numeral X? Okay, all right, let me wrap it up. Oh, let me just wrap it up by saying: build networks with the people who are really your friends. Let me tell you how I knew who they are. A guy came up to me a few years ago when I had two months to say, for a change, and the people were saying, cut, and the guy who does the audio, this is cut, but the guy who does the audio said, because he'd read my book and loved it, he said, there are two people I won't cut: Martin Luther King Jr., he's dead, and you. So make friends with the little people, right?