
KEYNOTE - Q&A - Ghosts of Past, Present, and Future - Bob Lord

BSides Las Vegas, 20:02, published 2019-10
About this talk
Keynote, BSidesLV 2019, Tuscany Hotel, Aug 06, 2019
Transcript [en]

Hello, I'm Bob. Okay, so I think this is the part where you can ask questions, and I will say, "Oh my god, you're the smart ones, you tell me."

Question? Yeah. So, yeah, hiring. I'm going to have to repeat that question so everybody can hear. So: "I looked at democrats.org/jobs and I noticed that there were no security postings. What can we do about that, or do I just email you directly?"

Yes, you can email me. So we have filled the roles that we have, but obviously... so, interesting factoid: the DNC is roughly 200 people, I forget what the real number is. If you think about the combined organization that I left, which was AOL plus Yahoo, that's almost as big... those security people, that team is almost the same size as all of the DNC. So I'm never going to get the funding to go hire another ten people like this; it's not going to happen. So what we have to figure out is how to fill this role. So a lot of people said, "I'd like to volunteer," and up till recently we haven't had enough of the right foundation in place, with the right permanent people, in order to take advantage of people who wanted to volunteer. Now, some people may just want to quit their jobs and help, and there may be places where I can help you. Also, you know, tweet at me, you know, sending my email address. But it's an interesting thing where a lot of people said, "Oh, I want to volunteer a few hours here and there and do X, Y and Z," but if you don't have the foundation it's really hard. And part of the foundation is, like I said, there's people, process and technology. So a lot of what we have to do is work with the various teams, and that means getting to know the teams: what is their history, where is their technical debt, where is their process debt, and all of that just takes a lot of time. So we haven't been in the place where there has been a shepherd who could then say, "Okay, you're the expert in this thing, go," right? So we can't have, like, 20 people just coming, you know, logging in and just trying to help. That wouldn't actually help; that would slow things down. Sort of like The Mythical Man-Month, if you're familiar with that book. Oh, it's a good book. Anybody read that book, The Mythical Man-Month? Oh, it's a classic. It's a short read. The quick summary there is: adding people slows you down, it doesn't speed you up, but it has other benefits. So I feel like we're kind of in that position now. But yeah, I'd love to hear from more people who would like to help, and in what way they'd like to help, and as we get further into the election cycle, as we go from two dozen candidates to a smaller number, those opportunities may appear a little bit more clearly than they are today. Two dozen is a little bit rough. But having said that, if there's a candidate that you know, I would never stop you from reaching out to the candidate and to the campaign and saying, "I can do this." But I also, you know, hopefully that came through in the talk: a lot of the stuff that really needs to get done is some foundational, real basic stuff. And so I just want people to understand that you may be giving the talk on malware reverse engineering, and you've got new techniques and a new code base that you're releasing open-source today, and we really need you to help figure out why my password doesn't work for the database. That's just a practical reality of dealing with non-technical organizations that are distributed. That's kind of the challenge that we're up against. It's a good challenge, but it's a little bit rough.

All right, so, good. For anybody who... here, I'm going to set this microphone right here. If you have a question, come on up, ask your question on the mic, then put it down and take your answer.

Okay. Good morning. I sent a note on your site about volunteering. You answered some of those questions in your presentation. I mentioned Maciej Cegłowski's site, and for anybody who doesn't know, he's got a couple of essays on working on a campaign; again, it's idlewords.com. You mentioned DigiDems, and Mr. Cegłowski does as well. You mentioned that they hired 81 people for 2018. Yeah, there's 435 House seats, there's 33 or 34 Senate seats, there's 50 states, and so it seems like there's a disconnect there. I'm a semi-retired professional, I've got time, and I can volunteer locally, and I won't do that, but I've got a lot more cycles than the local campaigns are going to consume. So how do we match up the people that have the time and this apparent disconnect between the number of people available and the number of needs that are out there?

Yeah, so that's a great observation. So I, you know, I don't run DigiDems, so I can't really speak for them, but obviously finite resources mean, you know, a finite number of campaigns. And so I think we're really counting on the people within that community who are thinking about which of the battleground states, which are the highest-priority ones, that they're going to be doing a good job with that. Again, I majored in political science, but I'm not going to be the person to say which states are the most important states for people to place these resources in. I'm going to let people who have done that multiple times do that. So I think it's really a matter of resource allocation, and then groups like Ragtag actually do have a process where you can apply to be a Ragtag volunteer, and they'll do their best to hook you up with various campaigns. That's a partial solution, but there's no one correct solution. So when I said I really want people to think about, you know, just keep trying: I've talked to a few people who applied to the DNC, and it's like, ah, we have so few roles, it has to be a really, really strong match, otherwise I can't bring you on. I don't have 150, 200 heads. So we have to hire very carefully. But I tell them, I don't want you to be discouraged. This is one way that you can contribute; there are a thousand others, and I only know of a few of them, so keep looking. And so part of the answer is, and I'll reply to your mail at some point when I can get caught up, but I really want people to make it a project to keep looking. It's not like, you know, you strike out once and you're done. Continue to try. This is messy and it's organic, and whatever you come up with will be obvious in retrospect, but I can't predict what that will be for you and for the organization you end up protecting. So just keep trying, please. We need more people to do that sort of thing. So thank you for the work you've already done.

Yep, jump on in.

Hi, good morning. I'm Jack. First of all, I guess, thank you for what you do, because I think infosec pros leaving Silicon Valley and working for the civil society side of things is really important; it's the only way that starts to change. So everyone tells you that, but thank you. So, what sort of outreach... I was pleasantly surprised by how much outreach occurs in support of campaigns, like the DigiDems, but once the blue wave is in office, what's being done at the state and local level, or anything, in terms of similar support?

Yeah, thanks. Yeah, so again, it's very interesting. When I started, it was obvious that I had to work to protect the DNC, and the other interesting thing about working in my role is I don't have to be coy with anybody about the hand I was dealt; it's the subject of books and articles and things like that. So we've been working really hard to continue to evolve, modernize a lot of systems, try to cut technical debt. But not long after I started and got my sea legs, Tom Perez, the chair, made sure I understood that helping the state parties was going to be a very high-leverage thing, and so not just protecting them, but giving them some of the tools to be able to help campaigns as they were starting. Again, there's, you know, how many campaigns are there in any major year? Like a bajillion, up and down the ballot. So it's not just the presidentials that we're worried about; I mean, all the way down to school board and that kind of thing. So the trick for us is to try to figure out how to be high-leverage, and so we did a lot of that work in the midterms. But again, I was just kind of guessing: like, maybe people want a webinar on doing this, maybe we bring in the social media companies and have them do a webinar, I don't know. We're making this stuff up as we go along, and then we took the stuff that we thought resonated with people and then we've really polished that. So we've been really pushing not just the presidential campaigns, but we've gone back, and now we're cycling through all of the presentations, making sure the state parties are aware of this. We now have email blasts that we send out. I didn't have time to talk about this, but we also have this email list that we send out to them to say: if you see anything that's suspicious, please let us know, even if you've dealt with it, even if you've resolved it, even if it was nothing, send us a note, so that we can then think about that in the broader context. Lo and behold, a bunch of people then sent out things thinking, "Ah, this is nothing, but we had this thing." Like, oh, well, a bunch of campaigns are having this thing. Yeah, weird call from Russia, that's weird, okay. The second campaign or state with something, okay, so now you start to see a pattern that they never would have seen. And so we're trying to build up a federation of people who are involved and know how to start asking some of the right questions. I try to respond personally to as many of these alerts as I can get. Even sometimes, I mean, you can probably guess that sometimes they send me their spam. Like, I don't need this, that's okay. "It's suspicious!" Yeah, but they're just trying to sell you, you know, whatever. And so I try to teach them what it is that I look for and try to build up that confidence, so that when something bad happens they really do rope us in. So again, is that like an ironclad strategy with clear deliverables and results? No. But we're trying to take into account that this is a messy, organic system and that we have to start infusing it as best we can. So working with some of these partners is going to help. But yeah, so that's, it's messy, and I just tell you, like, it's messy, it's organic, and the things that I will tell you next year that worked or didn't work will probably surprise me. Like, I think I know what's going to happen, and the one thing I've learned in this job is I will be surprised.

How do you manage candidates that don't look after their own personal security, like their Facebook accounts or whatever they've had up?

You've done something in this space? What, tell me your background.

I work in a corporate environment, with some really awkward executives that might not want to have their own...

So your hypothesis is that senior people in a campaign would kind of have some of the same behaviors as senior people in a corporation. Oh, interesting, interesting theory. So again, I don't have agents on everybody's machines, so I can't tell for sure, but we do try to lean in a little bit. So it's like I'm the personal trainer for the campaigns and for the state parties, and your personal trainer is going to tell you to eat right and don't drink too much and stop smoking and all that stuff. And so I have to find a way to explain, sort of let them understand: I'm here for you. I'm going to give you the same message over and over again, because eating right and exercise, it's kind of what you have to do; I don't know any shortcuts. But I want to build credibility with them so that I can occasionally lean in to figure out what's really going on, to build that trust, so they know I'm not going to narc on them, not going to share information between parties, between campaigns. You know, we have very strict confidentiality rules. So the good news is that we have some good evidence that the senior people are taking it seriously, and I don't know if that's... I'm not going to take credit for that. It may simply be the climate; it may simply be that there are, you know, Mueller reports that come out that happen to pertain to this space, and you don't have that in the industry that you work in. So again, when I said I want to tell you the Yahoo story, even though it's all public, most people don't know it, and telling these larger stories is actually part of that. And so it may be that they're more sensitized; I'm not really sure. But yeah, working with very busy people is very hard. But we work with the security person, we have a point of contact. So we have the top ten things you need to do to run a secure organization, and number one is have somebody in charge. And so for each of the campaigns we have somebody who's in charge that we can work with, and it doesn't have to be somebody who's a cyber security expert; it can simply be a really great project manager who can then go around and make sure that all of the stuff gets done. And so, so far so good. But again, I can't see everything, because they're not remote offices and I'm not headquarters. But so far so good.

Five minutes? Okay, next question.

I have a question about data accumulation, excuse me, about data accumulation by campaigns, and it's kind of a big question.

Say that again? About data accumulation by campaigns?

Yeah. So it's kind of a big question and I'll try and keep it as succinct as I can, but it's not my strong point. It seems like there's a lot of election tech springing up which revolves around political parties and campaigns accumulating as much data as they can on electors so that they can target them as best they can. It seems to happen on all sides of politics, and we just wonder, as a trend, collecting huge amounts of data, cross-referencing it with other data sets: is it something that causes you any concern, in terms of that being potentially a lot of data that will be obtained by someone who shouldn't get it in the end?

Yeah, so thanks for that. So one of the things that I've noticed is that... so, yes, obviously, I'm security, I'm concerned about everything, so if you ask me, "Bob, are you concerned about something?" Of course. So a lot of the data is actually public data, and that's not widely known, and so we sometimes have a mismatch between what is actually private and what is not, and what people's expectation is. Not usually; I mean, you generally speaking know that when you go in and fill out a form to register to vote, that information is used in a certain way; it's given to political parties. But sometimes there's a little bit of a disconnect there. But yeah, I think we continue to need to evolve our thinking in terms of what is PII. You think about this: the notion of "public" has really changed without us having language for it over the last several... you know, since the advent of the internet, we haven't really kept up with our mental models. So it used to be that if you wanted to know how much I paid for my house, you could fly to San Francisco, you could go to City Hall between 10 a.m. and 4 p.m., modulo holidays or people feeling like they didn't want to work that day, so you could go figure it out, you could just ask them. But now we have a world in which you can go figure that out before I exit the door, and it's public information. But those seem very different to me, and so I think there's this larger conversation around what is public, what is not, that we have, and we don't have language really to deal with that. But point taken, yeah.

Oh, sure. And then I think we have one last question.

What I was thinking of is this: there seems to be kind of an explosion of canvassing recording apps, so for instance if I go and knock on your door and I say, "Are you planning on voting for candidate A, B or C?" then after you give me the answer to that question, just one person to another, I'll go and enter that into some of these apps. And so we've got a situation where there's potentially kind of an arms race, I guess, between Dems and Republicans, where we might all agree that that's information that might not be public, but I've given it to a stranger, but maybe we shouldn't be accumulating it. But then on the other hand, we've got both parties wanting to accumulate that information, and the other one probably wants to be the one who says, "Well, we'll accumulate."

Yes. I mean, it's obviously a far more new and nuanced conversation that would have to involve people who actually do the data analytics and the collection and the enrichment of all that stuff. You, as a person who's told somebody who knocks on your door, or somebody who calls you or texts you, telling them that you don't plan to vote for this candidate, or you're not a Democrat, is actually valuable information, because it means we'll stop bugging you. So I think it kind of works both ways. So the last thing you want is every campaign to constantly call you because there's no predictive analytics around whether or not you're going to be amenable to having the conversation. So again, I'm not the data analyst; I don't even play one on TV, to be honest with you. But I think it's one of these things where there are some real benefits to collecting and sharing that information, but you're absolutely right, this is a new world of data, and obviously there have been some high-profile events around data acquisition and manipulation. So yeah, I think we have to continue to be vigilant.

Okay, last question, if any. I think they want you to go to the microphone. It's exciting.

So I hear you have, like, a really awesome vintage crypto collection.

This is true.

So what do you have in your collection, sir?

So I started collecting back at Netscape, which was the company that made the $35 browser, and so I started collecting. My first item was... it's called an M-209, which is an old Army device, many of which were made by the Smith-Corona corporation, and if you think about it, it kind of makes sense, because you need that kind of skill to build, design and roll out something that is a mechanical device. So it has little cipher wheels and you can encrypt and decrypt, and I was just fascinated by this. One of the things I really like about it, now that you asked, and none of you care a damn about this, but one of the things I like about it is when you encrypt, the ciphertext is put into blocks of five characters and then a space and five characters. I thought, that's weird, must be a bug. And then I started researching this and I was like, no, it's not a bug: you need to now give this to the teletype guy who's going to then wireless it via Morse code, and it's just easier than just a long string of characters, so you break it up. But when you decrypt it, it doesn't do that; it actually now looks like regular English text. They put this into hardware! Like, what? That's crazy difficult. And there's all sorts of little flourishes on the thing. So I got the bug, and I fell in with a group of misfit crypto collectors and just started buying a few other things here and there. And to answer the obvious question: yes, I have an Enigma. I know you're all wondering.

Could you... an Enigma?

Okay, I think that's it. So thank you all, thank you for coming. I'm so honored. Oh, really, really, thank you. And please, please, please find a way to contribute. Don't let me do this alone.
