
Cool, thanks. So welcome; this is kind of the last talk we're doing at the I Am The Cavalry track for 2018 at BSides Las Vegas. We do have whiskey; we will pass that around a little bit. In case you missed the opening, this is Cavalry whiskey that one of the Cavalry folks found on a trip, and we thought it was only appropriate, since we gave it away in the opening, to give some away in the closing, because after a couple of days of intense conversation, thinking, debate and learning you might need something stiffer than a beer. The back of it says "To arms, to arms," and that's one of the things we want to do in this conversation right now: give you something to walk away with, so it's not just a bunch of good thought and insight that then all just gets left on the cutting-room floor and, you know, on YouTube somewhere, but actually things that you can pick up, take away and do when you walk out of this room. So it's a continuation, not an end to the conversation, but more of a middle, and then carrying it on into the real-life world.

We've got a handful of folks up here that we invited up to help equip you to be able to do that. We're gonna give them about five minutes each to give, like, a little thing: you know, what can you do when you walk out of this room. We have a couple of folks who built some open-source tools that you can put on your home network to identify IoT products and/or IoT stuff and, potentially, security issues with them, so it's kind of a democratization of security for the home. We've got Travis Moore over there from TechCongress, who you saw earlier today, to give a little pitch on, like, how to get involved and embedded in the public policy world even if you think, you know, you're unqualified or under-qualified to go into Congress; you might have a pathway for you. And then Eli Sugarman with the Hewlett Foundation, who's one of the sponsors of this conference and helped us to make sure we could do Public Ground over in the Platinum, to talk about some of the broader programmatic things that they're trying to do to bridge the gap between technology and public policy.

So I'm gonna hand off to Josh and surprise him, let him say whatever he wants, while I bring the bottle of whiskey around and we all have something to toast with. It is our birthday. Speaking of birthdays, we've been told maybe we should promptly be at the main stage in the main room exactly at 7 o'clock, so we might want to leave a few minutes early to go do that. I can't imagine why. But as some of these
shots of bourbon whiskey are poured, if you weren't here during the opening, we don't want to repeat too much, but there's been some outstanding content. We've had the privilege to have BSides give us this space every year for the five years of our existence; in fact, when we wanted to launch this, when I said we had to get this out of our system, we weren't even on the schedule, and they squeezed us in somehow. We recorded pretty much everything, and some of the sessions, where I wasn't even sure what we were gonna see from them, were really amazing, so please go back and watch many of these things.

But as Bo pushes this out, you know, the idea, if you did come in the middle, was that we were deeply concerned about the relationship between technology and the human condition, but more specifically we were really concerned about public safety, human life, and we kept looking for the adults and couldn't find them. And when you know that no one's gonna come save you, when you know the cavalry isn't coming, the point was it falls to us to be that solution, to step into the void, to fill what was missing. And without being cliché about it, we really didn't know if it was gonna work, right? It could have been like, you know, Custer's Last Stand; it could have been the Charge of the Light Brigade; it could've been, you know, beautiful but terrible. But I think it's really hard to deny, looking back, that we wanted to see could we try a different way that might have different results, and the blueprint works. And as I said in the opening remarks, in the keynote for this, we know over the last five years we've had some pretty profound impact, with your help, with your advocacy, with your ideas. What we really want to figure out isn't just how to keep limping along, but what's the next five years gonna look like. You know, we've resisted forming a 501(c)(3) or 501(c)(6); we've resisted getting too public about our participation and the kind of things we've been doing. But I think for the next step, you know, we've been friends with Eli for a long, long time, and I think one of the insights that we share, and I hope I'm not stealing one of your quotes, but it's my favorite thing you've ever said: there's certain things that the public sector can't do, and you've met many amazing public sector folks, but there's things that the private sector won't do. So what do you do when there's things the public sector can't do but the private sector won't do? That falls to philanthropy, to altruism, to the crazy folks in the Cavalry, right? So with that, you know, optimism and tenacity, I think what we found is we play a really vital role as an error-handling routine for the gap between the public and private partnerships. It's not something that we can own forever; it's not something that's gonna scale. But the question I pose each year, the reason [unclear] on action, was: this cannot be a spectator sport. It can't be "I like what the Cavalry is doing"; it has to be "this is what I'm going to do, this is what I'm going to start, this is what project I'm gonna sign up to lead," because the only way this stuff happens is when you take a leadership role. And you don't have to be an elite hacker; most of the folks that have had the most profound contributions haven't been.

But I'm not gonna keep going; just to remind you of a few highlights. You know, when we started this, I said people will have to die first before we'll get anyone to listen to us, and you've heard from Suzanne Schwartz and FDA and Seth: nobody died before they put in place the postmarket guidance, and nobody died before they started strongly advocating for coordinated vulnerability disclosure, and nobody had died when they did their first safety communication for a bedside infusion pump because it had the potential to take human life. And the day I realized that, wait a second, we've already had an impact before harm, was a day I knew we were on to something. And I'd like to tell you that was our crowning achievement, but I think because of that, teamwork proven true, Suzanne, it energized folks in Congress like Jessica, that you've met, who started saying, wait a second, I like what they're doing here; maybe the automotive regulators should do the same thing, and that got the attention of DHS. We started putting out safety-specific principles, and then that got the attention of the Commerce Department, who said, you know, we should really codify coordinated vulnerability disclosure. And, you know, when you blink you go from people thinking hackers equals criminals to several parts of the federal government right here this week. Last year, what you might not have known is we brought two sitting congressmen to DEF CON for two days; to engage two sitting congressmen for DC to DEF CON, I don't, still to this day, know how Bo pulled that off. But, you know, the idea was to build empathy and trust across the gaps between public sector and private sector.

Hopefully everyone's got a shot glass right now. Please, uh, almost done, get two more. Okay, perfect amount; we planned it that way. All right, so I would like everyone that is of drinking age and willing to raise a glass. The idea was we knew eventually we would figure this stuff out and the world would figure out how to make safer, more trustworthy and reliable devices. So we knew eventually that would happen; that was never the mission here. The mission was: we must be safer sooner by working together. And it's been a privilege to work together with each of you. Thank you.

You can tell the amount of planning that went into this, because we had to calculate the number of people that were going to be in our first session drinking and today's session drinking, and we did it absolutely perfectly. I mean, facts don't lie, right? So I want to turn it over to some of our guests up here on stage. We're going to talk about specific ways that you can put Cavalry intention into kinetic action, with a technical thing, a career thing, and then some broader things that maybe catapult you into a different kind of stratosphere. So, guys, I'll turn it
over to you. You know, I'll get up here and run some slides.

Awesome. Thank you, everybody, for coming, and thank you, Josh. I've been following this project for years; I'm a true believer in I Am The Cavalry. If you actually follow some of my talks in the past, I have warned that, basically, just like he says, nobody's coming. Like, the problem at times is what's available for those of us who want to do something, right? So I decided, me and Joe, we decided to do something. We decided to take some of the principles and the technology that is cutting edge and is right now dominant in Silicon Valley, we decided to put it together in something that you can put at home, and we decided to give it away. So we created Chiron, which is what you're looking at right now, and that is my house. So, for example, that's myself, those are stairs, my house right there. I have around 20 IoT devices, which is very rare, but I work in security research, so I wouldn't ask anybody to do something I wouldn't do myself.

So what we try to do is, basically, we try to create something that grandma can use, and when we talk about grandma we're talking about the lowest common denominator of a user. We wanted to create something that you just put on, you reboot it, and then you browse to it using any type of browser. We created a series of automated tasks. So we use, for example, because we know that technically the best approach is probably to put a tap in certain environments, but we know that's possibly not achievable in the home network, so we usually look at the home network: you have the connection for your modem and then you have the wireless, which is where mainly everything is, your Fire Stick, your TV, your toaster, your refrigerator, everything. So we decided basically to use a couple of tools that do passive capture of information; one of them is p0f, one of them is Bro. So basically, with those two, we added nmap, and with nmap we created cron jobs for all this. So the tool is constantly receiving information and parsing information, and Bro mainly, broken into HTTP [unclear]. The tool will scan your network, slash 24; basically it grabs the DHCP address and then there's a script that says, okay, so if your network is this, then I will pass these parameters to nmap, I will do this every four hours, and then I will post it to Kibana. So we decided to use ELK, which is open source as well. So with that we created a visualization; the visualization basically tells you what's going on in your environment. So you can see on the top right, obviously you need to let it run a little bit, but you can see the traffic, you can see the top active home network IPs, you can see the top destinations. So you can do visualizations with IP; so for example you can see what is an IP from Russia doing connecting to my camera, why is an IP from China connecting to my lock, like my, like my anything, you may have a monitor, camera or whatever, DVR. Actually, you know, if you actually see there, I was able to find out that I had an old VNC ShowMyPC installation at home thanks to Chiron. So I just let it run, just put it on and let it run, and then I see the port for VNC, okay, that probably means I'm compromised. When I looked at it, it was an old install of ShowMyPC that's been there for years and has been pinging back, and I had no idea.

So what happens most of the time to homes is nobody knows what's going on; you have no idea what these things are connecting to. Lately we even heard that they now call the police; apparently there's a case of an Alexa that frantically called the police when somebody was beating somebody down. So we need to know what these things do, and seeing is believing, and showing at least what's going on, even if we say, hey, you have an IP on the other side of the world connecting to your house, this might be something you want to take a look at. The next thing we're going to do is we're going to add open-source vulnerability assessment tools. So for example we're gonna run nmap NSE scans and then we're gonna create this result that says, hey, you have your TV that's vulnerable, for example, or your device has default creds for SSH, right? We have to find a way to make it easier for the end user, boom. But that's our struggle, and that's what we're pursuing. We're pursuing a way to basically put this at home, and then later on, maybe later on, we'll create maybe a cloud, a place where we can basically grab, sanitize this info, because I'm an advocate for privacy, sanitize this info and detect and even predict storms, if you go to the homes. And I'm a person that worked in one of the biggest security operation centers in the world; most of those botnets come from things at home. If you look at VPNFilter even, I had to write a security update on VPNFilter, come to find out all my devices were vulnerable. I was like, oh wait a minute, this is my house. So this is how critical these things are. We're putting all this stuff on the internet; I'm gonna say this again, don't put your toaster on the internet, or your car, or your pacemaker, a pacemaker with Wi-Fi, for God's sake. So this is a way to approach that. This is open source; we can give you access to GitHub, you can modify it however you want, you can add anything you want. You know, at times, some of the technology, we had to fight, you know, previous employers because they were doubtful about what we were gonna put out there. We did it; so that's what we do.

So, Rod, you're taking capabilities that typically would cost multiple millions of dollars in a corporation, the tool sets to do that, and you're making it available to, you know, grandma, grandpa, stay-at-home. Cool. So if somebody wants to get involved and engaged in this project, have you got a GitHub link for them, or some way to get involved?

It's right there.

Cool, so what's that? Just read it out.

So that's github.com/jzadeh/chiron. That's Chiron, like an evolution, like [unclear], so this is kind of thought of, the reason they have teaching tools [unclear].

Yeah, so, like, real quick here, like, getting a little into this, sort of like just the history of how it started. Like, we originally started a couple years ago doing Aktaion, which is, like, basically, it's really...

Can we just put the links in the YouTube video?

Yep, exactly. And then that way people can go cruise that and see it and check it out and basically just start. It, like, starts at github.com/jzadeh, and these are all gonna be in the YouTube video.

So, um, thank you, guys. Next we'll hand it over to Eli Sugarman of the Hewlett Foundation to give us some perspectives and thoughts on how he's
trying to get security researchers engaged.

Well, thank you. Thank you, Bo, and I apologize, or I guess I don't; my talk will be a little less technical. But essentially, the Hewlett Foundation, we're a big private philanthropy, and so we serve a charitable purpose, and my program really focuses on building a cybersecurity field that brings together those with technical expertise, legal expertise, policy expertise, really just acknowledging what the gentlemen were talking about: that digital devices and connected devices are in our lives and they're largely insecure. And so as a society we need to think about this stuff, and it's not getting enough attention at the policy level despite the best efforts of a lot of policy entrepreneurs. And so it's a credit to the Cavalry for really innovating new ways to engage and really have that impact. And so one of the things that the Cyber Initiative at the foundation is trying to do is just find ways to, you know, open the tent up, broaden it out, and really say: if you have a technical background and you really want to get involved in law and policy and regulatory change of the kind that Josh and Bo and, you know, many of you are involved with, there are a lot of different avenues open to you, but they're not always clear. And so what I was hoping to do is just mention a few of them and really just signal that our role is to help build the platform, to help build those channels, so that you can get involved and bring the deep expertise that you have to bear: to sort of work with Travis and his colleagues in Congress to write better laws, to work with the executive branch to pass better regulations, and to work with a lot of the nonprofits who are trying to impact those policies to really have better ideas. Because I think it's fair to say that a lot of the think tanks and a lot of the nonprofits really want to do better when it comes to advocating on tech policy and cyber issues, but they need your help to do so.

So to get a little bit more concrete, I think there are a few things that you can really do when you step out the door to really have an impact. One is you can sort of pursue fellowships and say, I come from more of a technical background, but I want to go serve in government, I want to work on the Hill, I want to go work in a think tank, I want to go work in a nonprofit. And it can be daunting to figure out where those opportunities are, but talk to people like Travis, talk to me; there are lots of others who can help steer you and say these are groups who need your knowledge right now. I know of at least two big think tanks in Washington, DC, who are gonna be advertising jobs where they want people largely like you to come in-house and to help them do better, because they have a lot of, they have a lot of national security, a lot of policy expertise; they really don't have any clue about, frankly, many of the things that were just discussed, let alone how the internet is architected or a lot of the other issues that have been discussed at BSides. So sort of those opportunities to serve, and to really, you know, take a year or two years, a bit of a detour in your career; you can have amazing impact. And just to say that I want to help, if you're interested, to find those opportunities.

Um, you can also do a lot more to write and to educate by leveraging the media. Obviously, you know, you love certain websites, certain Twitter feeds, certain blogs; there are probably others that you know about or might want to read. It's surprisingly easy to actually write and to get your ideas out there. All it takes is a little bit of time and effort to cultivate relationships with those platforms and then adjust the way that you communicate and write, working with them to get your ideas out there. And so another thing is, you know, some of the technical blogs and some of the publications are probably a safer space, but, you know, one example is sort of, you know, the Lawfare blog. They publish a lot on encryption and a lot of issues you may be interested in; they are hungry for authors who have a technical background and come from this community to write for them, because they know that they're weak in that area. So those are a lot of the groups; I think there are media plays there where you can push your ideas out there and shape the debate that way.

And then I think there are ways to just sort of build relationships, right, and this is a lot of what Josh and Bo, I think, have done extremely effectively, where if you can build trust with somebody from a different tribe or a different entity or government stakeholder, oftentimes they get to the point where they'll call you and say, hey, what should I do, what do you think about this; they'll invite you to that conversation that isn't public, and you can just sort of do a brain dump and sort of say, like, have you thought about this, or how about that, do you even know these people. And so I think spending the time to reach out and really help people find their way, whether it's at the conferences happening in Vegas this week or elsewhere, it goes a long way. And again, that's a place where the foundation, TechCongress, I Am The Cavalry can help sort of steer you to those people who may share your interests and may actually be looking for someone like you, even though they didn't even know that you existed. And so all to say that those big policy issues that you know and care about, you can influence them. I know you're already doing a lot of hard work with the Cavalry and with other, you know, sort of nonprofit and volunteer and sort of activist organizations, but I think there are a lot of opportunities. And so I think, just like anything in life, you know, it takes a little bit of research, it takes a little bit of time. The foundation is really honored to support the Cavalry and just help fund BSides and some of their work, because I think they're really setting the example that a lot of other groups should follow but aren't quite there yet. And I'm hoping over time that model is copied by more and more groups that sort of broaden beyond safety to a lot of those other really important areas, but don't really have the sophistication and sort of just the vision that I think a lot of the folks in the room do. So just to say, I want to do anything I can do to help. You can follow me on Twitter at @EliSugarman; you can email me. I don't have slides, but I can make sure that my email address sort of is made available; it's also just esugarman@hewlett.org. And so, you know, thank you again for your time.

All right, thanks, Eli. So now we want to call up Travis Moore, who has already talked about TechCongress a little bit, but we want to capture, like, a nice, quick, succinct five-minute overview of how you can actually get involved, engaged.

Thanks, Bo. So I'm gonna sell you on going to work in Congress. Yeah, we, as Bo and Eli mentioned, we place, and if you saw the panel earlier,
we place technologists to work in one of the places that is most hostile to, but increasingly less so, but is most hostile to technology in the world: the United States Congress. So why are we doing this? There are 3,500 legislative staff in Congress. Who's got a ballpark of how many of those folks are technical? You can't answer if you were at my earlier talk. Zero? You're close, you're actually quite close. Anyone else? Also very close. It's under ten: seven. It was five until last year, and I'm proud to say two of our alumni are the first two technologists hired in the United States Senate. This is a problem for obvious reasons I probably don't need to explain to you. Technology is the infrastructure of our daily lives; it's embedded in everything that we do, and our premise is that decent, functional, independent government requires this expertise in-house. The House and the Senate intelligence committees, which are investigating how Russia meddled in our elections, you want to know how many technical staff they have on hand? Zero. No one that understands computing, forensics or attribution. These are not non-technical things, right? This is not just about a new fun app; this is fundamentally about our democracy, right? And so we are placing technologists in roles where they can have a direct impact.

So one really great example of that: one of our fellows last year, a guy named Chris Soghoian. Chris was at the ACLU before he went into TechCongress. He thought he'd do the fellowship, spend a year in Congress, become a better activist, go back out to civil society, and what he found was that within his first two months he was able to get more done inside Congress than he'd been able to get done in the prior four years. A half-dozen issues he got done right off the bat: he got the Department of Defense to adopt advanced email encryption; he got the Department of Homeland Security to adopt advanced email encryption; he got the Senate and the United States Congress to approve Signal, and he got a half a dozen senators actually using it. He helped break a story about foreign intelligence services using stingray devices in Washington, DC, right by the White House, when the Department of Homeland Security was doing essentially nothing about that. Last fall, when the sexual harassment, when Me Too broke and was taking down multiple members of Congress, he walked over to the Office of Compliance, this is the HR office for the United States Congress, and he said, walk me through how you're storing these sexual harassment [complaints], you know, how are you taking this in, where is it being served, where is it being stored. He found that it was being stored on a random vendor that they were using off-site, extraordinarily minimally secured, no security audits. He had that locked down. By the way, the John Conyers allegations, John Conyers, who was chairman of the Judiciary Committee, nobody knows how that story got out. We had Russia meddle in our 2016 elections; there's no knowing whether or not other intelligence services were meddling in or had access to that information. Just three weeks ago he helped break a story that a leading voting machine manufacturer, this was a company that processed 60% of the ballots in 2006, contrary to all public statements they made prior, was allowing remote access to their voting machines. These are big deals, right? This is a big deal, and it's not just Chris.

If you were here earlier you saw John. John, we brought John in and he's working for Senator Gardner; he is running the Senate Cybersecurity Caucus. He had Bo up about two months ago; they brought in Bo and some other folks, brought in a bunch of IoT devices and hacked them live in front of a bunch of congressional staff to help people understand the vulnerabilities there. So another fellow, Bukky [unclear], working for Senator Udall. Anybody see the stories about the ACLU running portraits of members of Congress through Amazon's facial recognition, right? So she is working on a legislative response to that: maybe we should be thinking more critically about our biometric privacy and whether we should have some sensible limits, or we should be thinking about limits on facial rec. So extraordinarily impactful things, and these folks serve as receptors for all of you all.

So my call to action: we're recruiting right now. We're recruiting for the next 32 days for our next class of fellows for 2019. So I'd ask three things of you. One is, if you have ever had an inkling that you think you might want to work in government, apply. If you don't want to apply, everybody in this room has some friend that gets really riled up when we talk about politics, that is really engaged in political conversation; nominate them. So techcongress.io/nominate; please nominate them. Every single fellow that we've had to date has come from a personal referral, and so we treat this, this community can help us send our next set. So if you have someone, everybody in here probably has someone they can think of, nominate them. Third, if you can't be bothered to do that, go to our Twitter, @congressfellows, retweet our application announcement; it's pinned to the top of our page. That may sound insignificant, but getting the word out is hugely, hugely important. So that's it. No experience in government? That doesn't matter; what we do is we provide a really, really great education into how government works. It's a tour of duty, it's one year, we pay 80K, which is a huge pay cut for probably most of you, but I can guarantee you it is an extraordinarily meaningful and impactful experience. And so if you know anyone, come find me; my email is all over our website, travis@techcongress.io. But we need help finding great candidates, so send them to us, and if you think you might be interested, please apply yourself. Thanks.

[Applause]

Thanks, Travis. So you've had two days of content, or enough to fill up a substantial portion of YouTube's bucket for the month. We
wanted to now flip from us talking to you to you guys telling some of maybe your favorite moments in the last five years, or some of the things that you look at and you're like, wow, that's kind of cool, I can't believe that happened, or some ideas for what to do next, where to go. Five years in, we're a little bit at a crossroads, and so we need to have help from the folks who are gonna pick this up and continue it on and keep going for the next five years, because, you know, people change, times change, and we need to broaden our number of people contributing and helping. So I want to throw it out to the crowd. We've got a portable mic here; we're running around and will hand it off to you, and you guys can tell us what you're thinking, maybe something you saw today or yesterday that just lit your brain up like a Christmas tree and got you stimulated and you want to talk about it. I've got one, can you run [the mic]?

So I really want to thank everyone up there. I get a lot of hope from the I Am The Cavalry movement. I think, you mentioned this a little bit, but have you considered taking money, and considered incorporating or forming that formal structure, obtaining funds? You've done great work with a shoestring, and I hope everyone's taking care of their health and, you know, we're checking in about burnout; that's obviously really important. But I can't help but think that with a little bit of funding this could work even better, perhaps?

Yeah, it's a good question. We've thought a lot about taking funding, not taking funding. One of the nice things about the existing structure that we have is that we're truly independent. You know, it's free time, spare time stuff. That gives us kind of a different status in DC and when we go to talk to companies and different things than if we were, like, an advocacy group or a lobbying group or a professional, or any of the other kind of nonprofit statuses that you could have. There's different trade-offs to it. I think, you know, so far we've kind of erred on the side of maintaining that independence, that volunteer status, but it is getting to the point where it's tough to get any bigger and do any more without having some kind of support infrastructure. That might mean incorporating; it might mean teaming up with some other partners who are already incorporated and doing things in the same kind of area, you know, folks like Eli and Hewlett, folks like Travis and TechCongress, where we can work on small projects together, and again in a fully volunteer fashion, but they provide the support infrastructure to be able to scale
something bigger and make it kind of blow up. So, all really good questions; if you've got any specific ideas, let's catch up over a beer and we can talk about it.

Yeah, where do we begin? You've probably been so much of a mentor to me, actually, as a regulator, just to see how you guys conduct yourselves, professionalism and leading with empathy, how you converse with people and get people to understand what you're saying, taking a technical subject matter and making it understandable. So it's been extremely powerful as a federal regulator, and maybe made me better, and also to know that you guys are out there doing what you do. I struggle on a daily basis to feel like I'm making an impact, and I think that we are making an impact, but while I am struggling, to know that you guys are out there doing and struggling as well, I think that's hugely important. So I think we're all working towards the same goal from different angles, so we should struggle more, so just to know that, you know, we struggle; these are weighty, weighty issues, and maybe I feel kind of selfish because you guys are dealing with other industries like automotive, so why should we be complaining about medical devices, or, you know, the issues around medical devices. But I just wanted to thank you for your leadership and kindness and showing us that empathy can be such a powerful tool. Thank you.

And one of the, I think, highlights of our past few years has been working with folks like you at FDA as well as other places that really want to be safer sooner together. It's not just a tagline, it's an actual thing that we can do, and I think rather than being frustrated in isolation or struggling in isolation, it's really true that teaming up together, we might struggle together, but hopefully the individual struggle is a little bit less and the effect is a little bit more. In the back.

So I really appreciate the presentations, specifically the gentleman from the UK, and basically the three principles of IoT. It's like, hey, if you're not doing these three things, you're just done, which is awesome. And in my role I have an opportunity to tweak at some folks who are doing stuff in the electric sector, so I look forward to repurposing these themes, and when people come up to say, what do we do about IoT, you say, hey, here's a list, it's super easy, there's three things on there; the manufacturer, I don't care who it is, if they're not doing these three things it's time to talk to somebody else. Super easy. But I appreciate the software tool, one that you can give to your grandma, you know, in a portable thing, you can click on it, that'd be awesome. But I wanted to thank Bo, I wanted to thank you, and I want to thank Josh for the five years that you've invested into this, and I wanted to tell you that I appreciate it. It's a nuanced message, I Am The Cavalry, and I very much appreciate our government partners who are here with us right now, even though it's 10 o'clock in Washington, DC, but that's okay, you're here with us right now. And I Am The Cavalry, it's not a swipe, it is not a swipe at our government partners. I appreciate that you're here with us; it's helping all of us understand that we ourselves have a role to accomplish in terms of sustainability and surviving and moving forward, and to do so in partnership with the government, with academia, with trade associations, with trusts and investors like Hewlett and others who are focused on, you know, preserving freedom and life as we know it. So I appreciate your message; let's go another five years. Thank you.

And, uh, we've got about thirty more, time for about 30 more seconds if somebody has one last thing, and then we'll adjourn to the closing ceremonies over here.

Information security became a focus of mine about a year ago, and during that time I've seen responsible vulnerability disclosure be the standard, so from my perspective you've made an
impact like that's my normal mode if I don't see people doing that I'm like what's wrong with them because I get it together guys - thank you yeah thank you and that's really interesting perspective for some of us you know old crusty hackers we forget that there's young blood coming up that doesn't know any way other than what has been put in place in last years so I'm very very happy to have been part of making that change happened to where you just grow up in this world it took a lot of hard fighting on our part but now if that's the if that's your only reality that you know that's kind of cool but when I
tried to check our top five and we forgot more things than then we remembered but I struggle with what was my favorite moment was it killing three people and the ER hacking simulations in Arizona was it getting two congressmen to come to Def Con last year was it you know testifying on a bill I helped construct to do things like basic cyber hygiene for IOT devices and I think my favorite thing is getting to work with incredible people like like Bo woods and general so I think my favorite part of this is a friendship by for Bo I'm like a mob [Applause]