
Damn kids. They're all alike. … we have a date with history

BSides Lisbon · 2015 · 27:29 · 194 views · Published 2015-07
About this talk
“Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.” - The Mentor, January 8th 1986

Today we’re almost 30 years after The Mentor wrote “The Conscience of a Hacker” and 45 years after Willis H. Ware wrote “Security Controls Report” for the American government. As an industry we are on the verge of no longer being able to claim immaturity. As a community we are way past that stage. This talk will cut deep into our community, the problems we are responsible for resolving, the industry we have a relationship with, and our way ahead. Join me in a fast-paced analysis of where we are, how we got to this place, and how we’re going to get out of here through an interesting yet treacherous journey. After all, we’re all alike and we’re in this together.
Transcript [en]

here because BruCON is a sponsor of the conference. BruCON is a conference in Belgium that I organize together with a lot of other people, including Xavier, who is in the front and who didn't expect to be called out. By the way, if you're standing up, there are still seats here in the front. So if you want to sit you can just move here. I was thinking about doing either a technical talk or doing a talk more about what I think about the industry, the community and how we move forward. And I think the latter is more relevant right now. Because as an industry, as a community, we're challenged almost every day. We look at governments that are looking to

regulate what we are doing. We have to make a difference between what the industry and what the community is. So there'll be a lot of dead people in my talk, unfortunately. But mostly ideas and ways that I think about the community, and I hope I share some insight with you. First I want to mention BSides as an organization, Jack Daniel and the team that came up with it. I think they deserve a round of applause as well, because they manage to gather people around the globe around the central idea that is BSides, which is sharing information. And I think the key of that needs to be the message for today as well. Share as much information, learn, and like Tiago said, have fun, right?

So the first guy I want to touch upon, who's familiar with Len Sassaman? Who knows him? So that's very few people. It's exactly today, four years ago, that we lost Len. He died in Leuven in Belgium. And I think more people need to be familiar with what he represented and also his heritage. He's not here anymore, but there's a lot of legacy that we still use on a daily basis. He was one of the key developers of GNU Privacy Guard, GPG. He worked for Symantec, he co-developed GPG, he's done a lot of research. He was involved in the research with Dan Kaminsky around DNS.

I think it's important that we as a community, often we just look forward and we just know who we are, but we don't often look back and look at the giants on whose shoulders we stand. Does that make sense to you? I think there's a lot of people that have done research before us, and we see a lot of people talk now at conferences pretending they did something new, but there's a lot of research before that that we need to recognize, and people like Len have contributed a lot to what we do today.

So I want to start with the Hacker Manifesto, and I hope everybody is familiar with the Hacker Manifesto. If you're not familiar with it and you want to read it later, Tiago has it that will on his back, so you can ask him to address and he will gladly show it to you. I wanted to take some words out of the Hacker Manifesto because you are familiar with it, but I wanted to think a little bit about what those words mean today. Obviously the Hacker Manifesto was written in 1986, so what it means today is probably relevant. It's definitely relevant for me. The first thing that he says is "my crime is that of curiosity". And what does curiosity mean? For me it doesn't mean

that we just break shit for breaking shit. It's obviously fun to break shit, but for me it has to have a meaning. I think as a group here, the fact that you're here, it means that you share curiosity. But it definitely needs to be targeted. It needs to have relevance for society, for your group, for yourself. But I think the main thing is that the curiosity is not something that damages, but that moves us forward as a group, as a community and as a society. Then something I've been thinking about for the last year: he says "judging people by what they say and think, not what they look like". In our community we've been attacking a lot of

women, even children. We had a keynote speaker that spoke at a lot of conferences in the past few months. He's nine years old, and a lot of people criticized him because he's not relevant for our community. But I still think that people like that contribute to our community. And we should be very thoughtful before we criticize somebody. And thinking back to Len as well, Len suffered from depression and that basically led to his death. We have to realize that everybody in this room has a story, and we don't know that story, right? I don't know if somebody's mother died, if somebody's sister, or they've been arrested by police or whatever. Everybody has a story, and we have to recognize that that story exists and not judge people just by

what we observe from them. We can learn from everybody, and we don't have to judge the people that we are working with or that we encounter in this community. Then he also says, "my crime is that of outsmarting you". And that goes a little bit back to what I said about curiosity. I don't think what we do as security professionals and as hackers, I don't call myself a hacker, the community in itself recognizes itself as hackers. "Our crime is that of outsmarting you." I don't think it's just about outsmarting people. It's not proving that you're smarter than somebody, but using your brains and the skills that you have to advance society and advance community. It's not just

to damage stuff, we're not graffiti artists, we're not... In the end, we as a community are not criminals. We go home, at the end of the day we have a family, we have friends, we have a life. It's not just about being smarter and being proud of being smarter, it's about using your brains to advance society again. Then he also says, "I am a hacker". And like I said, I myself don't always identify as a hacker, because I think there's people that are much smarter than me, that are much more of a hacker than I am. But what does being a hacker mean? What does that mean to you? Again, I think being a hacker means that

you want to use systems or want to look at how systems work or how they shouldn't work, right? You use the features of the systems, of the things that you test, that you research, to have a positive influence. I think we as a community need to be more positive about what we do, and we need to reach out more to society and to the people that actually need us. It's not just... Everybody today is sharing information with big companies, they don't know what their privacy means anymore, and we as a group have a keen understanding of that. And I think we as a group can contribute to that, to society. So being a hacker, you have to be

really mindful. It's not just a badge that you put on and be proud of, and as a guy probably who girls with, because nowadays people are very impressed with what you do. It's a huge responsibility, right? At least to me it is. One of the problems I've identified is the difference between community and industry. Back in the day when I started and when most of the, okay I'm old, that's good. When the old people started, there was a security community and there was a security industry. You had the Check Points, you had the Ciscos, you had the Symantecs, the McAfees, and there was a very small overlap, because the community in itself did a lot of work

on its own for free, and they did research, there were conferences that were organized like CCC in Europe, like DEF CON in the US, but it's not...

like that anymore. Nowadays, the community and the industry overlap a lot. And that brings a lot of problems in how we communicate. Nowadays, I work for Rapid7 as a day job. There are people that work for McAfee, there are people that work as an independent consultant. Everybody has their own master to serve. And that impacts how we communicate. I think as a community we need to make sure that everybody understands. If I have a discussion with you about a hack or about a vulnerability, you shouldn't bring in my employer. When I'm here at BSides Lisbon or at a conference, or when I communicate with you on the internet through Twitter or Facebook or

whatever, I am myself and I don't represent my company. But nowadays a lot of people will see that overlap, and when the argument doesn't go the way they want it to go, they will bring in the employer. They will say, well, you work at McAfee, your opinion is invalid, or whatever. I think we need to make a really clear distinction, and that distinction is the only way that our industry or our community will survive. I think it's very important to make that point. Now, who's familiar with these guys? Yeah. So they all testified before Congress in 1998, and it has to be understood that they were hackers, just like you and I. Well, just like everybody in

the room, they were hackers. And they were invited to testify before Congress, and they painted a very dark picture of where security would go. Unfortunately, Congress didn't listen in 1998. Now it's 2015, and finally the US government is listening. The guy in the middle there just joined the White House, and he's gonna work on a project there to regulate security. I don't know how it will go. It's very important to recognize that even though

they had their hacker group, the L0pht, they now all work for very reputable companies or even government organizations. The one in the middle, he worked for DARPA, he went to Google afterwards, he's now working for the White House. The guy next to him, he's now the founder of Veracode. So they move forward, and we as a community, we as hackers, need to move forward as well. We cannot always remain kids. We need to take our responsibilities, we will start working for companies and actually use our skills for good.

Somebody else, I told you there were going to be a lot of dead people in my slides. Barnaby Jack is a former colleague of mine, he died in 2013.

And everybody knows him from the ATM hacks and the insulin pumps and the pacemaker hacks, right? But he was much more than that. And that's why I have him in my slide deck. We always experience people very superficially. We look at what they have brought to the surface, how they presented at Black Hat and how they were awesome. But they were even more awesome in the undercurrents of the security industry. Barnaby Jack contributed a lot of research before he even stood on the Black Hat stage. And I think the importance of what we do is not by standing on a stage like I do today, or like Barnaby did at Black Hat, or people do at DEF CON. It's about how we contribute in an unselfish

way. I think we need to be much more unselfish and also not make rock stars. In the community we discuss a lot about rock stars and people that are, again, very selfish. We perceive them as selfish. But I believe strongly that the community creates them, they're rock stars themselves. If you look at people like Dan Geer, Dan Kaminsky, they don't desire to be a rock star. They desire to be a person just like you and me. And in the end they are like that. If you approach people like that at a conference, they will be very nice to you, and they will share information, share knowledge all the time. But we shouldn't make rock stars of our smart people. By making rock stars of

smart people, we are basically bringing them down. Now, is there anybody that has studied economics or is in finance? Okay, here is a question for you. Do you know the MONIAC computer? No.

I want to bring this up in my recent talks. The MONIAC computer is basically a simulator for an economy. The guy on my left, your right, his name is William or Bill Phillips. His story is very interesting, and it illustrates for me what a hacker really is. He wasn't even involved in computers. When he grew up, his father had a farm, and he really wanted to go to university. But when he wanted to go to university, the huge crash in the New York Stock Exchange happened, and even though he was far away from New York, his father couldn't afford to send him to university. So he's from New Zealand, and instead of going to university, he started working in Australia. He

became a cinema manager, he did a lot of odd jobs, just made his money, he did a lot of small things. And then he ended up in China. And when he ended up in China, it was just around the moment when Japan invaded China. So he ran away until he could no longer run away. And he became a prisoner of war. So when he was a prisoner of war, instead of using all the skills that he had gathered by doing all those odd jobs for himself, he started working for the people that he was captive with. So the fellow prisoners became very cold, so he made heating devices. He had no engineering degree whatsoever, but he found a way to make heating devices and basically how

to help people survive the prison camp. Then obviously he survived that as well, and then somehow he ended up in London and went to the London School of Economics, and that's where he invented the MONIAC, which again is, they call it a computer, but it's just a lot of recipients that are connected with tubes, and there are valves, and it simulates, when you inject money in a certain part of the economy, how that affects the other parts of the economy. And that to me is what a hacker means, right? Everybody knew those systems, he just found a way to represent them in a model and in a computer.

That model is still used, the computer you can see in a lot of places, and he won a lot of prizes for his work. But he started from scratch, being a farmer boy, to becoming one of the biggest influences in economics around the world. Now, does anybody recognize this?

So we often say that security is a new industry. This is a threat model that you can find in what they call the Ware report, W-A-R-E. And the Ware report basically is a report that was mandated by the US government when they went from single-use computers to multi-use computers. And if you look at this threat model, it includes everything that we still have today. It's very important to realize that what we do today started more than 40 years ago. The report was released I think in 1972 or something. You can find it online. Nowadays there's a lot of companies focusing on the human threat, the insider threat. You see that back in the 70s, they had

the operator, they had the maintenance man, they had a system programmer. So everybody was really already identified. All the issues that exist with multi-use computers, the issues we face today, are still relevant today, and we're still doing the same things. So that goes back to my original point where I said that we have to be mindful of what has come before us. Even going back as far as 1970, reading the Ware report is very useful as a hacker, as a security researcher, to understand where we come from. And not only the people I mentioned in my talk are important, there's much more people that are relevant for your research. Now, we come to today.

So I was talking yesterday to somebody at the dinner. We were discussing how Australia wants to ban teaching cryptography. So the government in Australia really wants to prevent people from learning about cryptography, because that makes it much harder for them to get criminals. Obviously, when nobody knows about cryptography, only the criminals are going to use cryptography. I think everybody should have access to cryptography, and I think it's a bad precedent that Australia would want to do something like that. We also know that the USA wants cryptographic back doors, and of all people, the now CSO of Facebook, former CSO of Yahoo, is the one battling the fiercest about it. But we have to be aware that

governments want to do this. It's not directly us as individuals that need to battle against it, but if you have something to contribute to the forces that try to influence the government now, I think it's time to step up and actually contribute to that. We also see that the UK wants to limit access to strong crypto. So the UK really wants strong crypto to be basically unavailable to the general public. And they want to regulate who can have access to strong crypto. I think that's a bad way we're going to do that. If you look at things like the Wassenaar Arrangement, both the US government and the EU government are looking at dual use and seeing basically exploits and

security research as a weapon. So nowadays what you do is seen as a weapon. What you know is seen as a weapon. And you as an individual, or we as a community, start to be seen as a threat. I think we have to be cognizant of what is going on and think about how we as a community can be more positive to the world again. Obviously in this room there's probably a lot of hackers, security researchers, but there's also professionals that look to understand and to learn about what we do. And as a community I think we need to come together more. That's also why we organize BruCON. It brings together professionals and researchers, individuals, but it's important to be open to that and not to look at

the outsiders of this community as stupid people or people that don't want to learn. I really feel that organizations want to learn and want to be more secure. You see a big trend from being compliant to being secure. In the past there was a lot of focus on things like PCI DSS, ISO 27000 compliance, but a lot of organizations now are moving away and really looking more into security. And the funny part about all those Western countries doing this, what is the country that you always hear about that is the biggest threat in the world? China. Okay. So, data is not always relevant. But this is the BGP ranking project from the Luxembourg CERT. The Luxembourg CERT basically takes

all the IP ranges that are announced by BGP, in the BGP network, and they link those to known threat databases. So you have a database of C&C servers, you have SMTP blacklists, you have SSH blacklists. And if you look at that, I would like to say that green are the biggest threats or the most threats in their networks, but it's obviously the red ones. And I have to be cognizant of the fact that data is not always representative. This is a very funny graphic if you talk about China, and it proves that there's a lot of threats coming from the US, from Russia, from Brazil even. But you have to know that the two top networks with threats are actually Asian.

There's one in Hong Kong, there's one in China that are in the top 10 of the individual networks. We have to take all the data together, and the US, Russia, Brazil are the biggest threats on the internet. Now,

instead of looking at exploits and security research as a threat, I like to think about how organizations work. In the US, or even in any country, if you book one invoice wrong, or you do something wrong with your accountancy, you're gonna be sued. You're gonna be fined. If you sell a donut that makes somebody sick, or that makes a lot of people sick, you will get a class action suit against you, and you will pay a lot of money. If you clean the floor in a hotel and somebody falls, they don't even have to break their leg, you will be sued by that person. But if you release insecure code to the world, nobody says anything. And I think when we talk

about that, releasing insecure code to the world is to a certain extent understandable, because we as security professionals always want everything to be 100% secure, but we cannot expect that from organizations. At the end of the day, an organization needs to be making money. They need to release products that people pay for so they can create the next version of the product. But in the end, you have to work with security research, you have to work together, and you have to be accountable for what you put out in the world. If you create a product that people rely on for their lives, whether it's a pacemaker, whether it's a vehicle, whether it's software that companies use for their accountancy, you have to be accountable for

what you put out there. And obviously it's going to cost something, but you have to be accountable for that. Accountability should be part of the cost structure. And there will always be a discussion that the extra cost of doing security will be paid for by the consumer. But that doesn't always have to be the case. I think organizations make more than enough money to pay relative prices for security research. So I would call on organizations to work more with security researchers. Recently we've seen a lot of what we call bug bounties coming up, where researchers are paid through a third party. It's often run separately from the organization. But I think it's a very good step forward and something that needs

to be explored more. I'm not sure if T-shirts and gadgets are things that don't fit people to actually disclose what they find in systems. I don't have T-shirts at home, so I don't... I would not submit an exploit for a T-shirt. But I don't think money alone is a motivator as well. I think we need to be recognized as smart people, we need to be paid the right amount of money for what we contribute. But there is a soft spot where we can meet, and where the community can work together with companies to actually solve security problems.

Now going back to everything I said, it would sound like the world is burning, but at heart I still want to be a happy person. I don't want to be cynical about what we do, about how the world is evolving. So I think all challenges that we see today with governments, with organizations, as a community, are actually opportunities to become better. We have to understand that people like the L0pht that I presented in my talk have moved forward from being a closed hacker group somewhere in a basement in Boston to becoming actual professionals. And I think all of us can do that in our own way. We have to understand what we want to do, but also what we want our legacy to be.

If we look at people like, for instance, Len Sassaman, even though he's no longer there, if you look at his research, there is research that he did years ago that still impacts you as an individual today. And I think for myself, I often ask myself, what do I want to leave behind when I'm done,

or when I'm gone? I don't hope it happens tomorrow, but maybe some other people hope that. I think we have to be mindful of what we as individuals, as a group, can contribute to society in the end. And that's a message I want to give for today as well. Let us work together, let us share knowledge, let us be one community today at BSides Lisbon. And with that, I've said everything I wanted to say.