
All right, cool. Hi everyone, my name's Dominic Rolo and I'm going to be presenting today. My talk is called "A Place to Hang Our Hats." It's about security community and culture. Feel free to tweet at me. I don't really check my Twitter, but if you want to insult me and feel better about yourself, or leave any kind of feedback, or tell me how cute I look in my corporate shill shirt, you can let me know on there; I'm at atot Dominic. So let's get started, because these things tend to run kind of long. A little bit of disclosure first: as I said, I'm a corporate shill. I work at Duo
Security out of Ann Arbor, Michigan, so everything I'm saying is lies and you can't take anything seriously, because I'm trying to sell you something all the time. I'm actually an intern. I'm only 21. This is my first ever con, visiting or speaking. It's my first time in Vegas, being 21; yeah, it's been pretty exciting. I was hoping not to have a Hangover moment this morning and end up in the middle of the desert, but I'm here, so I'm very happy to be here. I go to the University of Michigan; I'm a third-year computer science student there. A little bit of background on myself: I am kind of a noob, I'm
gonna be honest. The first time I used the internet was in 1999 to get onto neopets.com, a cool website my sister showed me where you could play with toy animals online. So I'm not really an old-school BBS guy, I never fiddled with a modem, so I come in with a very unique perspective. What I want to bring to BSides is a talk about what security community and culture look like to somebody who's completely an outsider, somebody who didn't know what Phrack was until their boss berated them for a half hour over lunch about not knowing what Phrack was. So that's the kind of experience I wanted to
bring to this con. It's easy to say, like, oh, kids these days don't know what they're talking about, or script kiddies don't know what they're doing, so I took some time to figure out what has been going on the past 15, 20 years in the security community. Where I started: I started out on a research project at the University of Michigan called the Cyber Warfare History Project, and if the word "cyber" is throwing up a red flag for you, I've gotten to that point too. What that involved was reading every New York Times and Washington Post article ever with the word "cyber" in it and
looking for ones about cyber warfare and logging the experts and the actors mentioned in them. So that was very interesting. It went back actually all the way to the '70s, and you have all this ridiculous stuff in there that I would never think to speak on as an authority now, because it's so untrue and it's so exaggerated by the media. But it was really interesting and it got my interest piqued in the infosec community in general. And so I've kind of moved on; I'm kind of a noob expert now, so I'm like an elite noob. I know all about logic bombs, I'm a pretty smart dude. But
I think it's really interesting. If you're looking at all the media reporting on the infosec community up to the '90s and the early 2000s, before people realized how much money they could make off the security community and Forbes started talking about every data breach, it was this idea of the lone wolf hacker, or the group that's hacking, and they're going to take down the entire internet, and they're going to bonk MAE East and MAE West, and then we're all going to die in flames. So reading this kind of stuff as a total outsider, you kind of think this is true, and you do get scared and
you do get spooked, and it's so ridiculous now at this point thinking about that. But if we take a look at the narrative here, we're kind of like, okay, yeah, sure, that's totally accurate, no one thinks that's inaccurate. So I wrote up a little algorithm on whether reporting is good, on infosec reporting, and my thoughts on it are: we can talk a lot about the failings of the media. We can talk about how people who are writing articles about technology aren't tech literate; they're more interested in making a fast news day than they're interested in
reporting accurate facts. A lot of media reporting is getting people to click on your clickbait, so you can throw out some headline that's "Russian hackers have 1.2 billion passwords," and it doesn't matter if they've cracked the hashes, we'll just throw that out there because that will get you scared into changing all your passwords and make you click on our link. So there are some pretty big fundamental problems with the way that hacking and hacking groups are reported on in the media. Sidebar: in this presentation I'm going to try my best to avoid the terms that I've been told not to use. So "cyber"; "console cowboy" was one of my favorites, I thought that's
what everyone called themselves, but apparently not; "authentification" is not a thing, go figure; and then "cracker," just to avoid any slur confusion. Also "cyber Pearl Harbor." I have to say, of everything I did doing all my research for this talk, reading about Leon Panetta declaring the big risk of a cyber Pearl Harbor was maybe my favorite. So if we look at actual groups and forces behind, I guess, driving security culture, one of the big ones that people of the time, or people who came afterwards, have read about or know about is LOD and MOD, right? This was all over the news, this was all
over 2600 meetings and the BBS boards. This was a big feud that apparently wasn't a feud, where people were hacking back and forth, and it kind of set off the media firestorm of, oh look, we can say cyber conflicts are like gangs; oh, they have gangs, they have names, they're calling themselves after supervillains. So it became very easy to sensationalize in the media. The DOJ going after young guys who were using the internet maybe not for totally nefarious purposes but to try to get as much information as they could was also a precursor to the
craze over hacking and hackers. And then moving into the 2000s you have groups like LulzSec and Anonymous throwing flame wars at people, taking down their websites; you have the Syrian Electronic Army; you have groups like w00w00, the L0pht, and whichever group you think is egregious that I didn't talk about specifically, at least from a media perspective epitomizing this idea that, oh, our kids are getting together and taking down websites and hurting the economy, when that actually wasn't necessarily what was always going on. So this is my guiding question for the rest of the presentation, and it's: are we seeing significant changes
and declines in hacker culture and in the size of the hacking community? And I'm talking about not somebody running scripts to try to steal your credit card, or somebody copying a DEF CON talk to try to skim their local ATM; I'm talking about people who contribute information and share information across the community, and is that community decreasing, at least in the number of people who are open and totally in it just to share information? So here's my proposal, that growth in... oh man, excellent, sorry guys. As an intern I've had about 13 different kinds
of software installed on my computer and phone to make sure I don't get owned, so that's the first of many, probably. So growth in the security community has changed values and its makeup, and the growth I'm talking about specifically is corporate growth: growth of so-called white hat or pentesting organizations, of, you know, why would you be in a hacker collective or a hacker group when you could just be in a sort of corporate group making money off of it; growth in law enforcement, they're never quite ahead of the curve, but at least awareness of what they can prosecute and expanded powers
of what they can prosecute; and then growth in the population of the field in general has made there so many actors that there aren't really these heroic groups anymore that you see and you're like, oh, these are the big hacker groups, so people don't associate with each other as much. So let's dive into that; if you think that's total bull I'd love to hear about it. So this is a map from the Department of, excuse me, the Bureau of Labor Statistics, and these are security analysts by state, except for Wyoming, because apparently there aren't computers in Wyoming anymore. So this is as of May 2013, of people
who self-identified as being security analysts. So as you can see, states with larger populations, and it's not surprising, the distribution of people working in the security industry. So you do see, you know, not concentrations in states that have huge natural resources like Montana, Idaho, North Dakota, South Dakota, and you do see a lot in these traditional tech-savvy market states. And as far as salary is concerned, it's a very similar picture, right? So you're going to see a lot of people working in this infosec community in big states like California, Washington; you have a lot in New Mexico, Illinois, and then around the DC area and up
the tech belt on the East Coast, which is really unsurprising: that the states, excuse me, that have the highest mean wages for the infosec community are the ones that are often associated with the tech community in general. So what I took from this is that a lot of people who work in and around tech and have been working in and around hacking traditionally are staying in the same areas, and they're working for companies now, because there haven't been this many people making money off the infosec community, making this much money off the infosec community, instead of hanging around on Friday nights
with their friends trying to break into a mob system. Another interesting corollary is that the map of where the concentrations of mean incomes are highest for infosec workers is pretty similar to some of the early ARPANET maps, right? So you have a lot of places that are focused around big research universities, like Stanford, like Northwestern, University of Chicago, like UVA. So all of these states that have the best people in infosec are also where a lot of the earliest people using computers and trying to hack into networks were. So I thought that was really interesting. It's not proof, it's just interesting. So another field of growth we've seen is
the FBI. So the FBI has seen over 350% growth in its support staff over the period of the '90s. So the '90s is, depending on who you ask, a time when the internet started to come in and hacking became less of a wild west than it was. Obviously, if you ask somebody who started in the '90s they'd say, oh, the '90s was when the Wild West started; you talk to somebody who was out at MIT in the '70s, they'd say, oh, the '70s were the wild west. But you saw significant growth in the intelligence officers who are non-field, so this isn't like Mulder
and Scully; these are the people sitting behind the computers supplying information. So the demand for intelligence workers who can use computers effectively has gone up, as well as their resources to pursue people who are operating outside the law using those same kinds of techniques. Also, the FBI during this period had very important jobs like chasing down dangerous gangs like the Juggalos, who were classified as a gang by the FBI. We've also seen huge growth in the NSA over the past decade. That's General Keith Alexander, his personal portrait right there. But 11,000 new employees were hired over the decade plus three years, so that's a
baker's dozen years. But the Fort Meade facility, where the NSA's located, is actually now larger than the Pentagon, and the budget has doubled over that same time period. Something that was very interesting to me too is that the number of private contracting companies has gotten much larger. Looking at the most recent numbers, it's almost tripled since before 9/11, so you're looking at somewhere from 600 to 700 private contracting companies alone for the NSA. And I think that's interesting, because again we're looking at companies that are hiring people who are doing infosec; even if you're not specifically doing crypto, if you're working for the NSA you're going to need a staff
of security people if you're a private contractor. And I don't think that's ever gone badly for anyone; I don't think anyone's ever had a private contractor go rogue on them for the NSA. So, pretty profitable fields. My C-W word is up there again, I'm sorry about that, but this is a graph of what has been prosecuted or identified as cyber crime, and these are from the IC3 reports. What I think is really interesting is if you look at the time period over which it's exploded into some exponential growth (oh yeah, cyber cyber cyber, that was my apology), you'll see it coincides with
some of the strengthening and original passing of a lot of these laws targeted at cyber crimes, right? So you have the CFAA, you have the USA PATRIOT Act, which was mind-blowing to figure out that that's actually an acronym. Some poor congressional intern had to come up with language to hop over to make "USA PATRIOT" an acronym; probably a pretty strong backronym. So if you think about the time period in which these started to be enforced by federal judges, it's not that there are a lot more people hacking over this period, it's that suddenly businesses are saying, hey, we can report this for a loss, hey, we can
collect insurance on this, let's report it as a crime, because we actually know that it's going on too, it's not going undetected in our systems. And, yeah, so on the left is the graph of prosecutions in federal court under the CFAA, and a big example is Guccifer on the right. So for those of you that don't know, he was pretty leet and he got into some AOL email accounts associated with the Bush family and he released some of George Bush's personal oil paintings. So this is the homie Vladimir Putin right here in a pretty accurate depiction. So the
punishment versus the rewards of being associated with hacking in groups has decreased greatly over this period. So if we're looking at this, we've seen a big boom of infosec jobs, of tools that we have; more people are relying on security infrastructure, and to be frank a lot of people are relying on poor security infrastructure; disclosure has become more frequent. So wouldn't we expect to see more hacking collectives like the L0pht? Wouldn't we expect to see a resurgence of the hacker group as a part of the mainstream culture? Something I think that takes away from that is this idea of cyber crime,
so organized crime syndicates, and even state sponsors, have taken on a lot of hackers as assets. Big examples are coming out of Eastern Europe. I actually had a conversation with somebody out of the FBI Chicago field office, and I was asking him, what do you guys see as your biggest threats in the infosec community, and he's saying organized crime in Russia, because it's organized by the Russian, Eastern European oligarchy and we can't do anything to touch them unless they end up in Spain or a country that will extradite them to us. So we see this almost gladiatorial backing of
specific hackers or hacking groups by very strong organizations; that's kind of taken down the level of cowboys of the internet. You've also seen growth in a lot of tools that are anonymity-focused, which disincentivizes strong, open group collaboration, which seems counterintuitive, but every time a new tool comes up it's usually less than a year before a big gaping vulnerability is exposed, and people who have been in the realm for a while know that, look at LulzSec, you need one leak for your whole ship to go down. So it's very hard to build trust in the current
atmosphere. This is, like, not funny, this is embarrassing now, I'm sorry. Okay, another thing is the growth of responsible disclosure. So the old crackers and sneakers, not the people who are pursuing information but the people who like to play around and try to break software, now honestly have legitimate cracking and sneaking avenues, right? So looking at bug bounty specifically, the most profitable bug bounty found, not to be too specific, was over 3.87 intern summer salaries, which is a lot. So if I found one of these bugs I could be not working for three summers and lying back on the great
beaches of Traverse City. And also we see kind of an idea of the '90s and the '80s: it's a lot of very technically literate young people doing a lot of the hacking, which I think is really interesting, and having discussions with some people at this and talking to people over the internet, a lot of people have said, look, I had a lot of fun breaking software, I had a lot of fun running the systems and using my red box, but I got married, or I had kids, or I had to take care of my parents. So you see a
lot of people growing up and saying the risk really isn't worth the reward anymore. So, less teenage angst, but you kind of have to say there are still teenagers; what's happened to that? So a big avenue I see is enterprise, especially as a student at a university. I think a lot of young people now who are tech literate and interested in computers have very easy avenues to either get into a university with a good scholarship or jump immediately to Silicon Valley, right? We see this cesspool of people conglomerating there, fighting for, like, $3,000, 20-foot apartments. And on the college
scene, around these big research universities where you started to see the first hacker groups form, now you see big things like hackathons or student entrepreneurial associations that are trying to get kids right into the money. They've realized there's so much money in this, why do we even have to pursue it all the way, like, I don't care if I can break into somebody's system, I can just start making money right away, this is a lot easier than skimming off credit cards. So I think that's a big contributor to why you see older audiences in a lot of these cons, like,
walking around, there aren't a ton of young people. And there are definitely some of us who are interested and who've gotten interested, but you don't see the huge youth interest that you would see at 2600 meetings or things like that. Of course there will always be people who are very interested in trolling. So this is one of my favorite examples of one of those huge troll bug bounty emails you get. You're never going to totally get rid of the community that was originally there to bother people and to rustle jimmies and to say, hey, we're better than you, we're
so leet. But I think I've seen a big decline, and I think that's the problem that we should be discussing. So I just want to say thank you to a couple of my co-workers: Chris is here in the audience, Mark Stanislav's here; they're pretty awesome. And I want to also say thank you to everyone here, because through interviews, through talking to people, through meeting people here at the convention, people have been very patient with me. I know I may totally be way off in some of my assumptions, you may think I'm a huge idiot, but I haven't met anyone who's been openly adversarial, which has been really nice. No one's thrown
anything at me, yet. And how accepting the community is, I think, is a really great pointer to me to say, like, this is something I would love to be involved in, because people are so accepting and so intelligent and so willing to share their time and resources. So I'm sure you have questions, comments, heckles, so let's get down to it. Are there any questions?