
BSides LV 2023 - I am the Cavalry - Wednesday

BSides Las Vegas · 8:42:19 · 316 views · Published 2023-08
About this talk
BSides Las Vegas 2023 - I Am The Cavalry - Day Two
00:19:35 - Introduction to IATC Day Two
00:30:28 - The British are Coming! (To Talk IoT Secure By Design)
03:51:10 - Saving Lives in Healthcare: Trust, Teamwork, Tangible Outcomes (Decade of Change) with special government teammates
06:47:16 - A Hacker's Guide for Changing The World (and Where do we go from Here?)

Okay, we'll try to get started. I did try. Okay, seriously. Yeah, the possible collaboration to a greater extent. All right, we ready to go? Welcome to day two of the I Am The Cavalry track, 10th edition. Once again, if you weren't here yesterday, say happy birthday. All right. If you weren't here yesterday, I'm going to briefly frame what's coming today before handing it over to our British colleagues. I'm Josh Corman, I'm one of the founders of I Am The Cavalry from August 1st, 10 years ago. The idea is our dependence on connected technology is growing faster than our ability to secure it in areas affecting public safety, human life, economic and national security, and we've been trying to change the world with the coalition of the willing on wherever bits and bytes meet flesh and blood.

Today's edition, just to outline the flow, is larger chunks than yesterday. The first of which is The British Are Coming, and they've been gracious enough to take that cheeky framing, where we don't just do U.S. policy. We have had a lot of U.S. policy makers, but we've been working internationally, and some of our best successes have been on basic IoT cyber security hygiene, and we wanted to continue that work in a working session, in a listening session, which will be next. Number two, I'm really, emotionally, looking forward to Dr. Suzanne Schwartz from the U.S. Food and Drug Administration, who regulates medical devices. She has been the most courageous, creative guppy hacker teammate we could have ever hoped for, and we've moved mountains with her brave leadership and her team's brave leadership. So we're going to do some reflections on a decade of saving lives: how she met us, what her apprehensions were, how guppies want to be spoken to, what they're afraid of, so that if you want to change the world in the future... The first half is kind of her reflections on a decade of change, followed by extracting these into repeatable lessons and blueprints and road maps for how you might do the same, with or without us, and she'll have some special super friends joining in that chorus in discussion.

And then lastly, after the break, what do we call it, a hacker's guide to changing the world. When we were reflecting on, if we were to make a recipe book or a blueprint or a road map for how effective movements can happen that don't take nine or ten years to get some results, if you could compress those things, for the things that didn't work, what were some of the core beliefs or practices or schools of thought that influenced and affected those outcomes? So a little bit to kind of give you signposts to things that you could go study up on, but also it could be one of the potential features of the Cavalry going forward, is maybe a Cavalry Academy or an incubator, an accelerator for plural change-the-world movements. We've already mentored a few and we might want to turn it into a boot camp. So if it took us 10 years to do the things we mentioned yesterday, you know, how do you make those happen in three or five, and how do we make it so that more people could do it without having to, you know, jump into the government occasionally. So the flow again is: we're gonna start with The British Are Coming, followed by a really deep dive on the successes with health care and the Food and Drug Administration, to be extracted into lessons and then maybe a boot camp, and probably it's going to quickly turn into a discussion from you as to what you think we should do and maybe who's willing and able to help.

Before we completely transition, one of the most pivotal pre-launch teammates, who's Professor Andrea Matwyshyn, law professor. She's been coming to DEF CON for God knows how long, but I think I met her when I started researching the rise of hacktivism, Anonymous, so probably around DEF CON 16 or so, 17, no, that would have been 18. But she's been coming longer. She has very different perspectives than we do, but was pivotal, and if you've ever heard me talk about the Cuyahoga River burning, that's from her. And she gave me a lot of encouragement at THOTCON and everything in the build up, and continues to be a pretty good ally, and if you like the fact that research has been largely decriminalized, you gotta thank her. She knew how to formally petition the Library of Congress for DMCA research exemptions, which were temporary, and then we made advocacy to make them permanent. So it does take a village to raise that child, but she played instrumental roles often and is often the voice saying that if we don't somehow professionalize ourselves in some way, shape or form to separate charlatans from good faith actors, it may be done for us. So she gave me a couple of minutes of remarks, and as one of the founding lights and brains and complementary skill sets in our team of Avengers (bless you), I wanted to quickly play an address from her that I didn't get to put in yesterday.

Hi, I'm Andrea Matwyshyn. I'm a professor at Penn State in the law school and in the engineering school. I've had the pleasure of watching the Cavalry grow during the last 10 years, and I'd like to really congratulate Josh and everyone who's contributed to this worthy effort. Every little bit helps to make us safer. So I'll share two quick stories. One involves a great dinner with some interesting early conversations around software safety and the possible collaboration to a greater extent of the hacker community and government after THOTCON in 2013 in Chicago, and there may or may not have been a really unusually large boot of hack for sure beer involved. But some of those thoughts ultimately made it into the DerbyCon meeting, where the founding principles of the Cavalry were sort of gelled together and the first group started work. At that meeting I shared the story of the Cuyahoga River, a river in Ohio that was literally on fire and galvanized different groups in society to push President Nixon to pass CERCLA, the Clean Air Act and the Clean Water Act, as well as create the Environmental Protection Agency. And so it was because of this river being on fire that we ultimately ended up with one of the most aggressive legal regimes around environmental law, and our environment, though not perfect, is significantly better than it would have otherwise been, and the Cuyahoga River became usable again. So that's where I saw us heading, and I think it's still where I see us heading. But for the second decade of the Cavalry I'd like to share another story. This is a story of two dams, one happy, one not happy at all. In 1928 the St. Francis Dam collapsed, killing hundreds of people. It collapsed because of shoddy engineering, a lack of maintenance, the ignoring of reports of third parties who were trying to avoid a disaster, and the absence of robust engineering standards inside the engineering community, and a deficit of legal liability for failures to take due care in the way that engineering projects were being built. In the wake of this tragedy of hundreds of people dying because of shoddy engineering, the engineering profession stepped up, started self-regulating and started engaging in rigorous peer review. Also, liability was imposed, so by the time the Hoover Dam was built just a few years later, the process of engineering looked completely different and the public had faith in the Hoover Dam and in engineering again. So there's a model that we may want to think about as we enter the next decade of software and system security, and I hope the Cavalry will continue to do good work, and thanks for letting me be part of today.

All right, thank you Andrea. And again, the spelling is difficult for pronunciation, but just say "magician", Matwyshyn, like "tissue". So Andrea has been amazing and kitschy, and wrote a seminal legal brief called The Internet of Bodies, not so much that bits and bytes can lead to loss of life, which it does include, but also, just as we increasingly become cyborgs, do you even own your images in your retinal scan, or can they shut off the lease and the support on your bionic arm? So her belief when we met was, if you could hack the legal journals, then when there is case law that comes to the courts and they search for these things, they're going to find things that we helped write. There's lots of ways to be a hacker, and she continues to impress and amaze, both training her students, running the PILOT Lab for IoT, but also hacking the lexicon and the legal body of work that could be brought to bear to introduce things like liability. So, controversial topics, but a lot of these concepts made their way into the President's National Cybersecurity Strategy earlier. So again, thank you if you're watching, Andrea, and shortly I will welcome to the stage our next thing. But if you just got in the room, today's flow will be The British Are Coming, a conversation about engaging us for good ideas on some policy they're considering; number two will be reflections on a decade of saving lives with the Food and Drug Administration, Suzanne, her amazing team, and recipes for how to repeat that; and then after the break, or in the afternoon, we're gonna do a hacker's guide to changing the world. So thank you for being here. I'm gonna transition now to our next panel.

Good morning, everyone. Good morning. No one's aware, can I live? Good morning, and good morning to our British guests. Welcome. So we're pleased and delighted to welcome not one, not two, but three special guests from the United Kingdom to come visit with us, and if you can wave your hand when I call your name so people know your names: starting, Charlie Gladstone, welcome Charlie; Mr. Peter Stevens, welcome; and Mr. David Rogers. So we're going to learn a little bit about what's going on, what works, and what works maybe less well over in the UK. Roger that. As they talk, if you come up with questions, issues, raise your hand and then I will subtly run over to you and you can ask your question. All right, so we had an outrageous speaker request. Yes, Corman's fault, I think, as usual, but it was for Jen Easterly to, excuse me, wrong, look, Jen Ellis (I'm meeting the other one later today) to wear a tricorn hat and shout "The British are coming! The British are coming!" Right, so my question is, who now is supposed to play the role of Paul Revere here? All right, I can do that. Good, good, son of liberty here, and it's a little fluffier than I was, I was trying to throw Jen like a little bit of a, yeah, a fashion element, but okay. So the question is then, if I'm going to be Paul Revere, who's gonna be my horse? By sea. [Laughs] [Applause] One more for the camera. Okay, thank you. Sorry.

Well, how would you follow that? Yeah, yes, yes. I've been, well, thank you for coming to our talk, which debates the merits of the American Revolutionary War. [Laughter] Actually been asking ChatGPT how we could have done better, the Battle of Trenton, how the Hessians could have won. But yeah, actually we did discuss this, didn't we? We forgot to bring our red coats, I'm sorry about that. We did want to make it out of the airport. Well, it's funny that you should mention that, actually, so I did bring some tea with me. So whenever I come to America I do find that they have a problem with real tea, so I've brought you some tea. I promise you I'm not gonna tax you too much, but anyway, so thank you, thank you for hosting us. We're very pleased to be here, and I'll just very briefly introduce my colleagues sat next to me. I'll start from the start, so Charlie Gladstone, who's from the government. So Charles, do you want to introduce yourself?

Yep, hi everyone, I'm Charlie Gladstone. I'm from the relatively newly formed Department for Science, Innovation and Technology, DSIT for short, and yeah, I'm here representing the UK government on all of our sort of current work relating to connected devices. So great to be here, and thanks very much to Josh, to Jen for organizing. And Peter Stevens from the OECD.

Thank you, thanks everyone. So I am currently at the OECD. I previously led the UK's Secure by Design division, so that was the focus on product security and all the work we did in IoT from 2018 to 2022. So a lot of the work we've done from post-Mirai to development of legislation was my team. So yeah, great to be here. Great to be thankful, Josh, for the invitation again, and thank you Jen, who's here in spirit if she's watching, for all the work that's happened, and thank you to I Am The Cavalry. I can testify that when I was back in my old job in government I used to have an I Am The Cavalry sticker on my phone, which I used with pride. No one knew what the hell it was, so that was a hell of a testament. So thank you very much. Yeah, looking forward to the conversation and listening to your questions as well, and hoping to do our best to answer them, and also to jokes about the relationship between our two countries in the last 250 years. So yeah, we've got a few, we've got a few. Yeah, thank you. You make some British references, you know, we can stick some Monty Python in there, we can do the Four Yorkshiremen sketch if you want. Oh, I see, we can't unless you give us a script.

But yeah, so I'm David Rogers. You're going to hear a little bit more about what I've been doing in the past with Josh and Beau and Jen, but I guess, so I do work with the government, but I also chair the mobile industry's Fraud and Security Group globally, and do a lot of work on IoT and car stuff and general hacking. So, oh thank you, well, stickers. So what we wanted to do was kind of meander through, you know, how do we end up doing a load of IoT stuff in the UK and how did it really become so successful, because it has been, and we wanted to explain that, and also the relationship with other countries and how that had worked and how we achieved success with that, and hopefully how that could be a model for the future in other areas. And obviously yesterday we were talking about things like agritech and stuff like that. You know, the IoT problem has not gone away, and there's going to be a lot of things to tackle for the next, you know, 50 years or so as it evolves. So we thought that we would start off with a history and the background, and then we would talk about how that then entered the legislative process, how that actually, well, even before that, how it entered government and how that was handled, and then how that entered the legislative process, and then how government then took that on and took that internationally, and what they're doing now and into the future. So if you think of this as kind of like a timeline, it's like, it's a film, Benjamin Button, right? So it's going in age order but backwards, or maybe I've just aged that much in that process. Has anybody heard of the band the Sugababes? Yep, one person, vaguely. Well, sure, it won't work that way. So I'm Keisha, apparently, but I was Heidi. You can go and look it up on the internet.

So let's start from the start. Connected stuff has been around for a very long time and has evolved from existing technology. So I'm in the mobile phone industry, and a lot of the stuff that we've developed over many, many years originated from the days of the telegraph, and before that from semaphore signaling, and before that from all sorts of other methods of communicating, and over time what happens is it's just an evolution, and we have things in internet protocols that exist from those times as well. And so as we've developed these connected things, we've taken a lot of that legacy, and really we didn't have a good idea of what security looked like for a very long time. Security, particularly in the sort of 70s, 80s, was really in the domain of governments or nationalized organizations, especially telecoms companies, and as we all know from all the various hacker stories, there are many, many ways to break into things, and if we look back at some of the hacks that took place, you know, in the 80s and the 90s, these days we might consider them to be quite trivial. You might not even consider them to be hacks, actually. So the point that we've kind of reached now is actually the level of sophistication in products and services in general is very, very high, and the level of skill required to break into stuff is often very hard, but we've actually carried a lot of legacy and we've forgotten about some of the quite easy things, and so that's where we ended up with looking at some of this IoT stuff. But nothing stayed completely static, so the motivations for introducing security were different over time. So in the mobile industry, for example, we had a bunch of people who were hacking SIM locks, although we're trying to commit forward on different devices, and we had to put countermeasures in to defend against that. And over time we started to get the technology that we needed to protect some of that stuff, so we started to have a requirement for hardware security on embedded systems, particularly in the mobile industry, and we started to understand that, you know, we really, really did need timely firmware over-the-air updates, but we just simply at the time didn't have the technology to do it.

So in 2005, so I was working for Panasonic at the time, you know, it was very difficult for us to be able to push out firmware over the air because, you know, there wasn't the bandwidth, there wasn't the memory on the devices. So we had like physical constraints around us; even though we knew what we thought we wanted to do with security, we couldn't quite get there because the technology wasn't there yet. And it was a hell of a lot of work in that industry, because of use cases on mobile devices like banking and, you know, other commerce-related things, that really, really drove the need for a new chipset that would provide a foundation of trust in devices. So that led to the development of things like the trusted execution environment and deployment of things like secure boot, things that we really, really take for granted now but we just couldn't do before. So while all of this stuff's going on, the mobile industry and these kind of big battles going on between the sort of embedded system hacking community and the mobile industry, so steadily getting better and better and better on both sides. And you've seen, actually, I was looking back at the 2013 Black Hat talks just then, I was looking at some of the mobile talks that were happening then. That sort of similar hacking community that originated in the car radio hacking community evolved into the jailbreaking, rooting scene, so a lot of the same people got into that as we got onto open platforms, open mobile platforms, from 2000 and 2010 onwards, and that really kind of spurred things on significantly. And all the time there were a bunch of connected devices that were connected in people's homes, like webcams, that were encouraging people to, you know, set up direct connections to their home networks and were wide open to viewing or manipulation or