
Oh, M fox for Chicago, yeah. Okay, we've got Nicholas Percoco and Josh Corman doing "The Cavalry Isn't Coming." Okay, go ahead.

Thank you. Welcome everybody, thanks for coming, thanks for joining us. So I guess a little bit of an introduction about who we are. I'm Nick Percoco. Some of you may have seen me at different conferences and things like that; I've spoken in a lot of places around the world. My day job: I run the Trustwave SpiderLabs team, and I also started a small conference in Chicago, THOTCON. I've seen some t-shirts today, so some people may have joined us there. This is Josh.

Hey, I'm Josh Corman. In my day job I'm a director of security intelligence for Akamai, but a lot of the research I do at conferences is really under my Cognitive Dissidents blog, and I tend to be more like the philosopher kudet, trying to question things and make things better. So in this particular case you're going to see more of that philosopher stuff.

So, to give you a little bit of background, and also give you a little insight into what this talk is all about: this is not a presentation. That may seem a little bit odd. This is really how we wanted this to be: it's a conversation. It's a conversation between me and Josh on this topic that we're going to talk about, and a conversation with you. So oftentimes people get up in front of people and say "we want this to be interactive," and then no one [ __ ] says anything during the whole time, right? So we want this to be interactive, but with the caveat that the clock is ticking. So if you have something to share, please do so, but understand that while we're under a time constraint, so are you, so you can't take a 40-minute rant in the middle of our talk, because then nothing really gets done.

So just a little framing. The scope of this is: I'm very concerned, and a lot of you are very concerned, and we don't really talk about our concerns. So I want to scope this: I want us to look at our recommendations, our suggestions, our catalysts here in the scope of our profession, not you as an individual brand, not you as an employee of company XYZ. We do a lot of good things, and we don't really do anything for our profession's community interests. This is to cause that conversation. The second thing I want to say is, for a lot of us hacking started as a hobby, and when we weren't paying attention it somehow became our profession. But more importantly, and what's really stressing me lately, and perhaps the same is true for many of you, is that this profession is now permeating every aspect of our personal lives. I'm a father. I just tried to buy a car. I am very worried about my body now that we're depending on software in places where it is not merited: in medical devices, like Jay Radcliffe's great talk, and research that others are doing, like the talk you're going to see from Charlie Miller on car hacking; the fact that you can go to Shodan and do a search for default usernames and passwords on control systems that affect public safety and human life. Not trying to sound ranty, but as a person, as a citizen, I am very concerned about my body, my mind and my soul. For the mind part, perhaps you haven't noticed, but there's a trend towards the criminalization of research. This should scare every single one of you, and we can either sit back and watch the criminalization of research or we can try to be a voice of reason and credibility for our trade that adds a unique value to the public good. And for soul: I think a lot of you saw my research on Anonymous and chaotic actors. I think the reason I was drawn to that is you're seeing a mash-up between technology and civil liberties, and if you haven't paid attention in the last couple of months, civil liberties are losing. Part of that is because people are evil, and part of it's because people are misinformed, and we are the voice of reason, of technical literacy, on this stuff. We haven't used that voice. That's the background.

So a couple of weeks ago I decided to do a juice cleanse. Is everybody familiar with that? You basically drink like six juices per day for three days, and not only are you starving but you're supposed to unleash toxins from your body. Well, one of the side effects, at least for me, of that juice cleanse I did for three days was very vivid dreams. So everybody here has dreams, but have you ever had those dreams where they're so vivid, and when
you wake up you're sort of confused, like, is that real, or where am I, in that moment? Well, I had a series of dreams the last couple of weeks, and I'm the kind of person, when I have dreams, I don't really think too much into them as far as, you know, is there some hidden meaning to this dream? I really just think it's my brain dumping, sort of a garbage disposal just dumping information. But they actually fell into the context of what we're going to talk about here. One of the dreams that I had, basically I was sitting on a bus. I remember being sort of confused in my dream, like, why am I on this bus, where are we going? And there's all these people, people like in the audience here, sort of on this bus heading in a direction. And I soon realized, after looking at what people had in their hands, they had computers and different things; they were heading to apply for software development licenses. And not licenses as far as software licenses; these were like driver's licenses to allow us to actually code. So I thought that was really interesting. I wrote this down, took some notes.

A few days after that I actually had another dream. I travel quite a bit, so I walk out of my hotel room all the time. How many times do you walk out of your hotel room and you see that USA Today paper or that New York Times or something sitting on the floor outside your room? So I walked out of my hotel room and I looked down, and there was a headline on the paper. It said "Florida man" (I follow Florida Man on Twitter quite a bit, so I think that's why it was put in there), "Florida man is arrested for hacking tools." And I remember thinking in the dream, and flipping open the paper, and you see a Metasploit logo, and you saw information on nmap; it was mentioning nmap and different things. Apparently this Florida man had hacking tools on his laptop and was arrested in Florida for possession of that.

So I had another dream. This is the third and final in this series, and soon I started to realize these weren't dreams at all; these were nightmares that I was having. They were real nightmares grounded in reality. But the final dream that I had, I was walking down the street in Chicago, and it was about dusk, sort of like the sun is going down, and I walked down an alley and up to a door, and at the door I rang a bell, and there was a camera in the doorway, and then the door buzzed, just like any apartment in the city buzzes. I got buzzed in and I went up a flight of stairs and walked into an apartment, and essentially I looked around and there were some MakerBots over here, there were some computers, a lot of screens and monitors, and piles of cables in the corner, and there were guys and girls milling about, talking and social activities. Essentially it was a hackerspace; I was visiting a hackerspace. There were some faces and things that I recognized from the Chicago community. And then during the dream it sort of shifted, and the electricity went out. The lights went out, all the humming in the back, and it was just really, really quiet. And people started wondering, oh, it was ComEd, you know, ComEd, the electricity went out. And then, what seemed like shortly after that, there was some loud banging on the doors. The doors were kicked in and some men came in that were wearing black pants, black shirts, and came in and said we were under arrest. And they said we were under arrest for violating some act. I don't recall what it was, but it was some act, and they were arresting all of us, arresting everybody that was in this hackerspace. And then it got a little darker, became even more of a nightmare. They started zip-tying us, placing us against the wall, and started having people come out, and it was a really odd situation where I could see people I knew, friends of mine, sort of lined up in the hallway, and we were sort of cuffed and zip-tied, and one by one they were leading us down the stairs. Before they were bringing us down the stairs they took an object, it almost looked like an iPhone or sort of a bar, and they put it over the side of people's heads, and the people dropped, and then they carried the people down the stairs, and they brought us out of that hackerspace.

So now, these are nightmares that I was having, but they are grounded in a bit of reality, obviously. My brain didn't just come up with these; these are things that were seen, things where we could go as a community, and it could have very, very bad implications. So, aside from knowing that I will now never do a juice cleanse, this isn't that far from reality.

So those were the dreams, but let's punctuate this. Whether you love or hate weev, look at the weev case. Several of us in the room actually talked about,
drafted, signed amicus briefs to the court, not because we were defending weev per se, but because if what he did is criminalized, most of what we do is criminalized. That's not a nightmare from a juice cleanse. The very aggressive prosecution of Aaron Swartz prior to his suicide, that's real. A lot of you guys know and respect these folks. I don't remember the name of the law, but there's a law in Texas outlawing port scanning; you cannot legally port scan in Texas. And in France and Germany certain hacking tools have already been criminalized. So the public paranoia towards hackers: I don't know if you saw Obama during the show saying "I'm not going to scramble the jets for a blah blah hacker," right? So there is a very strong concern. I mentioned this during the Building a Better Anonymous research that Jericho and I did: I am very concerned about some sort of neo-McCarthyism, right? "I am not now, nor have I ever been, a hacker," or "I'm sorry, that Metasploit tool was used for my job," right? So this isn't paranoia; these are actual things happening. The 3D printers and the scares over guns: an uninformed public, a powerfully uninformed public, will make powerfully uninformed decisions, right? So this is very concerning, and you don't have to be hyperbolic or spread FUD; these are things that are happening right now.

So a lot of my talks lately, partly for personal and emotional reasons, have been about hitting rock bottom. In fact, at this conference alone there were at least three talks that mentioned burnout as a legitimate issue. We're not trying to wallow in our pity; we want to capture that there is a palpable sense of fatigue, cynicism, frustration in the community, and do something about it. And I started realizing that capturing the fact that we have burnout isn't enough. It's human nature that we don't make changes; it's going to be a mouthful, but people don't change until the pain of maintaining inertia exceeds the pain of making change. So, put in Alcoholics Anonymous terms, people don't change until they're sick and tired of being sick and tired. I'm there; I think a lot of you are there. The fact that several of the talks here weren't even about technology, they're about making booze or 3D sex toys or recreational drug modifications, it's almost an implicit signal that we're not feeling like we can actually make the impact we want. So there's something negative about rock bottom, but there's also something very valuable, right? Because when you hit rock bottom you're free to actually be empowered to make changes, radically uncomfortable changes. You can experiment, because if we're going to suck, if we're going to fail, let's fail in new and novel ways. It's not a defeatist attitude; it says that we now have permission to try things that we otherwise wouldn't have.

So what I mean by uncomfortable experimentation: this is the part of the talk that's going to make some people upset. It probably would have made me upset, but I've come on this soul search to the fact that we have to start holding our nose and eating our Li of be. So we're going to bring up some fairly douchy topics. Hear it out, because basically if you don't think these things are going to work, you think they're futile, you might be right, but you're also implicitly admitting defeat, because in lieu of these we aren't successful either. So I don't want to just have uncomfortable experimentation; I want to have radically uncomfortable experimentation. Let me identify a few of these, and remember them for future fighting when we get to the end of this.

There are levers of power, how other professions get [ __ ] done. Some of them are 501(c)(3)s. We are familiar with this one because the EFF is in fact a 501(c)(3). Now, they have a narrow focus and charter, and they are valuable to us, but we've talked to them and they agree that they are necessary but insufficient. So there are other 501(c)(3)s that are educational or even think tanks, so you can have, like, an Institute for Cyber Sanity, for example. We can have research fellows from the Institute for Cyber Sanity who give opinions on public policy, who score publicly elected officials on their cyber literacy, who create frameworks to present facts to the public; think the Truth campaign for smoking, perhaps. There are 501(c)(4)s. This is the one that's going to make you cringe: we don't have a lobby. That's what a lobby is, and how things change in this country is through lobbies. That's your value lever to influence the legislative branch. You can use think tanks, you can have position papers, but you can't directly influence elected officials without a 501(c)(4). There are professional organizations, and no, I do not mean CISSP. There are professional organizations like the American Medical Association, which embodies the voice of the profession of doctors. There is the Bar Association, which organizes and professionalizes lawyers. They have features like pro bono work, where it's encouraged and a natural part of being that, and they demonstrate their public benefit to society with pro bono work. So there are professional organizations. Probably the linchpin of all this is an integrated PR media campaign, and this includes CNN, this includes the major news outlets. And this means instead of letting Symantec executives bloviate about signature antivirus that doesn't work, or instead of letting a rockstar diva narcissistic vulnerability pimp pimp their company or their personal brand, that we actually decide who our best spokespeople are for various topics, and with a common voice and a common set of talking points have a credible message that my mother-in-law could understand. This might involve stupid words like "cyber"; it might. We'll have to do some experimentation. That's your hearts and minds; that's where you create the permission to engage with senators, congressmen, legislative, judicial. And honestly, we're going to have to try all of them; this isn't either/or. One of the people in this room wanted to start a PAC, a political action committee. The reason I push back on that one is because you actually back candidates in a particular party, and I think if we become partisan we're going to fail. We should focus on
the things where we can all agree, such as protecting the ability to do research. Next.

So no one threw anything; that's a good sign. What? No one threw anything, that's good. No alcohol drinks yet? We have a beer right there. There we go, okay, a whole row of beer.

So it's sometimes hard as a person to realize, but everything you say and do, unless you're locked in a box someplace, you influence people, just by walking down the street or running a conference. You are making influences just by having a conversation, or standing up here in front of you. Now, in the world we live in, especially in the hacking community, and we're talking about changing things in policy makers' minds, the influence is sometimes masked by who we are as a community in the minds of the people we're trying to educate or people we're trying to talk to. When you have a hacker that's asked to go talk to policy makers and they're sitting in the same room, and the hacker is explaining how things work or explaining what the risks are to this technology that they broke, the policy makers are often not seeing that this is an expert here, this is someone who's trusted, because of the way the media portrays our community and things that come out of our president's mouth, even where Obama said, you know, a 27-year-old hacker is not going to cause us to scramble jets. They see it happen in front of them, and there's an implicit lack of trust in many cases of that person sitting in front of them explaining how things work. And oftentimes, I work with my own team and we do media; we were just talking with CNN yesterday about some things, and it's very easy for us to speak what we don't even think is very technical, and you lose people right away, and so a lot of the meaning behind those messages gets lost.

So when we're talking about the chain of influence, what we want to see is that you have people who love to break things. How many people here like to break stuff? A lot of people. You like to break things. Sometimes when you break things, you break things because it's fun; you break things because maybe it's a little funny that you can get something to do something differently than it was intended to. But sometimes some of you may not really care about the fix when you break something. Just think of the things that you've broken in your life: do you always go and call the manufacturer up and say they should fix the problem? Sometimes you like the broken issue with that product, but there could be implications that are caused by it that could have negative effects. So breakers are great, and we need them in our community. Do we need the breakers always talking to the policy makers? Maybe not; in fact, it may be the wrong person entirely.

I want to recognize some excellent work. Jay Radcliffe is in the room; stand up, Jay. If you didn't see this awesome presentation yet from yesterday, or even the very first one he did: he's a user of an insulin pump, he hacked his insulin pump, and yesterday several medical devices. We need more of you, more like you, many people like him, who instead of researching the 700th Android malware vulnerability, which I don't give a crap about anymore (I'm on a CFP for a couple of conferences; 70% of our submissions were Android malware, it was ridiculous, right?). So I'm not saying it's useless; I'm saying if you have a choice between something that can affect human life and public safety, or yet another Android malware plug, not only will you differentiate yourself more, you'll actually be protecting your friends, family and your future by ratcheting up the things. So I want to congratulate you and thank you for the work you're doing. I'm hoping people follow his lead. If you saw his presentation, it's very frustrating for him to get access to medical devices. (You can sit if you want.) To get access to medical devices he encounters opposition from the medical device manufacturers. There's a chain of influence through the FDA, the Food and Drug Administration. There's some hearts and minds to cover that could be missing. Think like the Lockheed Martin kill chain of how we lose intellectual property: there are stages, and he's probably the absolute best person to have done the research stage. Could we team with people who have experience in industry, working with legislators, working with legal journals, to continue that, and instead of focusing on the activity of a node on that chain, could we focus on the throughput and the results? And it's actually not about succeeding. We think we're going to fail five or six times in a row; it's about fuzzing the [ __ ] out of it, right? Fail fast, iterate.

Yeah, so fuzzing the chain of influence, like Josh just said: we don't know if we're going to succeed, we don't know the perfect formula for it, but if you take the group of breakers that want to align with some industry, and then we also identify, does anybody in the room like to fix anything? We might have a couple of people, right? You like to fix things. So we take the results of the breakers, we hand it to the fixers, we say, before we go out and make a big news story about it, let's come up with fixes as well. Let's really spend our energy to figure out how we prevent these problems. But then we also don't just go and take the breakers and the fixers and put them up on CNN. We also involve people who are outside of the hacker community, possibly, but have ties with us: maybe someone who's a CISO at an automotive manufacturer, or someone who works for a medical device manufacturer, who maybe attends these conferences but doesn't necessarily see themselves as part of the hacker community but more part of their own industry. And those are the people that we can work with to then get the right messages to the policy makers.

So one thing I'm going to use is a concrete example, and Jay knows way more about this, but I really pressed on this for the last year: how do we get reform in the medical device field? You could argue the insulin pump is just one device type, and how many people have diabetes, maybe we should focus on fixing diabetes instead of just the palliative devices; there's all sorts of arguments there. But I'm looking at this as building our strength and building our muscles and building our experience, because if you can get precedent set at the FDA that there's a new criteria requiring a level of
care for adversarial resilience for any new medical devices, you can change all of them, right? So let me just give you an example of how sort of perverse this is. I'll try to do it in 60 seconds or less. I went to the industry and I said, how do we take things like the Barnaby Jack research, like Jay's research, and turn it into FDA? And I met a guy named Kevin Fu, and he's a PhD and he works with the FDA and he knows exactly how the system works. And I said, okay, why don't we get them to recall those devices? And he said, no, they can't do that, because the FDA says, "I can either prevent a life-saving technology from entering the market for a theoretical attack, or take a gamble on something that hasn't killed anybody yet." Okay, failure. And he accepted that answer. And I said, okay, that's great for these devices; why don't we put something in that says by 2015 anyone who puts elective attack surface and unnecessary remote access protocols is going to be held to a higher standard of care, and that way you can approve all the stuff in the channel? And he says, well, Josh, the SEC is concerned about raising the barriers to entry for new entrants into a high-growth market for the US economy. So they said if you raise the bar too high you're going to suppress new entrants who have 12 or fewer employees. So that's an issue, but he knows those issues. Then I said, okay, well, why don't we do something where they can still get into market, they just don't have to put the Bluetooth on everything? They said, well, Josh, it's the bacon principle: it's like everything's better with bacon, everything's better with Bluetooth. So basically they're all doing it unnecessarily just because it's a competitive advantage in the marketplace. So I looked at this as, yeah, this is going to be a really hard problem, but if we push through and fail fast and iterate, we can do that thing that makes the hearts and minds campaigns of my mother-in-law and neighbors concerned over this looming sort of Damocles. We can find the senators that have insulin pumps or medicine pumps, and in coordination with that we can go to Kevin Fu and say, we appreciate your topical knowledge, you need to try harder, and we will help you. And we haven't really done that coordinated, integrated campaign, and for at least one or two topics I think it's time to try.

So another way to look at this. Yeah, another way to think about this is basically hacking our future. We have the capabilities. We hack technology; I mean, there's dozens of talks or hundreds of talks this week about breaking different types of technical devices. So if we can hack X fill and X, we can hack this. So we have, you can not, the ball. So that's just, I guess, a little bit of an analogy there for our community. But if we can actually go and hack something, why can't we hack this? Like Josh said, let's coordinate, let's build a process, let's build a community, build think tanks around these life-benefiting technologies. It's going to benefit us and everybody else in the world, and work our way through it. As far as even selling these things, we have some of the best social engineers on the planet. We do. There's social engineering exercises, there's red team engagements, there's things that go on every single day within our community, and it's not about lying to people; it's about understanding how people work, how people think, in order to get an emotional response, get them to react in a certain way that drives our community's agenda. So with that, really, where do we start? Where should we start?

Yeah, one of the examples we cut from the slides was, if you look at a presentation on how you jailbreak an iPhone, it's not just an off-by-one anymore. It's pretty convoluted; you've got to do quite a few things to escape the sandbox and do this and get privilege escalation and move laterally. If you were to map out that architecture with a box-and-wire diagram, there's a similar box-and-wire diagram for how laws are passed. There is, and it's not nearly as reliable as an OS, and it will take some soft sciences, but we have that basic native talent. We know how to do it, and it might take a hardware hacker and a Chris Nickerson, or a ReL1K, or a Lan, but we can do it; we've done it elsewhere.

So we're going to frame out three planks of a platform here, back to my fears for my body, my mind and my soul. This is a straw man to be debated. I'm going to suggest to us that if we are very concerned about the criminalization of research, we don't start with our needs; we start with the public's needs. And I'm going to suggest that whatever we form, we focus very first, with a concerted effort, on security research that affects public safety and human life. There's a reason for this. This will include, and we can choose the scope, but my hunch is we should include life-saving medical devices, embedded OSes in automobiles, and embedded control systems directly exposed to the internet, things that actually affect life and death. How about the power grid? Power grid counts, absolutely. We can actually prioritize it, and we'll tell you where we want to discuss that prioritization. Next slide.

The reason to do this is, if we can carve off, by demonstrating a unique (I mean the definition of unique) service that this demographic and community, that security research, serves to the public good, we can preserve and protect a pervasive ability to do security research without criminalization. We can't just say "stop oppressing us"; we can't just say "we want to break stuff." We have to demonstrate, first and foremost, a unique public good to preserve and provide air power for continued security research without criminalization. This is a real clear and present danger, and that's something for us and for everybody. Back to the other point: technology is recalibrating civil liberties, right? Most of our US-based civil liberties are based on the notion of borders; the internet has no borders, right? There's all sorts of discussions you can have on this. If you're interested, I have prior bodies of work on this, but there are very serious threats to this, and our community has yet to engage. So if you squint, this is essentially a plea for protecting our bodies, our minds and our souls, and whether you're a left-brain person or a right-brain person, one of those is going to resonate with you as a security researcher here in Vegas this week, or as a citizen. Like, my neighbor doesn't give a crap about this kind of stuff normally; they probably would care
about their public.

So we have some next steps. We said at the beginning this isn't a completed presentation as far as us giving you all the answers and all the solutions to these issues; this is the start of a conversation. So we have some ideas about what we should do from a next-step perspective, and one of them is actually naming the movement. What do we call this? We call the presentation "The Cavalry Isn't Coming," and we have some little stickers and things that say some things on them, but we don't really know what to call this. It has to be something that resonates with people, it's meaningful, and also it's not so complicated that it's not going to resonate with the people outside of this community. I think we should build out this list, but just as an example, when I gave my keynote at BSides San Francisco I, for lack of a better term, called this "altruist sec," right? I realized that while I have altruistic motives, not all of us do. Some of us are narcissistic vulnerability pimps; some of us do it for money, for ego. Those are all good, but what we can agree on is we're concerned about the criminalization of our trade. So we want to play with several, for either the think tanks or the overall movement, but we want to have something that's both inspiring to our demographic but also accessible and non-threatening to the public, because that's ultimately who judges are made. All right, so hold that thought. Next.

So then we also have forming executive advisory boards. This is not about Josh and I up here; this is about the idea and where we need to go. So we've been spending some time over the last week or so, the last couple of weeks, talking with people here in Vegas, but it's not just people from the security community that we need to be part of this. It's people like Kevin Fu, yeah, in industry. I learned recently that one of our best researchers just joined an auto company, so we can work through his subject matter expertise as he gets situated on how things work for that one car manufacturer. Marcia Hofmann left EFF, but she's very simpatico with this idea; there may be some way she can help from the legal world. Andrea from UPenn and Wharton, she's a law professor, she's been very helpful. So we're kind of assembling a coalition of the willing for the various points of that kill chain, and what we want to hopefully identify is a few of you that want to take a leadership role, like a voting executive member role, for one or more of these organizations. Or even if you want a lower capacity, could you maybe join our technical advisory board for one or more of these things? And this isn't just hand-waving; we are going to do some things, with as much help as we can get. Even participating in some of these think tanks; we need people to participate. Yeah, would you like to be a distinguished fellow for the Cyber Sanity Institute? HD Moore, CTO of Rapid7 and distinguished fellow for the Cyber Sanity Institute. We're not kidding. So how many people... sorry, question? Yeah.

Here's one. We have conflicting desires. So many of us are dependent on, you know, SF-86 background checks, and you start advocating for things and all of a sudden you're not working.

That's true, and those are some of the wrinkles we have to work out. We should probably repeat some of that; it won't be on video. But yeah, there are some people with backgrounds and with clearances where participation in some of these is very remote. In fact, one of the people who brought us one of the best ideas is completely prevented from actually publicly participating. So that's why we're going to pursue several of these: a professional organization has fewer restrictions than a lobby, than a think tank. So in a moment we'll say where we want to get to. By the way, we're going to work out some of these kinks once we get something from our experts who've actually run these before. And we're going to hold the first Hacker Constitutional Congress at DerbyCon in eight weeks, whether you're coming there personally or whether you want a representative from your sub-tribe (we have several tribes in our community). We might also look into seeing if ReL1K and the guys can actually set up some remote participation over technology. But just like the founding fathers of the country, we're not going to agree; we're going to have slightly different priorities, but we're going to bring them together and say what bubbles to the top that everybody can get behind and agree on. Guess what: we're not going to agree on elected officials and parties; we're not going to agree on disclosure wars from days of old, right? There's lots of things that divide us. We're going to focus on the few things that, as a profession, unite us.

I like the first two platforms; the first two parts are good, the public good and security research, but the third one is just going to divide us on civil liberties. We've got the feds, there's a huge storm about that, and the EFF has already got that covered. I don't think the... it should be removed.

All right, so I'm going to repeat the comment. He likes the first two bullets of protecting body and mind, and thinks that it may divide us to focus on civil liberties because of the whole NSA PRISM thing and all sorts of other things. That may be true, but I don't think it's about picking sides. I think at least the engagements I've had with the Beltway and the intelligence community were about, are there ways to preserve the mission intent that have no infringement on civil liberties? And there are technical solutions. So if we create a technical expert body to give technical opinion, we can at least remove the aspect of those debates that are a lack of technical literacy. But if we get into political things, I think you're right. So that one, either he wants it removed, maybe we'll have to
fight about at Derby or up and still derby um maybe we just descope it to something more tangible it's an excellent point it's one I care a lot about though there's tremendous threats on many sides of civil liberties and a lot of them are because they just don't get out cber works and I use their word not ours one one thing a lot of people may not realize but at least half of our industry our feds are are working for the feds and that Minority doesn't speak and that's why people don't realize that it's that all right so one of one of the other things we'll be doing is obviously holding that hacker constitutional Congress at every time if we all sit in
a room for 15 hours and we don't share the results with anybody inside that room um that's not going really benefit us questions the of Congress the concept to me of like some first principles we all can agree on it's a big deal yes I agree there are things we're not going to agree on there you I've been amazed at my friend F watching the resp to St got some we views on it incredibly different our community from you know hero whist blower they want you know and all within our community we're not going to agree on that there's first principles we can agree onization of research is something we probably all agree on instead of
fighting about whether sow's a whistleblower or a hero let's go making progress on Deal research I'd like to address that second you know Awards I think did a great job nominations this year addressing one of the things they said nomin fails right and one of the things said didn't take a said but didl we two things one was they said they had highlighted The Insider threat right there they're like it just shows The Insider threat is a problem people don't want to know pay attention to so the other thing is it we all know the internet is forever so these are two things that didn't take a side on St whether he was a good guy whistleblower or he was a bad
guy you know Pride but it definitely highlighted the aspects of like that analis Onis right yeah in fact uh let's try to recap that for the video um David was basically saying while there's many things that can divide us we could try to emphasize the the unearthing of our first principles that we mostly could agree on I think one of them was was protecting against criminalization research uh the other comment was the you liked how the pony Awards handled the Snowden situation which was um focusing on the insid threat versus some of the other debatable or or divis divisive points one of my disappointments in the old prism snow in debate is we seem to be having lots of
public discourse and debate but not of the topics I thought we should have right so we we completely skipped those and that's where analytical analysis that just breaks it down unemotionally might be something depending on the scope we choose to Sam point it might be something where we can say look here's an emotionally detached apolitical analysis of what were the the core issues in this particular debate and reasonable people can disagree on these three but these four also need discussion so uh that isn't really happening and it's very disappointing to me as a citizen because there's pretty serious stuff that hasn't even touched on yet in that so this is all this is fantastic but just but it's adding on top of what
already is is the problem right so you're addressing another problem on top of the problem that already exists and and so the thing that I'd like to to consider this be a part of this being why do you still have the same problems after 30 years why do we still have buff after 30 years why do we still have net injection and look at how this might be able to go back and say look you should redesign this from the bottom and start over not just politically but but but technically but you can't you can't redesign it from the bottom up without destroying the systems that already exist so what's the problem just destroy the system but but that actually brings
up a really important point is the opposite of what you guys are suggesting is also starting to happen the opp the opposite you are suggesting positive steps to take to deal with the problem s and make it so that we can change the system there are other people at this conference that I have talked to in the last 3 days that are saying I am sick and tired of this I'm going to go to the dark side I'm going to start doxing politicians I'm going to start attacking and I think that's one of the more important things that we need to be considered how do we also stop that from happening how do we encourage those
people back to a more positive situation you both said very important things that I want to repeat for the video okay right I'm but I want to build on something you said I don't have a panace polyan view of this I do believe the part that starts to address yours is most of our public face to the world has been incumbent paliative care solution providers they don't want to cure the cancer they want to sell you the cancer treatment and those partly it's just that they don't get it because they're lazy and partly is they have a best an interest in Towing the line so I don't want to trash people um a friend of mine
was on a mainstream television show and he was interviewed about Stu it was a great opportunity and he completely blew it all he did was tow the talking points of his vendor it sucked I was so disappointed I'm like oh my God we're on a show I normally watch and it was horrible and it's not that he's a bad guy it's that we didn't have our list of here's the top three issues for our profession and we didn't Bridge from the questions asked to the answers we should have been doing so I think you can start to get towards your your point about we not only some of the bad practices we've been kind Towing out of habit by doing
that hurts and mind's part and having a credible and independent voice of what's working what's not working the loudest voices are the ones that want the least change so we can try this to to Martin's excellent point one of my motivations for doing this is if we don't create positive constructive swim lanes for people to express their frustration they will make their own and they are making their own and I'm very concerned about some of those it'll be counterproductive to our mutual goals and we're not we're not talking script kitties who uh are are new to this the system we're talking some of our veterans 20 plus year veterans who are sick of this and ready
to just what was our time limit wees it was infos like burnout is is contributing you they're tired of this I want to say this point there's a lot of things bring up one of the things I don't know it might be on that what are the things that we are going to as obstacles this path so what are the things we're going to encounter one of these is you know good guys going bad right good guys get tired of it another issue might be I don't know large Industries forming consortiums and bringing legal against people very without basis but enough to get so yeah so one of the basically we we have a list of our own but we think we'll
discover that complete list um basically what are the obstacles we're going to encounter we have a pretty long list of ones from just watching what J's gone through what other people have gone through there's been really aggressive lawsuits against some of our best researchers some of them you've heard about some of them you haven't um and one of the problems is we're not talking about those experiences in any sort of closed room W so we're not teaching each other how to avoid them so there are in fact best practices for how you insulate yourself and a lot of people who properly use eff they go there and advance of their research to know where the line the landmines are buried so I
don't think we have to complete this we have a pretty good list and we'll probably honor more as we get the dialogue going we have one more slide then we can freely open it up one or two right so if we do one thing in this conversation um again it wasn't a presentation it wasn't already polished there weren't a lot of slides there but I want to bit the flip um a lot of my favorite researchers you know Kaminsky HD all these people we know and respect when I talk to them about these things and I tell them how concerned I am they'll often say something like yeah but they'll figure it out and it dawned on me last year a bit
put my brain that uh the the calorie isn't coming there are no other adults if your fix for this is sitting to the left of you to the right of you or in your seat um that is really terrifying because we're not exactly the best typ with demographic I would think to engage in these processes we're really allergic to them but if you think someone else is going to do it you're wrong it's the people you here in Vegas this this this sweet now we might team other people but you know the Cavalry isn't coming sorry how much is of this is that we talk a lot to ourselves Echo chamber yeah M A lot of it one of my best
mentors and friends said Josh all the why are you still in security and I said what do you mean it's where you started he said all the best people have already left and I don't know if he's right or not or that was cynical but his point is lot of the people that kind of realized that we weren't going to get subst of change and we stayed within the preaching to the choir they've become boundary spanners and joined the development Community or the Devo Community or the government or uh research thing T so we have seen people quietly graduate and move on and that is a part of it but um let's not do that
onesie twoy over the course of the next 30 Years let's get a bunch of us right now to make a decision so going back to thate you about this a little bit in the past um the challenge that I see about this so even the legal aspects talk about people that are here ones necessarily need influence or the ones outside of that sphere so have you thought about the fact that you Center for technology some of the other established groups there and become subject matter experts to those lobbying groups cting because there's going to be a lot of and challenges there you're probably looking at long Horizon actually impact change start right so the question was
yeah so for the C the question basically was why start a group another group instead of going and influencing the groups that already exist I think a success factor to your point will be that our initiatives that we choose to to invest time in will have to spend x% of time out of the echo chamber I think it's just obvious but but you you're touching on something important and if you look at like going he's at the ACU and if you look at the citizen lab guys up in Canada they're doing a lot of civil rights stuff with teaming with some of us I participated in some their things so we have little pockets of good
practice what we're really trying to do is not necessarily say that none of this has happened we want to take it for good the better the best and just keep iterating so the most important thing you said about Lum long time Horizon hell yeah of course this might take 5 to 10 years to see the first piece of fruit we got to start it's going to be marath not be careful I'm going to thr the right but I think the other thing that back to is how do we present the community because a lot of things you touched on we gotli people that don't show well I me I need to say put them in
front of anybody who's outside of our sphere and they're just going they're going to shut down so I think the other thing is we can address the principles that are important to us but we need outside inflence some the principles make sure that we can actually touch on a greater sphere yeah so to repeat his his comments um basically um you we're not going to be able to you know like you said boil the ocean and also the Showmanship of the people who we tend tend to get the recognition or tend to get the media play right um they don't show well to the people who we want to influence and so what we talked
about earlier but um but basically um we we do recognize we need to get the outside influencers to join us to be part of us so that we can send that message and also identifying spokes people with within this group so you know when there is this you know this funnel of of research or something going in a direction that maybe the person who actually presents it goes on CNN to talk about it may not be the guy who found it found the flaws because being the guy who found the flaws is going to be counterproductive he'll be next but I want to punctuate his point very few of us this is just a lius test it's not
proved positive there are very very very few people in the security Community who done a TED Talk he did a pretty good one some of the ones are really bad and Charlie Miller just did an amazing car hat with Chris bisac and it was done on for.com video I watched it on CNN on the flight here on JN FL they weren't interviewed and if they were they wouldn't have had I already talked to Charlie they wouldn't have had any recommended steps for what the car manufacturer could have done so back to that kill chain we do think that there's there's some media people that he's invested in I've invested in the v Fair guys there's some media people who know
how to speak to mainstream and in that kill chain we can take a really good piece of research from Jay or from Charlie and find the right translator to be successful for our identified Community interests and that's going to be a controversial point because you're going to have you know EOS egos but we want to focus on success and we'll figure out how to balance the right normal ambassadors versus the right secondary Seekers so that people get a good balance one of the things we figured out when we shared this idea this is awesome unestablished researchers really good research if you think about it by accident they're going to get a free platform as a service to
get interviewed on CNN or to the research for multiply if we do this right so there's an advantage to centralizing some of this uh relationship with public sector a question a comment the question was how do you propose on funding and the other comment is I keep thinking about when we talk about influencing the key people the right people that we really have to figure out how to figure out what is it that they care about about Android no one outside of this no one cares about uh bugs in what they care about is does my insulin P work is my car going to kill me can I feed my family is there you know am I going to
get a paycheck tomorrow um so it's figuring out how to you tie all this stuff all the technical stuff back to those no you me the the funing thing is challenging um we have a couple ideas is um the lobby is the most expensive one so we may not start there but that's that's on the agenda for Derby right I think we're out of time we will take as many questions as you want out there but in summary cavalary isn't coming it's you or nobody and the question is if not you then who and if not now then when so verbally do we have any new recruits all right I'm not kidding around man if
you can't participate in Nyon uh we're going to pass around these stickers we have a useless Twitter hand called I Am the Cavalry um but uh if you're at all serious about taking your own future into your own hands in a productive way and doing this experimentation we want any and all participation if you're a researcher specifically please help us with the identified swim lanes that would actually demonstrate public value Public Safety instead of some random Android thing but we'll fight more also this was the dry run we're going to do this at 10:00 a.m. track one PE slot on Sunday atcon and it'll be a much bigger fight so thank you for being our family in
testing this and [Applause] than okay I'm running it right now for would you move out of the way man hey excuse [Music]