
IATC - Track Introduction and Overview - Part 2 - Josh Corman & Nicholas J. Percoco

BSides Las Vegas | 55:07 | 5 views | Published 2016-12
About this talk
Track Introduction and Overview - Part 2 - Josh Corman & Nicholas J. Percoco. I Am The Cavalry, BSidesLV 2015 - Tuscany Hotel - August 04, 2015
Transcript [en]

All right, let's get started. Yeah, sounds good. All right, so welcome to the kickoff for the I Am The Cavalry track, and just to be really, really clear: we are not the Cavalry, you are. So we're going to give a quick five-minute primer for anybody that's brand new to this, but we actually launched here two years ago, here at BSidesLV, so it's our two-year birthday. And we're going to both frame the day but also explain what the journey's been like thus far and why we're very encouraged by it. So two years ago, where were we? Yeah, I mean, I think, you know, a little historical piece: it started out with a lot of

conversations between Josh and I. My motivations for getting involved were different than Josh's. My motivations for having these conversations and starting to talk about this had a lot to do with the criminalization of security research. That was where my motivation started, and then it shifted to having conversations talking about human life and public safety. Yeah. So just as a short introduction, two years ago we were finally motivated enough; what we saw was the problem statement that kind of unified us, which was that our dependence on connected technology was growing a lot faster than our ability to secure it,

more specifically in areas that affected public safety and human life: so automobiles, maybe you saw those in the news recently, medical device hacking, critical infrastructure, the Internet of Everything basically being the Internet of hackable things. So what kind of unified us, whether it was my research on Anonymous or his juice-cleanse nightmares about how we were going to have to get licenses to be security researchers or programmers, or that we might increasingly criminalize this like we've seen in France and Germany and South America, and even domestically there's things like Wassenaar and whatnot. In fact, right now Jen Ellis is talking about a lot of the laws that, if they're implemented incorrectly, really threaten our profession and hobby

and what we do, in a way that would not be so good for public safety. So initially when we launched we said we wanted to address issues that affected body, mind and soul. Body was the public safety issue, mind was the increased criminalization of security talent, and soul was the mash-up between civil liberties and cyber. And yes, we're going to say cyber a lot here, because the people we're speaking to, that's the word that they use, right? Cyber's on the news every single night and Congress critters use the word cyber, and part of being a good ambassador in the heart and soul of the Cavalry movement is to be an

ambassador. If you go to France you don't speak in English; you want to learn the language, learn the customs, you want to have the empathy to meet them more than halfway and find some common ground. So the idea behind the Cavalry is we looked high and deep as far as we could. We got pretty far along in our careers, we found the adults in Washington, we found the adults in Europe, and what we realized is the Cavalry isn't coming. No one's coming to save us for things like this. We are the voice of reason, we're the voice of technical literacy, and if we don't try to do some things and experiment and

fail fast and iterate, then we're just going to be screaming in the darkness and talking amongst ourselves in the echo chamber. So while I have deep love for both of the debaters on the keynote stage, that cynicism isn't solving anything, and finding more and more zero-days isn't really changing the incentive structure within which we find ourselves. So the Cavalry was really just a personal statement that you would make: that you're going to try something, and you're going to try to raise the conversation, get outside the echo chamber and be that voice of reason. So we deliberately targeted public policy makers, the general public and those four industries. Very quickly though, Beau, who wasn't even at our lunch because he was

presenting opposite of us, really jumped in head first. What was your, I guess, your introduction, motivation? Yeah, so I kind of got introduced to Josh over some Yamazaki in the speaker room that day, and really my motivation was just I saw that we have the ability to change things, to make things better, now more so than ever, and so taking that instinct and putting it into action. I saw a lot of promise in what some of the security community had done, and this being one of the leading efforts, as well as some of the things that a bunch of other people were

talking about. So the ability to actually influence change and to be effective, to not just continually be frustrated and banging our heads against the wall because, you know, we couldn't find that better way. Yeah. I guess I was going to say, on that first day we introduced a concept that we called fuzzing the chain of influence, which sort of goes back to you saying we're going to try, we're going to fail, we're going to keep trying, we're going to keep failing, and then we're going to find ways to influence the right people and get the right people motivated. And I think that's still true today, and we'll talk about some of

the things we've been working on. So you'll see throughout the day we're going to have a couple different chunks on the agenda. We're going to have Keren, who's been a really passionate, enthusiastic person willing to try to fuzz that chain of influence and be a good voice and be a good ambassador. We're also going to have a focus on do-ocracy, so Chris Nickerson, Tim Krack, Beau and Tod Beardsley from the Metasploit project are going to talk about how do you actually lead volunteer stuff, because our culture generally doesn't like to be joiners, right? We're very solo actors, we don't like to do things in groups, so how do you actually get progress and

tangible results in a do-ocracy. We're also going to have quite a bit of update on our progress with medical, and we've had some pretty stunning breakthroughs recently on making medical devices safer by working with the right stakeholders in the government, in the medical field, the right white hats at the right time, pulling in Katie Moussouris and others for the ISO coordinated disclosure type stuff. So we're going to give an update on that later today. We also have had probably the most impact on the automotive industry, and while we didn't have a sexy video on Wired, we built really serious trust relationships with these guys and we have a few things to announce on that

front this afternoon. But one of the things we want to do is show some of our progress; we'll probably get to that in one or two minutes here. I had some things I was going to say today; I'm going to change my mind a little bit after having a fairly cynical dinner with lots of really good researchers that have just convinced themselves that nothing's going to work. And I think maybe one of the defining characteristics of this, and Katie Moussouris was the one who put it in our heads in the first place, is it's not our technical skill that's making this thing work, it's our empathy. And I thought I was born

without it, right? It's not the kind of trait you would think would be useful here, but she basically said, Josh, if we want to change the world we have to change ourselves first. And we're really negative, we look for what's wrong with something. If we're going to be effective teammates we need to build those muscles, and the further we get into this experiment, two years later, every single thing that's worked has been because we looked for what was right with something and we used the language of the target that we were speaking to, whether it was Congress critters, the FDA, a device manufacturer. You know, they have similar goals to you,

they just have different experiences than you. And I think the heart and soul here is, when you see a coordinated disclosure policy come out from United, most of our friends pointed out everything wrong with the United disclosure policy instead of saying they're going to crawl and then walk and then run. And what we should do is celebrate any time someone says we're not going to sue researchers who test stuff and report to us; we want to start that learning curve. And what isn't seen, because we don't get the headlines, and I don't mean to be negative here but for a moment, what isn't seen is the treatment that United received from our friends

mocking their coordinated disclosure policy got a different airline to decide not to do one, right? Because these guys are putting a little baby toe in the water to see, maybe we'll just let people hack our website, and when their toe got bit off by vicious piranhas, who would ever get into the water, right? So I'm not trying to judge us. I think the idea here is, for this to work, it's not so much our technical prowess and our zero-days, it's our willingness to be a helping hand instead of a pointing finger. It's our focus on future success instead of past failure. It's coming with an open heart to be a teammate instead of being

someone telling them what they're doing wrong. It's encouraging the good choices they make so they start a journey. And what we want to do is, if you look at Microsoft, it took them probably 15 years for their mean time to enlightenment. Our friends used to frame their letter on their wall saying, here's the threat I got from Microsoft legal about the bug I was going to report, and now they have BlueHat and they have six-figure cash prizes and they treasure the collaboration. They need it; their software development teams depend upon collaboration with third parties. If that was a mean time to enlightenment at 15 years, we really need and want to

compress that to three to five years for auto and medical, I think, like that. So I would just encourage you for the next couple months, and the fact that you're in this room probably means you have a better attitude, but there's plenty of things these guys are going to do wrong on their learning curve. But this is year one of their learning curve, and what we found is when we're patient with them and when we engage them, we get invited in. We did a full-day workshop with the Food and Drug Administration, what, two weeks ago. They'll have us asking questions, we'll accelerate their learning curve, we'll understand why they're stuck and they can't do XYZ like

we want them to, but we'll find out they can do ABC instead. And I think that open heart is the one thing that's going to change our fate, because right now we are, you know, fighting a losing battle, and how do you win in a losing battle? You change the rules of the game. So between Jen Ellis and myself, and there's some government folks in the room, I think I've done 200 congressional briefings, Jen's probably done 300, and we've gotten to the point now, and you're going to hear about this later in the car and medical thing, but the committees that are asking and forming law for automotive cyber safety are basing a lot of their questions and

source material on the Five Star that we launched one year ago. So I would say two years into this, the experiment is working. Now, it's slow, you have to build trust, and the people who have gotten involved have learned it's less about tech prowess and more about translation. But if you want to decide that nothing's going to get fixed, there's plenty of people in the echo chamber to console you. If you want to try some new things and you want to build some of those soft skills, we're finally seeing the fruits of that, and we have a couple surprises peppered throughout the day. One of those surprises is right

now, right? So we've got some very good friends in a lot of great places, like in Europe, where it's a little bit different than the US. We've spent a lot of our time in the US just because we're geographically located here. We've been able to take kind of a different tack in Europe; we've had some really good outreach next to folks like clous and others who have really picked up the idea that we can get safer sooner, and one of those is a company called Dräger. And this is a quick video; we pre-recorded this because we know the demo gods being what

they are, we can't count on any live demonstration over Skype. So this is, maybe say who Dräger is? Yeah, so they'll introduce themselves. Dräger's a large medical device manufacturer over in Europe; they do a lot of other things as well as medical devices. So I'll let Hannes introduce himself and Dräger in this short

video. [Tech fail.] Hey guys, I am Hannes Molsen, the product security manager of Dräger, and thereby responsible for maintaining and improving the security of our medical products. We are a 125-year-old family company from Lübeck, Germany, with nearly 14,000 employees creating technology for life. If you think you haven't heard of us, you still might have seen us, for example in hospitals with our ventilators, monitoring solutions or anesthesia machines, or you might have seen our oxygen tanks and masks being worn by firefighters, or Marines using our diving equipment. Whenever it comes to compressed air you are very likely to come across our products. Customers, users, operators and patients that are connected to our devices literally entrust their

lives to our products, which is why their safety is one of our top priorities. People get used to interconnected devices in their everyday life really fast; their demand for smart appliances grows way faster than their need for security. It is important to make sure that our devices and systems are hardened enough to withstand a connected environment. Josh will instantly replace connected with exposed, so to stay with this term, exposing them adds a whole new class of threats. In the past it was just the device in a closed environment; adversaries needed physical access to hack the device. This in turn means when a device was hacked there was a targeted attack against that particular device. Now this changes when we start to

interconnect all those devices, maybe over a hospital network. By exposing them they appear in port scans; they can become subject to several forms of collateral damage, be it from malware like CryptoLocker, by automated scripts to run mining operations, cryptocurrency mining operations for example, or just the average computer virus. Connected devices can also be one stop on an adversary's path through the network to steal information like patient data. But no matter how much you spend on training, software quality assurance, testing and verification, there is still the programmer's law of nature with its inevitable number of 5 to 50 flaws per thousand lines of code, and suddenly you go to fail. There are several types of

vulnerabilities: the ones you fixed, the ones you know about and the ones you don't know about. But the worst kind of vulnerability are those that you don't know about but others do. For us vendors, a lot of those others might be you, excellent security researchers acting in good faith and being a willing ally to us. At Dräger we would like to make it easy for you guys to reach us, which is why we are preparing a coordinated disclosure statement. The statement is in its review process right now, and in addition to internal feedback we are also getting very valuable feedback from the security community, for example from Beau Woods. Once published it will be reachable via draeger.com/security. It gives

you the contact email address, which is product security at draeger.com, together with our PGP public key so that you can encrypt the sensitive information that you send to us. You can find the key also on public key servers. We give you some guidance on what you should include so that we can reproduce the issue faster, plus we'll describe what happens then and how you will be kept up to date or even be involved in the resolution. For now, it remains for me to wish you a great time in Las Vegas. Thank you very much for your attention and keep up the great work. We are all the Cavalry. Very cool. Yeah, so in case you missed that, or in case the video didn't

record it for posterity, that's a major medical device company committing publicly to engaging with this community on equal terms, on equal footing, and in an incredibly clueful way. Dräger and Hannes are very smart about what they're doing and how they're doing it. They're very plugged into the security research community, and some of the work from some of the people in this room has inspired them to be better. So that's another commentary on everyone in this room being part of getting things safer sooner. Yeah, so I mean, if you have worked in the medical device field, there are legal teams and their PR teams are very closed, just like

in the automotive industry, just like the airline industry. So we basically found a really clueful, passionate hacker teammate in pretty much every one of these organizations desperately trying to do the right thing, and one of the things that I really liked about Hannes was he tracked the Cavalry stream, he tracked the Five Star Automotive Cyber Safety Framework, which is designed for cars but also meant for medical, and he's changing his program. Every time there's some positive press he uses that as internal collateral to do what he always wanted to do in the first place. And there's people in this room at other medical device companies; if you know Mike Murray, he quit his own company,

started to go work inside GE medical to make things safer sooner from the inside, and he's slowly adding people like Jose COI and other hackers to his staff to work on the inside. So I think this idea that these industries are clueless isn't really the case. What you have is really smart people trying to do the right thing who needed teammates on the outside, and if you ready your heart for it and if you get engaged, there's plenty of injection points for these things. There's also typically plenty of job opportunities to maybe stop being, whatever we're doing here and getting upset with it, and maybe go inside and fix it. So I'm super encouraged that this

is typically something they won't want to do, but we're hoping other companies now follow suit and add a coordinated disclosure policy. And when you go read it, if there's things wrong with it, we will quietly work with them to grow and mature it, but please praise its existence, because the alternative is a legal and adversarial tone with these companies. So we're a little short on time for the opening ceremony, about five minutes left if I recall, is that correct? About five minutes of speaking and then we can throw it open for Q&A. OK, so I was too long-winded before, but one thing I want to point out for people that didn't see it is, one year ago on

our birthday we published the Five Star Automotive Cyber Safety Framework, and we're going to go into great detail on that later, but if you look past the word auto, it basically starts with premise zero: that all systems fail. So we've been taking the attitude not of scaring people, just saying these things will fail, whether it's accidents or adversaries, they will fail. So there are really five ready postures towards failure. The casual one I basically say is: tell us how you avoid failure, tell us how you take help in avoiding failure, tell us how you notice and learn from failure, tell us how you have a prompt and agile response to failure, and tell us how you contain and isolate failure.

The more formal names are: what is your safety by design, so tell your customers how you do your SDL. Second one is, do you have a published coordinated disclosure policy saying you will not sue third-party researchers acting in good faith, which is a form of insulation for us against things like DMCA and CFAA civil suits. Number three is, do you have a black box to learn from failure? These guys were simultaneously screaming at us that there was no evidence of hacking; well, none of them had any mechanism to ever have any evidence of hacking, so we want to break that circular logic. Number four, do you have secure updates? So is your

response time to a hack a manual USB key sent in the mail with a 3% uptake that could be implemented incorrectly, or is it a full remote over-the-air update, securely, like BMW did, where all of their customers were patched before anyone knew they were even vulnerable, right? So what we're trying to do is help them get over the hump on secure updates. And the last one, about separating critical systems from non-critical systems, is: who cares if the stereo gets hacked, who cares if they blast it on the hip-hop station, as long as it can't also shut off the brakes or kill the engine? And because we haven't segmented critical systems from non-critical

systems, we don't want to fix one bug in one infotainment system in one vehicle manufacturer; we want to fix the industry by making sure that their future designs are separating the critical from non-critical. And by focusing less on PCI checklists of security products that don't work, we've really focused on avoiding failure, taking help avoiding failure, noticing and learning from failure, prompt and agile response to failure, and containing and isolating failure. And Beau and others later will tell you what they're doing for the medical Five Star, but this, as the foundation of how do you create areas to collaborate together, has been one of the reasons the empathy has been working. So we have the

heart of a servant, the willingness to speak their language, meet them at their level, start them on their journey, and most of them were doing some efforts within one or more of these product categories or these solution categories. The idea is not that we're going to prevent these things from being hacked; it's that we're going to be readier when they do. And the ultimate goal, and my final word on this, I guess, is our intent two years ago was to make sure we were safer sooner, and I think the last couple weeks we've seen, and some of the surprises throughout the day, is it's working. So we really hope that you advocate, participate, and start building those

empathy muscles. Open up for some questions? Yeah, so we've got about five or six minutes for questions. We also, courtesy of the phone system, the old-fashioned thing that still runs pretty well, we have Hannes Molsen from Dräger on the line in case anybody wants to ask any questions of him. Keren, do you have a question or are you just stretching? There's also a microphone right here, which you guys probably should use; that way it'll get captured in the recording.

Yeah, hi. So the question is about perhaps using the reputation of the people who are participating in order to support the vendor efforts. So right now, as far as I understand from what I've read, this is done behind the scenes, like in direct work with the vendors, and you've said that there is a lot of cynicism going around about the vendor effort. So if it would be portrayed as a joint effort with some of the people who are reputable researchers in the security community and presented as baby steps, as you called it earlier, perhaps this would lower the level of cynicism, or at least PR in some way. So you're saying that when they come out with their

coordinated disclosure policy, if one of us was jointly, right, if you were just, or at least framing it right, saying OK, so this is not the best that could have been expected but this is what they're trying to do and we are behind it. Coordinated support of their announcement of that policy, right. I think the thing that breaks my heart is there were people that were planning to say we're not going to sue researchers, and they were going to announce it this week, and they're not going to do it anymore because of a bunch of reasons. But if we understand, and I don't want to treat them like children either, I think

they're doing really good work, they're trying really hard, some of them have been trying to get a coordinated disclosure policy for three years. I'm just suggesting to us that some of us can change our conversation in the echo chamber to point out what people are doing right. So lately, I used to ask people what was the best thing, the worst thing, key takeaway from any talk they heard; I've started asking people what was the biggest surprise or what was the best part, and that's all I ask, because I'm trying to change the pH balance of the way we talk to each other, or how can we build on this. So look at it like a little ember instead of a fire,

like we can put the ember out instantaneously or we can cultivate it and foster it and turn it into a bigger issue. So I like your suggestion though; we could do more overt support, and I think we did that with BMW when they got hacked. Everyone was making fun of them and we said, here's the Five Star, here's two of the things they did really well, this is actually a success story: they didn't sue the researchers, they did an over-the-air update. During the over-the-air update, I don't know if you read our postmortem, they actually were passing the updates in the clear, but they noticed it and

voluntarily told everybody in their announcement, so that other people that might also have been passing their updates in the clear could start using SSL. So I think we should be focused on where we need to be as a society and where we want them to get to, and then understand it's going to take a lot of time to get them there. I don't want to be patient about it, but I want to be realistic about it, and that's where the give and take comes in. Anybody else? I think you take some positive examples from well-known researchers that are active in this particular area, come out and say, look, I reported that vuln and they actually

coordinated and they responsibly fixed it, because all you see most of the time in these disclosures is how badly the vendor reacted, right? They try to hide it, they said fix it, fix it, or their fix was broken, and that's... Yeah, I think there needs to be some positive examples where researchers are satisfied to some degree with the response they get, and that becomes... Yeah, exactly. I think we need more of that. I think what researchers we know run up against is that many of these organizations are so immature in their handling of these things; this is the first time they've ever had a critical vulnerability reported. And so that's where, with more companies having the

coordinated disclosure policy, we're going to be able to see those things. So the next time, you know, Dräger receives, somebody follows that process and basically goes through and actually has some success, we should then highlight that and celebrate it, that this is a success. If someone was to submit it to a company that does not have one of those policies, that's where you heard the horror stories from. Yeah. I was asked a couple times, and my answer varies depending on the day they ask me, but I said if you could only do one star, which star would you do? And I think it's the coordinated disclosure policy, because I think that changes the idea

that researchers are a threat to researchers are somebody that can help us. And as they get more bug types they'll start to get better pattern recognition, because the Microsoft SDL is pretty darn good right now and they still have a lot of bugs every Patch Tuesday. So they went from the idea that people might find bugs to, oh wait, people are going to find the right bugs, we could prioritize the bugs, we look for patterns of bugs, and it fueled a positive, virtuous upward spiral. And I think once we can see that, they can start to see us as teammates and a valuable addition to their on-staff security team. That's probably the

right thing, which is why I was so discouraged to see us scare away a few this year. I still think a few of them might come through, and that's why I'm extra thrilled with Dräger here for taking a leadership stance. I think what's going to happen as well is the free market is going to see, wait, this company cares about security more than these ones, we're going to put our business there. So it's not simply passing laws like, you know, Rob Graham was pooh-poohing, but we are actually working with several committees to make clueful, geek-designed policy changes as well that might actually make it easier to do the right thing. All right, I think

Keren's up now, or do we have time? Yep, OK. Yeah, so Keren Elazari is going to come up next. She's an awesome speaker; she spoke for us last year, she spoke at DEF CON last year, she's spoken at several TED conferences, so I think you're going to be really excited, and she's got something special to say at the very end, so make sure you stick around. Yeah, there'll be little surprises throughout the day. But listen, guys and girls, while we get set up, it's going to take me a minute with the cables and stuff, I want to offer you a chance to have some exercise. So there's upgrades to first class today, lots of seats in the front row. You see

the talk, you'll enjoy it more, and, you know, just get up, move around, stretch your legs. I might be amusing but it's not a standup, so I'm not going to make fun of the people in the first row. So I promise I won't make fun of you if you come and sit in the front; you're very welcome, feel free. And I have another request, a housekeeping request: can we keep the door just open and have people come in and out? Because it's way more distracting to hear people trying to close the door and, you know, failing closing the door. So let's just put this here and I'm going to let the magicians take care of that

stuff. I'll get miked up in a second. Here's the clicker also, and there's going to be something pretty special happening at the last couple minutes of the talk, so y'all want to be sticking around for that, because it's something never before seen and never to be seen again, maybe. So all right, you get that stuff set up. Good. I need a lav mic.

One, two, three, testing, one, two, three. Guys at the back row, can you hear me? Are you hearing me? No, you can't hear me, it's not coming out. OK, how about now? How about now? 1, 2, 3, 4, 5, 6, 7, 8. You feeling good? You hearing me in the back row, everyone? Because I'm going to speak loud so we can have the door open and you're all going to hear me even if you're all the way in the back row. So I need the people at the back row to let me know if they're hearing me or not. Yes, you are. OK, another second to get this stuff set up, we need this stuff,

power plag is good yeah that's going to be there okay if I need what let's just plug it in man thank you muchas gracias and the audio is going to come into here so we need to have the audio coming into here so we have audio but it's at the very end can you connect it man thank you okay guys uh and is this the way the projector is supposed to look like which is a trapezoid shape sort of trapezoid shape okay let me get over here yes good good yes good this is working okay um we we test the sound later okay guys and girls boys and ladies gentlemen and creatures of other genders kinds

types and races thank you so much for having me here today I'm extremely excited to be here today and it's actually not because I love hackers and bides and Vegas it's actually because I was nearly blown up on the way over so so uh this is not a a mock picture actually I was on this flight tk79 flight from Istanbul to San Francisco and this flight had an actual bomb threat and uh we had to do an emergency landing we had the Jets escorting us over Poland we dumped all the fuel it's a Triple 7 heavy coming over the Atlantic so it had to get rid of all the fuel before we could do the emergency

landing. The captain of the flight made the decision to do the emergency landing. It was kind of freaky, I was kind of, you know, very nervous about it, and we had the fire trucks and the Polish SWAT teams and the dogs sniffing out, all that circus happening on the jetway in Poland. And all of this happened not because of somebody hacking into the airplane, it happened because the captain actually thought it was an ISIS bomb. They found a cell phone on the plane and the captain made the decision. You don't have to, I mean, you can make an airplane crash if you like, but you don't have to make a

character of it. Anyway, this is the reason I'm actually very, very happy to be here, because the captain actually thought it was an ISIS bomb and made a decision to do the emergency landing. It's the first time that's ever happened to me; if it's ever happened to you, I hope it never does, it's very scary. So I'm very happy to be here today because I am alive and I didn't get blown up to pieces. However, when I got into Vegas, to add insult to injury, somebody stole my bags, and I don't know if it's the DHS, the FBI, the Fed, other three-letter agencies, but all it took was my deodorant and my backup SD

cards, and everything else was intact. So either it's a plot to disrupt deodorant at DEF CON, or it's a plot to disrupt other stuff, I'm not sure. I guess we'll find out, and maybe I can find the deodorant as well. If not, I hope I'm okay-smelling. So here's the thing: planes. This is actually, it really happened to me, but this story ties into what I'm talking about today. Planes flying over the ocean is a real thing, and they can actually still get blown up, not because of, you know, United, or because of Chris Roberts, poor guy, or, you know, great guy, and lots of compliments and other superlatives. Actually, planes still get, you know,

threats and real bomb threats and get blown up, and this really ties into what I want to talk to you all about today. Jump right in there. Okay, so I don't know if you can see it, but I want to talk to you about how our world is made up of bits and atoms, right? That's kind of clear, I think, it's a statement, kind of clear. And for the past 20 years in information security we've been all about protecting bits, data, right? Bits and bytes and information and that kind of stuff. Now, did I just... all move? Because I didn't move it. Okay, I have to watch out, my slides have a mind of their own. This

guy is Nicholas Negroponte from the MIT Media Lab. 20 years ago he wrote a book called Being Digital, and he said one thing which stuck with everyone. He said in 20 years it's not going to be about the atoms and the molecules, it's all going to be about the bits and the bytes. And in a way I think we can agree that, you know, he's got a point there, but guess what, we still have the atoms, and actually now we have more bits controlling more atoms. So that's very abstract, but what I mean is that we have more ways to use information to disrupt physical reality, and that's why I like what I Am The Cavalry is doing, because I

think it's all about the physical stuff, it's all about the physical, cybernetic, you know, atoms that could ruin your day. Of course bits could still ruin your day if you are a member of the Ashley Madison dating community. I don't know if you all heard about this, this happened last week, I think. I was actually on CNN right after this moment talking to Brook B in the newsroom. She actually introduced me as a cyber hacker; that's the first time that's happened to me, so I'm now, you know, putting in my intro "once called cyber hacker on CNN". I think maybe that's why they stole my luggage. Anyway, Ashley Madison dating site, if you don't know it, maybe their tagline

says it all: life is short, have an affair. Life is short, have an affair. They have 37 million anonymous users; turned out not so anonymous after all. So yes, bits could still ruin your life, information could still ruin your life, secret stuff could still ruin your life. And, you know, Sony Pictures had a massive leak last year, pretty terrible stuff for the Hollywood industry, but pretty great for Charlize Theron, Academy Award nominated actress, because she was able to negotiate a fair fee, an equal fee, for her next gig starring in Mad Max, if you haven't seen that great movie, because she saw in the email leaks from Sony that she was not getting paid the

same way as the guy actors. So these leaks, what they tell us is that secrets are going to get out there at some point, and it could ruin somebody's day, but it also could do some good stuff. And that brings me to why people are so afraid of hackers. We are hackers, and what happens is that a lot of the times the stuff that we do shatters people's illusion. People think they're living in a safe world, they think they have privacy, they think they have secrets, and whether the secrets are on Ashley Madison or they're on Gmail or, you know, wherever their secrets are, actually I don't think they have any secrets from these guys, because

these guys don't charge money for the service, right? You don't pay to use Facebook, WhatsApp or Instagram. What you pay with is your information. You pay with your choices, your decisions, the stuff that you do, the places you go to, the people you like, the people you don't like, all of that stuff. That's actually worth a ton of money, the movies you enjoy watching and interacting with. Actually, did you know that if you upload something to YouTube it kind of belongs to them? And it's kind of crazy if you look into the r R of what it means when you upload video to there. So all of this is happening because if you're on

the internet and you're not paying for something, there are good chances you are the product, right? If you all heard this one before, maybe some of you, okay. Are you alive? Are you awake? Yes, some of you, good. All right, so basically this is all happening because of what our good friend Mikko Hyppönen likes to say. Oh look, I have a fire thing in the middle of my slides, I just realized. Is there a way you can move the projector a little bit so it's not on this, or can you see it okay? You can see it, okay. So, "I have read and accepted the terms of use": this is probably the biggest lie on the

interwebs, because nobody has read and accepted, I mean, nobody has read them, they just accepted, they click through. Even us who are hackers and, you know, minded individuals, we never read these terms of use anyway. Now, I have a sister who is a lawyer and she tells me about this stuff, and she says, you know what, it's crazy the stuff you are all accepting. She's not a hacker, she's a lawyer, like I said, and she's done her master's thesis only about the stuff that we are all agreeing to do. So we're agreeing to do some crazy stuff, and this is what Mikko Hyppönen from F-Secure calls the biggest lie on the interwebs. And

basically here's the reality: our information is worth a lot of money, everybody's information is worth a lot of money, and maybe, maybe we don't really have a lot of secrets anymore, not us, not the other people. So really, maybe the future of cyber security is not about secret information, it's not about keeping things secret, it's not about privacy, or it's not just about privacy and secrecy. I know this is a little bit of a controversial claim here, but, you know, stick with me, though I need more coffee. I'm going to suggest also the flip side of that statement: if there are no more secrets, and if our information is worth a lot of

money, and it's worth a lot of money to the big guys, governments and corps, it also means that with the power of releasing information, you know, one person, maybe a couple of people, can change the world. They can influence governments, they can maybe take down a corrupt corporate, or, you know, help Charlize Theron get equal pay in her next movie, which is great for Hollywood actresses. So maybe, maybe, just maybe, in a few years, in this reality where there are no more secrets, maybe with the help of some hackers the governments and the corporates will be as transparent and as exposed to us as we are to them. Maybe, it's one idea. And as you all

know, this is something I mention a lot: about a hundred years ago, Supreme Court Justice Brandeis here in the United States said that there is no better disinfectant than the light of day, and that releasing information is a cure for many social illnesses. And I very much like that idea; 100 years ago, but I think it still makes sense. So it's not about secrets, it's about way of life, it's about our atoms, it's about the things that we're going to trust. So I just wanted to get all that information and secrecy stuff out of the way before we move into the physical stuff. And the physical stuff could be one of these boats, an $80 million super yacht, you know,

sailing on the Adriatic Sea. Stop me if you've heard this one before. You all heard this one before? No? Okay. $80 million super yacht, about a team of researchers from a University of Austin, Texas, using some GPS spoofing and a laptop worth like a thousand bucks, can send it veering off course. So it is bits controlling atoms, information controlling physical reality, and it's the same stuff, the same stuff that they used to take this yacht off course, same stuff they used to crash land the drone, and it's not new stuff, they did it a few years ago at the university, like I said, University of Austin in Texas. So what is happening here? With a thousand bucks you

can take down a thousand bucks' worth of fiberglass or $80 million worth of fiberglass. That's a little bit scary. So why is this happening? It is happening, I think, because of two reasons: one is convergence and the second is multiplicity, and I will explain. When I talk about convergence: for years people told us that very soon we're going to have one device that does everything. You know, you've probably seen those images of how people used to have like a camera and MP3 player and a personal digital assistant and, I don't know, like a fax machine, and now it's all in your iPhone or something like that. So everything is converging, the technology is all coming together, and we are told

that this is, you know, going to keep happening, so at some point we're only going to have one operating system, you know, one major computer programming language. But actually there's more and more and more stuff and more and more types of technologies being connected and created every day. So it's not convergent at all, it's actually very diverse, but at the same time we still have a lot of core things which are shared among everyone, and these are very vulnerable things. What do I mean by that? Thank you all, by the way, for joining this session, I hope I'm making some sense, because my brain has been very frazzled and I've been on a bomb

threat and coffee and jet lag, and it's like the perfect storm in my brain right now. So I'm happy that actually there are people here. Okay, let me ask you all: you all came over from all kinds of parts of the world, you all speak a few languages, I'd imagine. What would you think is the most popular language in the galaxy right now? C? Mandarin? I heard another one, COBOL. COBOL, okay, good one, good one. Other guesses? C++, C++. So actually, guys and ladies... math? Math, well, math is good, but it's kind of abstract. You're right, but it's kind of abstract. So I'm actually talking about software language, not a big surprise there, and

it's more popular than Mandarin and English combined, and this is of course Java. So Java is on billions of devices, really, yeah, God help us all. And this has been around for years and we're still finding like zero-days like every moment, and the stuff is not running like on laptops and web apps, right? It's running like ATMs and medical devices and cars. It's freaking running Java, the Mars Curiosity rover on Mars. I mean, it's part of the OS, it's not the only thing running it, but it's part of the OS. So it is convergent, everybody's using Java, but it's used for like a bunch of multiple different stuff. So can we protect robots on Mars the

same way we protect mobile apps? Is it the same kind of mindset? I'm not sure. So this is like where the problem gets really complex. It's not just about information, it's not just about secrets, it's about the safety of this, which is a laser-firing robot on Mars, and it's, you know, tweeting about it, so it's also about the safety of its Twitter feed. Same thing, all using Java, but the problems are different. So I hope this brings home the complexity of the problem that I'm trying to bring through here. And all of this stuff, these are the past, in the past 25 years, this is what Sourcefire

released in a report a couple of years ago. They looked at 25 years of vulnerabilities; these are the environments in which the most severe bugs were found. So of course you could say it's the most popular ones, people find the bugs there, they don't look at the unpopular stuff. Well, maybe that could be true, but we're still using this stuff, and a lot of it is very, very vulnerable, and we're still finding more and more bugs. Even though we've had 25 years of finding bugs in this stuff, we're still finding more bugs. And now all of this is connected to this new and old shit, pardon my French, by the

way, sorry if I'm hurting anyone's feelings with my... yes, your feelings, Ian? Me? Oh, you're so, so gentle, you're a kind white rose in the middle of the desert, I'm so sorry, have a drink, get over it. So this new stuff and old stuff, you know, GSM is not new, GPS is not new, RFID is not so much new, you know, this stuff is not very much new, some of it is old, but it's connected in new ways, never before connected in new ways, to stuff running this stuff. So this is the complexity of the problem I'm talking about. It's not about secrets, it's about bits controlling atoms. I think I'm starting to get the message through to you guys,

and of course we have all kinds of vulnerabilities every day, and all kinds of, you know, POODLEs and Shellshocks and Heartbleeds and, you know, stuff they haven't found a cool name and a logo for yet. I'm actually waiting to see if Marvel is going to do a superhero movie where the characters are software vulnerabilities, because if they can give the lead part to like a raccoon and a tree, you know, I think Heartbleed deserves its own movie. Yeah, here's hoping, right? So I actually recently... oh, it's Bandit, hi, I hope you're enjoying the talk, honey. He's so sweet, that's Grant's baby, baby Grant, Grant's baby. Hey, hello, hello. It's

actually the first time I had a baby in the talk, I mean, not had a baby... like I said, it might be amusing, but I'm not going to make fun of you guys, don't worry. Okay, so we keep finding bugs. Bugs will be around as long as humans write code and create technology, we'll have more and more bugs, and actually companies are under severe pressure to put new technology out there faster than ever before and connect it to a bunch of other stuff. So there is no way, even if they had the best intentions in mind, even if they had like a fantastic security team, even if they didn't have governments forcing them to put back

doors in it, there's just no way they're going to secure all the things. It's just not going to happen; it would be naive of us to expect this to happen. And this is why the world needs hackers. This is why the world needs hackers, because governments and companies and people running all of these technologies, they might find some of this stuff, and even if they're really kind-hearted and, you know, they want to make this stuff secure and they don't want to put any back doors in it, well, guess what, there's still going to be a couple of those. So that's where hackers come into the picture, and I think that's like basically only hackers can actually be

that solution. So this is an idea I previously discussed and called the immune system for the technology age, or the internet. I think hackers are part of the immune system. It's about finding the problems and making the problems go away by sparking a solution. Barnaby Jack said sometimes we have to demonstrate a threat to spark a solution. I'm very much inspired by that, I think that's very much, you know, within the spirit of I Am The Cavalry, but also, you know, I want to go back to that in a second. So this is an idea I actually presented last year at something called TED, and maybe you've

heard about this event. It's a little bit of a big deal for me because the people on stage were like Bill and... and Snowden via a robot, and me, so that was weird. But look, I almost got it to say leet, so I almost got the view count to say leet. Now, I have to say I didn't mess with the view count, it's totally organic, and I guess at some point it did say leet, but, you know, I was very hopeful to get the message out. It looks like it did get out, so my message about hackers being the immune system kind of became viral in its own spirit. If you go to RSA or Black Hat you'll

see five different companies talking about the immune system of the internet, which is, you know, good and bad, I don't know. I think hackers are the immune system of the internet and not like a security company, but I can't sue them for, you know, spreading this idea onwards, because that's kind of counterproductive. So I want to go back to something which I think is important to all of us. I think everybody's thinking and talking about this Jeep hacking stuff, right, and it's so complicated to even talk about without offending anyone's feelings. I just want to say one thing about what is sometimes called stunt hacking. Okay, I don't think it's a bad thing, personally.

I think it has some impact, but I think one of, you know, probably the biggest impact of this stuff is that for people outside of our world, they start prioritizing control and trust and safety of like the atoms over the privacy and the secrets of the bits, and maybe it's okay that they prioritize this stuff for a little bit, because the atoms have not had the same amount of attention as the bits that we as an industry have been giving them. However, you know, to put things in perspective, I don't think it's just about atoms or just about bits, or, to make it even more clear, we cannot choose one or the other,

right? We cannot just choose to protect this stuff and not protect this stuff. It is connected inherently in a way that would never be separated. We're only going to get more wired and more connected, and this stuff is going to be like on the moon and Mars and, you know, but here in my pocket, it's all the same stuff. And so what can we do about it? A few things I suggest we can do before we move on to the more exciting part of today's presentation, which is going to happen in a couple of minutes, something pretty special. A few things we can do: we think about the atoms, not about the secrets, we keep thinking about

them, and this is what I Am The Cavalry is pushing forward, protecting the physical reality stuff. I think it's critical that we talk about it all the time, I sure talk about it all the time, and we try and find all the bugs, like we help, we do what we can to make more bugs known, because we've got to make the bugs known. There's no better disinfectant than the light of day, right? This is very important. And think about an ecosystem, think about the fact that there's no islands in cyber security. Maybe Richard Branson, the guy who started Virgin, maybe he has a private island to which he flies with a private jet, and he makes

all his calls on his private Virgin Mobile network which he owns, and, you know, he has everything set up privately. That's one guy; for the rest of us, we've got to figure this out, unless, you know, you become one of Richard Branson's slaves, guests, at the island, and then you're good to go. I was actually offered a trip to this island, it exists, they have a Bitcoin conference happening there, I declined politely. So this is us, guys, this is how the world sees us, and, you know what, it's kind of scary, but it's also how we've got to be. We've got to be armed to the... we've got to be

working together, we've got to be, you know, making a difference in the world, and we also got to make other people be like us, or understand us, and we've got to take this very scary image, which I put in Lego to make it a little bit less scary. Okay, actually somebody else made the image, I didn't make it, but, you know, Lego people are less scary, so maybe if we are like this, but we are Lego people, people can relate to us more. I hope that makes sense. Now, before we move on, I want to just bring home one last point: it's really up to us in this room. The Cavalry is not coming; we are it, we totally are it.

So, guys, that's a big responsibility. The future is already here, this stuff is already happening, it really is about us, if we can save this future or not. So thank you for listening and participating. No, no applause yet, please. I want to ask you if you want to see the next part, so... oh, I just realized I totally skipped my introduction about who I am. Well, you don't need to know that, I mean, you can Google it or something. I don't have a Wikipedia page, but you can figure it out. So actually a lot of, yeah, I guess a lot of what I am about is because of this woman, and I think for a

lot of people it's like this: Angelina Jolie in the 1995 film Hackers as Acid Burn. I was 14 when I saw this movie and I was inspired, just deeply inspired. Keep the door open, guys, just keep the door open, I'll speak up loudly, keep the door open, thank you. It's very distracting, you need WD-40 on the door, you know what it is. Okay, so this woman inspired me to be like a hacker and to think about it as something which is a good thing. I never for a minute when I saw this movie, I never for a minute thought the hackers are the bad guys, I only thought the hackers were heroes, and that's what I

keep thinking for the past 20 years. So this movie has done, you know, quite a lot of impact. You can make fun of it or you can admire it like I do, but the movie has made an impact, Angelina Jolie has made an impact on the cyber security industry, I think an undeniable impact. And so this movie just had its 20th anniversary, and I had a crazy idea a few hours ago, actually 72 hours ago, somewhere in Sebastopol in Northern California, where I was camping out with a bunch of hackers at something called Foo Camp, which is an unconference, and I came out there and I just had a crazy idea. I realized, hey, it's 20 years for

Hackers, let's do something cool, let's make a fan version of Hackers from 1995. And this is a fan version in the spirit of what is called sweding movies. If you don't understand this, it's from a Michel Gondry film called Be Kind Rewind, where they actually have a video library and they lose all the videos and they have to recreate the videos themselves because people want to rent Ghostbusters, so they recreate Ghostbusters with aluminum foil in the library and they call it the sweded version of the movie, and it becomes more popular than all of the other stuff. So we tried to make a sweded version, which means it's a mashup, cover version, redo, you know, remix. It might make more

sense than the original plot, it might not. There were a lot of people involved, actually, like 30 people involved, some of these names you will recognize, and I'm going to let you, I mean, I suggest you stick around for the credits roll at the end of the film that we may see in a minute, because there's a lot of people you might know and love, or hate, you know. Spoiler, no, no spoiler, you know what, I'll let you find out for yourself. Just before I screen this to you guys, I want to say this is like totally a labor of love that these 30 people made happen in 24 freaking hours between

Friday night and Saturday night, after I nearly got blown up on a plane. So if it's kind of crazy, you know, bear with us, it's wacky, I think maybe it's adorable, who knows. It's never before seen footage and it will never before, or never after, be seen again, unless it gets leaked, I mean, uploaded to the interwebs. But at this point, my friend at the console, hello, I'm speaking to you, I need to stop the video filming. So thank you all for watching.