
...higher performance communication resources and faster and more reliable technology. Got to keep this thing from falling asleep on me while I talk; I should have changed the settings.

So, hi. As Sean said, I'm Neil Wyler, also known as Grifter. I didn't know it would say Neil Wyler, actually; initially I thought it would just be Grifter, because at least in my brain nobody knows who Neil Wyler is, but I've been Grifter for a really long time.

So who am I? By day I work for RSA. I do incident response and hunting for them, so that pays the bills, which is nice. I work out of my house; I live up in C-ville, just north of here, and I have been a citizen of Utah, a Utahn, for almost 18 years now, so I've been around a little while. He mentioned I'm a DEF CON goon. I am the department lead for contests, events, villages, parties and the demo labs, so all the things, basically: if there's something going on at DEF CON that isn't about someone walking up on stage and presenting, then that's me. If you're interested in doing one of those things, just let me know, grifter at defcon.org, and we'll see what we can do.

I am Black Hat staff. I started working with Black Hat, I want to say, in 2003. Here, I'll go to... I have pretty pictures, let me go there. There we go. So I started working with Black Hat back in 2003. I started out as a volunteer. One of the other things I did with DEF CON was that I was the administrator of the DEF CON forum, so during that time I'm complaining on the forums about how much Black Hat costs, because I'm, you know, 23 years old or whatever, and I'm just like, this is insane, it costs too much money; if you just have your own business or you're a student you can't afford to go. And Russ Rogers, some of you who have been in the community probably know Russ, Russ said, hey, if you want to volunteer I can probably help you out. He introduced me to the folks at Black Hat. I went out and volunteered for one of their Windows shows up in Seattle; they used to do a Windows show. In between that show and the US show there was the trip to Amsterdam, so they had a Europe show, and the guy who used to do what I do now had packed up all the equipment that it takes to run the Black Hat network to ship it off to Europe. He palleted it up, put it on the loading dock to get everything going out to Amsterdam, and then left it there, and they went to Amsterdam. So he didn't do that anymore. And they called me and said, hey, we really liked you, do you want to run the network at Black Hat? And I was like, sure. And they're like, you can bring a team of people, they can help you. I was like, this sounds awesome. Great, we'll pay you, we'll fly you out, hotel's taken care of, everything. I'm like, it's getting better and better. And so I brought two people, I brought two of my friends to run the entire Black Hat network. It was a mistake. We got it done, but now the Black Hat network is deployed by 70-plus college students and run by 21 industry professionals, and the two main people are myself and Stumper, or Bart Stump, for those who are familiar with Bart from the hackerspace or anything. So it's grown quite a bit, obviously.

I am the founder of DC801; that came about through 2600 Salt Lake City, which we'll get into in a second here. I am one of the founders of 801 Labs, the hackerspace here in Salt Lake City. If you didn't know we have a hackerspace in Salt Lake City, we do. We have 3200 square feet of space, we have a dedicated lockpicking room, a hardware hacking room, we've got a dedicated classroom, a laser cutter; all kinds of shenanigans go on there all the time, so check us out, 801labs.org. And then, like Sean mentioned, I've published three different infosec-related books, and I've spoken at DEF CON, Black Hat, RSA, ShmooCon, HackCon, various BSides, stuff like that. So I've been around a while, so that's why this is just going to be kind of like story time with old man Grifter. When they said, hey, do you want to do a keynote, I was like, what could I possibly talk about? And they were like, well, you've just been around a while, so what was it like in the early days, how did you end up becoming a hacker? And I'm like, is that interesting? And they're like, well, a lot of people didn't start out in the BBS days, so bring it. So I'm here to bring it: the old days.

So yeah, I'm from New York; I was raised on Long Island. My parents divorced when I was very young, but my dad lived with his younger brother, my uncle, who was into computers at the time. That was weird; he's only about 10 years older than me. I was a very hyperactive kid (I know that's really rare in our community) and so I made him crazy. But then one day he was doing something;
he used to fix computers and any electronics, so he had a VCR open on the floor or whatever, and I'm like, what are you doing, what's that, what's inside there? I had never seen inside one, and I was about eight. And he's like, oh, I'm fixing this for somebody. And I was like, what's that? And I went to reach in, and I was about to touch the top of a capacitor, and so he's like, whoa, dude, that could have been very bad for you. And I was like, why? And he's like, well, it's basically a little capsule that stores electricity, and the electricity can still stay in there. And I was just like, my mind... I'm like, what do you mean, it's off though? And he's like, yeah, but it'll just hang out. And that started a love of electronics. I was like, oh, well then what does that piece do? Oh, that's a resistor. Well, why is that there? Well, it makes this happen. And I'm like, what's this over here, what does that do? And he explained all this stuff, and it completely changed my life; clearly it changed my life.

Now I was big into video games at the time, being eight, and so my first online experience was with a pirate bulletin board system, and that's how I learned how big a byte, a kilobyte, a megabyte was, and how that related to transfer speeds and baud, because I was like, how long will it take me to get this game? I had printed off a list of the games and how big they were, and I had no idea what those numbers meant. I was just like, what is this, how long? And he's like, that's going to take like an hour. Well, how long for this? That's going to take all day. And then eventually I learned what it meant. You can see, this is... I just typed in BBS and I got the World War I one; that's got color in it, so that's pretty sweet. But I got on the pirate BBS and I stayed there for a couple of years. I just kicked around on that pirate bulletin board system. I used to post things and nobody had any idea I was eight, nine, ten years old. They had no reason to judge me other than by the content of what I posted on that BBS, and that was really cool as a kid. They just had no clue; they just assumed, well, if you're smart enough to configure a modem to actually get online and you're able to get on here and do these things, then you're one of us.

And so when I was about 11 somebody invited me. They gave me a number and they said, hey, you might like this BBS, which was a hacker... it was my first hacker bulletin board system, and I read everything, including the conspiracy theorist docs that were on there, like UFOs and the government's working with the aliens, man, and I was like, yeah, they are. But all that stuff was there, and how to make bombs and do all this other stuff, and I'm like, this is incredible. It was another opening into another world.

And so I didn't have a computer at home. I grew up in a pretty poor area. My uncle had a computer, so when I saw my dad on the weekends or vacations I would hang out on the computer. That's an understatement; I would not leave the computer. I would not leave the computer to the point of hallucination. I literally would not sleep until it was like worms were coming out of the sides of my eyes and I started to freak out. I was sure that something was on the other side of the door and that if I opened that door I would die, like that level of not sleeping.

So I just hacked all the things, and it wasn't out of malice. Again, I was young, so I was exploring. I was like, okay, today I'm going to go look at a system that's in Amsterdam. Again, poor kid growing up in New York: in my mind I was traveling to Amsterdam. I knew that if I could get into that system, somewhere in a closet in the dark in Amsterdam there was a little light that I was making flash, because the hard drive was seeking or the network light was flashing somewhere, and so in some tiny, no-one-witnessed-it way, I was physically affecting an environment on the other side of the world. And so again, for someone who never thought they'd get out of this crap situation they were in in New York, that was huge. I was like, I've been to Amsterdam now. Okay, where's next? London's next. Washington's next. They would throw away the key: if you hacked the things that we were hacking back then, today there wouldn't be this scene, because we'd all be in Guantanamo. On my first trip to DC I went with my wife and I was like, I've been in there, and I've been in there, and I've been in there, and oh man, that's what that building looks like. And she's like, what in the hell? I was like, this is what we did. We weren't going in there to do anything dumb, we were just looking. It was our way of seeing the world.

But again, poor kid, I've only got a computer, or access to a computer, on the weekend. So what does a kid who only has access to a computer on the weekend do? Well, he goes to the pay phone by the deli on the corner by his house and he plays. So I started phreaking. Phreaking was my love; I did that all the time. I actually brought some props with me today, because I thought, you know, there's that scene in Hackers where Cereal Killer is in the back of the truck and he's putting on the helmet and then he goes in, he's got the butt set hanging off of him, but their whole real purpose for being there was because they wanted to learn some stuff and they needed a manual. And so it's not just a joke in a movie: if you wanted to learn about the phone system you had to get the manual. This says issue 1989 on it, and NYNEX, so again New York New England Exchange; that was my stomping ground all over the phone system. And I actually went and looked in Google Earth at the central
office that was in my hometown, and the picture on Google Earth has the gate open where all the trucks are, and I went, you'll never learn. So yeah, if anybody wants to check this stuff out when I'm done, we can do that.

But so then I went to the military, and I figured I should stop hacking all the things, because it was my way out of New York. I went in the military and I came to Utah. While I was in the military here I didn't really interact with the hacker community; I just figured it was a bad idea. I kind of regret that; I should have started earlier. But in February of 2000, which was the last year that I was going to be in the Air Force, I decided, okay, I'm going to go to the 2600 meeting that's here. So I looked it up, I'm like, there's a 2600 meeting, it's at the ZCMI food court downtown, I'll go check it out. I went there and there were six people, one of which is Travis, who's sitting up here. It's just crazy; we're old, dude, officially. He still works for a phone company. So it's funny how we just went to the other side, because it's like now I'm trying to stop hackers and you're trying to keep the phone system safe from us, basically little versions of us.

And so I went to the first 2600 meeting. This is a little self-serving: that cover is the first time I had an article published in 2600; that's the issue, so I was pretty proud of that. But I went to 2600 for the first time and there were six people there, seven including me, and I said, hey, I'm from New York, our 2600 meeting is in Manhattan, there's like 60 people; can I help try to get more people here? And they were like, sure, yeah, that'd be great, totally, that'd be awesome. So I started printing out flyers and putting them in the 2600 magazines at Barnes & Noble and Borders and stuff, sticking them on corkboards at universities and things, and within a relatively short amount of time, within a year, we probably had 20-something to 30 people there, and another year after that we had 50 to 60 people every month descend upon the ZCMI food court in Salt Lake and just have basically a mini-con. And it was awesome. We had talks every month and we published them, we put them all up online, and it was great.

And we'd road trip down to DEF CON together. I was talking to someone earlier about it: on one of the original DEF CON road trips, I want to say it was nine or ten, wireless was new and we were pretty excited about it, so we're like, well, what can we do with this? I know, we get all of our antennas. So we all got all of our antennas, in every car we put an antenna, and we created an ad hoc wireless network, and we drove down I-15 with a network between all of the cars, and we set up an IRC server and we chatted with each other from car to car. So we're like, whoa. Yeah, it was so ghetto, but it was like the best thing ever. We had antennas taped to the windows, we had an old scrolling LED display that I got from work that I would stick up in the back window of what we called the Van of Justice that we drove down there, and we would just troll the cars behind us the entire way to Vegas. We had a really good time.

But yeah, so the community here, I was pretty surprised, it was huge. It's like, what an impressive group, you know; small for population but big on caring about security and what we were doing. And I took that even further; I wanted to be part of it, so I started gooning, and I've been gooning ever since. Like I said, now I'm running all the contests and events and stuff, and actually tomorrow morning I will take off on a flight to Vegas and be on site at the Paris and Bally's to do planning. We're planning right now, so while you guys are hanging out, we're working; we're trying to put on a big party for you guys, so there's a lot of work that goes into that, and we've been working for months already, so tomorrow's our first on-site.

Let's see, other Utah stuff, I guess. Going into Black Hat, one of the things that also helped jump my career forward was I was at a bar. If you're at one of these things, always go to the events afterwards, talk to people, shake hands, say hi, do all that stuff. I highly, highly encourage you. I'm what I call a high-functioning introvert; I don't like doing that, but I'll do it anyway, because you should, and in this community if you're not active you're invisible. So publish things, get out there, talk to people. But I was in a bar and a guy said something about a book and I was like, that book is terrible. And he was like, why? And I said, because of this and this and this. And he was like, well, what do you think about this book? Well, that one's all right. What about this one? That one's terrible. We talked for like 45 minutes to an hour and he was like, wow, man, cool, well, I really appreciate all your opinions on the books and stuff like that, let me give you my card. And his name was Andrew; he's the vice president of publishing for the publisher that I was just destroying for the last 45 minutes. And he obviously sees my face, I was just like, oh, you know. And he's like, look, man, how about I just start sending you copies of anything we're putting out and you can tell me what you think. And eventually that led to me saying, hey, I think you guys should do a book on this, this topic is really hot right now. And he said, okay, well, why don't you write it? And I was like, I don't know about that. And he said, well, look, I've been giving you free books for like three years, it's about time you start giving me some money. So he had me there.

But I did what most hackers do: I just kept going to Black Hat and I kept going to DEF CON and I kept playing with tools. So I set up home labs and I started doing stuff, because now you didn't really need to break into anything anymore to learn. I mean, you still could, but you didn't have to. It's stupid; why
risk going to jail when you can just spin up a couple of VMs? So I learned a lot of things and that was fun. I hacked stuff or whatever, and I kept doing that year after year, and then eventually I burned out. I was doing it for work and doing it for play and doing it for everything, and I was just like, I can't do this anymore. My wife and I were going to start a family, my kid's coming, and I did three books three years in a row. If you've ever written a book you know how insane the deadlines are and stuff like that; it's intense, plus carrying on a day job, just absolute insanity. So I actually walked away from security as a day job for a couple of years. I went to work for EMC, who owns RSA now. I went to work for EMC doing storage stuff, which I'd never done before, in an SE role, which is sales, which I'd never done before. But I wanted to do something different. I was like, I can do the security stuff for fun at night or whatever, but I'm not learning, or I'm not excited right now. And so I kept doing that. Eventually I realized that I hated that and I went back to security. But it was good, it was good to step away.

I wanted to do security for fun again, and we started doing stuff like the hackerspace. I met soit and lean and nemis and those guys; I'd met Metacortex, we worked together at Juniper, and so we decided that we were going to try to do a thing. We got a small space that cost too much money, and we did that for two years, and that was a thousand square feet, and then we were like, we've got to grow or die. And so we got the space that we have now, which, if you've ever been there, looks like the 1970s threw up all over it. It's terrible. It was literally an abandoned building when we approached them about renting the space, and they were like, yeah, you need to give us this much, and we're like, we're poor, that's not going to happen, but we'll give you this much, because right now you're making nothing. And they were like, you're right. So we won on that one. But we're having fun.

But so my thing was, coming back into security, well, what am I going to do? So now we're going to talk about what everybody talks about lately, which is red versus blue. I wrote notes here because Prezi doesn't have presenter mode. What kind of garbage is that? I was like, that's ghetto; you're going to zoom all over the place and you can't even give me note space. But yeah, so we're going to talk about red versus blue. I was always very red focused, and everybody knows that the red team is super sexy: it's a bunch of ninjas rolling around throwing boom-boom exploits, what's up now, you know. And that is fun, don't get me wrong. Popping a shell on a box is like when you pick a lock. If any of you guys spend any time in the Lockpick Village or anything, it's like the first time you pick a lock, you get really, really, really excited. (Hi, Ners; he's waving aggressively from the back.) So you get really excited, like, I just popped that lock, that's amazing. And popping a shell feels the same way; it's satisfying every time you do it. But what are you doing? What are you solving? Okay, great, that's broken; well, we all know it's broken. (I hate this; it's dangling over here on the side of my head.)

So yeah, you should learn to hack. Everybody in here should take some time and learn some red team skills, absolutely, absolutely, because that's the foundation. It's where we come from; it's where a lot of us came from, and then it morphed into a job. When I got out of the military, I did F-16 avionics. I did not want to work on F-16s; I was like, those jets are pigs, I don't ever want to see them again. They're like, well, what are you going to do? I don't know. Well, what do you know how to do? I can break into computers. Well, people will pay you to do that; you just break into a computer and tell them how you did it. And I was like, well, sign me up for that [ __ ]. So I started my own company and I did it for five years.

But during that time I got a chance to do a little blue team stuff too. From word of mouth, someone would get popped and then they would say, I don't know someone who can fix it, but I know a guy who would do it, so if he could do it maybe he can tell you how they did it and then you can get your head right. So I did a little bit of IR work at that time as well, and that's how... understanding that vulnerability assessments and pen tests are not what information security is. There's a whole lot that's involved beyond just popping shells. So I guess what I'm saying is learn all those things, do those things, and we need people with those skills, but don't just get in a rut if you do that. I'm going to piss people off, but that's what I came up here to do: pentesters are a dime a dozen. I'm sorry, but pentesters are a dime a dozen, and good pentesters, there's a couple of those. So you've got to wade through this sea of nonsense, and it's like, I'm a pentester. No, you just used Metasploit once; it doesn't make you a pentester. Nah, man, I'm a hacker for hire, is what I do. It's like, okay, cowboy, that's great. A real pentester does the work and then they come to you with actionable data afterward and they say, here's why you failed. And you know how often they're going to say here's why you failed? Every time, that's right, every time. So what does that help? What are you learning there? What are you learning to do, defense-wise? I encourage you to do the hacking, but run Wireshark right next to it and watch what's going on on the wire. How does that attack work? What does it look like? So that when it comes time to join the blue team you know what you're doing. Yeah,
we're Smurfs, come at me, bro. I did a Google image search for Smurfs and the one with the rainbow shooting out of his butt, I was just like, hashtag infosec. He looks like he's really bearing down on it. So yeah, come to the blue team. If you've been doing red stuff for a really long time, I promise you we need you. You're in an area that is oversaturated with people who are basically making a bad name for what it is that you do. And are you actually helping to solve the problem, or do you just keep pointing it out? We need people with genuine skill to come over and start fixing the things that we already know are wrong.

If I tell you I'm going to target your company, okay, I have a specific assignment, it's your company, I've got time and I've got resources, what are my chances of success? 100%. 100%. If you go out on a pen test and the scope is open... you know how that goes, where it's like, oh, you can't do this, and you can't do this, and you can't do this, and you're like, why am I here? Why don't you just pay me and we'll check the box together and I'll go. But if you've got a fair scope, if you're allowed to actually perform like an attacker, you will get in, and if you don't, hang it up, because you don't belong there. So get those skills, get the red team skills, but come on over and come to the side that's actually trying to fix something. We're trying to make it better, instead of just breaking things all the time. Come where it's really hard, where you are getting things thrown at you every day, constantly. Marketing will tell you hundreds of millions of times a day, the same systems or whatever, but at least in some cases a couple hundred times a day, depending on the organization, and the real threats maybe a dozen times a year. But be better than all the rest of the people who are trying to hack you. See if you have the skills. As Mr. The Plague said, come earn your spurs.

Now, we lose people from defense all the time because they want to go be sexy hackers for hire, and that's a little bit sad, because you can be part of the new sexy. Now, this is from Predator. I did a search because I'm like, I want to talk about hunting, so let me look for hunter or hunting. Predator, look for Predator, because I'm like, yeah, turn the tables: the guy's trying to kill all your buddies but you're going to turn the tables on him, and blah. And I'm like, what is he doing in that tree? I was like, you're getting intimate there. He's looking straight at it like, I love you. That's intense. But I just thought that was fun.

So that's the real sexy. See, that is Theresa Vail. She was Miss Kansas 2013 and one of the finalists for Miss USA, and she is a genuine hunting badass. Real hunting, like, oh, there's something over there, let me kill it, which isn't my thing, but that is. They wouldn't let her, for her talent, they wouldn't let her do archery because there were no projectiles allowed on stage. And so I'm telling you, if she would have been up there (Google her, go see videos, she's like Robin Hood) she would have won that, because that's America right there. She's a sergeant in the Army too; she's hardcore.

But one of the things about being a hunter, which is what I do, is that you get to use the red team stuff. You have to stay on top of what attackers are doing: what are the tools they're using, what does that look like on the wire, what makes that an anomaly. And so you have to know your network and know everything about it and what's going on at any given time. So I put up a couple of things there you can see, from Hackers, the Ellingson Mineral Corporation, or EMC. If you remember, he says, God wouldn't be up this late. Now, granted, he was also sleeping with her, so he knew when she would be logging in and wouldn't be, but he knows this is an anomaly: this account should not be logging in at this time. And that's what a hunter does. They know when these accounts are supposed to be logging in, should they be logging in from these geographies, do we do business in this area, are all the packets going to the right places, and they have situational awareness on their network.

That's a copy of The Cuckoo's Egg, which, if you haven't read it, shame on you. A 25-cent error in the logs on processing time told Cliff Stoll to dig a little deeper and see what had caused that anomaly, and in the end, spoiler alert, it's right on the cover of the freaking book, Tracking a Spy Through the Maze of Computer Espionage, it leads to a German spy, and this guy's hopping through all these computers pulling military secrets down. It's really, really good. But again, the point being, he knew something was wrong. And of course I threw in the Super Troopers where he's got that great grouping right on the body when he's about to test the bulletproof jock strap or whatever, and he's like, oh, I've been shooting clean all day. And he's like, what about that little guy? And he's like, oh, that little guy right there, I wouldn't worry about that little guy right there. You should worry about that little guy. When you're doing hunting, it's that little guy, that's the one that's going to make the difference, that tells you whether or not you're owned. So understanding situational awareness and knowing how to use the tools that are available to you.

And we hate vendors as an industry. We all hate vendors, right? Boo. I work for one. Boo me. But I put on there the different types of bows. Both of those are bows; both of them can be used to fire an arrow of some kind, but they are clearly not created equal. So while you're doing all your vendor rage or whatever, find the one who's going to give you the tool that actually works, and tell the one that's trying to sell you the little kitty toy to take it packing. There is a lot of bellyaching made about this, personally, even from me: I don't love the expo hall at Black Hat. I don't
love it we used to have like a couple sponsors they had tables out in the hallway or whatever but businesses change um and so we're upset about those vendors and things but I just got back from RSA conference which is two enormous Expo Halls you could land planes in they're so huge um and I let two companies scan my badge they were like 700 vendors two that I was like all right I want more information like so find the ones who have the tools that actually matter um so there's um I was thinking about the situational awareness thing how many people here would classify themselves as paranoid yeah the rest of you um I'm Coming For
You I Will instill that paranoia in you so I am incredibly paranoid um I also my thing is is that I don't think it's paranoia if someone's genuinely out to get you and people are genuinely out to get us so um right I sound like a crazy person uh but what that means is that I am very big on situational awareness I know where the are in every room I go into and I know who should be going through them and if I see something weird it immediately goes off like an alarm um when I sit down in a restaurant I sit so I can see the door I put my back against the wall I'm
thinking about the exit that's there and there and I'm also thinking about the exit that's in the back through the kitchen because if it turns into an active shooter situation I'm going out that way I'm not trying to go over there I'm also if I'm backed into a corner because that's the way the restaurants set up and they're ones that I like they have really good food but they have the crappiest like if something kicked off you'd be doomed um I'm thinking are the chairs or tables bolted to the you know ground Allah in and out or something or can I pick this up and Chuck it through the window and now I've created another exit so that
level of crazy but apply it to your network know your Ingress and egress points what should things look like what is normal today and if normal changes what are you going to do like have a plan you know um and understand that at some point it's going to happen and because of that it's going to happen someone's coming in they are after you I wanted to talk about this so one thing that I noticed and it makes me absolutely insane is that we as an industry love to tell our colleagues how wrong they are all the time when someone gets breached we stop for a second we look around we're like wait how did they get
in? Wait, are we vulnerable? Are we good? Are those patches in place? They are? Well, I'm getting on Twitter then. Oh, you guys should have done this and this and this, why didn't you secure your networks? Oh, you should have done that. Oh, good luck using whatever. Oh, bye-bye to your customers. We are terrible. We are like eight-year-old little girls, like, "Mhm, no, she said that about me." "No." "Yes, she did." "Well, I'm not friends with her anymore." We will cut people off. These are people we've known and worked with, and we're just like, oh yeah, did you read about the whatever breach? And now someone's like, great, well, I spent X amount of time working at Target, but I was there during the breach, so now I can't put that on my resume. We need to get rid of what I call the security Scarlet Letter, which is whenever somebody gets breached we put a giant B on their chest and we tell them to walk around, and they've got to do the Walk of Shame on the conference circuit for the next year to two years, and we bring it up all the time, or someone gives them a hard time, like, you're having a beer at the bar and someone's like, oh yeah, just ask so-and-so, what's it like to get popped? These are the same people that, again, we can stand there and say: given time and resources, your chances of being breached are 100%. So why the shame? Another thing that happens due to that shame, and we do ourselves a disservice, is that it means people shut up when it happens, or they try to cover it up, or they don't want to talk about the details, because if it is something mundane they think, well, then I'm going to get laughed at by everyone. People have to resign from their jobs because they get breached. And so we need to actually create an environment that allows people to talk about it, to say: this is what happened, this went wrong, and it sucked, and this was the level of suck it was on, it was national news or worldwide news, but here's why that happened and here's what made it bad, and this is why you guys should make sure that you don't end up in the same boat that we were in. Make those changes, take the steps, don't end up like me, and here's the full report, here's the postmortem of everything that went on. I hope you guys learn from it, and we get better as an industry instead of shaming each other and getting worse. So we need to share.

I was at ShmooCon, what, a couple weeks ago, a month ago at this point, and there was a panel of a
bunch of educators who were up there. These were guys who were teaching network security courses or secure coding and stuff like that, and one of the guys made a comment. He said, well, I don't understand why we're the one industry that's given a pass. We're allowed to fail day after day after day and it's just supposed to be accepted, like these giant breaches keep happening: Target happened, Home Depot happens, now Wendy's, you know. So it's like these giant breaches keep happening, and Ashley Madison, you know, makes everybody shift in their seat a little. So he says, why is that? Why is it okay? And it immediately pissed me off, like, this is a [inaudible] moment, and I shouted, because I'm an idiot, I shouted from the crowd that blaming security professionals for bad security is like blaming a firefighter for the fire. We're the ones trying to fix the problem. Fires still happen today, despite education programs and smoke detectors and all those things, something still lights on fire, but every time the truck goes down the street you don't think, I wish those guys did their job better, firefighters are really failing us. It doesn't matter how much you educate people, and it doesn't matter that they know that it's a problem, and in our industry not everybody does, we're still battling that. We're in the early days of being like, hey, here's a smoke detector, fire bad, don't throw water on a grease fire, but people still do it all the time and they burn their freaking houses down. Here's an idea: don't deep fry a turkey in your garage. But people do it every year; every Thanksgiving somebody burns their house down. Is that a failing on the firefighters' part? No. So when a breach happens, is that a failing on us? Absolutely not. It's the developers. No, no, oh, that was bad. Now, I told you I was up here to piss people off. So what I think, or where we can learn
from, is actually the airline industry. So years back, airlines were, you know, like a plane would succumb to gravity (it's on all the time) and slam into the side of a mountain or just hit the ground or whatever, and it was like, what is going on here and how can we make air travel safer? And so they decided to just start sharing all of their information, like, what can we do, okay, well, why is it that this is happening? And they looked at it, and one of the number one things that causes accidents or even crashes is a pilot and a co-pilot who don't know each other, because the co-pilot feels like they can't question the pilot. Well, that's the senior guy, he knows what's going on, if he says that's the runway we're going to go on then that's what we go on, and then it turns out to be the wrong runway and now they crash into another plane on the ground and hundreds of people are killed. Or there was an instance where there was a very senior pilot and a not-senior co-pilot, and he says over the intercom, like we do, they had an emergency situation, an engine is on fire: the right engine is on fire, we're going to turn it off. And everybody's like, right engine's on fire? You look at the right engine and it's fine, but the left engine's on fire, and so the crew serving drinks and stuff like that is like, well, he probably just misspoke, and then he shuts off the good engine and everybody dies, because the other people just thought, well, that's the top dog, you don't question the top dog. Which is why we need to have our tier one analyst having just as much control to say to a tier three analyst, I think we have a problem, and everybody should listen. It doesn't matter what your rank is in your organization: if you are in security and you feel like there's a problem, that there's something that sticks out, that there might be a breach, you say something. Find someone who will listen and say something, and if they won't listen, make them listen, because it could be the difference between taking care of something before exfiltration or ending up on the evening news.

Another thing that airlines have done is, if somebody makes a mistake, it's just a mistake. Mistakes happen all the time; we're not going to punish you for it. So a pilot's taxiing out somewhere and they turn onto the wrong runway; they're not going to get fired, but they want to find out what happened. Why did this happen? Did he get less sleep than normal? Is it a different crew, is it a different aircraft, equipment that he's not used to, was he distracted by something? What are the factors that led to just turning onto the wrong runway? And they write a report: here's what happened. They ask a bunch of questions, they're like, thank you, and then they share it with everybody. Hey, guess what, we found out that in this particular situation all of our flight crew normally stays at the Marriott, and they are always at the Marriott, but on this night the Marriott was full because a bunch of hackers were there for a convention, so we put him in the Hilton, and the pilot was allergic to whatever detergent they use at that Hilton, and so he didn't get a good night's sleep and it made him make a poor choice and he turned onto the wrong runway. And now everybody knows: do everything you can to try to keep things the same so that we can make sure that these events don't happen. But they share it and everyone knows, and the guy doesn't get reprimanded, and that means when people make a mistake they just go, I made a mistake, and we can all learn and we can fix it. Whoa, just popped off my ear.

We do the same thing with threat intel. So threat intelligence, for whatever reason, at some point we decided that was worth selling, which drives me crazy. When you talk about, again, talking about a breach, what happened after it? Oh, well,
here's what happened. No one wants to share that data. Why? Oh, you know, that's private, we can't really talk about it. Oh, hey, you got some threat intel? There's some actor out there who's doing this, that, and whatever, they're hitting your network here and there. Yeah, that's our IP, so we can't really share that with you. Not sharing threat intel is like if your phone beeped and you got an Amber Alert and it said a van with a gentleman was seen trying to kidnap a child in this area, and for $299 we'll tell you what he looked like, what the license plate number is, and how you can hopefully protect your children. Like, really? We would lose our minds if something like that happened, if they were like, hey, yeah, there's somebody bad around here, there's a guy trying all the doors in the neighborhood. Well, what does he look like? Well, you give me 20 bucks, I'll tell you. That is what threat intel is like. We should be sharing that: hey, guess what, man, we're in the same fight together, we're getting attacked by these people, it looks like it's coming from here, they're using these tools, they're coming from these IP addresses, this is the technique that they seem to be applying, you should go and try to make sure that they're not coming at you too. And we high-five each other bro style and then run and go check what's happening on the network.

I think this is the only tweet I put in here, which is Richard Bejtlich saying, again going back to the security Scarlet Letter: blaming the victim feels good when you can't touch the attacker, but remember that the fault truly lies with the adversary. So if we could stop blaming each other when things go wrong, that would be great.

Now comes the pissing off: bug bounties suck, and here's why. Bug bounties are great for the company. You get all these talented people and they're looking at your stuff and they're trying to find bugs, and
that's good, right? That improves security for everybody, and that means that somebody who's really good at finding bugs can look at all these other companies, and it's not just, you know, Facebook who gets to take that person and put them in a closet and make them find bugs. Well, awesome. But with a lot of these programs, when you find a bug they say, oh, here's $1,000, kid, now shut your mouth. So again, going back to sharing, you can't talk about it now. I've been doing conference stuff for a while; again, I've been part of the DEF CON staff since DEF CON 9 and Black Hat since 2003, and what I hear all the time is, oh, the quality of the talks has dropped off, or, oh, like, you know, that nostalgia for the good old days, the people just dropping 0-days on stage and stuff like that. And it's like, well, if you take those bugs and you just sell them, then what do you have to talk about at the conference? And if they saddle you with an NDA so that you're not allowed to talk about it, well, what good does that do the rest of us? So it used to be, when someone found something really, potentially harmful, they would write up a talk, they'd hopefully do responsible disclosure, they'd talk to the vendor, the vendor would do a patch, and then they would get up on stage at Black Hat and they would talk about it, or they'd get up on stage at DEF CON and they'd talk about it. But now the incentive is like, well, I'll give you a quick payout. I mean, there was just that Facebook bug that just happened; they said it affected 1.1 billion accounts, 15 grand. It's not a small amount of money by any stretch, but like, how many people know who it was who found the bug? Does anybody know his name, or her name? No, right? We know it happened. Now, had that person taken that information, built a talk out of it, gotten up on stage at DEF CON and said, I found a thing and it affected a good chunk of the world, it would be everywhere and we would know who that individual is. But we don't. What we know is that Facebook did a thing and there was a bug and Joe found it, I guess, I don't remember what the guy's name is, but then they gave him 15 grand. Aren't they swell? And Joe's like, great, well, I got 15 grand, but I still got to eat in two months. So again, bug bounties are great for the company, but if you're one of these bug hunters, the top bug hunters, the guys who are just crushing it, I just read an article, they're doing about 200k a year, which is not a small amount of money by
any means. But if you have that skill, take that stuff that you're finding, do your disclosure, write up your stuff, get up, share it with the entire information security community, and make yourself a career, not just a boat payment. It just makes me nuts. That's how some of these names, these big names that we all know about, came to be: they found a bug and they got up on stage and they talked about it, at some peril to themselves in some cases. So yeah, like I said, that should piss people off when they watch this on YouTube. Hi Mom.

Another thing, and these are again random tangents with grifter: we have a data problem. So the problem is that we're using all of these old, antiquated systems and we've done nothing to change them to make it any better. Like, it's 23 million credit cards this week, 50 million next week. Well, we're actually pretty good at this technology thing. Can we not figure out a way to make these payments happen more securely? Can we not figure out a way to make a social security number worthless? It's great as a piece of identifying information, but you shouldn't be able to do all the things with it. And if you look at the back of a social security card, what does it say? Should not be used for identification. What is the single largest piece of identification? Your social security number. It's freaking absurd. It says it on the card, what a joke, they still put it on the back of the freaking card, and then any time you try to do something, including with any government agency, what do they ask for? Your social security number. And not to laminate it, yeah, it's insane. So I think that's another problem for us, because the credit card industry doesn't seem to care, and they don't care because it means they have to invest money. It means they're going to have to spend money to make these technologies better and they're going to have to reissue all these things. Look what it took just to get chips, and we're not even using chip and PIN here, we're using chip and signature, but just to get them to distribute cards with a chip in them... I still, every card in my pocket still doesn't have a chip on it, and so a vendor doesn't even take it. I went up to one of the point of sale systems that had the slot for the chip and I was like, oh cool, and they were like, oh no, it's not on, you have to swipe, and I'm like, solid. You know who does use the chip? Target. They use the hell out of that chip. But it doesn't matter that it has a chip on it, because when I decide to order something off of Amazon I just put the number in and I click it and it comes to my house. And so the reason I put a form of two-factor authentication on there is because I think that's what we need to build into credit cards. We have the ability to put a rolling number every 30 to 60 seconds on a card. Why can't we do that? Why don't we have a system that allows us to be able to say, okay, I'm making a purchase on Amazon, and then put in your code, and then you type in your six digits after you put in your credit card number, and if it doesn't match then you can't make your purchase? Like, why? Because it'll cost money, that's why. But if we can make these things worthless, if we can take this data and make it worthless: no money, no problems. All right, whoops, my cards are out of order. They're completely out; I've destroyed everything up here. I'm so low tech.

So in closing, I was going to make a couple predictions. The predictions are: it's not getting better any time soon, and that's because we have a lot of problems that we need to fix. What that means is that a lot more focus is going to be on us, and it means
that, you know, the pastures are green. So if you are somebody here today who's just looking into security, please join us, we need all the help we can get. But remember, try to be one of the people who solves the problem, not one who just goes, there is a problem, we're fairly aware. Also, ransomware. We hear about ransomware all the time. There was just recently in the news the hospital that got ransomware, and it was like they paid $1,000 to get their data unencrypted. That was something that brought that hospital to its knees, and they thought about, oh, we got to pay this ransom, like it's $1,000, well, somebody just freaking pay it. So I think what we're going to see is, in the same way that we see targeted or, dare I say it, APT-style attacks, we're going to see targeted ransomware. The attacker knows the value of the data they're encrypting, and so the bounty on that, that ransom, is going to be significant, and I'd say we're probably going to see our first million-dollar ransomware by the end of the year. Like, it's coming. They're figuring it out, the stuff they're writing is getting smarter, and the attackers understand that, well, I don't have to go in an alleyway and club somebody to take their wallet; all I have to do is push this button and they give me everything in it. So... [Applause]

Thanks.
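The rolling card code the talk proposes (a six-digit number that changes every 30 to 60 seconds, typed in after the card number, with the purchase declined when it does not match), worked through as an added example; this is not the speaker's code, and it assumes the rolling number is a standard HOTP/TOTP code (RFC 4226 / RFC 6238), with every card number, secret and issuer table below constructed for the demonstration.

```python
"""Added example (not the speaker's code): a card number paired with a
six-digit rolling code that the issuer checks at purchase time, so a
copied card number on its own is worthless. The rolling code is modelled
with HOTP (RFC 4226) / TOTP (RFC 6238), an assumption about how such a
card would be built; every card number and secret here is constructed."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how often the number on the card rolls over (talk: 30 to 60 s)
DIGITS = 6          # the "six digits" the talk describes
DRIFT_STEPS = 1     # also accept the previous/next window to absorb clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """The code displayed on the card at Unix time `now`."""
    return hotp(secret, now // step)


def verify_code(secret: bytes, code: str, now: int,
                step: int = STEP_SECONDS, drift: int = DRIFT_STEPS) -> bool:
    """Match against the current window and the +/- drift windows around it."""
    window = now // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(window - drift, window + drift + 1))


# Constructed issuer table: card number -> secret provisioned into that card's chip.
CARD_SECRETS = {
    "4111111111111111": b"12345678901234567890",  # RFC 6238 test-vector secret
}


def authorize_purchase(card_number: str, code: str, now=None) -> bool:
    """Issuer-side check: an unknown card, a stale code or a wrong code is
    declined even though the card number itself is 'correct'."""
    secret = CARD_SECRETS.get(card_number)
    if secret is None:
        return False
    if now is None:
        now = int(time.time())
    return verify_code(secret, code, now)


if __name__ == "__main__":
    card = "4111111111111111"
    live = totp(CARD_SECRETS[card], 59)  # what the card shows at t=59 ("287082")
    print("fresh code:", authorize_purchase(card, live, now=59))            # True
    print("same code 90 s later:", authorize_purchase(card, live, now=150))  # False
    print("number only, guessed code:", authorize_purchase(card, "000000", now=59))  # False
```

A card number lifted from a merchant database or a receipt therefore buys nothing after the next window or two, which is the "make the data worthless" outcome the talk is after.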