
This is BSides Las Vegas, I Am The Cavalry. This talk is "How to Treat Your Hacker and Responsible Vulnerability Disclosure." Oh, they're good, yeah. And it's by the award-winning, the award-winning Monta Elkins. A couple quick announcements we're gonna make. We'd really like to thank our sponsors here at BSides Las Vegas, specifically our Inner Circle sponsors, Critical Stack and Valley Mail, and some of our Stellar sponsors; there's just so many: Amazon, BlackBerry and the NSA, to name a few. So thank you NSA and Amazon and BlackBerry, your support is really appreciated. Our talks are going to be streamed live, and as a courtesy to everybody please silence your cellphones now, so go ahead and set them to silent if you haven't already. If you have any questions, I'll run over with an audience microphone, which I can't find right now, but we might have him go ahead and repeat the question if not, just to make sure everybody on YouTube can hear you. That's it. I'm gonna read a quick bio of Monta. Monta, Monta... oh, it just reloaded, of course. Okay, nobody's watching, nobody's watching.

So Monta Elkins is the Hacker-in-Chief of FoxGuard Solutions, which is an ICS patch information provider, a security researcher and consultant, and a US patent grantee. He is considered by many of his friends to be the Chuck Norris of the ICS cybersecurity industry. Monta has been a speaker at more security conferences than his enormous ego can remember, including DEF CON, BSides, CS3, GE Digital Energy, ICSJWG, Seba ICS, it's so many. He's also at the SANS ICS Summit and was named Cybersecurity Professional of the Year by EnergySec. In his spare time Monta creates a totally safe-for-work electronic projects YouTube channel, Token Strippers, with electronic Coke cans. Yeah, yeah, it's one you have to see. Yeah. All right, thank you. Yeah, it's Token Strippers; you could search for it. I would do it at work, but Token Strippers, Monta, it stands for... wire strippers. So it's electronic stuff, yeah. But all right, so in any case, thank you. Oh, hang on though, afterwards I have... that was so good, I have a thousand in cash for you, featuring Nikola Tesla, right there.

All right, welcome. I'm glad y'all are like this this morning. We're going to talk about "how to treat your hacker," in quotes, and responsible vulnerability disclosure. So that starts something like this: hey, somebody just called you up, called your company up, and says there's some security issue where you are. At that point, what would you do if somebody gave you such a notice, such a heads-up, right? Are you prepared? Have you thought about that a little bit ahead of time? You don't want to be surprised when that happens. So we're going to look at it a little bit.

So of course I play in the ICS security space. Super quick intro for people who are new to the area, perhaps: that's manufacturing, and it's water and wastewater, and pharmaceuticals, and dams, and electric generation, and transportation. That's industrial control systems in a super small nutshell. Sometimes when I'm introducing it to new employees at work I use this book by Rob Lee called SCADA and Me. It's okay, he said I could use it. It's a book for children and management, so I recommend it. I was giving the talk once at work and the CEO of the company came by, and I'm like, hey, by the way, you should probably look at this book, it's written for children and management. Anyway, the end of the book is sort of the intro to here. So little Bobby is learning about SCADA systems; he's like, so I heard I have to protect SCADA from hackers. Are all hackers bad? Oh, not exactly, but that's a story for another time. And this is that other time.

So I'm also on a bit of a quest to reclaim the term hacker. You know, it sort of had its ups and downs over time; it went from sort of being a good thing to being a bad thing, and I think it's coming to be a good thing again. But we have a couple of definitions just to start. White hat: an individual who uses computer networking skills to overcome a technical problem, doing something cool. Black hat: a person who uses their abilities to gain unauthorized access to do something that they are not supposed to do, potentially to commit crimes. At the end of the day, this is really the secret of hacking, though: the real hacker asks themselves not "what is this tool designed to do" but "what is it capable of doing," right? That's the difference, not what did somebody say it's supposed to do but what can I really do with this tool. And we don't see this term too much anymore, but instead of black hat, crackers, sometimes being someone who cracks systems or attacks them. So back into hacking, along this theme: what is a tool capable of doing, not what was it designed to do, right? So these are a couple of examples. Like, you know, a cup isn't designed to catch dust when you're drilling in the drywall over your head, but it does a pretty good job. You ever do this? Well, you will now. Okay. Or the little Post-it I'm using, putting stuff in the wall. How to open your bottle, that's an important skill here: if you don't have a corkscrew, a hammer, not like this, like this. All right, not what was it designed to do, what is it capable of doing. All right, skills of a hacker.

All right, so what's a vulnerability? A vulnerability is a weakness which can be exploited by unauthorized folks, and then we have, like, exploit, which is a way to take advantage of a vulnerability, right? A little bit of distinguishing: sometimes people don't distinguish between vulnerability and exploit particularly well. So an exploit for this gate system might be: oh look, we have an exploit, we can drive around this thing to the left. Well, you could fix that, right, you can block it, but it really didn't solve the vulnerability because you can also drive up to the right. All right, so that's our intro.

Now back to the thought: somebody called you up and said there's a problem. You could be a vendor, and in that case it might be a problem with something that you've created, or you might be any other business and something that you use, bought, set up or configured has a problem: your company web server is spilling all your client data out to the Internet, right? What do we do with that? So I propose this first rule of thumb: if somebody calls you and tells you there's something wrong with one of your systems, let's assume that they are the good guy. Now it's not necessarily true, but let's assume they are the good guy. There are a lot of other things they could do with this information. Like, I'm most concerned about the person who finds this out and they don't tell you about it, right? They're gonna keep it, they're gonna do something else with it. So if they've discovered this and they notify you in some way, they call you up, right, start out by giving them the benefit of the doubt that they are the good guy. They're trying to do the right thing instead of hiding it, keeping it, using it, abusing it; they want to let you know so you have the opportunity to deal with it.

So what good is this notification? Well, if you're a vendor, right, that's kind of obvious: maybe you will want to create some kind of patch to fix it. There might be some other mitigations that are possible instead of a patch or until a patch can be applied, and you might document those. As another business, a customer, a user of a product or service of some kind, this notification can still help you. Of course, if there's a patch you can apply it, but if there's not, there are still things you can do if you know the vulnerability exists and you know something about it. So if somebody has documented this fairly well, whether it comes from the vendor or a CVE or someplace else, you can take steps to defend yourself against it even without a patch, right? You can add additional firewalls, shut down that service, change the configuration. So that information is valuable of itself, even when a patch isn't available.

So we said that we might consider giving them the benefit of the doubt, if somebody lets you know, that they are the good guy, right? They might legitimately be able to sell this vulnerability information to somebody, either the information that's lost or the knowledge of the vulnerability itself, and there are open markets to do that, and that's a legal thing to do. As a matter of fact, some companies will pay lots of money depending on how good the vulnerability is. So it could be tens of thousands, hundreds of thousands; you know, you get a good exploit for an iPhone or, really, into, you know, Windows 10, that could be, you know, hundreds of thousands, maybe a million bucks. So that's one of the alternatives. So remember, if somebody called you up to let you know this, they're bringing you a gift, right? This potentially has market value elsewhere, and they decided not to do that. So who do you think buys these? Who buys vulnerabilities? Software vendors. Why would a software vendor buy it? So they could fix it, yeah. Who else? Hackers, yeah, because maybe they want to take advantage of it. Yeah, maybe intelligence agencies who want to use it. So there are markets there, different people with different motivations. Occasionally maybe security companies, because they want to know so they can protect their customers.
There are various people that might let you know about a vulnerability. In particular, Google; they have Project Zero, I don't know if we have any of those folks around. So if they find a vulnerability, they have a 90-day disclosure policy, so that after they find it they're gonna let the vendor know, and then they will disclose it publicly. So we've already discovered what's the value of disclosing it publicly if there is no patch: well, because there might be other mitigations. There are also some other benefits to that disclosure. Disclosure can be a motivation for a vendor as well: it's like, this is going to become known, all right, so we expect you to continue work or begin work on fixing this item.

So other people may tell you along the way: your customers might tell you, the security consultants that you hire might tell you. If you're building some kind of industrial control system plant, you often have an integrator putting all the pieces together; they may discover a vulnerability along the way. You may hire researchers. Also somebody who has you in their supply chain, they may come to ask you: do you disclose vulnerabilities? Do you post mitigations? Do you have a good process for letting us know if a product we bought from you has some vulnerability, and how we could deal with it? Right, that's useful information to have. So even outside of your life, you know, people may be asking you what your vulnerability disclosure policy is like. And some places in industry we have requirements, like in NERC CIP, Critical Infrastructure Protection, there are requirements, when you add a new cyber asset, to do a vulnerability assessment on it and then to come back and do vulnerability assessments on a regular basis. So I think sometimes companies believe that, well, we've got this product and we will send it out into the universe and we will sell it and nobody will notice, nobody will pay attention. That's not true, right? Some people are required to pay attention; some people are required to test your product, if you're a vendor. So those things get discovered, and they have good reason to be.

If you were trying to set up a system to do this, there are a couple of ISO standards that can help you, believe it or not: there's ISO 30111 and 29147. The first one is a vulnerability handling process; this is your internal "how do we deal with the vulnerability we're notified of and how do we take care of that." The other one is vulnerability disclosure: how do we notify people about the vulnerability, what kinds of information do we provide. So those are some good reference documents if you're trying to set this up in your organization; you don't have to entirely make this up from scratch. Using a standard has an additional benefit, and there are probably other standards out there, I'm not so concerned which one, but if you pick a standard then you have sort of one argument in an organization. The argument is, oh, which standard are we going to pick? Because once you pick the standard, now there are a bunch of things that it says to do and you don't have to have an argument about each one of those things; your argument was, we pick the standard. Now you might be able to develop a more comprehensive standard, you might be able to develop one that's more tailored to your organization. The downside of that is then every step you want to take as a security practitioner becomes an argument again, right? You're arguing with management and, you know, with finances and that kind of thing. So picking a standard in itself, and it's not just in vulnerability disclosure, but picking a standard has that benefit of cutting down on the number of arguments you have. I don't have to argue about each step of this thing; we've already picked the standard that we want to do.

I think industrial control systems are kind of late for this party. A lot of other things, like popular commercial operating systems, have had a lot of attention in the past because of the, you know, maybe not quite accurate stereotype of a hacker in the basement who has access and some free time or curiosity or ability and explores things like Windows looking for vulnerabilities and notifies Microsoft or the manufacturer, and they develop a process for dealing with those. Industrial control systems tended to be rare and expensive, and so they didn't get the same amount of scrutiny over the past 20 years or so. But now, thanks to lowering prices and things like eBay, all right, you can buy old equipment for cheap and start doing testing in your basement again. So industrial control systems are now starting to get more scrutiny that some of the other operating systems, some of the other more commercial, popular types of applications have already gotten. So they're a little late to the party; maybe there's a little catching up to do because of that, maybe not quite as mature.

All right, so if you get this call... by the way, who in here are electricians? Anybody electrical? Okay, well, so by the way, you're supposed to ground these devices; you run the green wire to ground to keep people from being electrocuted. That's the ground in there. Okay, all right. So, things not to do if you get this call: don't hang up, don't ignore them. Your vulnerability is not going to go away because you hang up. As a matter of fact, ignore them and it'll go away? Chances are good they're not the only person that knows about this vulnerability; they're just the only person who has bothered to let you know they know about a vulnerability, right? Other people may have, and particularly more well-funded people probably already know about this vulnerability. So it's definitely not going to go away just because you don't listen to them; it's still there, it still exists. Don't start out by claiming there's no problem: "Oh, our product is wonderful, you know, what are you talking about, our website is great, our customer lists are safe." Yeah, right. Listen, pay a little attention; they're going out of their way.
Don't threaten or begin legal action; we'll talk more about that in a second. Don't assume the worst of this caller without any data. Again, just because of that, you know, isn't a guarantee that they're benevolent, but it's a pretty good indicator, all right? They brought you something, they brought you a gift that they potentially could have sold or used elsewhere. So don't necessarily assume that your system is configured optimally without any data, right? You might have not set it up according to the best practices and so forth. Don't claim there's no problem immediately.

All right, legal action. All right, so, house on the coast in California; anybody know whose house this is? Barbra Streisand's. This is her house, and how do we know this? Because back in the day there was a photographer that had taken pictures of all of the California coast, 112,000 coastline photographs, and her house showed up in one of them, and she was concerned about her privacy and she wanted this taken down, and so she initiated a lawsuit. Yes, their lawsuit. So before she initiated the lawsuit, this picture of her house from the air had been downloaded six times, two of them by her lawyers. One month after she began this legal battle, her house picture had been downloaded four hundred and twenty thousand times because of the publicity of the suit. I include the picture three times here just for reference. Okay, so the action, and we give it a name, right: the Barbra Streisand effect. All right, how do we know a random house in the middle of California? Because of this lawsuit, and that's the Streisand effect: that sometimes performing those actions to try to hide some kind of vulnerability might actually bring it to light. Lawsuits may also have chilling effects, so it might make you, your company, your organization look like the bad guy. All right, "no, we're just gonna sue people instead of fix things." Maybe more importantly, researchers might not contact you in the future with vulnerabilities, and you've lost a valuable resource, all right? They might do something else with them; they may not bother, they may sell them, they may keep them, you know, they may hide them, somebody else can find them and take advantage of them. So just that chilling effect of keeping people from bringing you these gifts, reporting this to you, will have some cost.

What day is it? All right, so we're a security crowd: what's a zero day? Come on, you're awake, I heard you. Yeah, you've had zero days since a patch to fix it. What is this, a pony? I always ask for a pony. There you go, this is your pony, sir. Wow, I don't... I always... thank you, that is hilarious. Is this really my pony? That's what I always ask. They're like, what else do you need? I'm like, a pony. Sweet, perfect, thank you very much, I like my pony. Actually, I asked my last boss every time, "what do you need?" "A pony," so many times, he brought me a pony. I have a rocking horse about this big at work right now that I put all my conference badges on. So now I have two ponies, that's sweet.

All right, so you've had zero days; you can't... you're just jealous you don't have a pony. You had zero days to fix this. A couple of buddies of mine, and we'll touch on them a little later, ran a research project. So DNP3 is a protocol used in industrial control systems. A guy, Adam Crain, was creating an open-source version of it, and to test his open-source version of this protocol he created a fuzzer for this protocol. He wanted to make sure his protocol stack didn't have any vulnerabilities; it was Project Robus. And so he did, and then he got up with another friend, a guy named Chris Sistrunk, who had a large lab of industrial control system equipment, and they got together and they said, huh, I wonder what would happen if we ran this protocol fuzzer on all these devices that are supposed to understand this protocol. Any guesses what happened? Right, it was a bloodbath, right? Tons of equipment had vulnerabilities nobody tested before; they fell over, you know, all kinds of nastiness. They went through the process of notifying vendors, and we'll touch on that a little more in a moment, but at least in one instance they came across a vendor who said, we're not gonna fix this, ever. Right? "But it's a vulnerability." "But we're not gonna do anything, this product's too old, you know, whatever, we're not going to do it." So from there comes a term, I think coined by another friend of mine, Reid: the forever day. So now we have zero days and forever days. So the forever day is a vulnerability that is never going to get patched. In your control system, probably, don't get me wrong, 0-days are a problem, but in a control system probably a bigger problem is your hundred-day, all right? The patch has been out there for about three months now and you still haven't done anything about it. So that's probably, if you're really trying to set your focus in a control system, zero days are fine, let's worry about the one-day, right, and the 300-day and sometimes the 3000-day, right? It's also, if we get a patching cycle started, that helps us deal with the vulnerabilities.

Part of working in vulnerability disclosure is kind of understanding perspectives on the people who you were dealing with, and there are always multiple perspectives. This article came out not long ago. Davey says, "Warning: Google researcher drops Windows 10 zero day security bomb." That was his headline. The story was, vaguely, a vulnerability that Google had discovered; they had talked to Microsoft about it, they gave them the 90 days, and at the end of 90 days Microsoft had not had a patch yet, and so it was disclosed. I started talking to Davey on Twitter and I proposed another perspective on the same story, at least another headline, another summary. The summary could have said: "Windows 10 0-day info released by Google according to responsible disclosure guidelines allows you to consider possible risk and mitigation to the security of your systems." Now, well, that sounds a little different, right? I mean, it's about the same thing but it's a different perspective, the perspective that letting you know about a vulnerability gives you the opportunity perhaps to mitigate some of the risks, right? There is an upside; that's why we do this thing, right? If there were no upside, you'd call us all jerks and we'd all go home. All right, but now you have the possibility: you might shut the service down, or maybe you can change the config, or change the firewall rule, or maybe move to another vendor, whatever it is. But if you know about the vulnerability you have some possibilities. So you know, I asked him about this; he's like, well, that was his headline, and that's fine, and he said I could use this, with permission. So just from a kind of perspective, right, was it really a Windows 10 zero day security bomb, you know, or was it advance notification? Just different perspective.

All right, so you work at a company somewhere, perhaps. What do you do? We talked about a lot of things not to do; what can we do? Make it easy for people to contact you, right? I like security@yourdomain.com. It can be hard to find the right people to contact, all right? But who usually gets this call? Who's the most exposed people in a company? Tech support, maybe. What, somebody cares? Yeah, yeah, customer support, sometimes sales, all right? So they're the most likely ones to get the call because they're easiest to find, they're the easiest to locate. Unless you've talked to them, unless you've trained them, unless you've sort of set the system up, they don't know what to do with it. They're like, "hackers, we don't want to talk to you," right? And in there you just took this gift and you threw it away. All right, so make it easy to contact you. Publish a phone number. "Oh, we don't publish phone numbers." Look, you know that people find it; everybody finds what's available. Perhaps include a secure way to contact you. You know, I mean, it's fine for them to send the vulnerability in plain text across SMTP, but you know, you could do it across PGP or GPG, so you want to include some secure communication method. Say thank you. "I brought you a gift." Listen at this point, right? "I brought you a gift," so say thank you. "Hey, well, you know, let's figure this thing out, what can we do about it." Change your contact information; get them in touch with the right people or the right team in the organization. It's probably not tech support and it's probably not, you know, sales, right? It might be a team or security team or bug-fixing team or a product owner, whatever the right person is; identify that person and be willing, be prepared to set up that communication. Acknowledge the bug and let that individual know that you are working on it, or not, yes or no, or what your time frame might be, because we're working toward a kind of coordinated disclosure; we want this to work out well. Supposedly they give you a little notice ahead of time and you can release a patch when they release information about this vulnerability. Don't go dark on them either. You might be working yourself, you know, day and night to fix this thing, but if you don't let the person who let you know know that you are doing that, they may think that you blew them off, all right? Then they get upset, they're ready to publish it: "they're not hearing from me, they're not doing anything about it, I'll just publish it early." So give them some notification about what your expected timeframe may be; it tends to keep them in the loop and keep them a little happier.

If you are nice to them, you might be able to ask them to test your fix, right? You reconfigured your website that was spilling all your company data; you say, hey, can you look at this now, is it better? Because unfortunately sometimes we've seen patches come out that don't fix the problem, right? Then you look bad. It's like, oh, thank you, bye, you go work on it for three months, like, we got the fix, and it didn't work; the guy comes back, no, that wasn't it, right? So the analyst, whoever discovered it, if you're nice to them they might test it for you for free. Maybe not, but you know, right? So be nice, stay in contact; they might help you along the way. You're trying to work for coordinated disclosure. Again, that kind of trade-off: they're gonna give you some time to try to patch. They're gonna make it known anyway, because there's value in that; other people can defend themselves if they know. They might test your patches. You get a win-win in these cases. Look, if you're looking at a product and you're trying to decide maybe between a couple of different vendors and you see one vendor has patches and vulnerability disclosures for their product and another vendor has nothing, does that sway your decision in any way on which vendor you would purchase from? Which one do you purchase from? But this guy has zero vulnerability disclosures, zero, and you buy from this guy? Why would you do
that because everybody has vulnerabilities right that's saying something about the maturity of their program in handling vulnerabilities they will acknowledge them they'll patch them they will let you know right we have no vulnerabilities right don't believe it no like that's for mymiami talk so what do some of these people want when they contact you some people just want make the world a better place frankly they work in the space they have customers or are they like Electric Power you know they wanted to stay on sometimes all they wants to make the world a better place help them open they probably want some recognition right when you release your vulnerability disclosure you can say discovered by
so-and-so or such and such company right that that's a little bit of a trade-off they brought you a gift they gave you something they were working to find valuable information for you without pay the minimum you know that you could do is and it's fairly cheap as to get some recognition for their work that might build a reputation as a security researcher and and so forth you know just trying to give them an easy time they brought this thing to you right try to make their life easier you know a security researcher is he's a really great guy he does a lot of this work and and he posted on Twitter sometime last year and I
he was just ready to like pour gas on it and drop a match he's been fighting to find the right vendor and to let him know and he can't find him he's getting fed up you know what that trying to do the right thing so if you have the opportunity give them an easy time all right so here here are some quotes from from some other researchers by the way I didn't know there were information security restrooms but there are just so you know this is Chris's truck these says some favor of responsible disclosure a vendor should act and keep communications open we have some videos that went dark a few gave cease and desist orders his partner Adam crane but
not him Adam crane the guy doing the the protocol stack he got he got he got more he got more problem from vendors I think because he thinks at least because he was more of an industry outsider you know some kind of threats of legal action and so forth and then we're also vendors he mentions OSI soft thanked us attributed us and asked if we test their fix they were such a joy to work with right and I don't think that they're bad company because they've listed a vulnerability and a fix for it right I think they have a mature security program because of that and I don't know some of those guys they do really care
about their security anybody remember the Kaminski bug alright DNS so Dan has this I was asking him right he he was trying to coordinate one of the biggest sort of responsible disclosures probably in history of tons of companies and and Internet service providers to fix this DNS bug you can look up the Kaminski bug if you don't know about it his his advice was if you are a researcher or a company just don't be a jerk right try to be nice try to be reasonable try to be responsible try to listen to folks even even created this flowchart which y'all can read all of you know and memorize we have a quiz after well I will point out this one thing is
flowcharts a little older but it says you know if you go through all their all the right stuff and notifying them the company should be okay right this should all work out because it's 2012 and everyone has a security team now so I just want to remind you all it's 2012 and all the security stuff is worked out other people do bug bounties they will pay you if you will let them know about vulnerabilities which can make a lot of sense why do you do this no sometimes it's its financial it might be cheaper to run bug bounties you might not be ready to run your own team to do these things lots of people do it you know
Google Facebook Microsoft a bunch of the US Department of Defense ics-cert and us cert not only do they publish right they publish vulnerabilities if you're in the ICS space you should probably subscribe to the ics-cert smullin ability newsletter or news mailing lists you'll get a handful of these a week different vulnerabilities for Isis equipment but they can also be your ally if you are trying to disclose a vulnerability they can maintain your anonymity if you want to if you're afraid of the company or for some reason you don't want to be exposed they will maintain that for you they will help you contact companies they do this on a regular basis so they Joey know the right people to talk to
and they know the right voice to do this in. So they are your friend, if you want, in this space.

So a little more thought about perspective, right? I'm a big believer in understanding other people's perspectives. Now, it doesn't mean I agree with their perspectives, but it's useful to know them. So if you are a security researcher and you've discovered some vulnerability and you're trying to talk to a vendor, some of the things that may be going through their head are: aren't all hackers evil? Or, I don't understand this, you have to be evil, right? You were talking about something wrong with my system, you must be evil. All right, if you
might be approaching them with a gift of hard effort, are you here to harass me? I look bad if I mitigate and acknowledge a bug and work to fix it. Or maybe they just have no way to deal with it; they don't have any kind of system to deal with a bug or to prioritize it. They have work to get done, right? They don't know what to do, so they're sort of caught flat-footed. Maybe if we ignore you or sue you, you'll go away. All right, again, I don't necessarily agree with that, but it helps to understand what they might be thinking when you're trying to negotiate and you're trying to talk to somebody. Or, do
you have any idea how many installations we're gonna have to fix, or how many different pieces of software we're gonna have to test? Sometimes they're thinking, we have to make a profit, we have to make money, we have to be able to pay our employees, and we do that by creating new products, writing new software, not by patching old stuff. At some point that's a legitimate concern, right? Sometimes software might be 15, 20, 30 years old and it's gonna be a forever-day. You notified them; they're not going to fix it, and that's legitimate. But at least, you know, think about their perspective if you're talking to them. The amount of testing changes take, right? We do
some of that at FoxGuard, testing patches coming out: for, like, a whole wall of sample HMIs, as a new patch comes out, we test it against all these machines. Imagine all the different kinds of configurations and machines and industries that their product is in, and they need to test that patch, test that change, before they roll it out, right? That can be an immense thing for them to think about, so, you know, give them a moment to process that. We're really busy. Everybody's really busy, them too, right? You're busy, they're busy. I like these: are you kidding? Our customers don't want patches. All
right, why don't they want patches? It'll break things. It's a pain to install. You're gonna shut my assembly line down; this thing's supposed to be running 24/7. All right, some of our customers would pay us not to patch this, because they have to install them. Again, I don't necessarily agree with them, but I understand that perspective. They might also have the perspective of, thank you very much, or, I'll get right on this. All right, but those are things to consider, their points of view, when you come in. Remember too, if you are doing the reporting, you could be respectful. Realize that patching can take some time, even if they want to and they work on it;
it can be a big process. Ask for recognition; you know, that seems a reasonable ask. See if they have a bug bounty program. Be willing to coordinate disclosure with them, right? If you're really trying to make the world a better place, notification is great, letting people know about vulnerabilities is a good thing, but coordinating disclosure can be better. Perhaps offer to test the patches. Consider talking to a CERT if you need to. All right, I have one small related tip, by the way, just a personal rant of mine: firmware is software. There's nothing magic about firmware. All right, so if somebody says, oh, this is firmware, we don't have to fix that, well,
they're full of crap. Oh, you say, well, firmware can't be written to, right, it's read-only. Well, in the best case that means if there's a vulnerability, it will always be there. And second of all, that's a lie. Any equipment you've bought in the last five or ten years, it's programmable. Just take my word for it, it's programmable. So don't believe that because it's firmware. Another one is, I was asked to evaluate a security vendor one time for my company. I went to a conference, I talked to them: tell me about the features. It's an appliance, and, you know, we did a lot of patching work. I'm like, oh, how do you
patch this? They're like, we're running Security-Enhanced Linux on this appliance, we don't have to patch it. I'm like, well, huh. I'm like, look, I like Security-Enhanced Linux. It's a great product, it's a great tool. I'm a Linux bigot, you know, I'm in. But you still have to patch it. So then the problem becomes, how do you say thank you very much, I'm busy at the moment? All right, so that's us talking about vulnerability disclosure. Hopefully you get some perspective, whether you're a researcher, whether you're going to notify companies, or if you are working in a company or business that might get this call one of these days. Hopefully you will get the
call. Somebody will let you know and not keep that from you or keep it private. And so I have suggested to Mr. Lee, a friend of mine, that this should be his next book: Hackers and Me, by Rob Lee and Monta. Instead he did, like, Threat Intelligence and Me, whatever. All right, this is How to Treat Your Hacker and Responsible Disclosure. If you want, hit me up on Twitter, I'm at Monta Elkins, we can have a discussion. Oh, we've got, what, a couple more minutes? Five more minutes? Seven more minutes? So if you want, I am interested this year: so we did a real brief discussion of sort of a very simplistic definition of a
vulnerability, but if you'd like to talk about what a vulnerability really is, what the real definition might be, hit me up on Twitter and then we'll start that discussion. I really want to explore it a little more, right? We go through things like, are default passwords a vulnerability? Are protocols like Modbus that have no inherent security, are they vulnerabilities? Right, at some point we didn't consider some of those things vulnerabilities; at some point, as time goes on, we start to consider them vulnerabilities. So, you know, what really is a vulnerability? I think that would be a useful discussion. Other than that, email, Twitter, thank you all very much.

Oh, give it up for Monta. Yeah, any
other questions? It's time to shut down, but we had a couple minutes. Any questions? Just raise your hand, I'll bring the mic to you.

I was thinking if there were none, that was the perfect talk, because I answered them all ahead of time.

Now, you already answered this, but I missed it: what are those ISO standards on that slide? I'd like to take a picture there.

All right, no, that's an easy one, I like easy questions. There you go. And that's actually the summary flowchart from one of those documents that sort of describes what they both do. I think I can quote that part without
violating their copyright, for educational purposes, just like all those pictures of Barbra Streisand's house.

Come on, Monta. Monta. But I'll answer, I'm easy. Yeah.

Longtime listener, first-time caller. So I don't know if you're familiar with the story, and I think the gentleman's name is Sam Bowne. He's a teacher up at San Francisco City College. Don't know the story, but do you know him? He spoke, like, right before me my first year at Def Con. Oh, anyway, years ago, basically what he did is he found a hospital, when it merged, acquired another hospital, an FTP server became forgotten, and records were being stolen off there, and he basically got vilified in the press because the hospital didn't
say, oh, thank you. They said, oh, this cybersecurity teacher is showing how to hack our hospital. So I was just, I guess, you know, how do you protect yourself against the repercussions of another system?

So yeah, you know, I just met him briefly at Def Con, like, 10 years ago, but he seemed like a great guy. I think I saw one of his talks. That's funny, he just happened to know. So I'm sorry that that happened. I think you have to make the call yourself, but that's where something like a CERT can anonymize you. They could be your friend, and they will not release your information if you make that agreement with the CERT
team, so they can get it to the right people and you will not be specifically identified. Yeah, any other questions? Awesome. Give it up for Monta again. Oh, thank you all. And, like, I got a pony.