
IATC - A&Q - Communications Presentation - Keren Elazari

BSides Las Vegas · 2014 · 24:35 · 17 views · Published 2017-01
Style: Talk
About this talk
Keren Elazari shares lessons from preparing her TED talk on hackers as the immune system of the information age. She offers practical advice for communicating security to non-technical audiences: mind the gap, avoid jargon, use concrete facts to fight FUD, and weave multiple short stories so different listeners find something to latch onto. She closes by recommending resources like Simon Sinek's "Start With Why" and Scott Berkun's "Confessions of a Public Speaker."
Original YouTube description:
IATC - A&Q - Communications Presentation - Keren Elazari I Am The Cavalry - A&Q Sessions BSidesLV 2014 - Tuscany Hotel - August 06, 2014
Transcript [en]

...was not expected. I received an invitation to speak at a conference called TED, at the 30th anniversary of TED. So for those of you not familiar with TED, it's a pretty cool event that they've been running for a couple years now, and they videotape all the talks there, and then the talks go on the website and get watched by millions of people. And I was overwhelmed, terrified, excited, and I was thinking, oh my God, I am definitely going to get hacked for talking about hackers at TED, because, you know, just like the guy said earlier, how am I going to make the story accessible to the public and not, you know, enrage the hackers? And because I was so certain I was going to get hacked, I sat my mother and my father down for a talk and I explained to them that people, you know, might want to hack them so they could get to me, and I found myself explaining stuff like two-factor authentication and spear phishing and all kinds of complicated concepts like that to my parents. And then I realized something. I actually realized two things. The first thing was that Randall from XKCD, I don't know if you know the comic but I'm a big fan, I realized he was going to speak at the same session at TED as I was, and I was like, relieved, okay, all the hackers are just gonna watch his talk, nobody's going to notice me, that's fine.

But more seriously, I had a bigger realization, that was that I was getting a once-in-a-lifetime opportunity to hack into people's brains, to hack into their minds, to kind of plant an idea in a very public platform to a non-security audience, to get to people like my mother or your mothers or my dad, people that are not in the security industry, and explain to them how hackers can actually be a positive thing and not just a criminal thing, which is what most people outside our little echo chamber think of hackers. So I used that opportunity, and the way that I found to do that, and it took me a long time to, you know, gear myself up to it, is that I created a virus, really. I created something that is going to try and stick into people's minds, and the way that I crystallized that is with coming up with one simple idea that I hoped would get people engaged and then would be easy for them to share onwards, kind of like a virus. And my virus, or my idea, was that hackers can be seen as the immune system for the information age, because it falls to hackers to ultimately and inevitably find the vulnerable aspects in our rapidly changing world and force the rest of the world to fix things. And, you know, I'm very humbled and excited and happy to say that I think it worked. I was inspired by the words of Barnaby Jack, the late Barnaby Jack, who said, you know, sometimes hackers have to demonstrate the threat in order to spark a solution. And when I took to the TED stage I didn't really know how people are going to, you know, love or hate the idea of hackers as a positive force, but as it turns out, more than 750,000 people have seen the talk and shared it, so I think it's safe to say that the virus kind of caught on. I'm very proud and humble to say that.

So right now I want to share with you a couple of the things that I learned in the process when I was crafting the talk, because TED, they kind of invented this format, right, for the short talks and the ideas worth spreading, and they invested a lot of time in coaching the TED speakers, and I got a lot of, you know, good speaking training out of it. And now I want to kind of try and pass on a few of these ideas really briefly to you and then answer any questions that you might have about communicating and how do we talk to people outside of our industry and our community.

So the first thing, and perhaps the most important thing to remember, kind of the takeaway idea here, is that we have to mind the gap. There is a gap between ourselves, the security industry, the security community, the people that come to DEF CON, the people that come to my hacker events in Tel Aviv, Israel, and the rest of the world, if it's Congress people or financial industry people or car manufacturers. And in order to bridge that gap we have to reach out, we have to put our hand out there and kind of bring people over, and that is going to be a gradual process, and I want to share a few ideas on how to do that.

So again borrowing from XKCD, my favorite web comic, this is kind of like a map of Internet communities. One of the best pieces of advice I got from the TED speaking coaches was to look at the talk like a journey, like a journey from point A, that might be some place that the audience knows very well, like Facebook, and talking about problems at Facebook and bug bounties at Facebook, etc., but going from there, someplace that the audience knows well, taking them like a tour guide, as it were, around the world, in all kinds of dark places, and illuminating things and ideas that they perhaps did not see before, did not think about before, and then you might find yourself beyond the Great Firewall of China talking about internet censorship and talking about values and civil liberties and why the internet is so important. And by connecting these two places, by taking the audience from point A to point B, if you can do that when you're talking to, you know, it doesn't really matter the type of background that the audience has, if you can take them from point A to B they will be grateful for you being that tour guide, being that person that's reached out and, you know, put a hand out there and said, come with me, I'm going to show you this world, I'm going to illuminate this world for you, and this is what you're going to learn. And, you know, I've embraced that advice and it's been extremely instrumental and helpful, I think.

All right, so when we do go, when we embark on this journey, there's something we have to watch out for. And you know how the maps in the old days used to say "here be dragons, don't go there"? So I want to, you know, kind of try and build on that and say "here be jargons." We have to watch out for jargons and terms and, you know, obfuscating our bilateral conversations, because that's exactly the sort of thing that gets people away from our message. And a kind of rule-of-thumb piece of advice: whenever you're talking to an audience that has different backgrounds, most chances are that an average audience outside the security industry, they could probably latch on to one or maybe two, you know, concepts, ideas, new terms, right? So if you want to explain zero-day vulnerabilities, that's great, go for it, do that, but don't be throwing in, you know, malware polymorphism or DNS fast flux or malvertising, because that's the stuff that's going to, you know, freak them out and say, oh no, that's too complicated. Okay, I can handle that stuff if you do it like in bite-size and you take one term at a time and really don't overload it. You'll find that you get more effect in your communicating.

And speaking of terms, you know, one of the things that we do have in our industry, we love terms, we like jargons. We have terms that sound very impressive, like "cyber attack," but are actually kind of vague. Have you ever heard or seen like a headline that says "millions of cyber attacks are stopped each day"? Right, have you seen those? So I always question those headlines and I'm saying, okay, what are they counting? Is it millions of packets? Is it millions of port scans? Is it millions of infected endpoint devices? Is it millions of communication sessions to the botnet C&C server? What are they counting? So if you want to use terms like that, that are kind of vague and not specific, that's fine, as long as you kind of bring it up to the table and you say, this is the term that I'm using, make it concrete, use some numbers, use some facts.

Now talking about facts, another thing that I learned, and I think Josh mentioned this earlier, is how important the power of storytelling is, right? We all know it's an effective way to communicate, but one thing we don't usually realize is that different audience members, even right now, different people here, resonate with different stories, and they might come away remembering one thing. Like maybe you'll walk out and you say, huh, it was really cool how, you know, B saved the lives of those premature-born infants with the incubators, or you might be thinking about the Congress person's talk and, you know, the other guys that he was mentioning. So one thing that I learned to do is to use all kinds of different stories, and in my 16 minutes at TED I had between eight and 10 different stories or anecdotes that kind of resonated with different audiences. And then, you know, on average, every minute, if you kind of calculate it, every minute or every two minutes I had a different story or a different anecdote, so people in the audience can resonate with one, and if they don't, another part of the audience can relate to the next point. And so that's show and tell for you.

Now I have a question, moving on to my next point. Can anyone tell me, or, you know, maybe off the top of your heads, what's one major phenomenon that's caused major power outages in the United States and has also stopped trading on NASDAQ twice? That's right, you guys are great. Okay, so that is the unexpected answer, that it is squirrels. That's true, the New York Times did a piece on that last August where they kind of did a pretty extensive review of all the cases that squirrels had actually caused power outages, and this is a very serious problem, yet you don't see billions of dollars poured into persistent squirrel repellent technology, right? It doesn't work that way. And this is because, I mean, one aspect of that problem, I think, is that the FUD, right, the fear, uncertainty and doubt of cyber warfare, is something that serves, you know, certain government agencies, certain vendors, certain stakeholders at keeping that discussion at a very high level, with very scary terms, very, you know, with fear. It's a scare tactic and a control tactic, but it kind of breaks away from the reality. So what I would like to suggest to you guys, again, when you're... guys and girls, when you're communicating to various audiences, is trying and fight the FUD, and you can do that with facts, simple facts, right? You know, show numbers, show details, not just anecdotes, but have those backed up, and I think that would be a valuable thing to add to your storytelling, as it were.

Now, another aspect of the FUD situation is that FUD flows both ways. That means that not only is, you know, the government or certain vendors putting FUD out there, they are also influenced by FUD, and Congress people and, you know, senators, etc., are also influenced by it. Now, as long as those decision-making algorithms are not going to change, what we have to do as a community is change the inputs that are going into their decision-making algorithms, and you've heard a lot today about being at the table and, you know, initiating and engaging those conversations. I think that's a powerful tool for change, and in just a year so much has happened.

All right, just as, you know, before I move out to the Q&A part of the A&Q, or the answer and questions part, just a couple of resources. So one question that you might have before you're communicating to an audience which is inside or outside the security industry, one question that you might have is, why bother? Why should I bother to improve my communicating technique, and why should the audience care? And I think, you know, "why" is a very big question, and so my first resource that I would recommend to you is something called "Start With Why." Hands up if you heard about it. Okay, great, that means a lot of you haven't heard about it, so it's new for you, I'm happy. So this guy is called Simon Sinek. His TEDx talk has been watched like 18 million times, and he has this very, you know, crystallized idea of how to craft your conversations and your messages surrounding why, the question of why should people care, why should you do something. I think this is a very valuable resource. You can watch the TEDx talk, you can read his book, you can visit the site. And a more kind of down-to-earth, practical piece of advice for public speaking is this fantastic book, O'Reilly Press, "Confessions of a Public Speaker." This guy, Scott Berkun, he was doing innovation at Microsoft for a bunch of years and then he kind of became a public speaker, a professional public speaker. He didn't really notice how it happened, just like many hackers kind of turned their hobby into a profession, so this guy became a professional public speaker in the tech industry. And not only is his book fantastic and filled with practical advice on public speaking, on his website there's a free PDF checklist called "How to Prepare for a Talk." It's very helpful and I recommend you check it out. Scott Berkun, that's this guy. And do we have... how long do we have for the questions? About 10 minutes? That's great. Okay, so just one last piece of resources. This guy, Mercurial, I guess maybe some of you know him in person, I don't, but he gave a talk at maybe DerbyCon or somewhere, I'm not sure, about communicating for hackers, and he has published on his website an actual framework, which is kind of like more like a technical step-by-step manual for you guys that you might want to use.

All right, I think with that I'm happy to, you know, start a conversation with you guys about, you know, conversations. So any time you have a question or a comment... okay, why don't I get you kind of started with it. So what's your... I often get asked by people, what's the biggest challenge that you have communicating? Do you have a question? Yeah, go ahead.

...how you change that? Okay, so I'm just going to repeat the question for the audio recording. The question was, how you really impact some change with the way upper management at your organization views security and its investments, right? Did I kind of get it right? So again I would go back to, you know, square one, start with why. Why should they care about security? And usually with upper management it is not things like security and vague risks, because a risk is kind of like a threat that might happen, it might not happen, that sort of thing is really not what they usually care about. What they care about is, number one, bottom line: how much money are they making, how much money are they saving, how much growth are they showing their stockholders or private shareholders year on year. And if you can find a way to craft your messaging surrounding that and showing how a relatively small investment in security in design and development phases will, you know, significantly impact the way that you can save money on security down the line, that would be one way to do it. To get you some more practical advice, I want to refer to a talk that Bo gave at CircleCityCon about a month ago. I've seen the video of it, and the talk is about talking to, like, "Managing Your Managers," I think it was called, or "Talking to Executive Managers," and he, you know, that's a great resource, like an hour-long talk with lots of techniques and explanations on how to kind of fuzz the protocol for the way upper management and usually executives see things and understand things, and how you can get security into that protocol using kind of like back doors, although it's not really a back door, right, talking about the bottom line, how much money are they making. Another side of it is just like the... is he a congressman or a senator or... okay, the nice professor that was speaking here earlier, he gave the example of how Tesla is benefiting from the good PR that they're getting by doing what they're doing with security. So I don't know what industry you're in, what kind of company you're in, but that's another approach, creating a positive public image or even eliminating the chances for a negative public image, because that may be even, you know, a bigger concern for them, right? And I saw, I think, another question, right? Someone? Yeah.

...you know where the term FUD came from, where it originated? Fear, uncertainty and doubt. It was a sales technique by IBM when an ex-employee of IBM sometime in the 70s branched off from IBM and started another company, a competing company, with a competing business model to IBM, and then the salespeople of IBM used fear, uncertainty and doubt to dissuade people from buying that company's product. And that's also where we got that problem, the persistent term "nobody ever got fired for buying IBM," have you heard that? But to really, you know, return to the question, have I seen a change? Yes, I have, very much so. I think actually right now, this year, I don't think it's coincidental that I Am The Cavalry is happening right now, that DEF CON has so many tracks and talks dedicated to the positive impact that security in all sides, you know, all aspects of the industry can do. I'm also seeing that with a lot of the organizations that I speak with. I speak to a lot of, like, financial industry and government agencies and defense contractors, and what they're beginning to see is not just, you know, risk and fear and how they should invest in security, but also see things like security as a business enabler. Having, you know, better secure products is going to mean we're going to sell more of them, or at least we're going to avoid a bad, negative image if we take those efforts to secure our product. So I am seeing that. Whether it is, like, more driven by the carrot or the stick remains to be seen, but I am definitely seeing that positive side. And, you know, we might say I'm naive or a hacker cheerleader or whatever, but in the past year or so I've really, you know, seen more and more people kind of go back to those old-school hacker ethic values of doing really important good stuff and influencing technology in a good way, and I'm happy to see that. I'm, you know, hopeful when I see that.

Yeah, so suggesting investing in security as a competitive advantage and making sure that you come off as a brand that's investing in security are positive incentives for companies to invest in security, and that might go back to your company. And another question from this guy? No, you were just waving your hand around. Yeah, it's not really... actually it's freezing. What's that? Okay, three minutes. Are there any more questions? Because I have another story to tell you. Okay, story time, right. By the way, I'm extremely easy to find online, either by my website, that's k3r3n3, so that's kind of my handle now, it's "keren e," all the e's are spelled with three. That's also my Twitter handle. My first name is Keren, it's the Israeli spelling of Karen that is difficult for you guys, you can just call me Special K, which is kind of like my old-school handle.

Okay, story time. Anyone know what this is? Iron Dome, that's right, yay, I heart Iron Dome. This is actually the reason I made it out here, because in the past month or so I've been living in Tel Aviv under rocket attacks, and Iron Dome is the active missile defense system that's been intercepting the rockets fired at Tel Aviv and other parts of Israel. Now this is... don't worry, this is not going to go political, don't worry. So here's the thing. Last week Brian Krebs broke a story about how hackers allegedly affiliated with the now notorious Chinese Unit 61398 [inaudible] and others, these are the equivalents of Northrop Grumman and Lockheed Martin but in Israel, and the story kind of evolved from there, and then BBC reported on it again that the firms were infiltrated by Chinese hackers. Now here's the point I want to make about this story and about these companies getting hit with these stories. Right now in Israel it doesn't really matter if this story is true or not, it doesn't really matter what exactly was leaked or stolen or breached, for a lot of people in the Israeli public and also around the world, because last week the US Congress was also deciding on whether they should approve more funding for joint R&D efforts on Iron Dome. As far as everybody is concerned, Iron Dome, everything is hacked. You know, I went to my hairdresser just a few days ago, and obviously he's an important person in my life, and while working on my hair he said, okay, so what's going on, Keren, I heard the Chinese are now, you know, targeting the rockets and they're controlling Iron Dome, they're sitting there in Beijing and they're controlling Iron Dome, are we safe, are we safe? And again the story propagated, you know, from BBC to Business Insider to the Guardian, the Chinese hackers stole this stuff. Now, what in effect has happened, what, you know, according to all the information that I actually saw about what actually happened, is that possibly two out of the three firms that were implicated were probably breached like three years ago, in 2011, and it was their web-facing, you know, document share portal, whatever, and they had some documents about other missile systems. And to go from there into "the Chinese people in Beijing are now controlling Iron Dome" is a big, big difference, right? But for my hairdresser, he doesn't get that difference. All he has now is the feeling that the system that's been protecting him is being controlled by somebody else, and that's the risk of, you know, letting the FUD of cyber warfare get out there in the world. And for me, that's one motivation to talk to people and explain exactly what happened and trying to get to the facts behind the FUD. So that's the story about Iron Dome. Thank you guys.

As a quick trailer, I guess, trailer, can you say that? I'll be speaking Sunday at DEF CON at 2 p.m., so you should have plenty of time to, you know, roll out of bed, have a hangover, have breakfast, come out to DEF CON, 2 p.m. It will be almost the last talk or something, and then I'll talk more about this stuff and also more about how hackers can have a positive effect on the world. Thanks again, guys. Is that Sunday? Sunday, 2 p.m. It's the last day of DEF CON. If you're there Monday you're doing it wrong, although I have been known to [inaudible] the ground at DEF CON. Okay, thanks both. We have a break now.
