
All right, so raise your hand if you were here at the Boston Application Security Summit in the fall. Wow, fewer than I thought. That's good. All right, so I'm going to go as fast as I can, but because this is kind of my hometown I don't mind if we get much grittier, so depending on how responsive or adversarial you are I may speed up or slow down. Anybody in here, real fast, familiar with HP word BL? Maybe I'll go a little slow.

All right, so I started doing this topic right around October 1st, and for the people who were here, my mom had just had a pretty bad stroke, and since then she has passed away. It hit me at a really tough point when, like many of you, I just wanted to quit security. It's a very tough job. You're clearly dedicated to it because you're here on your Saturday, free, by your own free will. And I started putting into context all the different things we do, all the initiatives we try, all the ways we try to make things better in our organization or our career or our environment, whatever motivates and drives us into security, and I really came to the point where I realized we aren't getting any better. There's a diversity of opinions on this, so I simply pose the question: are we getting better, staying the same, or getting worse, and how would we know?

So now I'll change it to "how to hit rock bottom." There you go. In order to, you know, we must break you to remake you, and if you haven't hit that point of despair where you're sick and tired of being sick and tired, you really aren't going to make any changes. There's this really academic-sounding line that says no one changes until the pain of maintaining inertia exceeds the pain of change. For many of us, with what we're going through in current events, in public affairs, and where we are in our career,
we're at that point, we're just on the cusp of that recognition point, and I would like to push you over the edge. Okay.

I'm Josh Corman. You can follow me on Twitter if you like philosophical rants and righteous indignation, but I tend to research things that are all over the place. Most recently I've been researching Anonymous for two years with Jericho from attrition.org. We just did a cyber war talk, which is the douchiest topic we could think of, but we picked it because it was of consequence, it was obfuscated by FUD, and good conversations weren't happening. So that's what I tend to tackle: things that are important, misunderstood, and could get better if we could simply push through that. So I tackle things like that. Mostly I've seen myself as a staunch advocate for CISOs; more recently, though, I'm kind of realizing I'm a bit of an activist. I must make it very clear that while I'm the director of security intelligence for Akamai, most of the research you're going to see here is not done for them or on their behalf, and my comments today are absolutely my own and do not represent those of my employer.

So first off, I'm not an expert. I'm sick of people calling themselves experts. It takes five dedicated years full-time on a single subject, going deep, to get even early expertise in a subject. Okay, most of us, the problems we tackle don't even have five years of consciousness; this space moves so fast that most claims of expertise are false. Mostly I just try to passionately ask good questions and look at things, because I do worry about things. I'm also a father, so every time I try to quit this thing, every time I say let me go be a school teacher or something less stressful, I realize that even if I can make plans for the rest of my life, my kids are inheriting my neglect, the things I screw up on, and they're going to have to deal with this. Also, this may come off as sanctimonious at times. Gene Kim was the one who encouraged me to do this talk this way, and I didn't want to make it about me, so it's not about me. These are just the things that I've researched and looked at that apply to most of us, so I'm not what's important; it's the ideas that are or aren't.

Okay, so like I said, I just lost my mom pretty recently. If you haven't been through that, it's horrible, I don't recommend it. But it really makes you much more conscious of time and of whether you're wasting time. It also makes it much clearer what your priorities are. In the process, when we were in hospice, I
tried to come up with how I would give her eulogy, so to speak, and I kept thinking about what I want to be known as when I'm gone, what's the legacy I want to leave behind. This wasn't mine, but a Navy SEAL I worked with said he wanted to be a passionate, principled protector and provider. His subline was he wanted to be the kind of man his daughter would want to marry. That really resonated with me, because I think some of us get into this because it's good pay, some of us get into it because we're good problem solvers, some of us get into it for that good-versus-evil altruistic streak. I used to joke that I want to be a superhero, I just don't look very good in tights, and I'm not that athletic either, to be honest. But the three words I came up with, and I'd actually challenge you to do your own, this isn't what you are, this is what you want to be: I want to be honest even when it's risky, which comes in the craziest parts. It was really, really stupid of me to research Anonymous, very stupid, but I knew it was important. And I want to do things that actually matter. Most of you don't know me as these three things; I'm usually unreasonable and a fool, but there's a great Bernard Shaw quote on being unreasonable, just look it up.

So when I was convalescing on my couch in January, I'd just had an emergency root canal and I was very sad over my mother, I was watching Twitter with a different set of eyes. I was watching the event news stream differently than I normally would have, and what I saw was... anyone know what this number is? All right, 44 missed viruses, 44 of the 45 viruses that hit the New York Times. This was before their antivirus vendor blamed the victim because they didn't buy more of their crap. If I were to ask any one of you on the spot, ten minutes ago, to name the efficacy of signature antivirus, you'd probably say it's 90%, just instinctually. Some of you are smart enough not to, but most of you, even the security profession, because I know, I tried this at RSA, most people think it's 95%, 90%. Actually, not with a nine: that's not 90%, that's the opposite of 90%. In fact, the effective rate of AV is zero, and a lot of you guys know this, right? We're the digerati, we're the inner circle, we know this. So some of you
baby sea turtles, where the eggs were laid, you actually crawled out of the shell, you're just getting out of the sand, and then this number comes up and you wouldn't know what this is about. You figured out signature AV alone just won't cut it; we need to augment it with things like advanced application whitelisting from Bit9. But if you were in that minority that actually knew you couldn't over-depend on signature AV (by the way, we give the most money of any security product in the entire world to that ineffective signature AV), so Bit9 was compromised for many, many months. So if you're one of those defense contractors or financial services guys who knew, the digital certificates and signing were taken. Not shaming and blaming the victim; in fact, Bit9 wasn't the target, some of Bit9's customers were the target, just like RSA Security wasn't the target, it was their customers downstream. So the security supply chain is now becoming... it becomes really, really hard if you want to do this.

And then the coup de grâce, right before RSA: what's this number represent? Anybody? Come on. Is this a dead crab? APT1, right. So on the one hand, someone just killed a kitten again. Actually we both did; every time someone says APT, a guy kills a kitten. There's three. On the one hand I'm happy that there's public mainstream recognition of this; on the other hand I go Krypt3ia stabby level omega, because every CNN, NBC, every single news station is now talking in the mainstream about state-sponsored espionage. Now many of us in our professional jobs have been doing hand-to-hand combat for years. My very first security job in 2001, official security job, my first case was a piece of French espionage stealing pharmaceutical research data. So it's not that we don't believe they exist, and in one way I'm thrilled the mainstream is talking about it; on the other hand they're calling them "hack attacks," like they have a Big Mac attack or something, and we're letting others control the narrative. So we're not actually getting smarter; the recognition we've been praying for has been served to us with other people controlling the narrative and using it very badly, and we're getting very angry about it.

All right, so all that preamble was just to get to the question: are we getting better? And experts disagree, if there are any experts, but I'm just going to say no, no we're not. Schneier tried to tell me, "Well, we are getting better, but we're getting worse faster," so you can, you know, word salad, whatever you want to say. I don't think we're getting any better, and there are lots of ways you could ask yourself. So I'm going to skip the YouTube references, but you
know, oftentimes we don't have to get better because there's always something to blame, right? We used to blame PCI, then the auditor, then we blamed China, then we blamed Anonymous, and we still have many others to blame; we can blame Canada next. But seriously, how would you know if we're getting better? There are lots of ways you can try to answer it. One of the ways I used to talk about security with CISOs was the model of the ballooning cost and complexity of risk. It comes from five places: threat changes, compliance changes, IT changes, business changes, and economic changes. So on any one of these, give me a thumbs up, thumbs down, or neutral: are we getting better or worse? Are there more adversaries than ever before, more types of adversaries? Worse, yeah, a lot worse. Are there fewer compliance regimes this year than last year? Did virtualization, x86, cloud computing, SaaS, PaaS, IaaS, bring-your-own-device, did those things happen? Is the business getting more security conscientious, taking fewer risks or more risks? Economics: are you guys getting bigger budgets and more headcount? So on any one of these I wouldn't say we're getting better. I'm not saying that's proof positive, it's just a way to look at it.

But mostly I don't give a crap about any of that. I care about the people in this room. Probably the most bizarre talk and piece of research I've been participating in the last couple of years is the stress and burnout, the SecBurnout study. Anybody familiar with this? SecBurnout. We need to be more active with this; we didn't realize how powerful and important this was when we did it, and now we need to go back to it and put more effort into it. But basically a lot of our friends were coming to us with thoughts of burnout, fatigue, depression, suicide. In fact, over the holidays we had a couple of high-profile and less high-profile suicides in our community. It's a big deal, and some people mock this particular study because they say, "Well, I don't know what people are complaining about, we're handsomely rewarded, we get to do fun things, we can break stuff, they're a bunch of whiners." It doesn't matter that there are some haters of this; the bottom line is we are pretty burned out. There are lots of reasons for that, but let me give you a couple of highlights from the SecBurnout study.

We did a Maslach stress index. It's a professional psychological profile; it's a survey, you answer a bunch of questions, and they're basically looking to score you on three things: your fatigue, your cynicism, and your perceived self-efficacy. The third one is a word salad which basically means how well do you think you're doing, not how well are you doing, how well do you think you're doing. If you get above a certain score in any one of them, you're at high risk in your profession; you should get paid time off or counseling or something, there should be some remediation. We are off the charts in two of the three categories and kissing the line in the third. Our score was very, very high for fatigue. The way Jack Daniel likes to put this is: you like our 40-hour work week so much that we do two of them by Wednesday. I think, I believe, I have to double-check this, but I believe we actually have the highest score in the history of the exam, in the survey, on cynicism. So cynicism is your core confidence. And then we were right on the borderline with perceived self-efficacy, but when we really dug into the data, it's like people thought none of their work mattered, or they thought they were doing a pretty decent job, and there was nothing in between. We think that's the compliance illusion thing: "Well, I passed, I'm doing great," and then you get a compromise, or you get something that shows you just how badly we are doing. So there's a bit of a gap there
between perceived and real. But the point of this was, I really don't care about your day job per se; I care about your home life, your personhood, etc., and so I'm going to try to speak to the person in the audience, not the employee or researcher.

So there's this notion of why does it matter. I think our demographic is really, really, really good at how to break things, what happened, maybe how we broke it, but we never really ask the why question. Krypt3ia is in the house; he accuses me of being way too philosophical at times, but I don't think enough of us are philosophical enough. I might be too far to one end, but we never actually stop and say why are we doing what we're doing, what drives us, why do we keep doing this job, and more importantly, why does it matter. So don't take my word for it: go look at the very first round of TED talks, this guy Simon Sinek, S-I-N-E-K, and he's got the Golden Circle. I'm going to butcher the Cliff's Notes; it's a 20-minute video, watch the whole thing. It basically says most companies and people can tell you what they do, some of them actually can intelligently articulate how they do it, and almost no one ever tells you why they do it. And the real agents of change, the real breakthrough companies or real breakthrough political leaders, they always focus on values first, why, because if people value what you value, they'll follow you anywhere. One of the examples is why Apple is more successful than TiVo was; another example was the Wright Brothers over the people who had all the right funding and backing. The one that stuck with me the most is people didn't go to the civil liberties marches for Martin Luther King because he said "I have a plan"; they went because he said "I have a dream." His values resonated with their values and it got traction. He wasn't even saying anything necessarily new; it was how he was saying it, it was connecting with your brain stem instead of your neocortex, so to speak. But we don't focus on why enough, and I'm going to, hopefully, for the time I have with you today, this captive audience, focus a little bit more on why I grow increasingly concerned, and why I know we can be better, and why we have to be.

Now, one of the ways I put things, some of you have seen this, I think this was my first public blog post, but I'm sick and tired of the metrics community talking about frequency times impact. We do a really bad job guessing frequency, but at least there's some backwards-looking data; we do a really, really, really bad job guessing impact, plus it's hard to determine these things. So I'm just going to, I say, simplify it for my neighbor: how replaceable is the asset? It's kind of related in some way, shape, or form to frequency and impact, but credit cards are the most replaceable asset you can name that we care about; human life is irreplaceable. Somebody's dead, you can't bring them back, unless you want to have a zombie film, which, I do like zombies. But if you think about plotting any asset type on this continuum in your environment, we actually spend 95% of our time, money, energy, budget on PCI compliance. It's the most effective and most guaranteed use of our time. And some of you know, which I may mention later, I declared a multi-year jihad against the PCI Council. I call it No Child Left Behind for infosec, and I thought it dangerously distracted us. This is a much better way to depict it, which is that I know Fortune 50 companies who don't spend a penny protecting anything but their most replaceable asset type. They ignore their trade secrets, they ignore their sensitive organizational data, they ignore their intellectual property, squat. So we focused on the things we had to, at the opportunity cost and neglect of much more important things. I may bring up this chart again later, but
my heart and passion is in pushing us towards the left of the screen. Now, when I first got involved with antivirus, it was really to stop the performance impact on our resources; it took up RAM and CPU and network, right? Then it cared about crime; it was fungible assets like credit cards. Then the organized crime and the state sponsor goes after intellectual property. I think in retrospect the reason I was interested in Anonymous is I saw this as a battle for censorship, surveillance, civil liberties, SOPA, PIPA, CISPA, and this becomes collateral damage out of those conflicts. And then the safety and human life issue: if you saw the flash talk by Roy, medical device security is terrifying.

Dan Geer, maybe it's the sexy mutton chops, but he is one of my intellectual idols. I say that he has more intellectual potency per syllable than any man on the planet. In fact I got in the lush several times. If you go back and find the SOURCE Boston video from like a month ago, we did a fireside chat with him and Rich, the right and left brain in the industry. He inspired a certain line of thought in me, whether he meant to or not, about security as a factor of dependence, and essentially what I want to say is this is the single reason why I know we're not getting better. My point is our dependence on software and IT is growing faster than our ability to secure it. I want to say that a second time: our dependence on software and IT is growing faster than our ability to secure it. We've known about SQL injection for almost 14 years. We know how to fix SQL injection. What's one of the top exploited attack vectors? SQL injection. So we know how, we've had plenty of time, and we can't defend against blind SQL injection pervasively. But now we're putting software into our body, into our cars, into our control systems. Our dependence is growing faster than we can keep pace. That's not acceptable.

So when you think in terms of dependence, you can either make it more dependable by putting in all sorts of fixes and band-aids and the like, or you can depend upon it less, and right now we're doing dependence without thinking if it's merited, responsible, repairable. All right, so, you know, that's the ugliest version of a control system or power grid I could come up with, but essentially just go to Shodan right now. You don't even have to be a hacker; you just have to know how to use a default login and password. Go to Shodan, look for "programmable logic controller" or some other acronym like PLC or something like that, and you will find plenty of directly connected, exposed systems that should not be. The first time I used this example I was on stage with HD Moore, and he found a boiler room in the UK in a church that was directly connected, and he could have turned it up to explosive levels. He's like, "Who would like to blow up a church while we're on this?" Now it sounds like fun, but it's ridiculous how dependent we are. The only protection you have in that case is does someone have the willpower to go through with that; that's it. So if you want to depend on the better angels of everyone in society... I love that line from Dan Geer: the internet made every sociopath your next-door neighbor. So it's not about what would most people do, it's
about what would one person do. I don't like that; I'm very uncomfortable with that. I'm actually looking for another car right now, my lease is almost due, and I couldn't believe it: I actually liked this one car, and then I saw the logo of a particular embedded operating system, and I'm like, yeah, I don't think I can buy that car. And I'm not being a snob; it's just, why is it that we have to have an operating system, a vulnerable, unpatchable operating system, in a lot of these vehicles, and almost every manufacturer is using a different one? So I had to call my friends and say, which one is the least bad, and I still don't know the answer, because many of them aren't letting people test them unless they break the EULA to do so. But I don't like that; there's something discomforting about that. It's not just about whether you can unlock it from outside; some of the cars I'm test-driving, you can actually change the suspension with a push of a button, you can control how the car behaves at high speed from the car. So if you can do it from the car, and now it's controllable over radio or Bluetooth or Wi-Fi or many of the above, I don't like this. I'm not a Luddite; I just don't like that elective risk.

There's the insulin pump. I've got a lot of friends on insulin pumps, and I don't like the idea that we have a Bluetooth stack on this. What's the guy's name again, is it Frank, one of the ones from Roy's talk, PhD out of University of Massachusetts, Michigan? We were talking about medical devices: why the hell do they put Bluetooth on an insulin pump? You can't just plug a wire into it when you go to your doctor to get it tuned up? Why do you need Bluetooth? In what universe is that necessary? Insane. He says it's the bacon principle: everything's better with bacon, everything's better with Bluetooth. They don't even think about it; it's really that simple. I don't want this to keep going; it's not an intelligent one. And even if you have to send telemetry out, like maybe a subdural, what do they call those, the defibrillators or the pacemakers, if you really want to send some sort of biometrics out, fine, have it one way. But we're just taking stupid risks, and it's not ending.

So let's do an experiment. You can even do a Greasemonkey script if you like. For 24 hours, every time you see the word "software," I want you to say "vulnerable." So if you have a toaster at your house, it's certified by Underwriters Laboratories not to burn down your house, and you put software on it, you now have a vulnerable toaster. Okay, try it for 24 hours; you'd be surprised. Right after I did this at BSides San Francisco, I can't remember which car manufacturer, they did a commercial that said it's a computer on wheels, so he said, "I have a four-door hatchback vulnerability on wheels." Does it make Bluetooth bacon? Is it Bluetooth bacon? I think you have a t-shirt for it. All right, so substitute "vulnerability" for "software," and similarly, when something's connected, you know there's software in lots of places, that's not necessarily new, but we're increasingly connecting it for everything. So if you see "connected," substitute "exposed," so that if I have a software
enabled, internet-connected toaster, I have an exposed, vulnerable toaster. And I keep saying this, and people keep pushing back, because we like to argue; it's our nature. Even though we know how bad this stuff is, we want to disagree when someone asserts something, we push back. Let me flip it on its head: is there any technology in your home or on your body that you wouldn't want to have an IP-addressable, hyperconnected feature on? Is there anything you wouldn't use? Oh, we actually have an answer; it was rhetorical, but go ahead. What? For example, I wouldn't want my, if I had a heart defibrillator, I wouldn't necessarily want that to have an IP address. Okay, it's a heart defib without an IP address. Oh, by the way, I don't watch much television, but I've heard that Homeland killed the vice president with something like this, which, spoiler alert, oops, that had to be Skyler. Yeah, yeah, if you were actually directly in the scene, be perfectly used to disappointment. All right, so anyhow, I like the fact that that's brought up, but I don't like the fact, I heard it was done in a very funny way, and we need rounded, rational, fact-based risk discussions. I haven't seen it, but apparently there's a second one from a less popular show, but I will not spoil that one.

So, you know, I keep thinking of Jeff and the Cisco commercial over and over, of the internet of things, and I'm just going to be honest: I am not comforted by the internet of things. I'm not. Some things don't belong connected. Now this is coming, it's going to happen; if you were at Dan Geer's keynote, there's certain things that are just unstoppable. But some of us have to be the voice of reason, and some of us have to actually point out, maybe we can start categorizing certain use cases where that's not a great idea yet, like my scale in the bathroom. Sure, perf, sure, I already put that, it's actually five.

All right, so we tend to also bring technical responses to these things, but I'm going to flip through some of this. I actually think our problems are cultural. Jim has seen this now at least three times, so I'm really, really sorry. I have a love-hate with OWASP, okay, the Open Web Application Security Project. They often met here; now they're meeting in Akamai. Great volunteer open source, free technical training and technical resources and technical tools, absolutely no people skills. Every time I get a developer motivated to come to their first OWASP meeting, and different chapters are better than others, they leave saying, "What a bunch of judgmental jerks." They just tell me programmers are lazy, they're arrogant, they're stupid, they write bad code. You know, it's not how you win friends and influence people. So I think what we have is plenty of technical supply, but what we've lacked is sufficient cultural demand. We haven't made them understand why it's important; we told them what to do, or even how to do it, but we never told them why to do it, back to that Golden Circle. So I say screw the OWASP Top 10, I want to see an OWASP Top One. If we can't figure out, with a narrow use case, how to eliminate one thing and why it's valuable to eliminate one thing, then we don't have the credibility or the permission to ask them to do more. I'm not discounting it all; I really love a lot of the efforts, and some of the
things they've done have made it much easier for people who already know and want to and have already found religion. But, in religious terms, it is a bit of a cult and it is a bit of preaching to the choir, and the other 99.99% of people designing, developing, and deploying, who didn't know that putting Bluetooth on an insulin pump might not be a great idea, that's where we have to target.

So I think culturally our demographic tends to confuse activity with effect. Just because we're busy doesn't mean we're making progress. We tend to go for the symptoms, not the root causes; this is the proverbial fighting the heads of the Hydra instead of killing its heart. This is what philosophers do: they look deeper, they look at what is actually causing the bad behavior. This one's really important: we do the easy stuff, not the important stuff. This is the proverbial picking the low-hanging fruit. Okay, we've done it; the orchard is picked clean at the bottom branches. Now, when all you've done is the easy stuff, what are you left with? Not rhetorical. The hard stuff. The hard stuff, right, which tends to map to the important stuff. So somebody at this point usually shouts out, before I even get here, the Pareto principle: "But don't you believe in the 80/20 rule?" Yes, I do. I also know it's not magic. We can have it backwards; I think we do. You can't be certain that what you're working on is the sweet spot of the 80 points. So when I see "best practices," I am almost certain they are not. Usually it's a good practice at best; typically it was a good practice in 2003, when we had different IT, different adversaries, and a different compliance environment. PCI was cutting edge when it was conceptualized, and it took several years of community to get to its first version. It's hardly changed at all since its first version. What we consider best practices aren't. And whenever I hear somebody say, "Well, I'm just aiming for good enough," they're going to miss. Good enough typically isn't; it really depends on what you're talking about, the context, the adversary, the asset, etc. So I think our problems are really down to incentives.

Now, I don't want to just break you down; I want to build you back. Now, I don't actually have the answers, but I ask really good questions, usually, and I'm going to give you, this is the part I don't like doing, Gene made me do it, I'm going to actually drive through a couple of the experiments I tried, and whether I thought it was valuable, and why. For most of us, though, we don't actually want to get better, but since you're here on Saturday, I'm going to assume a good chunk of this room, at least for the next few slides, we're going to assume that you actually want to make changes. How's my time? 20 minutes? 25 minutes? Okay.

So if you want to do things new, you can't go on well-worn paths; you have to look in the dark edges of the map, and sometimes there are dragons there, and sometimes you regret it, and it's a little bit of trailblazing. But you can't keep doing the same thing over and over expecting different results; I think Einstein called that insanity. So really, really early on I said, you know what, there's these seven dirty secrets of the security industry. You're not going to read them all, but secret zero was that you don't have to, if you're a vendor, you don't have to be ahead of the threat, just ahead of the buyer. And I think that's one of my most foundational recognition points: that we get our education on threat from the very people selling us anti-threat, and because it's so hard to do primary research, because it's so hard to know what's going on, the topic is so vast, this tunnels us down to things that are almost by definition not going to be the right things. You can read the other ones later; this isn't really supposed to be autobiographical. It's just, you have to start with a
healthy distrust that you're not going to get the most important things from the private sector vendors; you're going to get the things that private sector vendors are incentivized to tell you.

The second thing I did is I said, instead of just beating down vendors for being liars and cheats and snake oil salesmen, what we need to do is start actually building more defensible infrastructure. This is why I got interested in OWASP in the first place: it's that we have so many people writing future code. You can't just scan for vulns and band-aid vulns and put WAFs and IDSs and firewalls in front of vulns forever and ever and ever. You actually have to start producing less vulnerable Swiss cheese out of the vulnerability industrial complex. So we did this in San Francisco, and we said, look, if you build a skyscraper in Boston, you just build a skyscraper. You build one in San Francisco, there's a pesky little environmental problem called earthquakes, so you had to design with an anticipation of earthquakes, just like software needs to do more. So there's plenty of materials there; I'm not going to give you a whole pitch on Rugged, but that was the idea of how do you encourage the supply and demand for better, more defensible infrastructure.

Then actually, here at the very first BSides, I said, you know what, we're part of the problem. Yeah, the echo chamber is part of the problem. You've got FUD, which is fear, uncertainty, and doubt, but then we go completely the opposite direction and we deny things we know to be true, because you want to be a contrarian to things that sound scary. And then the echo chamber and all the bloviators and bloggers, and there are people whose full-time job is to blog and blog and blog, and they're blogging on topics they have absolutely no idea what they're talking about. So it's really hard for a practitioner who wants to find signal to separate it from noise. So I knew we were part of the problem.

Then Chris Hoff inspired me. He said, you know, with the punctuated equilibrium of all this x86 virtualization and cloud computing, we can actually say screw the past, we're never going to get that right, let's do a much better reversal in cloud. So we tried to dive in and get in front of the cloud security lines and everything, and it didn't work. Then I realized, you know what's distracting? It's that even when people know what they should be doing differently, they can't. The only budget they have is for the chosen few. PCI has required 11 technologies, which are most of our most antiquated and ineffective technologies, and I said, look, in our attempts to... it's just like No Child Left Behind. You get really good security practitioners, average ones, and, you know, late bloomers; then you had the negligent that did nothing, and when PCI tried to define a minimum for the negligent, we got a minimum for everybody. It sucked most of you down into a hole where you could do nothing but protect your card data. It really froze a lot of innovation. Some of those really interesting, innovative technologies that I was playing with at ISS and other places, they died or they sold for pennies on the dollar, because there was no market for it. And then when I became an analyst at the 451 Group I had hard numbers to show how the ramp of revenue was going like this, and then it dropped off, and pretty much the only ones doing good during the economic downturn post-2008 were the PCI chosen few. This isn't just a theory; there was data to substantiate this behavior. That's why I had to tackle that and make us depend less upon it. I can't make you avoid being compliant; I can make you less dependent upon it.

Then I went to the metrics community. I did the zombie apocalypse. I said metrics are bunk, and we did a zombie apocalypse and we made analogies to Moneyball. That's Alex, my co-author, and several of these people are CISOs, or when he took the role at 451. But the point here was that we keep thinking
maybe metrics and numbers will save us you know if we actually just get evidence-based decision support we can leave faith based decisions the problem is most of our numbers are we're we're looking at light is best we're using statistics like drum L post more for support than illumination and the current state of art is that mostly we're just doing numerology right it's it's still just faith-based but it's faith in random numbers um it's a a guess times an assumption and some elaborate spreadsheet um and we're we're feeling better at ourselves uh then we got to burnout stuff I'm not going to repeat that but essentially we realized that we had to take care of our own or
else none of us that could solve the problem have the energy too my wife got really really mad at me but then I spent a couple years researching Anonymous and jerck and I actually spent um over a year writing a very very long blog series um some people in the room actually helped quite a bit give us harsh feedback in private before we provoked the Hornets not but we thought it was consequential and what I started noticing is even if you don't agree with their tactics or don't think they're necess that talented um they were actually upset about some things that most of us are pretty upset about too increased surveillance State censorship problematic legislation
things like CFA things like s cisa and in the process they actually Drew my attention to the fact that the UN is trying to take over the Internet it's currently free and open and governed by no one and they're trying to make it the sole province of uh nation states who want to introduce taxing tariffing censorship and surveillance within the borders of their countries and the routers and whatnot so vinous stuff was interesting and challenging and scary but I also thought this is where I think where I started realizing that our cyber security knowledge was starting to impact our personal lives uh and if they were too aggressive they were going to cause bad laws and if they were too Reckless they
were going to um cause bad okay H Wars law I thought most more of you would know this by now um in the this is what happens when you go to deathcon in Black hatat all week and then you go straight from Defcon to meton you get h words lock so spending a lot of time with hackers in the desert drinking too much Jager moner and things like that leads to H War law my simple assertion was for years I was trying to say PCI wasn't enough and now I had a way to prove it and the assertion is just like Mo's laws compute power doubles every 18 months HD War law is the growth rate of a casual attacker
we're talking in terms of slang is the growth rate of script someone with absolutely no Talent at all how strong are they because the basic assertion from Bob Russo and the PCI Council was well Jos will never stop a determined attack her but will at least stop a scripting false demonstrably false so what I'm going to do here I'm not going to walk you through all of it but what I said is every attacher class is 100% successful when you do zero security as you add security that's effective you'll start to cause drop off rates in the adversary and the Casual adversary this green drop off rate is how strong is met point today so largest open source
project I think it's one of the largest ruby projects right the largest the largest ruby project so very talented people in this room white hat hackers gray hats every day they're adding new modules new exploit new evasions new collaboration tools there whole things like uh um add-ons and different things a social engineering tool kit from David Kennedy so smart people are making the script K stronger every day I'm not getting into a moral discussion I'm simply saying good enough whatever good enough you want to call it is harder every single day unfortunately we have very static and riddle practices this purple line the only one that's past station words line is how you make the
qsa go away that's the qsa adversary so the only adversary we can actually stop is the self-imposed self- imped head and every day HD War's law moves the right so I can't tell you when you've done enough security if you go home on and on Monday you test a land segment or a PCI environment against today's meta if you can't handle it you can't handle even our weakest adversary again I don't know what enough is but I know if you can't handle that you're not t enough to ride and H more off the trick all right there's adversary Cent this is one that the intelligence Community likes a lot um a lot of the risk models that we use
ignore the threat actor in fact I saw a decent presentation today talking about how to you do risk quantitative risk assess qualitative risk assessment the small medium business and I asked about adversaries and there was one column where you can put your confidence in your you know your controls or maybe um how strong you think an adversary might be in this overall MTH but if I I'd like to put to you just in cud terms that my neighbor would understand um the key determinant in the breaches that's been more than one a day the last 3 years wasn't anything you did it was who is after you the key determent is the who's after you and too often we
bury that way underneath the asset value and things like that we could have glorious debates but a friend davidu and I spent a lot of time saying what really starts to matter is chaining much like The Kill chain anybody seen the lck Martin kill chain that's really a win Horizon but each one of these chains will have their own kill and essentially who is AC it why are they doing it which assets do they target they don't all go after the same things what impact does it have in one of the ttps or methods so again a who to a why to a what to a how and when you can start to do that this
is how I could tell which Anonymous opts were fake there's lots of false Flags there was a point where very few Anonymous Ops or false flags are faked by some uh organized crime gang or whatnot if you look at the Sony 21 punishments 21 punishments in a very short span of time they only publicly took credit for two we only attributed six of them to them who did the other 15 only six of those 21 the media still thinks all 21 were not but I I knew the moment you saw 77 million credit cards stolen and it never once gone after credit cards that that was not Anonymous later gred up it was not Anonymous a
good hun it was but it wasn't Anonymous the models like this not help you make better decisions about your limited staff and budget on what to protect from whom but also help you in an incident response a lot of these banks are think they're getting impacted by spontaneous protest and it turns out it's actually um organized crime dossing the front page so you can't notice the fraud so it buys time for money mules to actually perpetrate and make it actual value instead of potential all right then Jean Kim and I got back on the rugged bandwagon with devops this time because devops is it at ludicrous and what we realized was this was either the end of it security as you know it or
a chance for it security to evolve and working with people like Netflix and clicker and Etsy who were doing went from doing 50 changes a month to 50 a week to 50 a day to more than 50 an hour and we can barely Hardon servers at the rate of 5 month so this was an interesting piece of work that I won't go into um remember I said Anonymous pointed out the UN take over the Internet well now I go on my next some weekends to internet governance forums because the UN is in fact trying to take over the internet and they came pretty darn close in Dubai in December uh they're going to try again this month
actually in Neva I think it's actually next week um and the US was really not prepared to stop it and only six democratized Western Nations actually trying to stop it most of the world thinks it's a pretty good idea they want to protect their regimes they want to protect their Global their GDP and if we have an Internet that is taxed tariffed surveilled and censored and blocks tour in Skype uh what do you think the response will be from our community U so I'm not concerned that nously going to Doos them I'm much concerned that our 35 plusy old gray hats who are really talented are going to have to formate an Insurgency I don't
want to get to that I told you Jer and I did cyber War so I'm looking at how does this uh impact um Citizen Soldier militias there are people in this room I know for a fact they're participating in Citizen Soldier uh militias uh much like the gester but in larger groups some of them might doing information gathering open source intelligence some of them might actually be taking actions and digil it's not comforting to me that these things are happening but they are so we're trying to get a dialogue started about what is saying and rational and see all right so back to what you can do um anything for the love of God do anything different
right um experimentation is King uh and I think what we're doing is we're just doing the same thing over over and over hoping it gets better I I don't think intelligent people if they reflect on that statement will will actually realize things will get better than the exact same things we do ah so what is experimentation um some of that experimentation led to my favorite model so I'm going to give you the zombie one if you've already seen it it's okay maybe you'll get something out of the second time anybody seen the zombie apocalypse model pyramid yet besides YouTube so um I like zombie films before it was cool but um the dead is still one
of my um if you were being chased by people who want to eat your brains the undead and wanted to eat your brains which of these would you run towards you don't stand a chance in that Barn friends you're dead I don't care how good you are I don't care how much ammo you have you're dead so we have to choose defensible infrastructure my wife's a dietitian and she bought me a nice uh food guide pyramid for zombies they mostly eat brains a little bit of gristle whatnot so I made a survival pyramid for the zombie apocalypse and what I'm saying is it's not buying security products that keeps you alive it's procuring defensible infrastructure
whether you're writing it with a good sdl whether you're you know choosing this Android platform or this Apple iOS one mandatory access controls one's discretionary one has a chance one might not um you have to make choices like this with your CIO and CTO if you're not picking defens infrastructure you're going to fight bravely and die quickly it's one of the reasons we push the rugged and rugged NE op stuff so much the second key to survival isn't security either and this is how you actually secure anything by the way it's ironic that the two most important building blocks have nothing to do with security uh this is uh reducing the entropy in your environment so Jean Kim
wrote a seminal piece of work based on surveys of the top performing it organizations it's called his lops now he has the Phoenix project book which is even better um and essentially he found three patterns like the best the best outcomes do you know what you have do you know when it changes and and you have a tolerance for zero unplanned changes so the tighter run it operations shops actually have a chance to use an on INE they can actually find needles and H Stacks they can actually tell when there's suspicious lateral movement so having a well-run it shop lets you manage change much better and KN one people we packing now the idea of the
pyramid is the stuff at the bottom has a high return on your investment and the stuff at the top is the empty calories third thing is situation awareness so if I ran the undead and I chose a defensible infrastructure and I keep my fellow survivors keep their wits about them and they don't panic and scream if we're in the dark do we have the flood lights the door sensors the cameras do we know who's attacking from which direction is it zombies or werewolves or vampires CU I need different counter measures for each how many from which direction so we are poorly poorly instrumented our environment and you recently at finally after this AP1 stuff you're starting to
see more people investing in broader visibility and better instrument not just in the network level but at the code level a good OAS project for application disability so again defensible infrastructure managed well well instrumented and then and only then you use your limited counter measures 99% of our activity is buying an antiu for a f right so we need the O and the ooop to inform who's attacking and which thing we actually need so I mapped my replaceability Continuum against the squished pyramid and I just thought about the conferences I've heard of in the last couple months and what they're focused on and you look at the type of submissions and most talks and most conferences are talking
about counter measures for the least replace the least important assets you have a couple things like you know medical device insulin hacking sometimes thanks to AP1 we are starting to see people talk about situational awareness last two years I would love you to start leap frogging and going down the pyramid earlier than you might otherwise have and if you're a researcher and you just want to cut a name for yourself and differentiate yourself on something consequential and underserved I'd suggest you don't find another piece of Android malware you know there's plenty of those I'm on a couple conference committees when we had 80% of our submissions for Android malware talks I never want to see another malware talk
for as long as I live doesn't it's not that it doesn't matter but how come I can there's hardly any talks about working a law or about tical infrastructure attacks and when they are they usually someone who doesn't actually The credibility to talk about it but you know if you want to differentiate yourself there's plenty of white space here down the step the things that matter more all right one of the problems is we're mostly ding by ego money so I am naive enough to at least ask could we have something that's a little more altruistic you know you actually realize that there's things that matter more than just paycheck or your day job but
since I know people are pretty much selfish you might think I'm nuts um but actually there's a really selfish reason to care about those things right you actually live in this world too uh social contract theory as fast as I can possibly do it um social contract Hobs said the state of nature is a state of War it's nasty brsh short he thought people were Savages if you read uh Lord of the Flies you probably get a glimpse of what we're talking about um the idea is if there's only so many coconuts on our Island um I should kill you in your sleep and steal your coconuts but you should kill me in my sleep and
kill my coconuts so none of us are going to able to go to sleep if we had that kind of a policy so out a rational self-interest be form contracts that's the simplest version I can give you so whether you're altruistic or just really good at being strategically selfish there are reasons you should care about that m space so I'm going to pick on paul.com uh last time I was on his podcast uh we talking about stress and burun out the Phoenix project and the way we actually weren't completely at the end the podcast said well you know at least we have job security and I say well but the problem I have with job
security is that it lets the pressure off and we should be frustrated sometimes and we should be pissed because uh back to my point earlier you don't make a change until you're sufficiently motivated you have to hit the bottom um so hopefully next time you feel the job the the the instinct to say will have job security trust me we will always have job security even if we Tred this hard talk so these are the people that uh made me better and made me do these research projects together various folks yes even inski um but what you start doing is you mash up their brilliant ideas with your ideas and you start getting interesting things and I'm not going to go through
the metc numer so back to the sick and tired I love that line from alcoholic synonymous right you know I'm sick and tired of being sick and tired so if you're perfectly happy and you think we're doing a great job there's nothing to change if you are sick and tired of being sick and tired if the pain of maintaining inertia is greater than the pain of trying something new why not experiment so uh I'm not going to beat you on these but to tease you for hallway conversations maybe over beer uh some of the areas I want us to fold our nose and eat our lime of beans this year for one year we may actually pitch this
at deathcon is should we explore professionalizing our trade we hate it we hate ISC squ we hate cisp but we have absolutely no way to get rid of charlot none we've tried and we have absolutely no way to separate really talented people from Pretenders so we actually want to have some people do some uncomfortable experimentation with the Notions of professionalization same thing litigation we can complain about the cfaa or we can propose something Stan uh and tenable we can hope e saves us because we throw a couple dollars their way but we can get technically experienced and literate people engaged with law professors I'm trying to do this right now with Wartman school and other places with law professors with
people on the hill legislation cryp is going to literally blow a fuse in his brain next time he seees something like liman's last bell um so we can either complain and excoriate them with blogs about how bad their language is or some of us could try to infiltrate I don't mean evil in evil ways we could actually try to propose boiler plate rubrics and language and framework and give it to them they will take some because they lack expertise I'm not saying this is easy I'm not even saying it will work those are really complex systems that are well insulated from outside ideas but if you think about how we hack a mobile phone architecture or a complex
sap system we do that stuff all the time so how do we take the kind of person like Charlie Miller who can you know look at a apple battery that catches on fire and how do we apply some of the same systems thinking to map out break down and and navigate some of these tougher things I've already started trying to do this it's hard I wasted a year trying to figure out how to do it but we need more people to help and do experimentation on that so you can either dos when you don't like the law or you can help Supply a law that isn't going to cause infringement on civil liberty so it might actually solve
some of the security thing that they're trying to and then yeah even a Lobby don't throw anything please um somebody approached me after a talk I gave and said he has tremendous experience doing political action committees there's 5501 c3s which you know what there's also 51 C4s and there's political action communties and there's laws about what these things are and ultimately the conversation became you know all those things I just mentioned we should do one of each now if you have any experience or in in any of these Avenues it's just complaining about it doesn't seem to be doing much about this one's I think right up our the house we have some of the best
professional social engineers in the planet and we more we would more Rather Make fun of lagot for on CNN than put really capable uh people that we chose deliberately in front of media a few of us have crossover mainstream media in little spits and spurts I'm pretty happy to see Relic if Ken's had a couple really decent intelligent spots but we also have people who have absolutely no idea what they're talking about getting up and talk about any virus again so I'm pretty sure we could handle this one as long as no one makes fun of us using the Cyber word you know all right so the irony is and I only have a minute here left or so yeah
a minute um I was looking at my building a better anous series that we spent all the year on and I realized if you take out all the anonymous references I was actually describing how to build a better infos sect um the the heart of that piece was ultimately saying there's three steps to making a better Anonymous you have to know why you're in existence or what's your statement of belief and your first principles and I don't think we actually know why we do what we do as a community there's some Community level interest things that we just drink our way through the second thing we said was you should Define how you're going conduct
yourself with your photo contact your parameters you know how you're going to um execute your will if you have something that's important you how are you going to go pursue it and then a whole series of what and and and how type things we've said uh measure twice cut once choose fewer things do them better prioritize stuff we had a whole bunch of unlocking you're inner Badass blah blah blah and uh if anyone's even remotely interested in helping to start this kind of stuff um we have plenty of thoughts we just need more disciplines and ultimately I know that this can't just be one person standing up and complaining for a Saturday um I've started experimenting with team ups
right whether you know half those spaces or not or whe it's too dark in here um some problems are bigger than anyone here all right so I I I have mad respect for the God of Thunder HD Moore I have mad respect for you know genius philanthropist Dean Kim uh the Hulk is might of Dan Kaminsky Alex Hutton's scheming behind the scenes of numbers um we have really decent folks who tend to work on their own projects but much very very impressive results have come when I put these together on specific projects these folks and others so rather than like looking at how to get your next talk submitted I'd encourage you to find a teammate who's good at something
different than you and you will have much better results wait who get to team up SC and we didn't have a we didn't have a SC but I did have an evil squrl if you got stupid Honey B here how bad who does care and I hope you do too all right need to be better make it better thank
you