Hackers are Neither Created Nor Destroyed

BSides Charlotte · 2021 · 1:19:00 · 113 views · Published 2021-09
Category: Career
Difficulty: Intro
Style: Keynote
About this talk
Jeff Man explores what it means to be a hacker—not as a criminal, but as a mindset and worldview. Drawing on nearly four decades in information security, he shares his origin story from NSA cryptanalyst to consultant, examining the personality traits and cognitive patterns common among security professionals, and inviting the audience to reflect on what drives their own curiosity and success in cybersecurity.
Original YouTube description
"Hackers are Neither Created Nor Destroyed" Jeff Man is a respected Information Security advocate, advisor, evangelist, international speaker, keynoter, host of Security & Compliance Weekly, co-host on Paul's Security Weekly, Tribe of Hackers, TOH Red Team, TOH Security Leaders, TOH Blue Team, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty-five years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies. https://darknetdiaries.com/episode/83/ https://youtu.be/7bYTO_i-Txo
Transcript [en]

deja vu this happened last time we're we're good now okay deja vu it's like 20 20 all over wait it is 20 21 um sorry everyone and and rolling back everything that we just said uh back to the to the opening so take two right here let's try this again so thank you everyone for for showing up today um as you can see we're in really good spirits and we're really excited uh about being able to to have the conference today uh uh it's just just great that we can even in light of the ongoing pandemic situation things like that affecting a lot of different conferences um and the planning leading up to them so so this is still still a big deal um

we've got an amazing set of presentations today uh covering a whole slew of different topics so uh again thanks for thanks for joining us and before we get on to other things uh we want to first uh extend a big welcome to the newest bsides charlotte board member so drew would you take that away for the intro yes hi good morning everybody i'm drew green uh the treasurer for bsides charlotte and i have my uh co-treasurer uh daniel here who's our newest bsides board member uh rocking his bsides charlotte gear which you can find in our online store at uh linked eastsideclt.org um i wanted to give a big shout out to our sponsors this year uh

yep shout out quite literally uh so uh with john nasa with uh summerfield wealth advisors and secure code warrior um they they have been uh uh repeated sponsors uh uh at least last year and this year and uh code warrior is our uh ctf sponsor this year and john magnus always been a uh die-hard bsides supporter not just for us but other bsides groups across the uh the state and the southeast so big thank you to both for uh continued support of bsides um we also wanted to say a big thank you to our uh to our donors this year we had many donors off and uh all of our donations help us to uh

provide uh gifts for speakers book venues for next year and you know just take care of all the operations that uh require some kind of upfront uh deposits and then uh what we like to do is have our sponsors usually sort of cover the uh the cost annually and then we sort of roll it forward so we're sort of on a rolling budget we're a non-profit 501 c 3 so uh any and all donations from sponsors and donors uh helps us put this on for y'all so with that i'm gonna pass it along thank you again everybody and hope you have a great time this year thanks drew and and yeah just to really fall really quickly follow up on the on

the sponsors and donors but we we definitely can't do it without you so thank you thank you very much for that um it's it we we try and run as lean a budget and as lean expenses as we can but it does it does cost money to run things um so a huge huge thank you for everybody who's who's helped with that um so again uh we have an amazing set of presentations both offensive defensive uh today so there should be a lot of different things to cover everybody's interest something something for everybody uh but in addition to that ignore my ring iot devices no um in addition to that the theme for this year is uh open mic

so in line with that you'll note in discord in the conference channels there's three new channels down there for open mic text and open mic voice and things of that sort those um channels are there for you to use through the course of the conference to have different different conversations different chats about cyber security topics amongst yourselves so feel free to use those as you see fit uh during the conference we also hope that you and encourage you to attend as many talks as you would like there are two tracks so there's a lot of stuff going on but in the event that you have an extra minute or two or free time or whatever feel free to drop into those

channels and say hi uh to your fellow condors um so i guess uh before we get to uh genie with an intro for our keynote i did want to point out that uh this conference again we're we're virtual this year last uh last year we we made that decision for covid this year we did as well we're definitely planning for in-person in 2022 we're a lot more comfortable with where things are looking now they're not great but we trust that things will improve by that point uh so so stay tuned closing ceremonies will provide details on 2022 and what that looks like to hopefully move primarily out of virtual space we will likely still continue to have a virtual

presence because having this virtual platform has been an amazing opportunity to bring other speakers to you from a presentation standpoint that we otherwise would have had a lot more difficulty doing we did so last year with with international speakers and again this year with two of our uh presentations being being remote internationally one in germany and one from mumbai so uh thank you for uh to those presenters we know that there's a time difference there as well uh where all of those presenters are going to be in chat with you as their presentations are going on so if there's any questions that you have feel free to ask in the track channel appropriate to the talk

and they'll be watching that to be able to interact and answer answer questions as things are going on so with all that said now i want to hand it over to jeannie for an intro to our for our amazing keynote speaker mr jeff man jamie take it away hi everybody i am jeannie rogers i'm the co-chair of bsides charlotte i also run fox pig and yes we are so sorry we are not in person because we miss y'all immensely i hope you all know that um we will be at bsides augusta next week so if anybody's around we will be in person there masked up and gloved up and everything don't worry about it but we do miss charlotte immensely you

all are in our hearts so we can't wait for next year with our new games and everything so without further ado um we have our wonderful keynote today mr jeff man he is a respected information security advocate advisor evangelist international speaker keynoter host of security and compliance compliance weekly co-host on paul's security weekly tribe of hackers tribe of hackers red team tribe of hackers security leaders tribe of hackers blue team and currently serving in a consulting advisory role for online business systems nearly 40 years of experience working in all aspects of computer network and information security including cryptography risk management vulnerability analysis compliance assessment for forensic i can't believe i'm talking forensic analysis and penetration testing certified

certified nsa cryptanalyst previously held security research management and product development roles with the national security agency the dod and private sector enterprises and was part of the first penetration testing red team at nsa for the past 25 years has been a pen tester security architect consultant qsa and pci sme providing consulting and advisory services to many of the nation's best known companies and yes i've had coffee but no apparently it didn't work but please thank you and to everyone to welcome mr jeff man have a wonderful time good morning everyone thank you for uh the introduction genie uh and and thank you bsides charlotte for giving me the opportunity to speak here today um

it's always a mixed bag having to do the virtual versus real i i much would prefer to be real i think everybody would um ironically uh when i ran in uh to some of the organizers uh live in vegas and they mentioned that they were needing a keynote and i said yeah i'd be happy to do a keynote i'm actually in north carolina right now i'm actually i spent the early part of the week in um asheville area and uh now i'm in raleigh durham and i i got here yesterday not realizing or forgetting that bsides raleigh durham was yesterday i was i'm hanging out with some close family friends otherwise i might have crashed the party last night so if

anybody's on from bsides raleigh durham sorry i missed you i guess the technical details should be let me see if i can share my screen and make it work so everybody can see the slides that i'm about to share with you so let's do that technical thing first here

does it look good somebody say yes verbally because i don't see the chat or anything anyone anyone all right i'll open up the chat just to make sure

all right i'm assuming we're good and i'm assuming you can see my slides um i mentioned of course that i am in north carolina i love north carolina um i'm wishing that i could be down in charlotte uh and enjoying barbecue with you guys uh i used to work for a company that was headquartered near charlotte we used to love to go to bubba's barbecue um so to jump into the talk uh that i want to share with you this morning jeanne you know rattled off my bio uh i've been in this business a long time it's it's rather an extensive career and i've been very fortunate in the opportunities i've had throughout my career

and i'll give you a brief you know here's a brief synopsis of what you just heard jeannie telling you um one of the purposes of this talk that i put together and full disclosure i gave this talk uh initially a couple weeks ago at grrcon actually live and i'll apologize ahead of time some of the the slides are oriented towards audience participation which obviously is going to be difficult this morning in the virtual space um but you know the title of my talk uh hackers are neither created or nor destroyed is partially because back in the back in the former times after speaking at conferences i would very often get approached by people asking me various variations of a question you

know how do i become a hacker how do i get into cyber security how do i get into red teaming pen testing you know how how do i do this and you know variation would be well how did you get into it and i usually just tell the story well i started in nsa and that's usually uh as far as i go with it because most people think well okay nsa that that's obviously a pedigree uh within our space if that doesn't make sense to you you know when i started at nsa i started in an in an organization uh where the name of the organization was information security so that was kind of our main business we weren't a a

company that was also building widgets or selling widgets or producing software or equipment or anything like that our focus actually was information security and i i was lucky enough to be born at a time where i grew up in in the very beginnings of the internet and we used to call it internet security and and you know on to where we are today so you know a lot of how i got to where i am is simply just being at the right place at the right time and i think if you ask a lot of people um that is that's sort of a way that a lot of people uh venture into this space um

you know this is where it's like okay i haven't seen everybody in two years because of the lockdown and of course we're virtual again but uh some of the things that i've been doing over the last couple years which also is sort of a segue into in into what i want to talk about today um jeannie mentioned i'm i'm a host of paul's security weekly uh paul actually gave me my own show just about two years ago called security and compliance weekly where i was either rewarded by always talking about compliance i talk about pci a lot or he put me off in a corner still not sure which one it was but the the goal of this podcast

at least for me is to try to bring together multiple communities within our with uh within our field of cyber security i've spent the last couple years going through um going to hacker conferences a lot of b-sides uh you know all the big name conferences i saw somebody tweet this morning uh apparently we're somewhere around the anniversary of when derbycon would be and somebody put out the obligatory trevor forget tweet if you don't know what that is you're probably better off in my opinion but i'm a grumpy old man but i also go to security conferences more the vendor side of conferences type of conferences information security conferences compliance conferences the pci industry has their own conference

and something that's impressed me over the past couple years when we were doing these things live was there's a lot of smart people all over this industry and there's a lot of people doing great things and very often they don't know that the other side exists and so one of the main focuses of my show is to try to bring in people from both sides or both both silos both both and there's more than two really but bring in multiple people multiple personalities multiple people that are smart doing great things interesting things have stories to tell to expose the other side to oh there's people like me over there and they're doing a lot of the same

things because uh this is a huge industry at the end at the end of the day there's so much responsibility there's so much complexity to all the nuances of uh what we do in this thing called cyber security and uh you know lots of supporting roles lots of lots of front line roles but you know all told we're all in this together um uh jenny mentioned i'm sorry genie mentioned that uh the tribe of hackers books the last two books were published in the uh in the in the previous year so i'm actually one of two people that are in all four books in the series uh i'll let you do the you'll have to go

buy all the books so you can figure out who the other person is i'll give you a hint also ex-nsa um and of course marcus carey uh also ex-nsa um oh one more thing on the uh tribe of hackers i'll give you i'll give you a a a a a sneak preview i was approached a month or so ago they're they're getting ready to put the tribe of hackers series on audiobooks release them on audiobooks and they've invited all the contributors uh to the books to read their own chapters and i should back up and say if you're not familiar with the tribe of hackers books they are uh a series where uh the author uh

editor marcus carey and and jen jin uh they put together a a survey a series of questions um you know how'd you get your start in security what are your what are your triumphs and losses what what would you do again if you could all sorts of different types of questions and they put these questions out to all sorts of people in the industry that are recognized in their fields of expertise and and and you know obviously call up call them hackers so every chapter of each book is a different person responding to the same questions it's a fascinating uh series very very informative and educational i highly recommend it to everybody and stay tuned

it's going to be an audio book so i'm going to be in the next couple weeks recording my chapter of the first book and i think over the course of the next six months or so they'll get through all the books so kind of a cool opportunity and i'm looking forward to it um also in the in the last year or so i've been involved over the last couple years with a an organization also a non-profit called hack for kids hopefully some of you have heard of it it's it's a it's an organization that's focused on teaching not only the technical skills to to young people but also hacking skills so they they very often put on

as a group sort of mini conferences just for kids as part of other regular hacker security conferences and do a lot of the same things in terms of capture the flag exercises having lockpick villages one of the fun things they do is they get people to volunteer and donate old equipment of any kind it could be tvs vcrs computers tablets whatever and they let kids just rip them apart break them apart you know no agenda just tear this thing apart see what you think experience it um anyway they i spoke for them a couple years ago at their main conference with students which is in chicago and they asked me to join the board and we came up with this title

of the director of diversity equity and inclusion my focus is trying to make sure that um what hack for kids and what we're doing as a community to bring others up and bring others into the field uh is is something that's available for everyone uh regardless of you know race religion creed ethnicity orientation uh culture geographic location whatever i mean one thing i think we as a country learned in the past year and a half is that there's a lot of disparity just in terms of opportunity for access to technology and internet frankly uh throughout the country depending on where where you happen to be born by no fault of your own so that's something that i'm i'm

interested and passionate about and always open to ideas and if anybody has ideas or wants something like hack for kids to come to their area you know please reach out and talk let me know let any of us know um i'm i i have a day job i work for company called online business systems uh i i work in the pci field as what's called a qualified security assessor or qsa my job is to go into companies that are responsible for meeting pci data security requirements and i assess whether they're actually following the rules and doing everything that they're supposed to be doing um and uh i do that and i've been doing that for 17 years why i like doing it

and why i talk about pci my little pci moment is a pci is a solid framework for basic security things that everybody should be doing no matter what most of the companies that have to do it are not companies that are historically involved in security or have security as part of their fabric uh you know organizational structure it's not part of the their history um and so they don't understand it so i i spent a lot of time uh you know just trying to explain what it all means and putting it in context because i think it's very reasonable if you understand security requirements most people say well that makes sense yeah we should do that and that gets you

over the hurdle of people doing the bare minimum just want the check box which if you've heard of pci it very often is labeled as a as a check box compliance exercise which unfortunately a lot of people treat it like that i'm sort of on on a mission to try to dispel that uh attitude and try to get people to understand no this is basic security stuff that you need to do in an organization um anyway enough of the pci minute this is the the company i work for we're a consulting practice primarily we do a lot of the compliance things we do security architecture recommend solutions we have a security testing team uh we've got a pretty decent team of pen

testers web app testers so on and so forth and and we get a lot of work so we're always hiring so keep that in mind if you are job seeking now or in the future um if you've heard me uh speak at other conferences or you know conferences talks are very often available online on youtube one of the things that i did early on in my career at nsa as a cryptographer was work with the u.s special forces back in those days they used a paper one-time pad for communications and i developed a little uh cryptographic cipher wheel special specially designed to be able to work with the the the one-time pad that the special forces use

they called it the the whiz wheel i came to find out the last real defcon before the shutdown back in 2019 i happened to meet a guy that was ex-special forces that remembered using my wheel and over the course of the lockdown uh he happened to also be the chapter uh president for the special forces association which as you can imagine is for ex-special forces ex-green berets but they have the associate uh membership available and he said you know you would qualify because you know what you did really helped the mission so long story short he was able to get me a lifetime membership into the special force association he helped me apply for it

and and i was given a lifetime membership uh you know i used to spend a lot of time in fayetteville north carolina so there's a little bit of a north carolina connection here as well uh in the fayetteville area of course at fort bragg um one other thing or among other things notable is uh i was interviewed actually along with marcus carey for an episode of darknet diaries uh where i tell uh pretty much the origin story of how penetration testing uh got started at nsa back in the mid early to mid 1990s um i'm i'm embarrassed and shocked to say that it's been almost 30 years since i started uh penetration testing and doing

you know internet security trying to break into computers and networks uh which just makes me feel old and makes me feel tired um one other thing that that happened is and sort of is the segue into this talk uh ultimately or one of the reasons is i was asked to become an advocate for another non-profit called hacking is not a crime um and and speaking of hacking that that's one of the reasons that got me thinking about you know what it what does it mean to be a hacker how do i know i'm a hacker how do i become a hacker how do how do i get the skills how do i learn hacking skills it

all kind of jumbled together in my mind but but part of it frankly was when i was asked to join this group and i was reading through um you know some of their bylaws and mission statements and so on and so forth um my to be honest my initial knee jerk reaction is uh you know every time i'm approached by someone that says how do i become a hacker in my mind i think uh if you have to ask that question you're probably not a hacker but i i i'm always trying to to check myself because i don't want to be arrogant and think well i'm a hacker and you're not and therefore i'm better than you i

think it's more to the point and this is what i want to try to bring out in this talk this morning is that uh it's more important to find out who you are uh and and find out what you're uh good at what you like to do what you have some talent or aptitude or or potential to do and and pursue that and it's not really uh this is for the people that may not be hackers it doesn't matter if you're not a hacker you can still excel and exceed and have a lot of fun and a lot of satisfaction in you know success which is a weird word because how do you define that

in this industry pursuing so many things because there's so many different things you can do in this industry if you are if you do happen to be a hacker uh what i'm going to talk about could help reinforce and maybe make you feel a little bit more uh accepted or you know oh i'm not a i'm not the only one that thinks like this or acts like this or does this um but this organization essentially is trying to do i think one of two things uh you know at a high level one is just you know to try to dispel the the notion that hacker means a bad guy um which is the part that i'm like

kind of the least interested in because we in this industry and i and i've been in this industry and especially in the computer hacking internet hacking space essentially from the beginning this has been an argument that's been going on for you know 30 years and counting and i don't think we're ever gonna really shift the mindset doesn't mean we don't try but uh i think more importantly the the other goal of this organization is to try to promote uh and help out with uh you know proposed legislation that tries to make hacking activities illegal and uh i i think that's more the key element of this organization is to try to you know make sure that the the the the

inaccurate uh mindset of or or beliefs about what it means to be a hacker or what hacking is doesn't negatively impact the hacking community especially in it within the realm of computer internet uh technology hacking that we do do today they have also key tenets and i can i can put them up here let you read them of course you can find the website and learn more about this organization i i will i will have a get off my lawn moment as a grumpy curmudgeon and uh one of the tenets they point out there that i've highlighted is they're trying to discourage the use of the terminology white hat versus black hat you know to define good and bad you know

because of the uh the racial overtones the the ethnic overtones uh you know how we as a society have tried to move away shift away from white meaning good black meaning bad which i get i mean but you know this has been around in our culture for a long time um it's i i kind of tend to think that it's it's not necessarily the origins in terms of a racial thing uh and undermining uh people that don't look like me uh i i'd like to think it's more a contrast scientifically sort of the the opposite ends of the spectrum to to point out that there's a huge difference i point out this one in particular

because i will probably slip and say white hat or black hat at some point and i apologize ahead of time but for this morning's um lesson in in race relations uh and i i put this slide back in at the last minute because torrey mentioned star trek and and i had to remove this because i didn't want to go down this road but if you want to have the classic lesson on why racism is stupid go back to star trek the original series and find an episode i think it's called this let this be your last battle where these two planets have been at war for you know decades centuries and and because they're different and you

have to look carefully and this is where it's easier to have audience participation and people shout back but these two people are different and because they're different they fought wars and were killing each other for for years and years and years and of course captain kirk and the enterprise came in and saved the day and helped them understand that their differences were stupid but look carefully the difference between them and this is the beauty of star trek and at least the original series the the societal lessons that they tried to teach and and the societal um norms that they went after one person here is black on the right side white on the left side while the

other one is the opposite white on the right side black on the left side it takes you a while to see it but that i thought this was the classic example of pointing out why racism is stupid uh so my nod to star trek and and the brilliance of the original series and all the other series but i'm an original series kind of guy um i want to spend a few minutes uh just talking about you know sort of uh you know some of the things that hacking is not a crime is trying to tackle in a visual sense of course uh you know the depictions in hollywood of course of hackers uh you know

i i i could have spent a whole uh you know hour just talking about all the depictions i just tried to capture some you know here's some of the boys that we know uh from you know hollywood uh depictions of course there are women hackers out there and and you know more than i can put on one slide what i thought was interesting when i was you know looking for these images is um typically you know there's exceptions to every rule but typically the um or very often the the male hackers uh there are the they are the bad guys in the movies and the tv shows not all the time of course and and very often the

women are the ones that are the good guys the ones that are doing things for the side of good trying to catch the bad guys um uh you know for a live audience at this point i would ask an opinion poll this is because paul asadoorian and i have sort of this running bet because we asked this question of our guests on the main show paul's security weekly what's your favorite hacker movie and uh his favorite hacker movie is hackers my favorite hacker movie is sneakers and we each have our reasons why um so this is sort of you know i always like to find out and and we're sort of keeping an informal tally of you know

which one of this is right type of thing in the context because this is a virtual talk and i it was pointed out to me after i did this at grrcon the other week uh there are a lot of younger people in this community that actually may not have seen these movies therefore don't know what they're about so rather than asking you what's your favorite hacker movie just very quickly the movie movie war games and this is a an encouragement if you haven't seen any of these movies go watch them because this is sort of hacker history this is our community and our industry's history um the perhaps the first and most classic and arguably is the best but i i'll tell

you why my movie uh favorite movie is sneakers in a moment but this movie came out in the early 80s 1980s so almost 40 years ago and it was a a tale of at the end of the day artificial intelligence and machine learning and the potential of what could go wrong but it showed the early days of hacking which was uh over phone lines and it was very slow and there wasn't a whole lot of graphics it was all very textual i don't want to give a spoiler but that's war games early 80s uh the next movie uh that sort of uh a classic hacker movie is a movie called sneakers if you work in the

as a as a penetration tester red team or do any type of testing for other companies this movie is the model essentially for the methodology that you follow this movie came out in the early 1990s there is also a classic line in this movie um that and i i don't have it memorized even after all these years but basically it says it's all about the information you know there's there's a war being waged and it's not with missiles and guns and bullets it's all about data i think you know that that is prescient and i think it holds true today and of course the third movie which is called hackers came out in 1995 so all these movies are old um

it in my opinion um and this is where paul and i diverge it's it's the movie that introduced uh hacker culture the idea that you're um you know you're you're a community you're a tribe you're a pot of people that kind of know what's going on and are out to defeat evil defeat the man defeat the organized government defeat big brother have fun do cool things know all about this cool new technology i encourage you to watch these movies um hackers of course do have an image problem uh and i i also went out to do a search of like okay who are the world's best hackers who are the most famous hackers there's thousands of lists out there some some

names show up a lot but a lot of disagreement uh most of the lists again are white guys but there are other lists that have women on the list and again hack most of these lists the best famous hackers are all i shouldn't call them bad guys or good guys but they're all people that have been arrested prosecuted perhaps have served to jail time and of course maybe you've reformed and turned to the side of good um i'll let you be the judge uh but you know there is an image problem i think most people acknowledgement not acknowledge this i'm sure you guys have all seen some sorts of of media representation this classic hooded

uh faceless dark ominous hacker person and this is one of those images that i think the that we're trying to dispel um i can go on and on and on my question simply is and i ask this of myself um you know how many black hoodies is too many to have uh i have probably about a dozen of them um anyway uh i want to shift gears a little bit and and and sort of get into the essence of the talk and and the essence of the talk is hackers are neither created nor destroyed i believe and i could be right or wrong and i'm happy to be proven wrong but i kind of believe that you're

either a hacker or you're not and i know this because i'm a hacker and i want to qualify that uh i i often forget my own advice which is don't assume that people know what you're talking about when i say i'm a hacker i'm talking about a mentality a lifestyle almost a world view an approach to just how i see things i was a computer network security internet security hacker for many years but i have not done hands-on trying to break into systems for quite a few years i don't do computer hacking anymore but i still claim to be a hacker and i'm very comfortable in saying i'm a hacker and in fact becoming a computer hacker is

what began the road of discovery to to to figure out that i am a hacker uh and and the essence of what i want to share with you for the for the remainder of our time is how we got there um you know part of me is like you know again as i was doing the research and i look up the actual dictionary definition of of the word hacker which is something that i like to do just in general is figure out okay at least start let's start with a definition before we get in into deep discussions about any kind of topic so when i first looked it up i'm like is this really something we want to discuss

but don't worry there's more to the definitions and you'll see even in dictionaries that there's a definition of hacker that represents the good and there's a definition of hacker that represents the bad so in order to be to properly frame this i i want to use myself as as an example and uh you know sort of talk to you about how i figured out that i'm a hacker um and and figured out more importantly uh how to how do you how to use my mindset in the particular peculiar way that i see the world to to do something hopefully that's positive in terms of the the whole industry and helping companies be more secure and so and so

forth so um my origin story uh which is me attempting to answer the question a little bit more in detail how did i get my start in information security or cyber security how did it how did i become a hacker how do i know that i'm a hacker you know i mentioned of course that i usually just say i started at the national security agency i want to walk through the process though because it i it occurred to me how did i get my start in the industry how did i become this is is really the question is how did i get to nsa and and that's what i want to focus on for a few minutes here

when i first started at the national security agency which was back in 1986 35 years ago nsa was going through a hiring spree what they were looking for first and foremost and primarily were what they called the critical skills of computer science mathematics and engineering um you can loosely think of this in terms of things that we're familiar with today so stem we didn't call it stem back then we called it critical skills if you had a degree in any of these disciplines you were offered a job at nsa if you were in in school studying these you know nsa would show up at job fairs nsa did recruiting from college campus campuses if you got the degree you were hired

they did this you know they hired thousands of people this way i went to work at nsa i was neither of these i'm still neither none of none of these disciplines i actually have a business degree um so i had to go a different route and this is what i want to focus in on i'm going to talk to you kind of about how i got there and and what i want you guys to think about is because i'm thinking about it is how did nsa know that that i would succeed and and be able to do the job in nsa um i had to apply i had to fill out an application mail it in the mail um

provide them all all of my information college transcripts and stuff but ultimately i was invited onto the campus fort meade for a couple days worth of skills tests aptitude tests i had to have a physical a psych exam how i passed that i don't know so on and so forth all i knew at the time was nsa likes to hire people uh who had liberal arts degrees and i happened to go to a liberal arts college so i think that happened you know that was in my favor um i also knew or came to know that uh you know they want people with you know uh clean records or you know people that were trustworthy

that uh you know back in you know i think 30 years ago it was a major issue for hiring if you did any kind of drugs you know had alcohol problems gambling problems cheated on your spouse girlfriend uh had alternate lifestyles any of those types of things were issues um now nsa when i went through the hiring process they wanted you know they hook you up to a polygraph machine and they wanted to know all your dirty little secrets not so much to preclude you from employment although that happened but also to make sure that um they knew what your secrets were so you couldn't be blackmailed because there had been espionage cases this is back in

the days of the soviet union and the cold war where people were compromised and and and committed treason uh you know u.s citizens by being blackmailed you know so that it wouldn't come out that they were cheating on their spouse or more importantly it wouldn't come out that they were homosexual you may remember uh the inventor of the computer the one that broke the the enigma machine in world world war ii alan turing uh you know he was homosexual and it was a time when it was illegal and he actually you know you know the story we've come a long way and uh unfortunately and still have further to go but um the you know so that's some of the

background stuff the the tests that i had to take the two days worth of aptitude tests um i i wish i remembered all of them uh and i wish i could display all of them the one that i remember the most is they gave you a picture a geographic you know two-dimensional drawing of a three-dimensional object and they would ask you what does this look like from behind what does this look like from the right or the left and then they give you you know other pictures and options and you're supposed to identify what it is that people what it what what the object looked like from the from the various perspectives um i found that

easy apparently not everybody can do it other other tests were they gave you a made-up language a language that didn't exist it was just gobbledygook but they asked you it had structure and they asked you if could you identify the structure can you figure out what the nouns are can you figure out what the verbs are and all the other parts of speech another test was they gave you samples of collection traffic now back in those days the the information that was collected was mostly out of the air it was radio signals ironically very similar to network traffic in terms of the signals would have you know essentially header information there's to and from and time stamps you

know source and destination things like that very similar so you know to try to give you a picture of what i'm talking about they uh they would give you all this traffic and they would ask you questions like can you figure out who's in charge you know is is there an address that uh messages are originating from more than other can you figure out the chain of command these were these these were messages that were you know going from governments to armies to battalions to various levels of you know leadership and authority within a military organization so they ask you to try to figure out what the structure was what kind of information could you get

get from it nsa calls that traffic analysis what kind of useful information can you get from that you know stuff that we still do today with network traffic but we call it different things but in essence it's the same kind of stuff that nsa had been doing for years and years um what impresses me and this is an ongoing sort of research project that i'm doing is the fascination that um nsa knew how to find someone like me and i i gave a very condensed version of this talk a couple days ago uh for another group in north carolina which i'll i'll i'll talk about uh later on uh but it sort of clicked in my head at

that point um and this is a message that i think a lot of us especially the ones of us that are hackers or identify as hackers i think i think will resonate with you um given today's standards given nsa standards back then looking for people that had a certain pedigree to put it in today's terms looking for people to hire into this industry that have certain certifications that have a degree in a certain field of expertise or a field to have training of some sort uh you know those are the common sort of barriers of interest entry into into our business these days back then it was these three critical skills um nsa figured out a way to identify me

and find me i didn't even know what i was capable of they probably had no idea what i was capable of but they knew what the indicators were and that's the essence of what i'm trying to get at today and what i'm i'm curious to keep discovering and researching and and and i encourage you to think about it too and and feel free to to contribute and and let's talk about it but what are the things that uh nsa knew to look for that would identify the potential in someone like me because quite frankly i didn't qualify with their standard criteria a way a lot of people today i think don't qualify to get into this field

because they don't fit the the popular criteria uh for you know what is the minimum that you need to get into and that's obviously a topic that's that's been very heated and ongoing for probably many years but we had nothing to talk about the last couple years since we're all locked down but you know this is stuff that we've talked about on uh the main show of the podcast my show the podcast when i have had conversations in the past in in real time it's you know how to how do i get into the field how do i you know re-engineer myself change you know change uh uh professions and and and sort of start

over and get into this field you know there's all sorts of variations to discussion what i'm ultimately getting at and want to plant a seed in in everyone's head to think about is what are the identifiers that make us uh recognize someone's potential for being successful in this in this field whether it's to be a hacker or to learn hacking skills be a red tester red test red teamer or a pen tester but of course again there's so many different things in in this field that you can do how do you f how do how do we identify the things that uh make it more likely that somebody's gonna be successful and and be able to

have a career in this field and be good at what they do um the nsa scores of the test and you can barely see it here but my scores are very faint but you can see hopefully there are mostly sevens eights and nines i had one six i actually uh i still have this i have about a 12 or 15 page document that basically lists every job code that was available at nsa at the time and it shows the minimum score on on which particular test that you have that you needed to get to qualify and you can see here just from this little snippet they're mostly looking for fours and fives to get people qualified where i

was in the seven eight and nine range so i basically scored off the charts um you know again briefly uh to just to highlight okay i i wasn't those critical skills but in my 10 years at nsa here's some of the things that i've done i taught i give talks this is the name of the talks where i go into more detail and tell more tell more stories but you know just very quickly i invented something that had never been done before i fielded what i believe is the first software-based crypto system that nsa ever produced they weren't happy about it because they were an engineering build a little black box but i essentially i had to hack the

system i had to rewrite rules that were written for producing secure hardware and figure out how what made sense and apply it to how do we produce secure software and a secure application um i'm not saying i would ever repeat this and i'm not saying it would be secure in any way shape or form by today's standards because that computer wasn't plugged into a network but at the time it was fulfilling a need from a customer and and it made sense to me why not use a computer to speed up a a an intensely manual process that would take hours to do sometimes which is manually encrypting and decrypting a one-time pad uh i mentioned earlier the wheel that i

invented for special forces which they ended up using as near as i can tell for 10 or 12 years and of course you know i go on in a different talk more tales from the crypt and tell the origin story of the first pentest team there's a book that came out a couple years ago called dark territory there's a chapter in that book that has a a a paragraph that talks about um you know the nsa red team working out of a super secret dark chamber called the pit i was actually uh part of the team and we called our office the pit but we sort of collectively came to know our call ourselves the pit um but we're we're

famous we're in a book so obviously whatever we did had lasting impact um meanwhile the all the people that were highly qualified the critical skills what they typically did at nsa was they came in and they got paid more right out of the gate sometimes 30 40 more than just p on me on the regular pay scale was paying they immediately got into a 20/20 program where they could go to school and pursue the graduate degree and only work part-time half-time school 20 hour school 20 hours of work they were first in line for promotions because nsa wanted to keep them they are first in line for the training opportunities for the diversity opportunities which is touring different

offices within nsa that did different things to be exposed to get you know sort of a liberal arts kind of thing expose themselves to everything they would get their master's degree and two months later they'd leave for private industry where they got an even better paying job that with exceptions that was very much the model they discovered me however they did i did some meaningful tangible things uh all the people that they thought were highly qualified uh they threw money at them an opportunity at them and they left anyway uh and i'm am i bitter about it perhaps um but you know so that that's sort of the origin story which i provide is context

i yeah i didn't go into nsa thinking i was a hacker or even you know using that word in my vocabulary that obviously came later when i got into the red red teaming pen testing thing but i you know again i'm trying to think about okay how do i know i'm a hacker what is it about me that identifies the potential or the skill set of being a hacker i i want to use myself as an example and and this is where it would be ordinarily audience participation so you'll just have to play along you know silently wherever you are but you know what i would ask if it was a live audience is you know show of hands

who else is like this and the nuance is and there's overlap is i'm not just looking for things that are sort of character traits or identifiers like oh that person's a hacker uh but the things that are the sort of innate about your being your the way you think the way you approach things that are indicators that oh you might have that that hacker mindset if you will so uh you know again i did a little bit of a research online you know because i'm quite sure that any idea that i have or anything that i want to pursue probably 100 other people have done it before me and have done a better job organizing it i found this one

particular uh article uh that i thought was kind of cool um you know if you have a chance go back on the replay and find this article it's pretty interesting but yeah this is kind of interesting stuff but again these are sort of uh you know it's the it's the reverse of course but you know signs that you would make a lousy hacker don't do this make a good hacker but uh all that aside these are the next several slides or these are the things that are unique about me that looking back on it self-reflection i think these are indicators that a i'm a hacker but b these are probably indicators that you know helped me get in the door at nsa helped

me be able to score well on those tests i don't think this is an exhaustive or exclusive list and i am genuinely interested in hearing other people's ideas maybe drop it into into the discord server in the chat um but you know what are the what are the signs and indicators that someone might have the potential or the aptitude for doing well in this field so i grew up doing puzzles i uh i was in a puzzle solving family we used to get these things called dell crossword puzzle magazines in these in these books there were of course crossword puzzles which hopefully you've heard of but there's other types of puzzles and these are the

ones that i like to do them more often than just the normal crossword something called a diagramless which is a crossword puzzle but not only do you have to solve the clues and get the words you have to figure out the grid a little bit higher level of difficulty but a fun puzzle um i i actually did the crypto quizzes where uh you'd have to guess words and the letters would pop into the grid and eventually you would have a a a a quote or a phrase and you could actually work it both ways as you started to get more letters in a word in the grid you might recognize the word which would give you more letters

to go back over to the uh the questions of uh you know the specific words that you're trying to guess similar to a crossword puzzle um you know these are all caesar ciphers in fact these were in the puzzle magazines they they used to be in the funny pages the comics pages of newspapers the ones that i grew up with you know so i was doing cryptography long before i ever did it for a living uh but the most important one uh type of puzzle that i used to like to do was something called a logic problem and in in a in a karma type of twist of fate when i first started at nsa

in this cryptic cryptographic organization where i did the software and i did the whiz wheel i had a mentor and the mentor was a cryptologist that had been in at nsa for 15 or 20 years already he taught me a lot he really i i would credit him everybody should have a mentor that you can credit is putting you on the path to having you know a successful rewarding career for me it's job satisfaction um the the twist of fate is this this person that was my mentor as it turned out used to as a side job as a hobby write logic problems for these dell crossword puzzle magazines so i used to do puzzles that he would write and then

i ended up working with him and he became my mentor i'm left handed i i feel like in this industry uh there are more left-handed people than than you know the national average the worldwide average of how many left-handed people there are um if you're left-handed hopefully you'll understand the difficulties that we face you right-handed people don't have to listen right now because you don't understand but we live in a world where everything is right-handed and when you're left-handed that means things are backwards i am still scarred for my first day of first grade in elementary school where back in those days this was the 1960s the schools would give you supplies they'd give you a little box and you get

pens and pencils and rulers and the most coveted item was a pair of scissors and everybody else got these little shiny pointy scissors i got these rounded blunt-edged loose dull scissors and it always kind of bothered me like why can't i have the pointy scissors i'm left-handed i'm gonna put my eye out um i still have issues uh i i very often feel like i don't fit in with a crowd i always feel like an outsider i think part of it is because going through especially junior and senior high school and even college if there's a left-handed desk in the classroom it tends to be pushed back in the back row off to the corner so to

this day if i go into an auditorium or a convention center or you want to attend a talk at a conference i tend to like to sit in the back left corner i don't know why it is but that's the way it is um i've got trust issues i've got lots of issues if you have issues you're either a normal human uh or maybe it's an indicator um i this is where i'm trying to put myself out there a little bit i count things uh i don't tell people that a lot but i'm putting it out there pretty much every set of stairs that i ever go up and down i'm always counting the stairs if i'm driving out on the

highway i'm i'm counting the dotted lines you know between intersections or from some arbitrary point a to point b um i i i would ask you the question i have to give you the punch line but you know these are sort of depictions i think of people that might be uh on the spectrum at some point they might be adhd they might be cdo which by the way is ocd but in alphabetical order um there tends to be a lot of people in our our our industry that that have these kind of you know what society says or abnormalities but they actually make us really really good at doing the things that we need to be good at you know the

ability to see things and analyze things and you know are com i'm not just saying it's me necessarily i see this in others but just brilliant people that are just for whatever reason sort of socially awkward and you might have picked up on on on it especially talking about the nsa experience i might have some anger issues uh other random things like uh i'm one of the types of people that actually take the tags off of the furniture even though it's illegal um i happen to be from a musical family i i attempt to play guitar that's that's me i think when i was four years old when somebody gave me my first little ukulele

clearly i'm left-handed um i don't have a good depiction for it but for some reason i can see what's wrong with things uh you know i'll watch somebody give a conference talk and i'll see a typo in their slide or they'll use the wrong word or or you know it's made me good as a as a consultant going in trying to find whether companies are doing the right things or not i for some reason i can see the wrong the logic error very often and you know as an example this slide bugs me because i don't have an example i don't have a graphical example to depict this it kind of bugs me little odd things like you know being

able to see the world not necessarily for what it is you know most people know that joke um but that's where i invite you that's just me that's just a glimpse of me you know what are your experiences what do you see as indicators not just again not just the character traits or the identifiers from a oh they're a hacker but what makes it what makes you or others uh likely to have be good at have the potential for success at being a hacker at being a cyber security professional um i mentioned earlier that i've given a a brief uh version of this talk earlier this week i was actually down in asheville north carolina

i was invited by the carolina cyber center which is uh operating out of montreat college they've joined an organization uh it's it's an you know i'm only glimpsing and beginning to understand but i'm sharing this because this is an opportunity for you guys in north carolina they they're part of something called the carolina cyber network so if you're someone that's uh you know if you're listening today it's because you're you want to learn if you're participating in bsides you consider yourself a student if you happen to be an actual you know like college student or even a high school student looking to get into college and you live in north carolina there's this whole network of

colleges and universities that have gotten together trying to figure out how to better identify people that are going to succeed in this career but give them the right types of education so they can actually go out and have jobs in this career so just a a quick acknowledgement especially since this is essentially a local resource for you guys uh you know in the state of north carolina so you know my bottom line here to some degree is whether you identify as a hacker or not to me at one level it doesn't matter but that's easy for me to say i guess because i am a hacker but it's not something that is means that you

it doesn't really mean anything at the end of the day you can be smart and successful and do well at your job find what it is that you're good at find it what it is that you have the potential for i want to take the last few moments to tell you a quick story um not sure if anybody knows who this person is uh if you've heard of a book that's relatively old at this point this is robert fulghum folgim i don't know how to pronounce his name he wrote a book called all i really need to know i learned in kindergarten um speaking of which uh you know just for fun here here's my actual

kindergarten class the photograph was taken in 1968 and in case you're wondering that's me uh but i want to take a few minutes and i know we're running short on getting close to the top of the hour but i want to read a short essay that robert fulghum wrote just to give you a sort of food for thought um so let me open up and tell you real quick and i apologize for reading something but i i think it's worth it for you so robert fulghum writes over the last couple of years i've been a frequent guest in schools most often invited by kindergartens and colleges the environments differ only in scale in the beginner's classroom and on

university campus campuses the same opportunities and facilities exist tools for reading and writing are there words and numbers areas devoted to scientific experiment labels labs and work boxes those things are necessary for the arts paint music costumes rooms to dance so on and so forth in kindergarten the resources are in one room with access for all in college the resources are in separate buildings with limited availability but the most apparent difference is in the self-image of the students ask a kindergarten class how many of you can draw all hands shoot up of course we can draw all of us what can you draw anything how about a dog eating a fire truck in a jungle sure how big do you

want it how many of you can sing all hands of course we can sing what can you sing anything what if you don't know the words no problem we'll make it up let's sing now why not how many of you dance unanimous again what kind of music do you like to dance to any kind let's dance now sure why not do you like to act in plays yes do you play musical instruments yes do you write poetry yes can you read and write and count yes we're learning all that stuff now their answer is yes over and over again yes the children are confident in spirit infinite in resources and eager to learn everything is still possible

try those same questions on a college audience a small percentage of the students will raise their hands when asked if they can draw or dance or sing or paint or act or play an instrument not infrequently those who do raise their hands will want to qualify their response with their limitations well i only play piano i only draw horses i only dance to rock and roll i only sing in the shower when asked why the limitations college students answer they do not have talent are not majoring in the subject or have not done any of those things since about the third grade or worse they're embarrassed for others to see them sing or dance or act you can

imagine the response to the same questions asked of an older audience the answer no none of the above so the question robert fulghum asks is what went wrong between kindergarten and college what happened to yes of course i can so my question to you and my encouragement to you as as our time wraps up is uh you know what happened between when you were kindergartner and where you are today because this is true of all of us where do we build in our limitations and i want to encourage you to to remember especially as you pursue your learning and further your career in cyber security and hacking and pen testing and wood pen testing whatever it is that

you're doing um you know realize you are capable of doing anything anybody can do this but i think the important point is i give you a couple sort of parting thoughts here the important thing more than trying to get to a particular place is to find out that place where you're best suited to be find out what your potential is learn how to recognize the potential in yourself and others the things that are indicators that are that will make you right for the job and and my my wish for everyone and this is something i say to people again in the former times that have approached me how do i get into this career how do i exceed or excel or

advance myself is uh expose yourself to as much as you can don't limit yourself find out what it is that you are good at or have the potential or the aptitude or the interest or the curiosity for and pursue that but also find out what it is that you like to do and the sweet spot if you're lucky and i've been very lucky what you're good at and what you like to do are the same thing and and to me that's sort of the ultimate indicator of success uh but maybe i'm wrong but you know so i leave this with you enjoy the rest of your day enjoy all the talks especially the international talks that's so cool

let's figure out this thing together my question in my ongoing research is what are the indicators that someone has the potential to to excel and be successful in the career of cyber security and by all means you know don't stop questioning as a way to push back but also as a way to learn here's my contact information i i do welcome contact people reach out to me please somebody actually called me one time which is rare but you know find me on the twitters feel free to send me an email thank you very much uh to bsides charlotte for letting me be here today i i hope i gave you at least something to think about

uh hopefully there's some about you there some of you out there who said oh wow i'm just like jeff man i'm weird and warped and have issues i can be somebody have a great day thank you very much

thank you jeff for that amazing keynote presentation a lot of good information covered in there um so i wanted to jump back in and just in case there were uh questions or anything from chat please go ahead and post them for for jeff in the keynote channel and i'll reload relay those to jeff to make it a little bit easier um so just waiting for them to come in there there were some snide comments and some other things that you'll you'll have to go back and read in the keynote channel as you were presenting jeff so i look forward to it i i i i give a snide commenter to myself at some point in this field you you have

to get a sense of humor somehow otherwise it uh i don't know how you would do that successfully without it would be a lot more bitter yeah there's a a saying that i got in a fortune cookie many years ago you know it's a common saying and i always i always get it mixed up because i overthink things which is one of one of those other characteristics but life is a tragedy for those who feel and a comedy for those who think or switch that one yeah that's one of those other if you can't laugh at this stuff you'll you know and unfortunately too many of us have we will uh pursue more permanent solutions to our problems which i think

yeah i know of course tragic yeah dude definitely don't want any of those yeah yeah and and yeah and plenty of other vices to go along with it right leading leading up to you um so it looks like uh just kind of keeping an eye on chat here it looks like we're we're we're good on questions i'm not seeing anybody posting there's one last snide comment yeah yeah last snide comments no uh lots of thank yous lots of uh uh excellent presentations and and um and and whatnot so uh very much appreciate the the presentation uh everybody you'll you'll get to read in just a moment the comments have been great so thank you very much and

uh for for everybody else um track one and track two should be kicking off here in just a moment so stay tuned for that and jeff it's been a pleasure uh thank you so much for for uh joining us today again thank you for letting me have the opportunity and again i encourage everyone to to think about what it is that makes me who i am whether you identify as a hacker or not and and what are the indicators so that we can fill the openings and and help the next generation you know what are what are the things to look for beyond the stem and beyond the certain certifications that we love or hate and

so on and so forth because again and this was as i said it crystallized for me the other day when i gave this talk to educators i wouldn't get into your colleges today you know with the qualifications that you have i wouldn't have gotten into the college that i went to which means i wouldn't have gotten into nsa because i didn't have the the prerequisites that they were looking for so you know if for nothing else we've got a as a community we have to come up with a different set of indicators because we all know that the ones that everybody's pointing to are are not let's say not necessarily the right indicators but that means we

got to come up with the other indicators and that's what i'm i'm pursuing and and i i hope but i have at least intrigued others to think about it and and let's let's let's pool our resources and think about and promote how do we find the talent how do we identify the skill sets for all the different things we do in this industry that's really what i'm working on in my brain this week and last week and next week for the weeks to come so thank you again for letting me be here yeah yeah absolutely uh a pleasure um as as always to uh to spend a little time chit-chatting too so sure um thank

you and for everybody else uh check your check your talks uh speaker ops should be kicking those off here momentarily i'm looking at the other the other room where speaker ops resides uh so we're we're ready to go for track one track two head over there and um and thanks thanks for attending me all right thank you ctf intro and instructions first that'll be in track one all right thanks jeff all right take care everyone i'll try to pop in on the discord throughout the day and have have a great day everyone