
It's like, so this is not a morning person, you have to... I mean, the only time I'm a morning person is when I'm in China; it works out really well that way, but we're not there. So I forgot what I was supposed to say about the slide, but it's a little cat, so we'll go from there. The title of the talk is Around the World 0 Cons. Basically what I do is, I started this talk to give a talk on how hacking culture is different around the world, and then halfway through it takes a darker turn, which I didn't expect, and we'll talk about that. And then I said, well, I can't just say how bad it is, I've got to come up with some kind of solution or some kind of call to arms to do something, so then it ended that way. So we're going to go for this ride and see how it works.

But I do give people a warning. I alternate every other year: one year I'll do an offensive talk and then the next year I'll do a rant, and last year my talk was on spear phishing, so we know what kind of talk this is going to be today, right? So I do get ranty. It's like I'm very opinionated, and sometimes those opinions are actually somewhat correct, but, you know, not very often. And I really need to wake up. I love the fact that this one's all live streaming and stuff, you know. So, exactly.

So the only thing that you need to know about me that you don't find on... well, actually, you find it on Google anyway, because all my stuff's on Google, is I love to travel. And I don't just travel to a conference, go to the conference and then, okay, I'm out, bye-bye. I like to stay for the whole conference, and then I stay two or three days before and after the conference to actually see what the city is like, to see where it's at. I've walked from the Coptic area in Cairo, the south part of the city, all the way up to the Cairo Tower in the north, which is like a seven-hour walk through the streets, the non-tourist areas. There's actually a really cool Pizza Hut on the Nile river, which is really cool; that one's actually the Pizza Hut that's right across the street from the pyramids. So the Transformers 2 movie, where it showed it was all abandoned and everything was just out in the desert: nope, not really. And I did an 11-hour walk through the Zan district in Beijing and stuff, you know, which was really fun, because I'm not saying I was being followed, but, you know, I'm sure I was a person of interest, and all I did, if you look at it on a map, was just do this huge circle that ended me right back up at my hotel. That's all I did, I just did this huge loop, just to see what was out there. So I like to explore, I like to see what the culture is like, I like to see exactly how the people are living in the places that I'm at, not just the touristy sections.

So that's what got me talking about the hacking cultures. The hacking cultures I thought were going to be different and varied, and I wanted to give the talk on how the Malaysian hackers, you know, have hacking spaces, versus the Brazilian hackers that do a lot of carding, versus the German hackers that are all the privacy and activists and stuff. So I wanted to do a talk like that, but it didn't happen. And one thing that I wanted to start off with at the very beginning: Russ Rogers put the best part in the survey, which was "I like tacos." That means all hackers like tacos, right? I'm only speaking from my perspective, I'm only speaking for me; these are my perceptions and my perspectives and how I feel the way it is. Everybody is going to be varied, everybody's going to have varying opinions and stuff, you know, but that's just the key to it. This is not to say this is a solution, this is the way to go; it's basically just ranting out to everybody, saying if you agree with me, yay; if not, help me change it and let's do something different with it.

But the first thing is, I realized when I was going to start talking about different countries around the world, it was going to come up with nation state hacking, so I want to nip that in the bud right at the very beginning, because I'm not talking about nation state hacking. And if you can tell by this thing, one of the biggest problems that we have when we talk about nation state hacking and other countries hacking and what they do, we get stuff like this. This is the Verizon Data Breach report and stuff, you know, and I'm not knocking it; no matter what flame wars I get in on Twitter about stuff, I'm not actually knocking it, it's a good report. But the problem
is that all of what's going on on the internet right now: are we missing maybe a couple pieces, maybe a couple continents or something that may be not represented properly on that? Possibly. I mean, that's all I'm saying. It's a good graphics department and stuff, you know, it's really nice, and colors and stuff shaded very well, that's cool. And Trustwave, I mean, let's face it, they've got an awesome marketing department, they've got pie charts. We all love pie, right? I mean, that's great. But once again, is that the whole story? Is that the whole of what we're all about? Is all that's going on on the internet right now based right here? No, there's a couple little gaps.

And this is one of the reasons why I like this one slide here, because I like this website, hacked.com, not because of the fact that he had pie charts, which, you know, once again, pie, but he actually put the flags of the countries that were represented. Because let's face it, we're America, we don't usually know other countries' flags until we invade them, so I thought that was really awesome that he actually provided that for us. So, great. But what I liked the most about the whole site and his charts was his disclaimer. Let's blow that up again: "The data must be taken very carefully since they do refer only to discovered attacks, the so-called tip of the iceberg, and hence do not pretend to be exhaustive but only aim to provide a high level overview of the global cyber landscape." That is such a great, truthful statement that I'm overlooking the word "cyber" in that, okay? Because that is a great representation of what he's saying: this is never going to be everything. No matter what we see, we see a skewed perspective.

Now there are some reports that will have a little bit more, let's say, focal point of what they're talking about. You know, this is a good report that says that possibly on May 9th of 2014 there could have been some possible activity coming from, let's say, China to, I believe that's not Idaho, so we'll just say America. So I mean, it shows that there are some focal points, and this is data. This was data, this was like one little snapshot, and I'm okay with these kind of reports: you're not giving attributions saying that they're all coming from China, because there's proxies and no proper attribution, but that's still data that you can't refute, and I love that. What I don't love is the reports that are out there that are, say, a little bit more suggestive and opinionated. I mean, I don't know, and quite honestly, no disrespect to Richard Bejtlich, but I really do feel like sometime in elementary school China came over and stole his lunch money or something, and I really feel bad about that. But you see, and it's not just me thinking the Mandiant report is maybe a little bit one-sided, a little bit skewed, a little bit, well, it's early in the morning so I can say hypocritical and not care. But yeah, because of the fact that when I did a Google image search for "Mandiant APT1 report", I kid you not, the first image that popped up was this one. So it's not just me, it's not just me thinking that. And by the way, if you've not seen The Russians Are Coming, The Russians Are Coming, which is what this is based off, that was a great movie back in the day. But so it wasn't just me thinking about that, and I've seen the report and I've seen some of these talks and you see some of this press and stuff, you know, and I keep hearing about, oh my gosh, the Chinese are doing this, the Chinese are doing that. And I'm thinking, when you come down to it, what are they doing? What are the bad things? Why is it the evil, scary Chinese coming after us?

And basically from what I get from sources like Richard and stuff, you know, the Chinese are bad because they spy on their citizens, they spy on other countries, they infect other nations' computers with malware, they try to censor their press, and they try to suppress protesters. Well, that's effing horrible, but let's break this down, because I want to break this down, like why they're doing this kind of stuff. So let's talk about what they're doing. They spy on their citizens. Oh wait, hold on, maybe that's the wrong slide. Maybe not, but I do love this one: "NSA admits employees spied on husbands, boyfriends and girlfriends." So they're now having to institute a policy where the spies are spying on the spies that spy on the other people that are spying, so they don't spy on the people they're not supposed to be spying on, but the people that they're supposed to be spying on that aren't related to them. So, yay. Because when you've got a surveillance program like that, you're going to end up spying on an ex-girlfriend at some point, right? Because you're spying on everybody. So they spy on their citizens, which is a bad thing. They spy on other countries, which, again... oh, and this is what really makes me... look how sad Merkel is. Look how sad we made Merkel. I mean,
come on, she's German, she should not be that sad. And she was groped by George W. and still survived better than this, okay? So to make her that sad is a really bad thing, people. And the one thing that gets me the most is right here at the bottom: "Italian magazine says US listened to the Pope, Vatican says unaware." I don't care if you're atheist, Buddhist, Christian, Muslim, whatever, you've got to admit this is a pretty good Pope. I like this Pope, he is a cool Pope, okay? We can all agree this is a cool Pope. I mean, that last Pope with the red shoes was sort of sketchy, okay, I totally understand a little bit of surveillance on that guy, okay? But this is a good Pope, we like this Pope, and you're spying on him. I mean, that's just not cool, okay? So I don't really like that. But I also like the fact that we're doing all the spying and stuff, you know, until the US, curiously, has to shore up spying on Russia because they had no clue what was going on with Crimea. So, yay, I'm glad that all that stuff is going on and being effective, right?

Well, they infect other nations' computers with malware. That can't be good. Sometimes I guess it can be, right? Because we did it. And I love the fact of how we did it. We didn't even go and say... we plausibly deny stuff, you know; we were basically saying we may have done it, possibly, it could have been us. Pretty good work though, wasn't it? It was a pretty sophisticated attack. I'm not saying we did it, but it was definitely done by a very advanced, powerful nation state attack there, on that one. So I love how they did that one, because then if you go after someone else's network, and then on us it's like, oh my God, they were hacking us.

They try to censor the press, but luckily we've got the First Amendment. Oh, maybe, possibly, a little bit, sort of. A lady just yesterday got a judgment and stuff, you know, for $57,000 because she was arrested for wiretapping, because she was trying to record a police officer doing a traffic stop. Her camera didn't even work, it malfunctioned, she couldn't get the camera to work; they arrested her anyway because she had the intent to record it. So there you go, that was a good one. But, you know, we do have the... they try to suppress protesters and we don't. I love this one right here, this is my favorite, because this is the Free Speech Zone. You can tell it's right, it's the zone that's right there by the machine guns and the steel barriers. That's the free... that's the more Orwellian stuff right there, you know. I mean, George W., he's got some... and I'm not trying to bash, I'm not trying to be political, but that's some Orwellian stuff right there, your Free Speech Zone. And this one right here: "New evidence the US Army hired spies to go undercover among the local anti-war protesters." That sounds, you know, sketchy; that could be like some terrorist group. They were the Quakers. The Quakers, people. That's like one step above Amish. I mean, seriously, you think a little coffee klatch and stuff, you know, is going to be overthrowing a government, that we need spies going in there to see what's going on and how do you radicalize those guys? You know, I'm thinking we get some bigger signs, I think that'll do it. I mean, how do you radicalize those guys, you know? So yeah, so they do that.

So basically what I try to do comically is express this: these are command and control centers for actual botnets and malware and stuff, you know. That's what I'm trying to get to everybody: everybody is doing it. It is not one country doing one thing bad, it's everybody has got some bad actor in there somewhere. Even in Canada, they do it in Canada. I mean, I can just imagine how the bot controllers are there: "Excuse me, I'm going to have to compromise your machine, I'm sorry," you know. I mean, that's how I imagine Canadian hackers are: "I'm sorry, but I have to pwn you." So even the Canadians and stuff, you know, have command and control units in their country. All the countries are doing it. Stop saying this country is bad because of X when your country is bad. If you have a government that's worth its weight in taxes, which, well, probably not, because there's a lot of taxes, but still, regardless, they're doing spying, and they better be, and you want them to, because that's part of their job, that's what governments do. Otherwise, you know, they'll actually start doing something like passing laws or something and being dangerous. So that sounds really seditious and stuff, you know, on a live stream, so hi. I'm on so many lists anyway, it doesn't matter. But we're all doing it, so this is not a talk about nation states. I don't care about your politics. I'm not an American hacker, I'm not an Oklahoma hacker or a Texas hacker, I'm a hacker. If you are working, no matter what country you're in, if you're working to help better protect your networks and better protect yourself, I'm all for you and I'm supporting that, okay? That's what we're all supposed to be as hackers; it's supposed to not be about the boundaries.

So let's start the tour around the world. This is how I do this: I do one picture, one slide is going to be me telling an anecdote from one of my trips, and then I sent out a survey to other hackers around the world to say, hey, will
you please fill out this survey and give me the answers back, so I could have a wider view of what the culture is like.

So we're going to start off in Asia. These are my awkward hugs from Beijing, from XCon. I love Thomas Lim; for the record, he loves my awkward hugs. He tries to hide it, he tries to act like it's not a big deal, like it's not a good thing. He secretly loves it, and I'm going to keep saying that until it's actually true. But my first trip that I'd like to talk about, going to... what's a good country, something to talk about on one of my first experiences? Well, first about Singapore. Let's go. I'm talking about Thomas Lim; Thomas Lim throws a conference in Singapore called SyScan, and one of the things that got me when I went to SyScan was there is so much curiosity, I think is the best way to put it. There's a lot of curious... First of all, Singapore is like the Canada of Southeast Asia. If you've never gone to Asia and you want to go to a place, start off with Singapore, because everybody speaks English. Everything's very clean, everything's very well tidy and stuff, you know, because they'll fine you for everything. But it's a very nice, low crime rate, very safe, very nice, very beautiful country to go see, and I love the fact that they all speak English, because I'm American, and I tell people when I'm traveling, I say, look, I'm American, I'm sorry, so that means I only speak one language, and I'm from Texas, so that means I don't speak it very well. You know, can't help it.

But Singapore, when I first went to SyScan, and especially this last one, they are so welcoming, so open. You don't understand, when you travel... when we have visitors come over and you go to these conferences over here, you don't understand, you can't grasp being totally foreign and not knowing anybody, or knowing just a small selection of people and stuff, you know. But they actually try to make you welcome. When I first went to SyScan in Shanghai, actually, I was worse of a nobody than I am now. This was like four or five years ago, I'd just started traveling; I hadn't had my passport for a year yet, and I went over to Shanghai for SyScan, and Thomas didn't know who I was, Dave Aitel didn't know, no one knew who I was. But they invited me to the pre-speaker dinner and stuff. When I got to the hotel, they were there talking to me, and when I was going through lunch they invited me to the speaker dinner afterwards. I wasn't a speaker, I was an attendee, but they knew that I was a guy that was a fish out of water, so they're like, hey, we'll take you, we'll let you hang out and chill with us. And I thought that was a very cool thing.

Let's talk about this: these are the four questions. I asked a lot of other questions, but these are the ones that sort of resonate, that I'm sticking with. So, what country are you more familiar with? This one's from India. How did you find out about hacking? "The Matrix movie. Cool people hacked into the Matrix and did cool kung fu." It's one of the only words that I censored on my slides. In your region, how is hacking seen by the general public? "Negative." Is hacking in your region seen as more for crime, hacktivism, nation state or other? "Crime." That's sort of depressing, right? So let's go on and see what else we can talk about.

Let's go to Europe. One of the things I like to talk about in Europe: my first trip to Europe was December 2008. I got my passport in September of 2008; in November I went to Beijing for XCon, and then December I went... I like to just leap head first into things, and I went into Berlin to CCC, 25C3, which was my first trip to Europe. And what got me was the politics involved. You know, we think we're political hackers; these guys did a march halfway through the conference, a peace march, where they just basically marched around the building. They have a member in their parliament, part of the Pirate Party. The reason why Germany has some of the strictest privacy control laws is because they fight for the users. The hackers are political; they don't just go and say, well, I liked it on Facebook, oh, I'm going to retweet that, I'm an activist, you know. They actually get involved in their politics, they get involved in their government, they try to wake up the people, they get involved in the media, they try to wake up the masses and go, hey, maybe you should have some kind of controls like SSL on your email.
That could be a good thing. So I was very surprised seeing that kind of activity going on there.

And then, so what country are you more familiar with? The UK. How did you find out about hacking? "Progression through technology, tips, tricks etc., other ways to do things, ways around problems." That is one of the truest hacker answers you will ever come across, because that should be the very definition: I'm hacking because I'm trying to see if I can do something, or do it another way that's not been done before. In your region, how is hacking seen by the general public? "Negative, the bad guy who spreads bad work, takes financial details etc." Is hacking in your region seen as more for crime, hacktivism, nation state or other? "Don't understand the question." My fault, sorry. "In my region it's seen as gangs who use crimeware kits spreading spam on Facebook etc." Which, I don't know how you differentiate between the spam and the other stuff on Facebook, but okay, whatever. So there's that, okay. And once again, I'm starting to get a little discouraged, but, you know, we're going to keep going.

And this is the culture... I've only been to one country; I went to Brazil, which is the far left. And I remember, so I've only got really one good story there, and that was at the speakers' dinner for that conference, and one of the hackers was talking to me, one of the local hackers from Brazil, and he's like, yeah man, it's not cool being a hacker here and stuff, you know, there's no laws against it, no one's going after you, we don't got no edge, no one thinks we're doing anything, we're just nerds on computers. I'm like, I really was going, like, I'm sorry, you'll get arrested at some point, don't worry, you know. How do you respond to that, right? How do you respond to that guy? And the good news for him, I guess, is that the Brazilian laws are now catching up and now it's against the law to do computer crime, so maybe he'll have his dream realized one day, I don't know. So that was my brush with Brazilian hackers.

And so what country? From Brazil. How did you find out about hacking? Once again, a true answer: "trying to get things done." In your region, how is hacking seen by the general public? "Nowadays it's a mix of good and bad, people sort of understand it. Back in the day, early '90s, internet wasn't quite widespread, BBSs or stolen credentials to universities were the way to go at that point in time; unless you were doing something you wouldn't really be aware of hacking. With online banking being implemented '96/'97, banker activity started increasing quickly in Brazil." Banker activities means the actual credit card theft, the credit card fraud, breaking into the banks and stuff. Is hacking in your region seen as more for crime, hacktivism, nation state or other? "Considering that those that don't know anything about it just see the stuff in the news, yeah, mostly tied to crime and sometimes activism. In the corporate world, a better understanding of ethical hacking." So are we seeing a trend here? Because I'm already starting to get a little riled right now, because you see these answers, and you start off and you see these answers, oh, that's cool, that's a great way to get into it, and you learn how, like, oh, that's how you want to become a hacker, and then, oh, that's what you're dealing with. That totally sucks.

So let's go to another one. I did a technicality on this one, but I've got speaker's privileges, so I'm going to do it anyway, because my only trip to Africa was Cairo, was to Egypt, right? Egypt is Africa, but they also say no, it's the Middle East. It's in Africa, it's on the continent, okay, so geographically we're going to use that as my excursion to Africa. And one of the things that I got about that was the formality. First of all, they made me get into a suit, okay, which I sort of regretted, but everybody there was so businesslike, they were so conservative, they were so... it was not hacking like me, you know, like I'm going to go hack. They're like, this is very educational stuff, you know, I can't wait to learn more about this; educate me and lecture me on the topics of hacking. And then there's these college teams there. I mean, they didn't understand, especially when I was doing the rabbit ears on the guy. But my most favoritest photo bomb of the world was this guy right here with the scarf thingy, or sweater jacket, whatever those things are called, preppy thing. He was taking a picture for himself behind the banner of the conference, and he was like, you know, because he is at this hacking conference and stuff, and he was very proud of it. He didn't realize, you know, 20 feet behind him, in between him
and the banner, was me in a suit, going... So that was great, that was a great photo bomb. But yeah, so I saw that, and you like to think of Egypt, that area, as being very Wild West, but it was just, they want it as an education. This was a part of formal education, to learn hacking.

Here's one from a friend in South Africa. He says, how did you find out about hacking? "When trying to call UK long-distance numbers from South Africa during a part-time job, there was a need, he found a way around it." You know, that's hacking. In your region, how is hacking seen by the general public? "There's still a stigma attached to hacking, as in hacking into network gaps over building it; it's seen as more criminal than anything." Is hacking in your region seen as more for crime, hacktivism, nation state or other? "The media have dictated the view of hackers in most countries, so it's hard to put a positive slant on it. Also criminals or genuine hackers are put into the same category." Okay, that was actually my statement on it; I didn't want you to get confused, I was just reading.

So let's go to the Middle East. One of my first trips to Beirut and stuff, you know, I'm not going to talk about the bomb that actually happened two days after I got there, but the thing that I noticed about Beirut was I was sitting down with a guy and stuff, you know, over little coffee things, me with a Diet Pepsi, and he wanted to show me something on his laptop. He's like, oh, look at this right here, and he shows it to me, and he's got access to their national telecom system. And I'm like, what are you doing with this? Well, I've had it for years, it's really cool. I'm like, but what are you doing with this? He's not... he pays for his phone bill, he pays for his cell bill. He doesn't do it for that; he doesn't use anybody else's identities or try to mess with their bills or anything like that, he doesn't change the configuration files or anything. He could. It's, why not, you know? And that is the true nature: when you get over there it is the Wild, Wild West. People don't even know what's going on when it comes to the internet side of it; it's such a physical world. One person explained it to me, and the security mindset there... I'm trying to get it right because I haven't thought about it in a while and it just occurred to me, but it was a good explanation. It's that in America we think about securing a building; we secure the whole structure, and so we think of it as a long-term, wide-aspect kind of protection. In the Middle East it's not like that. You hire bodyguards to protect yourself, you secure your area, so there's no wide-term gap; it is more personalized, it's more compartmentalized, it's more of a one-off approach to security. So you could have secured areas, but none of them connecting to each other. So I mangled that analogy, but he won't care because he probably won't see this.

But that's the way the Middle East culture, to me, in my perception, was. So let's talk about the culture in the Middle East, and here's why I did my technicality, because it's like, Jason, you said Egypt was in Africa. But right now we're saying, logically, from the logical standpoint, not geographically, we're going to say this is in the Middle East, because I love this answer. How did you find out about hacking? "Caught a virus in 2005 because a certain person downloaded pirated games and it was backdoored. Wondered how those virus worms worked, learned some programming first by viewing sample virus sources, and walked that road and never went back." Freaking awesome. I mean, seriously: oh, I saw this, how did this happen, let me try to figure it out. And in your region, how is hacking seen by the general public? "Hacking is generally viewed as hacking people's Facebook and Yahoo accounts." And to me, that's really sad, because they're still using Yahoo. But yeah, so we'll keep going. Is hacking in your region seen as more for crime, hacktivism, nation state or other? "Most view it as crime; a few know about activism." Okay, let's go to the next one.

Let's talk about North America. Especially, we're in the States, we've got to talk about ShmooCon, because that's Bruce Potter. I do not typically give non-consensual awkward hugs, and there are a couple exceptions, Bruce Potter being the main one, because I will chase his butt down, okay? I mean, I have run through conference halls trying to get him, so whenever I catch him it's like catching a wild butterfly, you know.
And that's him showing his appreciation for it, because, you know, he really loved it. So ShmooCon: my first one was at Shmoopocalypse, when everything was snowed in. And just think about that: you've got 1,500 hackers trapped in a building, that is totally going to end well, right? It did. It was an awesome time. People were having conversations, people were getting to know people, it was a community, like we're all in this together. And it wasn't the Donner Party "we're all in this together," you know, it was actually like, we're all in this together, let's learn this and let's try to work it off and make the best of it. So I really liked that experience, I really liked the coming together, you know, and how they handled that. So that was a fun time.

So let's talk about North America. What country are you more familiar with? USA. How did you find out about hacking? "First movies, then properly through instruction in a vocational program in high school," which I thought was pretty awesome. In your region, how is hacking seen by the general public? "Negative." Is hacking in your region seen as more for crime, hacktivism, nation state or other? "Crime. People seem to feel that anyone who makes something behave outside of how it was designed is automatically committing a crime. These same people during the '40s and '60s spent a good amount of their time working on and building hot rods and modifying cars." Exactly.

But now I'm pissed. Now I'm upset, because I spent all my time trying to do my research, I'm talking about the diversity of our culture and talking about what we have that shows us that, and all I found was one common thread: that we're criminals, that we're bad people. I don't like that, because I've got some news for you. Here are our forefathers, okay, right here. We are inventors, we are creators, we are artists, we are hackers. Alan Turing, hacker, father of cryptography, saved thousands upon thousands upon thousands, let's say it again, thousands of lives in World War II by helping break the Enigma machine. A fabulous cryptographer, an artist in his own right with numbers. He was a hacker. He was socially diverse and stuff in the country, so therefore he was arrested and castrated, until he forced himself to commit suicide. That's what his reward was for saving that many people in World War II, saving his country; that was his reward. Nikola Tesla, he was the father of open-source ideology. We lost so many inventions, so many wonderful works of our time, because of the fact he didn't want to make money on it, so no one wanted to invest in it, and Thomas Edison had a good game going, because I hate Thomas Edison, but, you know, that's beside the point. But that's what happened to him. His reward: they found his body two days later, the maid did, in his hotel room, where he was basically almost destitute. His only major love in his life that he admitted was a pigeon that he saved in New York City. That was it, that was his reward for being a hacker. Ada Lovelace: I want you to know, there's always these debates, every three hours or something on Twitter, about women in tech. Let me explain my position on it, and I'm not debating it, I'm stating a fact, okay? Ada Lovelace was the first computer programmer. Women weren't let into the tech industry, they effing created it; they let men into the tech industry, that's how that went down. So she started out computer programming, she started how to do that. She was socially awkward and stuff, you know, with her family, which she was disowned, and she died because the treatment for cancer was what killed her, not the cancer itself. So that's what happened, that was her reward for being a hacker. I would talk about Leonardo da Vinci, because he I consider to be the uber hacker. I mean, he was the ultimate artist, creator, hacker. He created a flying machine, an armored car, scuba gear, all back in the day. But I can't talk about him, because he died really well; people loved him, this prince gave him a house to retire into, and he was surrounded by friends when he went, and that doesn't fit my narrative of outrage, okay? So we're going to ignore him. So I see all these people, and I see, if we came from hackers, if we came from hackers who were inventors and artists and maybe didn't..., but they had the same goal that we do, why did it change?
why did we become this why is it this why is it cartoonish or diabolical it's like and I and this is not this is not my perspective I'm talking about now this is fact Jeremy Hammond 10 years for hacking Andrew uh weave got 10 years it was overturn but for directory browsing when you're in the '90s and you're going to certain sites and stuff you know and you're going through the image thing and you like enumerated the folder so you wouldn't have to like keep going on the clicks breaking the law illegal not really but that's what they got him on we've all done it it's like Max Ray Butler 13 years for hacking Roman Vega 18 years for hacking Albert
Gonzalez I'll totally agree with 20 years for hacking okay it's like but you get these sentences and you think about like why what what Justified this kind of sentence when this occurs mik Richmond one year for rape jard Becker one year for involuntary manslaughter of a firefighter doing his duty doing his job Trent Ms two years for rap Seth hornberg a 3 to six years voluntary manslaughter means he got pleaded down from actual murder they could get him on the manslaughter Jessica Faso 5 years for murder of a 23-month old toddler in her charge bashed his head in five years half the time for directory transversal you know why because we're hackers we're the scary guys and stuff
you know, we think it's so cool to be all mystic and mystified. Well, guess what, people: when normal citizens don't understand what you do, they fear. What people don't understand, they fear. What they fear, they try to destroy. They don't know how to deal with it, they don't know what it is, so they go after it. And that is not all our fault, but we perpetuate that. But once again, what happened? What happened from this to this? Because in the 1970s it wasn't like that. Just 40 years ago it wasn't like that. Bill Gates and Paul Allen hacking into a company's accounting file, uh, to try and get free computing time. "The charges mount up that they borrow the computer, the, uh, Gates and Allen began looking for a way to access one of the free accounts at C-Cubed. They somehow got access to an administrator password and used it to steal the company's internal accounting file." Exactly. They broke into a system, man. They were like, that, what's that, 30 years at least, right? They got their computer time revoked. They got booted off the computer time. And he founded a multi-billion-dollar company, so, you know, that taught him a lesson. And I tell you, I don't, I trash all OSes, you know, equally and stuff. So what about these two delinquents? It's like, uh, Steve Jobs and Wozniak. Uh, Wozniak was interviewed saying, "Offering a guarantee on an illegal product in such a quirky way appealed to Woz's sense of humor. It's kind of strange in itself, it's kind of unusual, but I felt it was worth the joke," because he actually had a warranty for the blue boxes they sold. What he admits is an illegal product. The FBI was trying to catch them and stuff, you know, uh, and looking in the laboratory to find out and analyze them, because they were illegal products. They sold devices to circumvent the paying systems and stuff, you know, and utilities and stuff, you know, of the phone systems. How many years is that worth? Well, I don't know, but it's like, my iPhone 6 is coming out in a couple months, I can't wait, right? That's what they got. That's what happened to them. 40 years ago, that was what was going on. That was what hackers were like. That was what was going on.

What happened? 2010. Another young man who had already founded a multi-million-dollar company, he already had one, broke into a utility closet at, uh, MIT. He hooked up a laptop to the campus network and downloaded 4 million academic journal articles, most of them in the public domain, from a paid archive to which he had a subscription. He was arrested and indicted twice on multiple counts of fraud, and at a trial that was begun in April could have faced 50 years in federal prison and a million-dollar fine. Aaron Swartz was hounded to death. He was hounded unto his death because he wanted to download subscription files through an archaic system and stuff, you know, and then release them to the public domain, that most of those were in anyway. How does that happen? It happens because we don't know what hacking is. The general public isn't aware. They see this. Look at this, it's like a freaking Nazgûl, I want to throw a ring on it, you know, it's like, here, go, you know. We have this representation of ours. I've got a computer room that's pretty cold. I have never needed my hoodie all the way up, okay, or a ski mask to do my job. I have never, you know, I do not have big frozen coats and gloves and stuff outside my door saying, "Okay, honey, got to go to work, let me put this stuff on and get going." But this is what they like to represent us as, and where do they get this from? Where does the media get this representation? Well, sometimes from us. "Israeli hacking school trains cyber warriors." It's like, look at those guys. I would make more fun of those, but I think those guys are the Mossad, so I'm not going to, I'm going to lay off a little bit. So it's like, but yeah, let's just go to the next one.

So, um, and then we got this representation, just from like the hackers or the bad and scary people. We've got "Welcome to Cyber U: Ron joins with colleges to train the next generation of net ninjas." I'm a ninja, okay, I take offense to this, okay. It's like, but you look at these, these guys are doing defensive work for the government and for corporations, so therefore they're ninjas, they're okay, they're the cool guys, they're not the scary hacker dudes. Does that not look like every single hacker you see at every single freaking conference everywhere around the ever-freaking world? Yes. It's like, look, I can take a picture of you guys right now and put that in there and it would be interchangeable. It's like, that's what happens. But that's how they're represented. That's how the media changes the storyline. They change the narrative. Because then you got this guy: "Glenn Beck criticizes Watch Dogs for promoting hacking." What the heck is wrong with us? First of all, Watch Dogs promoting hacking and stuff, you know, and teaching you how to hack, it's like Gordon Ramsay's television shows teaching you how to cook, okay. Don't think that's going to happen. The other thing is, the only main reason why I put this in here is just for the comedy relief, because, you know, Glenn Beck is trying to talk about computers, which is hilarious and adorable. Uh, but yeah, so like, but this is what they want to start off, these are the rally cries that they like to start off with. And so it's all fun and stuff, you know, when you get these representations, but what happens when people get to comment? What are the public thinking about it? Well, here we have Sterling Riggs, jerk-off. It's like, and that's the nicest form I can, I use worse language, but there's a child here, there's women, you know, gentle folk, uh, so it's like, I can't say what he is, but he's a jerk-off. He's a horrible person, uh, and that's my personal opinion. So if you ever see the Sterling Riggs, um, he wrote about DerbyCon, and I'm going to use the voice that I think that he talks in: "I don't know how I feel about this. DerbyCon happening at the Hyatt downtown. It's a convention for computer hackers. Sessions include password cracking, hacker war games, and a lockpicking pavilion. Thoughts?" And there were some thoughts. Oh yeah, you've got Greg here going, "The LMPD and FBI should raid the convention and arrest the people who are doing the training and who were in attendance." You idiot. Michelle Perry: "Scary." Poor Darcy was so scared she could only do a "bot con." Goes, "I bet." "No, more like employment opportunities." Yeah, your word. Jenny Smith: "Wow, that's insane. I think this threat is ..." Sean: "What about classes on mugging, carjacking?" I'm the, one of the group, it's like, that's really good. Brian is like, "Sean, that's next week, LOL." Oh, she's cute. Amber: "I think it's stupid." You didn't capitalize "I." I think you're stupid, Amber. "Arrest them all." I kid you not, the targeting ads for the Facebook, you know how Facebook's got those ads on the side, were for pitchforks and fire. This is ridiculous.

So Irongeek, uh, Adrian Crenshaw, saw this, and then he tweeted out to the Twittersphere saying, hey, there's this post, maybe some hackers that actually attended DerbyCon should respond to it. And we did. And see, we like to think that, oh, we flamed them and we schooled them, and we told them, like, you know, logical, reasonable debate, thought-out responses to educate the public about what was going on. I mean, we're hackers, so some of them were like, yeah, they were that flame-worthy trolling, but, you know, the majority of it was an educational opportunity. Mostly every hacker that responded was, here's an opportunity to speak and educate someone who doesn't know what I do and give them the proper facts. So Sterling Riggs, jerk-off, did the only thing he possibly could when faced with that kind of reason: Sterling Riggs, jerk-off, deleted the whole thread. This is the only evidence that you have of it, because I took the screenshots, because I knew I was going to use it for this slide
deck. These are the only, this is the only record that this thread actually existed, because it didn't fit his narrative. It didn't fit the narrative of what we wanted hackers to be. The media doesn't want hackers to be that; they're too busy making them scary. And you're thinking, well, that's a horrible thing, and I was thinking that too, but then I found out one important thing: I'm a hypocrite. I mean, I've always been a hypocrite on a lot of different things, and I'm honest about my hypocrisy and stuff, you know, which doesn't make it less of a hypocrite, but, you know, at least I get points for honesty, right? So it's like, so but I realized that I've been a hypocrite on something: the McDonald's coffee cup lady. And guess what, but you're probably a hypocrite too, because we see the McDonald's coffee cup lady who gets $10.9 million for her coffee was too hot, and we think, what a scam, we think, I can't believe she hosed McDonald's and stuff, you know, now I got to have, please roll your toothbrush paint, uh, toothpaste up and stuff, you know, properly, or it'll cause choking or something. It's like, it's all because of her, right? Is that the story? Is that what happened? Not really. It's like, even though we like to make a ... no, not supposed to go that way, let's go that way, there we go. And we've actually made jokes of it, which is all fun and games until we meet the hot coffee lady, who received, 15% of her body received third-degree burns that required skin grafts. Till we find out that McDonald's served their coffee at 180 to 190 degrees Fahrenheit to make sure it was hot all the way through the ride. Till we find out that all these people highlighted in pink were admitted to the emergency room for scalding from their coffee. Till we find out the fact that she only wanted her bills repaid for the hospital. McDonald's offered her $800, and not even some McNuggets. It's like, that's what happened. And then we find out that that $2.9 million was a calculated settlement of two days of coffee sales for McDonald's, not even the Happy Meals, just the coffee. And once that was negotiated, she received less than $500,000 for that, for skin grafts over 15% of her body. She was in a stationary car with her nephew at the time. She wasn't driving, she wasn't in motion. They let that happen. But we like to make jokes about the coffee lady because the media told us it was funny. The media told us this was our story. The media gave us the narrative and we didn't question it. And we wonder why they think hackers are scary and they don't question that. We need to change the narrative. We're intelligent. We know the narrative is wrong. We know that that's not the story for us. But unlike the coffee lady, we've got a voice. We don't just let things go. We try to change things. And we're doing it. It's like, and I really appreciate that there are voices out there. There are voices out there coming out there. Thanks for wearing the same shirt, by the way, that's awesome. It's like, uh, there are people out there trying to change it.

I mean, I like to, I'll pick on Dave Kennedy, because I like picking on Dave Kennedy, because it's like, you may have seen him on Fox News and, uh, MSNBC and Fox News and Bloomberg and Fox News and CNN between plane coverage, and you also may have seen him on Fox News and stuff, you know, and the Katie Couric show, which was a really good episode. Uh, then he was on Fox News doing some stuff on, uh, testifying. So, and then did I mention Fox? When I see Dave in real life now, I usually try to see a chyron, just like Fox News, going right below him. Every time I see him now in real life, he's just like a whole projector. But he's a great guy. One of the best things about Dave is he admits he's a hacker. He says, "I'm a hacker." Once, his article talked about hacking. It's like, we're saying we're hackers, we're here to help. We're hackers, we're here to help secure you. We're hackers, we're here to help educate you on these issues. That is what is needed. We can let them paint the narrative, we can let them color the stories, or we can start participating in that. And it's not these guys. They're the vanguard of it, but why not you? I say in my bio that I was Time's Person of the Year for 2006. I am 100% correct on that. The other part of that was, so were you. Why not be that voice? Why not contact your local news station, your local newspaper? If you've got valid information and you've got the actual information that can help educate people on a topic that's being discussed, why don't you take part in it? It's not like you're just trying to pimp yourself out and stuff, you know, and get a name for yourself. You're educating your community. You're helping. And be proud of the fact that, "I'm a hacker, this is what I do." It's like, even if you had to put the "ethical hacking" in front of it and stuff, you know, so they're not too afraid, do it. But let them know that you're there to help protect, that you're there to help educate. Because if you don't do that, if we don't have that vanguard, if we don't have those people out there trying to change the narrative, we're stuck with people like this doing it. It's like, some, many people may not know Gregory Evans. He's the world's number one hacker, or, I like to refer to him as the world's number one hacker full of number two. Um, but he'll be spreading that out for his own gain, for his own purposes, and for his own ego. We have to be the voice we want to be, or we can't complain about the narrative that's being taught. Because we're not like the local steel union, okay. We're not like, uh, a whole bunch of other fields and industries, automotive or, you know, whatever. We are different, because we see problems and we try to make them better. We do not let the status quo rest. We actually, for some strange reason, are mostly idealists and stuff, you know, who want to see things better, to see things work different, to figure out how things work and see if we can improve on it. There's a whole industry of us doing that, and we are making changes.

Here's Blood Code. Blood Code was, Barcode is the name of the, the nice ginger there. It's like, and the cool thing about him, well, not the cool thing, but the cool thing about how it started was he needed blood transfusions 'cause he was dying. So he received seven blood transfusions, like within, I mean, full blood transfusions, within like weeks of him being diagnosed. So what did the hacker community do? He's like, sorry, dude. He's like, let me like that status on Facebook. Started a blood drive at DEF CON. The very first year it happened, it was for one day, from 9:00 a.m. to 5:00 p.m. By noon, the lady who was organizing it was in tears, the reason being is because she had to spend the whole rest of the day, after 9:30, she had to spend the rest of the day telling people there was no room for them. They were already booked up by 9:30. They were booked up through 5. She had never seen that kind of outpouring. She had never seen that kind of response from any conference, any convention she's ever done in Vegas. The second year we did Blood Code, uh, the world, uh, the state's largest blood drive in history, the state's history, was at DEF CON. She was really touched by that as well. Also, I mean, just for full disclosure, the Ninja party was giving out invites to people that donated, so that might have been the contributing factor, okay, possibly. It's like, but then what happened on the third year, last year? Zero giveaways, zero gimmicks, zero Ninja party invites: the second largest blood drive in Nevada state history. That's what hackers do. I mean, of course, there's a lot more people now that are buzzing around in Nevada after getting blood transfusions, but it's like, but that's what hackers do, okay. We see a problem, we try to fix it. You've got Johnny Long here and stuff, you know, not only doing a mission in Uganda and stuff, you know, and trying to help that surrounding area, but he also does logistic support and computer support for other people, for other, uh, charity organizations, for other, uh, aid organizations in that country. It's like, he's being that support guy. He's that tech support person. Other than the fact his shirt actually, you know, says "I hack charities" on the front, 'cause then people look at you and go, like, how dare you, how dare you do that. I'm like, no, no, no, no,
that's a good thing. It's like, you get to explain that and stuff, you know. So, um, and also just to show you that, I don't, believe this or not, being contributing and being a charity and being someone that wants to do good and being a hacker and stuff, you know, that has that ability to want to change the world and make it a better place, isn't actually reserved for Christian Americans. It's like, this is China Eagle here, the guy in the middle. It's like, you may know the name China Eagle from Titan Rain from 2003. Yes, that actually is the same China Eagle. Uh, and it's like, but you know what else he is? He's the Johnny Long of China. He has created a whole program of actually putting, uh, computers in schools in western China, in the, like, the desert, the desert rural areas and stuff, you know, the non-city areas. He's been putting computers into those school systems. He hates cyber criminals. He helps consult and stuff, you know, with law enforcement and stuff, you know, to help put the cyber criminals in China in jail, 'cause he's a patriot. He believes in, you know, his country, and he believes in being, and that's another thing that gets funny, especially talking about in America, because it's like, we love patriotism until we realize that other countries can have that too, and then it's like, wait, that's not so cool. It's like, but he is an honest, upright, charitable human being and stuff, you know. He's just a patriot for the country that he actually was born and raised in, for some reason. So that's how that works.

It's like, our world is complicated, our world is confusing, but as hackers we have something that does unite us: the ability to try to do something and make things better. And we have to, pretty fast, because, believe it or not, we're having offspring and stuff, you know. It's like, I mean, it surprises me, well, sometimes, and two of those are mine. But it's like, we're doing that, we're actually having, there's a young gentleman in the audience today. It's like, we're, what do you want to leave your children? What legacy do you want to leave on that word "hacker"? 40 years ago it was destroyed. How long is it going to take to bring it back to where it's something that your children can say with pride, that they're a hacker? One of the most proudest moments of my life was going through my daughter's, uh, elementary school, holding her hand through the hallway, and a child comes up, and my daughter looks up at me and she says, "This is my daddy. He's a hacker." That was one of the best moments of my life, because she said it with pride, because she meant it, and that's what she thinks a hacker is. She thinks a hacker is someone that does something different and helps protect people. When are we going to let the rest of the public realize that? Because one other key thing, oh, we're mystic, it's like, let me put on my hoodie and my wizard robe and hat, you know. No, that's not it. Hacking is who we are. It is human nature. Stop thinking that this is a skill set that you acquired, that this is something that you've learned and you've earned. I got news for you: it's not. It is in our DNA. A group of boxes were set out in front of a village in Ethiopia, unopened, with Android Xoom tablets in them. Within five months the children had opened the boxes, figured out how to work the operating system without ever seeing English, and they were able to circumvent the controls, get the cameras re-enabled and the parental controls unlocked from the devices. They hacked the Android operating system to get what they wanted. That's hacking. That wasn't taught. That was ingrained in who they are. That is who we are. A five-year-old kid wanted to get into his dad's Xbox account, couldn't do it, so what did he do? Oh, he was able to bypass security using a Microsoft flaw that needed to be patched by Microsoft. That was not something, he did not take the C course, which is on the right level for a five-year-old. He didn't do that, okay. He did it because he wanted to get something done, and he needed a way to circumvent something and do something that it wasn't supposed to do. It is in our DNA. Every human has the ability to be a hacker. Why don't we let them know that? Why don't we show them that? Why don't we stop trying to be the villain they want us to be and start showing them why they are like us and why we are the same, and how we can help them be more like us? Because we are not an industry, we are a community, and we are all connected. And if you don't believe that, by the transitive power of Kevin Bacon, we are only two awkward hugs away from him. Thanks, Oliver Stone. Okay, so we are a community, people. This is not a union. This is not an industry. I will still always think of this as a community. I do not have a job, I have a passion that I get paid for, and that's what we should all have. So this is the wonderful time where I get to actually get some more, several minutes. That's my, so, hint thing: it's over, I'm done. Are there any questions? Let the ranty man get off stage now. Okay, cool. I'm good.
Real quick, before I get rolling, give a shout out to the BSides Asheville organizers and volunteers, so let's give them a hand. Got to give a shout out for the local group I belong to, MiSec, it's the Michigan local security group, and of course my boys in High Hack Society, there's a couple of us here. So a little bit about me. Uh, I'm Jimmy Vo, and to my co-workers: I am not related to Wang Dong. What's with this handle, though, UglyGorilla? That's a terrible one. It's still better than Wang Dong? Yeah, it is. It's like, I don't want to even go there, but Ugly Wang Dong, Ugly Wang Dong. So anyway, a little bit about me. I am a Brazilian Jiu-Jitsu blue belt, so I will triangle choke anyone. In addition to that, I am a Muay Thai practitioner, so if you do know me, I talk about roundhousing stuff a lot. I can throw a roundhouse kick. So I've been training MMA for about seven years. I fought in the cage once, and, uh, I typically talk about it a lot, especially when I'm on a date, but I leave out the fact that I lost. To be fair, the guy who beat me is, I think he's the champion for my weight class. So I do work, uh, when I'm not punching faces and choking people out. I focus on SIEM and security monitoring, and I do assist on some of the pen tests.

So my talk today is called "How to Win Friends and Influence Hackers." It's, uh, sort of cheesy, a lot of people are trolling me about it, but it's an obvious title-jacking of Dale Carnegie's book "How to Win Friends and Influence People." If you have not read that book, I would definitely read it. Has anyone read that book here? Okay, so definitely, definitely read it if you have not. So today I'm going to talk about basically a combination of the psychology of personalities in information security and sort of my approach for winning friends and influencing people in the information security community. And, uh, I do want to put a disclaimer out there: I do not have a psychology background, so this is some collective research that I've done, and it's adapted from my BSides Chicago talk. I refined it down a little bit and now I'm here.

So why do we care? This guy obviously does not care. So there's two reasons why I wanted to give this talk and why I thought it was important from my perspective. The first reason, and, uh, this talk is sort of geared to, it's applicable for anyone, it's more targeted to people trying to get into information security, but hopefully everyone can get something out of it. So the first reason why I think this stuff is important is because of networking opportunities, right? It goes both ways, though. We think networking opportunities is, how can someone help me, but really it's about how can we help other people in the community. So let me share a story. So I was a little bit tired of my previous job, I was in sort of IT ops, and I wanted to get into security. So I saw someone posted on Twitter about a job opportunity, and I hit the person up and said, hey, I'm interested, and, uh, this individual said, shoot me your resume. By the next day I had a recruiter call me, and it was pretty interesting. It kind of blew my mind that I was able to kind of circumvent the traditional HR, uh, applicant process. I'm actually at my current job right now because, it's kind of funny, but it's from Twitter. So that's the power of networking, and, uh, why influencing is important. The second reason, and the more important reason, is we face big challenges today as a community, right? We joke about it, security is hard, right, just a little bit. And the best way to face huge challenges is working together as a community. So the second reason why I created this talk was to build a strong community, and this is from understanding each other and working together. And we have a very strong community today, I would say, and with anything there's always room for improvement.

So let's talk about the foundation of my talk. So I mentioned personality type stuff, and I had a talk with Dave last night, so he's going to be talking about some Myers-Briggs personality type stuff, and that's sort of the foundation of my talk. He has this awesome sheet. Did everyone get one of these? Yeah, I should have got them at the registration desk. So this is awesome, because I'm going to talk a little bit about the Myers-Briggs personality types, and, uh, again, it's the foundation of my talk, because if you want to influence people you have to understand them. Not everyone's going to have the same personality as you. So let's get rolling on the personality types content. So I use Myers-Briggs, like I mentioned. Uh, there's a lot of familiarity with it, a lot of research, a lot of people tend to know their Myers-Briggs personality type, and, uh, I totally understand that there are some criticisms. Uh, to me, it's kind of a challenge to identify personality types, because there's 16 of them. I talked to a buddy of mine who uses Insights. Is anyone familiar with Insights? There's four colors, uh, it's a little simpler, but I'm definitely going to look into that.

So I created a survey. I was interested to see what personality types were in information security. The survey was four short questions: do you know your Myers-Briggs personality type, what is it, your job title, and any additional comments, where I got trolled to hell. So there are 81 people who responded with their personality types, a bit of a small data set, so I can't really say it represents the whole community or the whole information security industry. And, uh, so I'll share some of the results from that, and again, the reason for this is understanding people helps frame your communication, and that's key to influence and winning friends. So today I only have time to talk about the top four personality types, Myers-Briggs personality types. There's 16 of them, and I just am encouraging everyone to read up on it, and again, this sheet is awesome for that, so definitely read this.

So I have a lot of puppies in my slides. I love dogs, so if you don't like dogs, I don't, I never met a person who doesn't like dogs. "But you need a dog person versus cat person personality type." Yeah, I should do that. So let's talk about introverts and extroverts. And before I did this research, I had a big misconception of what an introvert is and what an extrovert is. I thought introverts didn't like talking to people, extroverts did, and, uh, that's not totally true. And it's interesting: it's about where you get your energy. So let's talk about introverts a little bit. Uh, they tend to think before they act, they create solid ideas, they feel comfortable being alone and doing things on their own, and, uh, they need time to recharge, typically after a social interaction. It's funny, my boss will actually block half-an-hour chunks in his calendar after any type of meeting. That's how much of an introvert he is. So on the flip side, the extroverts, I guess the extrovert is this puppy. So they tend to get energy externally. They get energy from being active in events like conferences or just talking to people, excited to be around people. They'd rather talk a problem out loud and hear what others have to say. They tend to have a wide range of friends and they're very comfortable in groups. So what do you think the split is in my data set from introverts to extroverts? Any guesses? More introverts. So according to the Myers-Briggs personality type, uh, the first letter in the Myers-Briggs personality type is I or E, so that's how I, uh, came up with the introversion/extroversion data. As you can see, 66.6% of my data set are introverts and 33.3% are extroverts. That's not too surprising. Does anyone have any theories why? I don't, my theory is just security people tend to be very analytical, they look within for answers. And I saw this interesting infographic, so I'm not going to read them all off, but, uh, some of them, for an extrovert: respect their independence, uh, offer them options, uh, make physical and verbal gestures of affection, give us hugs. And introverts, so they're a little bit different: uh, respect their need for privacy, uh, let them observe first in new situations, reprimand them privately, uh, and this one is big: respect their introversion. So don't try to make an introvert an extrovert, and that's key.

So let's talk about some of the Myers-Briggs personality type stuff. Uh, I'm going to talk about the four that are highlighted, and we can see there's some grouping and then there's the outlier. So these are the top four personality types in my data set. So we have INTJ, ENFP, ENTJ, and INTP. What's interesting, the interesting thing about these top four personality types is these four make up 54 of 81 personality types in my data set. So if you can do the math really quick, it's 66% of these personalities represent my data set of 81 people. Uh, my theory on that is security attracts a very, a certain personality. Uh, I'm a big believer that not everyone can become a security person. It requires a certain way of thinking and passion. Now I'm not trying to be mean, it's sort of like not everyone can be an accountant. I don't know if anyone wants to be an accountant, but that's the point I'm trying to make. So when I gave this talk the second time, there, people wanted context for this data. So I found an awesome research paper that, uh, analyzed personalities in software engineers. So let's take a look at that data. So the puppies again, the introvert and extrovert puppies. In the red are software engineer, uh, numbers for introversion/extroversion, so the gap is a little bit smaller, but it's still prominently introvert, so 57% to 43%. These are the top four personality types within software engineers, so we have ISTJ, ESTJ, ISTP, ESTP. It's interesting that they're all STs, but, uh, I won't go too much into
the software engineer personality stuff; I just wanted to lay out some context of a different group of professionals. So let's talk about NTs. The NTs, we know there's three, three or four are NTs, so we'll talk about them a little bit. So what the NTs represent, or what the middle of the Myers-Briggs personality type is, is the temperament. So they're known as the Rationals; they're called the problem-solving temperament. This makes total sense of why they dominate sort of the data set. Some of the core characteristics for the NTs are pragmatic, skeptical, self-contained and focused on problem solving. However, I never met a skeptical information security professional. Some other characteristics: they're ingenious, they're independent and they're strong-willed. Take a look at a pentester: you get dropped in on a client site and do what it takes to accomplish the goal. And some more characteristics about the NTs: they trust logic, they yearn for achieving, they seek knowledge, and I mean seek knowledge is big; that's why we're all here.

So let's talk about the top four personality types in the data set that dominated the results. So INTJs: there are 30 INTJs, that's 37% of the data set. It's interesting because they only make up 1% of the general population. They tend to be very highly analytical, creative, logical; they're aggressive for new concepts and knowledge, so I mean all of us, constant hacking, learning, reading, attending conferences, trying to be better every day; and they're stimulated by difficult problems. Again, security is hard, right? So breaking into hardened environments is difficult; that's the challenge that sort of drives the INTJs. The ENFPs: I'm actually an ENFP. I'm also a Flyers fan, and this is ironic because they're known as the Champions and the Flyers have not won a Stanley Cup in like 40 years. So again, they're known as the Champion; they make up about 11% of my data set, and they tend to have strong people skills, they relate well to others, they're empathetic and caring, tend to be disorganized (I'm extremely disorganized), they're capable of doing anything they're interested in, and that's sort of why I think I'm in security. I am not ENTJ, but I was very interested in security, so that's where I kind of fell in. Some of the job titles were interesting in ENFPs: there were some director, CSO and other leadership job titles in the data. So we have the ENTJs; they made up 9.8% of my data set, and there's more puppies. Their style is known as commandant; they're known as strategy leaders, and they're motivated to organize change. They're pushing for change in their organizations, or if they're consultants, their clients. ENTJs excel in logical reasoning; they enjoy the process of discovering and implementing a better way, and I mean that's what we do every day: we try to improve security either with our companies or with our clients or within our community. And the last personality type is the INTP, so they're known as the Architect, and they make up 8.6% of the respondents. They see how things can be improved or what they can be turned into; there's even security architect job titles. So how things can be improved: we look at a pentest report or something, we show recommendations on how things can be improved. They tend to primarily live within their minds; they focus their energy internally, that's sort of the introversion piece of them. They use analysis, identifying patterns, and they come up with logical explanations from within, and they tend to value knowledge above everything else, and they tend not to lead or control people.

So this stuff is key, the personality stuff, because if you talk to an INTJ, they value knowledge above everything else, or logic, so if you try to pull their heartstrings it may not be effective if they're looking for logic. And again, the sheet that Surfer Dave came up with talks about all of this stuff, so definitely read it; it'll definitely help you frame communications to different personality types. So let's segue into sort of my approach of how I win friends and try to influence people. So personality type stuff was the foundation and the house is my approach. So again, I am an ENFP, so most of this stuff will most likely not work for you, so you're probably thinking, well, why is he up here talking? This is sort of a call to action: find your own way of sort of influencing people within the community and outside of the community, because it's important and that's how we
create change, right? That's what Jason was talking about; that's how we create change. So I'm going to focus on some stuff that I do, and I use Twitter very heavily for networking. And why Twitter? This thing just freaked out. It's cool; that's people disconnecting from the live stream. So why do I talk about Twitter? I found it really effective for me. I want to genuinely connect with people and I want to learn from people. My colleague Scott Thomas gives an excellent talk about learning from others, so this is why it's important to connect with other professionals within security; we can't just do our own thing and not talk to anyone. So the first piece of my approach is building my brand: roundhouse as a service. Yes, roundhouse as a service, so that's important. So I do not have two Twitter accounts. I see a lot of people with two different accounts; I don't roll like that. What you see is what you get if you follow me on Twitter. I focus on keeping it real; I have four LinkedIn endorsements for keeping it real, so if you are a connection with me, feel free to endorse me in keeping it real, roundhouse kicks and various other things. The thing is, there cannot be a discontinuity between your online brand and your actual brand. This isn't a problem if you're keeping it real; the only caveat to that is your reputation management goes up if you only have one account. And your brand is important. Ability is definitely important for people who are looking for security jobs; your ability is definitely important, but how you are as a person, how you fit the company's culture, is even more important in my mind. And the only problem with Twitter and social media is it's a great way to broadcast negativity; I try to avoid it at all costs.

The second approach I do is I turn into a dog and I put my hand on another dog, so it's being personable, right? So Dale Carnegie talks about a principle that's in his book How to Win Friends and Influence People: it's be interested. Get to know people, get to know their interests beyond security. I mean, we're all here because we're very interested in security, but don't stop at "what do you do in security"; get to know them. Like I know Bill loves moonshine, especially legal. Yeah, the more legal the better is my philosophy. And it's funny because people talk about their Klout scores; I'm like, why do you care about that stuff? What I care about is how well I know people; that's sort of how I measure that stuff. So the next approach is situational awareness, and guys with guns. I break this down in two parts. It's emotional intelligence; so how do you define emotional intelligence? It's the ability to empathize and to hope. How I define it is knowing how someone will feel in response to what I do, and the second part is knowing what's going on with everyone at all times, so that's situational awareness. So what do I mean by that? It's kind of strange I even have to say it, but I tend to focus heavily on it: if one of my security buddies has a new job or just got married or got a new puppy or something, ask about it. That's so important in influencing and building better friendships. And the last thing that I really focus on is avoiding the battles. I mean, we never see drama in security, right? At all, not once. Dale Carnegie says don't criticize, condemn or complain, and that's key, right? Drama may be entertaining; whenever there's drama we post pictures of popcorn and we're like, yes, drama, but is it constructive? I don't see much constructive feedback when people are going off on each other. I think feedback is important, but criticism without feedback is not effective. So what I'll leave it at is: avoid the battle, win the war. So our war is facing security challenges, building a strong community, and working together and teaching each other.

So that's all I have today. So we have a little bit about personality type stuff and a little bit of data. I'm going to continuously build that data set. I need to release it; I keep saying that I'll release that data, but I get lazy and don't do it, so I'll do that. And then sort of my approach. So my call to action is build your approach for influencing and making friends within the community. Give someone a hug today; we'll be lining up to get awkward hugs. So my contact information: I'm Jimmy V on Twitter. Shoot me an email if you have any questions or feedback, Jimmy roundhouse doin. I'm votch on Freenode; I hang out in the myc room and the High Hack Society. Thank you.
started. Ron Parker, our next talk. You guys want to find... Okay, give y'all a chance to crawl over couches and get all
settled. I handed out, just before I started, a couple of key pads; if anybody wants any more of these to give that a try, just raise your hand and I'll throw some back there, and that way you'd just pass these; that way you got one of the blue sheets. What you're actually looking at on the little sheets that were passed around was an actual one-time pad, and a one-time pad has been around since about 1917. It's just a very simple cipher, very easy to use, but it was actually used in the Cold War and even later on, and it turns out it's got some pretty cool characteristics to it, because mathematically, when you look at this, every character is not related to any other character. So from a cryptography standpoint it was a great thing to have because there was no relation. They would actually build small little one-time pads of these keys, hide them in all types of things, microfilm, microfiche, all types of places, hand those out; one spy would give to another, and then they could use one sheet at a time. I actually brought one; this one's actually huge, it's really big, but if you look at it, it's got the numbers on here, and they would use one sheet at a time and they would pull it off, eat it, burn it, do something with it to destroy it, because the only thing that makes this not safe is to actually use the pad more than once. And so the cool part about this is, I got to looking at that, and it's a great thing if you're just getting into cryptography, just looking at cryptography; one-time pads are a great thing to look at because it includes all of the important things about cryptography: it includes key distribution, how important randomness is, the cipher; it includes also everything about the actual algorithm and everything else in there. Plus you do cool stuff like this, because what I actually did was I took my Raspberry Pi at home; it actually has a hardware random number generator built into the ARM. Unlike most random number generators that are all mathematical in nature, this actually uses quantum tunneling. That sounds really cool, doesn't it? But actually it's just some electrons jumping around, kind of acting a certain way; they're both random and not random at the same time. And so with my Raspberry Pi I actually generated a couple million bits, wrote some quick... oh, I got to tell you right now, if there are any Pythonistas out in the crowd, if we got anybody who's really a stickler on this, don't be looking at my Python code, just assume it's good, okay? If you see someone pass out, I'll know exactly what you're passing out from. So I took my million bits, broke them out five bits at a time, made up my own alphabet, generated a bunch of these pages, slapped it in a book, and that's what you were actually looking at. So if you're looking for a project, that's a pretty neat little thing to play with and talk about. And there's also, if you really want to geek around with this, there's actually a movie out called The Numbers Station; it's actually got something to do with one-time pads, but it's not that great of a movie, but hey, you need to see it.

Actually, my name is Ron Parker. I'm here to talk about when to use, and really how to use, cryptography. If you came in as a
cryptographic expert you'll leave as a cryptographic expert; otherwise don't expect much. Honestly, this is what it is. I'm actually in the insurance business; I've been in the insurance business for about 20 years. I'm a security architect for a Fortune 250-something company. I've got 12 to 15 years of security and risk management experience, and so that's kind of my background, a lot of programming, a lot of that kind of stuff in there. And I do have to reach down for my water bottle there. And so in this short talk we're going to actually talk about cryptography. It is foundational. When we look at our jobs and what we do every day, a lot of times we worry about physical locks; we got guys back in here breaking locks, we've got guys working on blinky boxes, we got other people doing all kinds of stuff, but at the end of the day really the only way that you can really protect your data is to add some of this at that data level, because eventually they're going to get past the blinky boxes, they're going to get past the locked doors, they're going to get past all those things. So eventually cryptography comes into play in what you're doing.

So obviously the next thing that we need to talk about and look at is cooking, because years ago I figured out I like to eat, and I figured out along with that eating that hey, if I cook, that goes with eating, so I really do enjoy cooking. And so one of my favorite dishes, and this is kind of what we're going to go through, one of my favorite dishes actually has three simple ingredients, three: it has milk, it has flour, and it has lard, of course. So those are my three simple ingredients for my very favorite dish, and if you'll look, what all can you do with those types of things? So we could look at those three ingredients and go, hey, Ron would really like... no, no, that ain't happening; that's no good, that's not what we want out of those three simple ingredients. I'm talking about the sky opens up, rainbows appear, yes, you guessed it: gravy and biscuits. Look at this, what we've got is gravy; you actually make gravy. Now think about this: you put grease, flour, milk in a pan and you stir, stir, stir, you have gravy. To make biscuits, I take flour, grease, milk, I put in a bowl, I stir, put in the oven, and I end up with biscuits. Then I take and put those two things together and I come up with this spectacularly amazing dish; it's that good. So what we've got to look at is these were three simple ingredients, and I used them a certain way, put them together a certain way, and came up with a certain result. And that brings us to our problem. When we really look at our problem, when we're starting to talk about cryptography, it's that I've got no easy guaranteed results by looking at the ingredients. If you were to look at cryptography, I've got all these simple primitives, I've got many simple ingredients, many simple tools; I could go through there and point out all these tools, all these simple things, but the problem is the result that I get may not be what I want; it may not be what I expected. So when we're talking then, do we know what we want from cryptography? Can you go and describe to the person next to you what your desire is, or your end result or your expected result is? Are you using the same terminology? Do you have the correct tool? Now the tool conversation has totally changed in the last couple of years; just in the last couple weeks we can go backwards and talk about what happened to True, the NSA, RSA; we can kind of back our way through all this and we're not even too sure about the tools we're using. So there's a lot of things we need to look at with tools. But even if we assume that all that's okay, do you know the proper steps, the proper order to put those in, just like the gravy and biscuits dish? Do you have the simple ingredients? Do you know how to do that?

So we're going to look at a really quick demo here, to actually take a very simple case. You hear this all the time: how do we look at passwords really quick, store those passwords or the hashes of those passwords, and then figure out and verify those? And I'm just going to look at a small piece of this, because that comes up all the time: how do you safely store a password and check it later on? So a quick 17 screens later... and I'm going too fast, it's danger, danger. There we go. So what we're going to look at is a piece of code here, and once again, don't look too much... make sure that's there. So you go out to your local crypto closet, and I apologize, it is a demo. What's the next word in the dictionary past demo? Disaster, you're right; they come really close. There we go, you can tell I was kind of nervous and getting ahead of myself. So I go to my crypto closet and I grab a hash that I'm looking for, and that particular hash happens to be SHA-256. What is that? That's a really good hash; it returns a 256-bit hash, so I can basically feed it information and it's going to give me that hash back. It's approved, it's a good one to use, and it just seemed like the right thing to do. So I'm going to go pass it my password, I'm going to create that hash, show you what it is just to give you an idea, then I'm going to go do that a thousand times. Zach, pretty straightforward, I think. So let's start again. There it is, there's your actual hash that came back from the password, and there's a thousand of them. So what we did is... I also didn't mention, I did salt that in a very poor way by adding the number to the end of it, just so they'd be different. But that was a thousand; you look at that, you go, well, it worked, I have hashes of all my passwords, everything looks good, now I'm great. No, actually this is bad; this is really bad. The reason it's bad is look how quickly I just ran through a thousand of these in this very slow language, displaying them on the screen. This isn't a good algorithm to use if you're trying to prevent people from going through your database and trying to determine and guess your hashes, because it's so quick it allows me to use a graphics processor, it allows me to use other pieces to fly through these at billions of them a second. So great primitive, really works, not the one I should have used.

So let's go look at another one. This happens to be bcrypt. I just picked bcrypt; there's a couple more out there, you could use different ones. Same thing: I'm going to take bcrypt and generate a salt, generate a hash, because that's the way bcrypt works. I'm going to show you what that is, then I'm going to generate 10 of them, 10, just 10, not thousands. So there's the first... well, you see me again. So there it is, and if you'll notice, the first line is the salt up there. The way it looks is the first two characters, the 2a, is actually bcrypt's algorithm; the 13, the next past that, is actually the cost of this, so I can actually adjust how slow I want bcrypt to run; I can say how computationally intensive I want it to be. The next 22 characters or so is the salt, then the rest of it's the hash. So now let's generate 10 of those. We ready? There we go. Now looking at this, this is 10, very slow, glacially slow, and if I was a hacker trying to come into a database, trying to look at whatever it is, I can't fly through millions and billions of these a minute. So knowing the right algorithm to pick, even though both of these were primitives, both of these were simple to use, is very important. You may have both of these at your disposal, but which one you use makes all the difference in the world. Which was the first one? It was just a SHA-256, just the normal everyday government-approved one. And how do we win the argument with our developers about performance on web servers? And there is a tradeoff; so that's why we have to do performance testing and you have to have a discussion with whoever is going to be your security SME, right? You got to look at your subject matter expert, and there has to be a tradeoff, because what you'll do is you'll adjust that 13, and maybe it needs to be eight, maybe it needs to be 14. It's actually an exponential number, so you have to be careful; if you go to 14 it may take, depending on the hardware, it could be minutes. So that's a discussion. And we're back up, and it's even changing; that's amazing.

So the recap here, really looking at this, is cryptography primitives are easy to use; that's the big deal. The problem is implementing cryptography, as everyone tells you, is actually hard, and that's what we can't take casually. So we actually need an approach to this; we need a way to come at this that will help ensure where we're going. So what we want to look at then is how do I get to explicit results. When I was talking about the biscuits and gravy earlier, I had explicit results in mind: I was not looking for a cracker, I was looking for biscuits and gravy. So when I'm looking at that particular approach, we have to think how, what does it matter about the explicit results, how do I get there? So going back to cooking, when you hear someone say "cut," well, you normally say "cut what?" And of course you come back and say, "well, cut carrots." That makes perfectly good sense until, if you happen to have some cooking skills, you may step back and look at that and think, what did you mean just then? Did you mean to dice, slice? What did you mean? Was I supposed to julienne those? You know, small chop? How was I supposed to do that?
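The one-time pad the speaker handed out earlier in the talk, as an added example that is not his code: random bits cut five at a time onto a 32-symbol alphabet, one page per message, and the reuse problem he mentions made concrete. os.urandom stands in for the Raspberry Pi hardware RNG; the alphabet, the function names, the PadBook class and the sample messages are assumptions.

```python
import os

# 32 symbols, so every symbol maps to exactly one 5-bit group of pad bits.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ .,?!-"
SYMBOLS = len(ALPHABET)          # 32
BITS_PER_SYMBOL = 5


def bits_to_pad(bits: str) -> list[int]:
    """Cut a string of '0'/'1' characters into 5-bit groups, one pad symbol each.
    A trailing partial group is discarded rather than padded with non-random bits."""
    usable = len(bits) - len(bits) % BITS_PER_SYMBOL
    return [int(bits[i:i + BITS_PER_SYMBOL], 2) for i in range(0, usable, BITS_PER_SYMBOL)]


def random_bits(n_bits: int) -> str:
    """os.urandom stands in for the Raspberry Pi hardware RNG (assumption)."""
    raw = os.urandom((n_bits + 7) // 8)
    return "".join(f"{b:08b}" for b in raw)[:n_bits]


def generate_page(n_symbols: int) -> list[int]:
    return bits_to_pad(random_bits(n_symbols * BITS_PER_SYMBOL))


def encode(text: str) -> list[int]:
    return [ALPHABET.index(ch) for ch in text.upper()]


def decode(symbols: list[int]) -> str:
    return "".join(ALPHABET[s] for s in symbols)


def encrypt(plaintext: str, page: list[int]) -> list[int]:
    """c_i = (p_i + k_i) mod 32. Refuses to stretch a short page: a pad is never reused."""
    p = encode(plaintext)
    if len(page) < len(p):
        raise ValueError("pad page shorter than message; use a new page, never reuse one")
    return [(pi + ki) % SYMBOLS for pi, ki in zip(p, page)]


def decrypt(ciphertext: list[int], page: list[int]) -> str:
    if len(page) < len(ciphertext):
        raise ValueError("pad page shorter than ciphertext")
    return decode([(ci - ki) % SYMBOLS for ci, ki in zip(ciphertext, page)])


class PadBook:
    """The booklet: each page is torn off exactly once and is then gone ('eat it, burn it')."""

    def __init__(self, pages: int, page_len: int) -> None:
        self._pages = [generate_page(page_len) for _ in range(pages)]

    def pages_left(self) -> int:
        return len(self._pages)

    def tear_off(self) -> list[int]:
        if not self._pages:
            raise RuntimeError("pad exhausted: issue a new pad rather than reuse a page")
        return self._pages.pop(0)


def reuse_leak(c1: list[int], c2: list[int]) -> list[int]:
    """Why one use only: if two messages share a page, (c1 - c2) mod 32 equals
    (p1 - p2) mod 32, so the key cancels and an observer learns the relation between
    the two plaintexts without knowing a single pad symbol."""
    return [(a - b) % SYMBOLS for a, b in zip(c1, c2)]


if __name__ == "__main__":
    book = PadBook(pages=3, page_len=40)
    page = book.tear_off()          # constructed sample message below
    ct = encrypt("Meet at the bridge at noon.", page)
    print(ct)
    print(decrypt(ct, page))
```

The modular-addition form is used instead of XOR so the pad pages read as numbers, like the printed sheets; the reuse_leak helper is the check to run if you ever wonder whether a page was spent twice.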
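The password-storage demo from earlier in the talk, as an added example that is not the speaker's code: the fast SHA-256-with-counter loop beside a slow, salted, cost-tunable hash. The talk used bcrypt (a third-party package); this uses hashlib.pbkdf2_hmac from the standard library as a stand-in, with 2**cost iterations so the cost parameter is exponential like bcrypt's, and adds the two pieces a practitioner wants around the cost discussion: a verifier that reads the cost back from the stored record, and a needs_rehash check for records hashed under an older, lower cost. The record layout, function names and sample passwords are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time


def fast_hashes(password: str, n: int) -> list[str]:
    """The first demo: plain SHA-256 with a counter appended as a (poor) salt.
    The primitive is fine; the problem is that it is cheap, so a guess can be
    tested at the same speed this loop runs, and far faster on a GPU."""
    return [hashlib.sha256((password + str(i)).encode()).hexdigest() for i in range(n)]


# bcrypt's "$2a$13$" cost is a log2 work factor; mirrored here as 2**cost PBKDF2 rounds.
DEFAULT_COST = 13
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, cost: int = DEFAULT_COST) -> str:
    """Self-describing record 'pbkdf2_sha256$<cost>$<salt>$<hash>', like the bcrypt
    string the speaker walks through: the verifier reads the cost back from the record,
    so old records still verify after the policy cost is raised."""
    salt = os.urandom(SALT_BYTES)                  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "$".join(["pbkdf2_sha256", str(cost), _b64(salt), _b64(dk)])


def verify_password(password: str, record: str) -> bool:
    algo, cost, salt, expected = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt), 2 ** int(cost))
    return hmac.compare_digest(dk, base64.b64decode(expected))   # constant-time compare


def needs_rehash(record: str, current_cost: int = DEFAULT_COST) -> bool:
    """True when the stored cost is below current policy: re-hash on the next successful login."""
    return int(record.split("$")[1]) < current_cost


def benchmark_cost(cost: int, samples: int = 3) -> float:
    """Seconds per hash at this cost on this hardware; this is the number to take into
    the performance discussion with developers before settling on 8, 13 or 14."""
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("benchmark-only", cost)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    start = time.perf_counter()
    fast_hashes("hunter2", 1000)                   # constructed sample password
    print(f"1000 x SHA-256: {time.perf_counter() - start:.4f} s")
    for cost in (8, 13):
        print(f"cost {cost}: {benchmark_cost(cost, samples=2):.4f} s per hash")
    rec = hash_password("hunter2")
    print(rec, verify_password("hunter2", rec), verify_password("hunter3", rec))
```

Run it once on the actual web-server hardware and read the per-hash time off benchmark_cost before arguing about the cost value; the needs_rehash check is what lets you raise that value later without a forced password reset.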
well you can't really Shi an a carot but you can you can do the broom WS down there but but what what did you mean when you when you said that the problem we need we need to be more explicit being more explicit with cryptography is actually a good thing so we need to look at the vocabulary the context and information gathering we need to as a group if you're dealing with cryptography you need to sit down and think about where's this coming from what sending it what's the target of my cryptography is it a message is it something else what are the mechanics of the algorithm what what are the different mediums or states that
it's at is it going to be at transported is it going to be at rest how's it going to work and then finally the recipient and we have to think about the specifics of things like do I need to authenticate the recipient do I need to authenticate the cender does the Integrity of the message matter you know all those things matter and we need to have a vocabulary amongst oursel and amongst our group otherwise if we miss one of these important attributes we could be just you know you could be totally off you could get a cracker instead of your your biscuit so when we hear this we hear things like from from our business I I work in a
corporate environment so I hear things like I need to protect my data you know that needs to be private hear that all the time the service provider must encrypt all non-public data and transit to I'd never hear that that's the that's the state of Delaware you know that has nothing to do you'll never hear hear our people say that so what do we do we actually need to take our vocabulary that we talked about a minute ago those attributes and we need to put what the business or what our customer or what our project is saying we need to put it in context and really map it to these things and that's not a casual thing that's actually kind
of hard and we don't spend enough time thinking about that we we may just take the word secure it well that's no good that doesn't actually tell me what to do it doesn't tell me what tool to use so you think about it how many times have you seen one of these you know every time that you sit down at a restaurant what happens not every time because sometimes you're driving through and you yes I want fries with that but I mean sometimes when you actually go in and you sit down at a diner you know you've got someone who comes out and they they give you a menu you look at a menu then
then you start rattling off all this crazy stuff you want eggs over easy not this not that and they're writing but what they're writing is probably not what you're saying they have their own notation and everyone in that kitchen knows that notation and so the important thing is when they walk away that they know your require their requirements but those requirements have to be in context and have have to be ready to be used so for us we need to be gathering this it doesn't matter whether you are an agile shop or a whatever shop if you're using you know story cards or napkins or use cases whatever you're using you need to have some method to gather those
requirements and make it consistent from time to time so when we do look at it we get at the end of the day we can say I have explicit requirements I can say I want you to Julian those carrots no question about what I meant so explicit requirements as part of an approach to explicit results sounds very simple hopefully so moving forward now that you actually have those requirements what does that mean you may have tools the tool may be bad may be good we don't know your industry I happen to work in a regulated industry that means everyone is my boss every state government every Federal whatever is my boss and I have to listen to everything they say
so I have to look at what does the industry require if you're in the federal government you've got nist and fips and fed ramp and all these other pieces to look at you know key handling can be complicated and most people don't think about the full life cycle so we've got all this stuff to think about so what do you need to do in order to get ready well what you actually need to do is much like what they do in restaurants if I go out and I go to my favorite Chinese restaurant and I order House special orange beef I expect it to taste like it did the last time I came and it should look the same
if it comes out and looks like it popped out of a TV dinner one time, and the next time looks like a five-star dinner, something's wrong; the consistency is not there. What does the kitchen do, what does the cook do, what does that restaurant do? Because they have culinary knowledge, they have equipment, they have the menu knowledge, they have the recipe knowledge; all of that is there. What they have done is they have set things in place, they have tidied up their work environment, and that's the whole mise en place thing here, which is really just French for "set in place," and that's what we need to do if we're working with cryptography: we need to get our stuff in order. That's really what it means.

So that's the second part of this approach, a consistent implementation, and the two pieces of that consistent implementation are really standards and what, for now, we're just going to call recipes, and that will push us down the road. "Standards" is an overloaded word, but I'm going to use it anyway. There are ISO standards, there are measuring-cup standards, there are standards out there like standard measures and weights, but really what we're looking for is a document, or a place of documentation, that actually tells us who in the company is my security contact for crypto, or whether it's external, because if you work in a big team you need to know who to talk to when it comes to this type of stuff. You also need to define your vocabulary, and you need to spend some time on that so everyone can be consistent. Also put out how not to approach it, and so forth; know what you have to do and not do for certain cases. If it's data at rest or data in transit, you can describe what needs to happen there, and also the algorithms to avoid, and that list is growing every day; it seems to be growing faster than our other list. So what should we do, how do we handle keys? We could take all of this, and really what it does is it sucks the creativity and guesswork out of a lot of your cryptography. I know all you creative people see that and go "oh," but that's actually what you want. You don't want creativity here; you want consistency. You want the ability to... if all twelve of you... just think about Heartbleed. I hate to say Heartbleed, it's been overused, but when you think about that, do you know what types of cryptography and encryption are used, and where? So if you do find a problem with it, you'll know exactly what to fix. If all twelve of you did twelve different things, now you've got twelve different vulnerabilities, twelve patches, twelve, twelve, twelve; that's just not the way to go about it. So really what we're looking for is a way to bring all that together in one place, and once we do that, then we can come around to: okay, I've got these tools, I've got a place to work, I know my boundary, what am I actually doing? Well, that's really where a
recipe comes in, because think about what a recipe is. I pull up a recipe and it says what I actually want to make; it includes ingredients, it includes directions, it includes kitchen configuration, because that's what setting a temperature on an oven is, that's kitchen configuration, we just don't think of it that way. But the problem is, this is most of our recipes that we have right now: if we were to go look in our current businesses, this is kind of what we do today. It's all in your head, every bit of it is in your head, and if you went to your granny or your great aunt, she might have cooked a hundred different things, but she probably didn't write down any of the recipes. The problem with that was that she was the only one who could cook it, and we don't need to be in that situation. We need to be in a situation where we're not doing this, where we're not just getting there any way we can. So what we can do then is find those patterns, find the topics. For example, when we looked earlier at how I verify a saved password, that should be written down; that should be a recipe for your area, for your group, for your business. When you look at how I send a confidential message to an authenticated recipient and am able to verify the integrity of that message, that needs to be written down for your company: how you do that. So if you're a new person coming in, if you've just never worked with cryptography, it's all there for you; you can look at it and it's there. That's why we would build these recipes. We could then take the expected result, what the inputs would be, which is the same as the ingredients, the algorithms needed, what specific tools you need and so forth, to actually build out information, and then we could take that information and I would build the equivalent of a cookbook. Actually, I wouldn't even do that; I'd put this on a wiki.
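As an added, worked illustration of what one of these written-down recipes looks like once it is carried all the way into code (editor-supplied example in Go, not the speaker's or his company's): the shared-key variant of "send a confidential message and let the recipient verify its integrity", with the recipe's inputs, algorithm, output layout and things-to-avoid stated in the header comment and enforced by the functions. Every concrete choice here is an assumption made for the illustration: AES-256-GCM as the algorithm, the nonce || ciphertext || tag layout, the context string used as associated data, and the sample key and message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Recipe (written down, as the talk asks): "send a confidential message that
// the recipient can check for integrity", shared-key variant.
//   Inputs:     key  - 32 random bytes (NewMessageKey or your key service)
//               aad  - context both sides agree on, e.g. "sender|recipient|purpose";
//                      it is authenticated but not encrypted
//               plaintext
//   Algorithm:  AES-256-GCM with a fresh 96-bit random nonce per message
//   Output:     nonce || ciphertext || 16-byte tag, one opaque byte slice
//   Avoid:      reusing a nonce under one key, CBC without a MAC, hand-rolled modes
// Everything in this file is an assumed, illustrative choice, not the speaker's.

const (
	keyLen   = 32 // AES-256 key size in bytes
	nonceLen = 12 // GCM's standard nonce size in bytes
)

var errEnvelopeTooShort = errors.New("envelope shorter than nonce plus tag")

// NewMessageKey draws a fresh 256-bit key from the operating system's CSPRNG.
func NewMessageKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM enforces the recipe's key size and builds the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage returns nonce || ciphertext || tag. A new random nonce is drawn on
// every call, so sealing the same plaintext twice gives two different envelopes.
func SealMessage(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce ends up in front of the
	// ciphertext and tag in a single buffer.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenMessage checks the tag over ciphertext and aad before releasing any
// plaintext; a single modified byte, or a different aad, yields an error.
func OpenMessage(key, aad, envelope []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < nonceLen+gcm.Overhead() {
		return nil, errEnvelopeTooShort
	}
	return gcm.Open(nil, envelope[:nonceLen], envelope[nonceLen:], aad)
}

func main() {
	key, err := NewMessageKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("payroll-service|ledger-service|transfer-v1") // constructed context
	env, err := SealMessage(key, aad, []byte("pay alice 100.00"))   // constructed message
	if err != nil {
		panic(err)
	}
	pt, err := OpenMessage(key, aad, env)
	fmt.Printf("recipient decrypted %q (err=%v)\n", pt, err)

	env[len(env)-1] ^= 0x01 // an attacker flips one bit of the tag in transit
	_, err = OpenMessage(key, aad, env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The point of the header comment is that it is the recipe: a new team member reads inputs, algorithm, output layout and the avoid-list in one place, and the functions refuse anything that deviates (wrong key length, truncated envelope, modified bytes, mismatched context). The "authenticated recipient" part of the talk's example is out of scope for a shared-key recipe; a public-key variant would be written down the same way with its own inputs and avoid-list.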
I would take everything that I've just gone through saying, from the very beginning, and build a crypto wiki, and in that I could actually build my standards, build my direction, build what tools I can use. I'd put it all in there, right there, where you could have a set of people go in and vet that out, and if there were any changes it'd be one place to change, and it's not some big lumbering document that you've got to carry around. So I would honestly suggest doing that. And finally, that really does bring our approach to the explicit results, because if you think about it, if you start off not knowing what you want, you'll never get what you expect, because it doesn't make sense. But with knowing what you want, and a consistent implementation, it's going to be much easier for you as a security professional to make sure the level of assurance is higher, because that's really what we're talking about. When my bosses come to me and my business comes to me, they're asking me for a level of assurance: how safe is this, how good is this, what is the level? And hopefully with this approach you can raise that level of assurance. Really, that's what I wanted to give you today: that
approach, not individual pieces, because we could talk all day on that. The more important piece is for you to actually have a way to approach it, and a way to raise that level of assurance. And so you didn't know: the final thing, the secret sauce to cryptography, is milk gravy. Yes, that's right, you got it. Okay, I was just seeing if you were paying attention. Any questions, comments? Throw anything.

What's your take on password savers like KeePass?

KeePass... there are a couple of password savers out there. I actually use a password saver, because honestly my theory is I cannot keep up. I use a YubiKey. Have you seen a YubiKey? Get a YubiKey. YubiKeys are cool things. You can get a YubiKey from Yubico, and basically it's just a keyboard stuffer; it's a very small fob. You can go look that up and shoot me a note, say, you find me, I'm Secret Chipmunk on Twitter, SC monk, or you go to secretchipmunk.is. You really just about have to do something, because the number of passwords that we need, and the complexity that they really need to be at, you can't keep in your head. So you're going to have to trust something; you do, because it's just a complicated world.

So, there was a report from Google that tells people to [unclear] their email with...

Yeah, I don't know. Here's my problem with that, and I'm going to use TrueCrypt as an example. When we look at TrueCrypt, for all those years it really wasn't open source, we really didn't pay for it, and it really wasn't commercial, and so now when TrueCrypt bellied up, everyone kind of had the "oh my goodness," but yet at the same time we weren't really paying for it. It wasn't really open source to where I could control it; it was "source open." You could see what it was, but you really couldn't own it, right? It was not a community effort the same as the rest; it was anonymously built, which you had to... licensing issues, and the licensing issues. So when we look at Gmail, what I worry about with Gmail is: what am I paying for? How do they make their money, what do they do with the data? And so no matter what I'm doing, I do have issues with that, period. I have bigger issues than what you do with the actual email.

TrueCrypt was interesting because it provided two other things that nothing else did. One was cross-platform archives, and the other was the concept of data hiding within an archive.

Absolutely, yeah.

Which, with the other privacy concerns, especially if you do any international travel, that was I think the bigger thing, and that's also one of the first things they stripped out when they started. So I think there isn't anything else
that competes with that; BitLocker is not it.

I will say that, talking about the danger of creativity in cryptography, and just kind of listening to people talking about, oh yeah, our shops develop our own cryptography or whatever, and something gets released and immediately blows whatever... but at the same time, the last couple of weeks I've heard somebody's announced that there's possibly a chink in the armor [unclear]...

But the difference is, the big difference there is, when I take and invent, you know, the Secret Chipmunk cipher, the problem with the Secret Chipmunk cipher is I have two eyes, and I may have a couple of buddies who look at it. When we at least go through NIST, now you can say what you want about NIST, when they go through that process they at least get a lot of smart people to look at that. The algorithm needs to be open, the algorithm needs to be on the table, and everyone needs to understand the algorithm, because you're not protecting the algorithm, you're protecting the key. And so when you create your own, you don't have the same level of assurance and vetting, and that's one of the first rules of cryptography: don't do your own. That's number one, don't do it, go find something else to do. And definitely this talk was not for cryptographers; this talk was just for us general people out there trying to use what was already there.

So, back on the serious topic of biscuits and gravy: what's your take, sausage?

I'm more of a no-sausage person, because I think there is a... yeah, I know, you just lost credibility. No, no, I have no problem using sausage grease to make my gravy, okay? That is just a different type of gravy. I see it as two different types of gravy; both of them equally have their place. But honestly, when I'm really talking about biscuits and gravy, I think there's something to that.

Yeah, you mentioned earlier putting all your internal knowledge on a wiki. What arguments do you use to sell this openness to your team and your superiors and to your organization, to actually go through that effort, to put things out in the open so that your process is transparent?

Well, if you don't have... and when I say open, it can be a closed wiki for your team, so that's okay, but still it's a degree of openness. It is, but the problem is, to me, it's worse if I have tribal knowledge. Does that mean I'm operating off tribal knowledge at that point, and everyone is holding something in their head, but I'm not too sure what it is? To me, that's a much more dangerous thing. When it comes to... think about what's happened lately: patching, vulnerability management, just knowing what algorithms and procedures I have where. To me, you ought to be able to sit down and draw a case out for that, especially to say this is much more dangerous and costly if I do have to patch or fix or do anything like that. So I think there's an argument. If you want to have a longer conversation, be sure and
shoot me a note, seriously.

If you want a real-world example to offer to management, point out the case of a security guy that goes and designs... maybe he uses the right methodology, but he's the only one that knows how the cryptography works, and if he leaves the agency... he knows everything about that crypto system, he knows how to backdoor it, and nobody else knows how to stop it.

Lots... there's lots of ways. If the team knows, then at least the entire team knows how to... right, there's a transparency. Level of assurance and transparency is really what you're looking for. I like that, yeah, as an argument toward levels of assurance.

Easy way: make it part of your disaster recovery plan. And that's the crazy thing that I guarantee probably 90% of the people in this room have not done.

If you have any... that's a great idea. That is a good idea.

What happens if one of these guys dies in a car? What happens if this guy gets stuck and he can't come in? It's amazing how many people have shops put together and they realize, I haven't thought about security, I haven't thought about development, because you realize everybody has the whole... a couple of developers that they rely on heavily. But if you don't carve out those roles in the contingency plan, you can really...

We actually have key resource dependencies. They actually tag people in our company who are key resources, because you actually don't want key resources, and so you try to minimize those. And that's a DR thing. That's a great point. Do we have time for any more questions, or are we good? Did anybody work through another question?

Did you start out in the military doing signal analysis and crypto, or no?

No, not at all. No, no, not at all. I am ground-up just security, everywhere, all the time, homegrown. That's scary, isn't it? That's why you all heard me say a hundred times, get someone who's smart to vet this out. Back in the corner there.

You see any chance for something like PGP encryption for email, with private keys and stuff, ever actually working?

If you could make that work where I can explain it to my mother and father, and it's built into the OS and built into the system, then I think it's going to work. Otherwise, if they have to actually maintain keys, or have a notion of what a key is, or lifecycles, or disposal, I don't see how. I think people in this room could get it, but extend that out to the rest of the world, and I don't know how.

I think you're [unclear] with it in college, and the only people I can get to actually use it... for the other people... I think you're right.

Yeah, so I would say to that that everyday people using that aren't IT experts. They aren't experts, they don't understand how PGP works, they don't understand how it needs to be... and it really is a matter of making it default, that OSes and services just default to using it. It's like a smart card: if my company issues me a smart card and puts a certificate on it, I don't actually have to know that the certificate's there. I need someone or something to manage that certificate, manage that life
cycle, to make it to where I don't know that it's there, but usable.

So the government classifies strong cryptography as munitions, and industry classifies strong cryptography as required for business. So where do you see that smackdown going?

That's a great question. I'll tell you what's happened in the last couple of years: if you look at NIST 800-53 revision 4, if you'll actually look at that, what they finally got around to doing was they figured out privacy was important. So this is like the first inkling that we're seeing coming out of the government about privacy mattering, and that's really what commercial people care about, is the privacy. So I think you're going to see that... I don't know where they're going to go with it, the Cybersecurity Framework, all that other stuff. I think it's going to get to where they have to accommodate those other things, more than confidentiality, integrity and availability; there's more to it than that. So I think you're going to see that merge over the years; you see them slowly starting to accommodate that.

So do you think industry is pushing at all, or do you think...

I think... I know our industry, we're heavily regulated.
to start, but before that I have an announcement. The conversations that we just had, talking about PGP and how hard it is to get people to use it and all that stuff: I think we have a nice big collection of people from around the country, and maybe the world, here. You are a much more likely population to have PGP keys and know what they mean than most people, so why aren't we doing a key signing party? So what I want to do is, later on today, anybody who has a PGP fingerprint and a photo ID can come up and basically we'll do a key signing party. If you can get your PGP key fingerprint, if you don't have it with you now and you don't trust the wireless here, try to walk down the block and turn on Wi-Fi and get it, and a photo ID, then whoever wants to participate, we can exchange, hand out our key fingerprints and verify all our IDs, and then I'll take that, and whoever else takes that and goes home, we'll verify it later and sign it and send it back to you with our signatures attached. Let's get this party started. Like I said, we'll do this several hours from now, so go ahead and figure out how you can get your key fingerprint between now and then in a way that you trust, and let's increase our own web of trust.

That's a great idea, thank you. I really appreciate that. All right, so first a big thanks to Daniel and company for having me out. Really impressed that we're doing this here in my adopted hometown; originally from Charlotte, but I love it here. I'm glad you all came out, so thank you for that. Big thanks to Jayson Street for the awkward hug; it's the first of my career. It could be a career ender, but I'm curious, I'm anxious to see where it's going to take me. So if you haven't seen it, check it out, pretty classic picture. So my name is Justin Troutman, from here in Asheville. I've done a lot of work over the past years with Vincent Rijmen, who you'll probably know is the guy who co-developed the Advanced Encryption Standard, so he's a pretty hard hitter as far as crypto goes. So basically over the years we've been looking at how cryptography fails to work in practice. When I first got started, I was really into the math, building algorithms, learning the algebra behind it, but then I realized that that's pretty much a solved problem. We're not really in the business of breaking cryptography at the mathematical level anymore, and that's evidenced by recent leaks about random number
generation being tainted by the NSA. What that tells me is that the NSA is trying to break the part that's universal: if we can taint the keys and weaken cryptography, that works better than trying to break individual algorithms. So over the past few decades we migrated from breaking math to breaking implementations. So that's what got me obsessed about implementation, but then I got to thinking about that too: even if we harden cryptographic implementations, nobody's using cryptography, and PGP is a prime example of that, how it's been around for 20-plus years but very few people actively use it. And why is that? We have strong cryptography available, people obviously care about security and privacy, so why are we not using this tool? So that's really one of the foundations behind this research: moving from the math being solved to the implementation still being kind of shoddy, but even if we solve that part, we have to really focus on the interfacing of cryptography, and that's the one part that we can't solve in the cryptographic community, because we're not user experience designers, we're not usability experts. Our community has lots of really good developers, lots of good mathematicians, but even if we get that part right, and even if we could build something remotely NSA-proof, if it looks like PGP nobody's going to use it. So that's sort of the launching pad for this work. Hope nobody has motion sickness, because they got a little crazy with [unclear].

All right, so it's hard to tell from here, but that's the tip of an iceberg. So after 20 years of cryptographic software, this is sort of where we are as far as the user experience goes: you almost have to have a PhD in cryptography to really benefit from it in practice. That may be a stretch, but at the same time, usability studies going back 10, 15 years have shown that even college-educated computer science students that have no background in security and privacy have a tough time understanding a lot of the concepts that take place, largely because there's no physical analog to the language we use in cryptography. So I like to start off with a quote, something slightly beautiful, more beautiful than most people find math. I love math, my wife hates it, so this was probably the easiest way to get her in tune with a lot of the work we're doing, but I think this quote sums up where we need to go and how we need to approach cryptography in the real world. Basically what he's saying is, instead of asking people to build a ship and work with tools, let's teach them to love the ocean, to long for the sea. And that's really what the consumer industry is built on. When I get in my car and I'm driving on a mountain road, I'm not thinking about internal combustion. If it depended on me to understand how that worked, I would probably have to take a bus, because I'm not a mechanic, I don't work in automotive engineering. I really want to get in the car and drive; I have things to do, places to go. And that's the disconnect we have in real-world crypto: we're asking people to care about the cryptography when, at the end of the day, that has nothing to do with what they're trying to accomplish. So this has got me in a little trouble, some people find this to be heresy, a lot of the purists in crypto,
when I say that real-world crypto has nothing to do with cryptography at all. Solving this problem is really going to be a matter of product design, because we already have the math, we have decent implementations that we're hardening all the time, so that stuff's been solved for the past 10, 20, 30 years in many regards, but we've never really looked at security and privacy, especially in the context of cryptography, as a matter of product design. For two good examples, well, the first one: Tylenol. If I get a headache, I go to CVS, look for the Tylenol label, it's a brand I know and trust, take it off the shelf, open it, instructions, take it, my headache's gone. That's a consumer success story. Somewhere in some lab there was a chemical compound sitting there that they knew would relieve headaches, but if they didn't have people that could turn it into a product and give it a brand, it wouldn't have turned into a billion-dollar pharmaceutical industry. So that's the gap we face now: we're still in the lab, we're still giving users the raw materials to put together. I probably would deal with a headache if I had to compound Tylenol myself; that would probably give me even more of a headache. But yes, that's really where we're at, but I think we're... we're in now.

So if real-world crypto is about products, which I firmly believe, that's where we'll find a lot of the answers; then that means it's about people, understanding the roles of people when it comes to security and privacy. So we really have three groups of people represented by real-world crypto. You've got cryptographers like me, who obsess about the math, obsess about the algorithms. You have developers, who may or may not know a lot about cryptography but are asked to implement it and have to work with it. Quick show of hands, anybody implemented cryptography sometime in their career? Depends on what you mean by implement: something as simple as calling an API saying "I want to use this to encrypt that." Okay, so most of you have dealt with it in some way, but at a very high level. It shouldn't be required that you understand what's taking place so much as having a safe surface to work with, so we have to respect that too, but I don't think we do. We still give developers a lot of raw pieces to try to put together and build ad hoc protocols, which tend to fall apart, but that's not the fault of the development community. And of course we have consumers. Now, when you think about what we ask consumers to do, we ask consumers to encrypt, authenticate, decrypt, verify. These are the same terms that I use as a cryptographer. So what we're doing now is looking at the language we're using for developers. There are really technical ways to describe what happens in a car as far as internal combustion, but for the consumer we just tell them to start the car. That's a very high-level abstraction, but it works. So why are we asking developers and consumers to work with language that really doesn't fit where they are in the process? So the golden rule going forward, if you're building crypto products or working with crypto or have any sort of influence over how crypto shapes up in
your organization: make sure you're respecting the individual roles of the people involved; make sure the language and the decisions you're asking them to make line up with their job descriptions, basically. So cryptographers expose way too much to developers. A prime example, another quick show of hands: who knows what ECB mode, CBC mode is? Okay, so you've probably heard by now, and you've probably seen the images of the Tux penguin that's encrypted with ECB versus CBC. So we know not to use ECB; it's a really bad mode, it's not even semantically secure, it leaks a lot of data regarding the plaintext, so we don't want to use that. CBC is probably the most commonly recommended block cipher mode of operation, so you would think that if you're using CBC you're automatically okay. But CBC takes what they call an initialization vector; that's what sort of starts the chain sequence, but there are some conditions imposed upon the initialization vector: it has to be unpredictable. If you use a fixed IV, you end up with something that's no better than ECB. So it really depends on this implementation detail that, as a developer, you may or may not know, because it's not really crucial to you programming it; it's crucial to us as cryptographers when we're building systems. But this is something we shouldn't be asking developers to do, and if I look at ten implementations, sometimes close to half use fixed IVs. They'll do things because it makes more sense from a programming standpoint, it's more efficient, it's easier to do, but since you're using CBC you should be okay. So that's sort of a fallacy we're trying to get around. I guess it's timely to mention TrueCrypt; I'm sure a lot of you have heard about the fate of TrueCrypt, so this is not a problem anymore, unfortunately. TrueCrypt's not asking users much of anything, unfortunately. But the good news, I think some folks in Switzerland are trying to keep it alive, so it may come back. But anyway, long live TrueCrypt! Yes, long live TrueCrypt!
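An added, worked illustration of the fixed-IV point just made (editor-supplied example in Go, not the speaker's): two records that share a 32-byte header are encrypted under the same key with ECB, with CBC under a constant IV, and with CBC under a fresh random IV per message. Counting the leading ciphertext blocks the two outputs have in common shows that the constant IV gives away exactly what ECB gives away, the equality of the common prefix, while a random IV hides it. The key, the two records and the all-zero IV are constructed for the demonstration; Go's standard crypto/aes and crypto/cipher packages are used as-is.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample data (not from the talk): two 48-byte records that share a
// 32-byte header, i.e. two full AES blocks, and differ only in the third block.
var (
	key  = []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 key
	hdr  = []byte("ACCOUNT-TRANSFER|FROM:alice     ") // 32 bytes, common to both
	msgA = bytes.Join([][]byte{hdr, []byte("|TO:bob|AMT:0010")}, nil)
	msgB = bytes.Join([][]byte{hdr, []byte("|TO:eve|AMT:9999")}, nil)
)

func mustCipher() cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// ecbEncrypt encrypts each block independently: the mode everyone knows to avoid.
func ecbEncrypt(pt []byte) []byte {
	b := mustCipher()
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}

// cbcEncrypt chains blocks starting from iv and returns only the ciphertext.
func cbcEncrypt(iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustCipher(), iv).CryptBlocks(out, pt)
	return out
}

// sharedPrefixBlocks counts how many leading 16-byte blocks two ciphertexts
// have in common, which is what a passive observer learns about the plaintexts.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// LeakWithECB: equal plaintext blocks give equal ciphertext blocks -> 2.
func LeakWithECB() int {
	return sharedPrefixBlocks(ecbEncrypt(msgA), ecbEncrypt(msgB))
}

// LeakWithFixedIV: the developer shortcut of a constant IV (all zeros here; a
// hard-coded non-zero constant behaves the same). The first block is
// E(P1 xor IV) and the chain stays identical for as long as the plaintexts
// agree -> 2, the same leak as ECB.
func LeakWithFixedIV() int {
	iv := make([]byte, aes.BlockSize)
	return sharedPrefixBlocks(cbcEncrypt(iv, msgA), cbcEncrypt(iv, msgB))
}

// LeakWithRandomIV: a fresh unpredictable IV per message (transmitted alongside
// the ciphertext in a real protocol) randomises the first block and everything
// chained after it -> 0, except with probability 2^-128.
func LeakWithRandomIV() int {
	ivA := make([]byte, aes.BlockSize)
	ivB := make([]byte, aes.BlockSize)
	for _, iv := range [][]byte{ivA, ivB} {
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
	}
	return sharedPrefixBlocks(cbcEncrypt(ivA, msgA), cbcEncrypt(ivB, msgB))
}

func main() {
	fmt.Println("ECB             shared leading blocks:", LeakWithECB())
	fmt.Println("CBC, fixed IV   shared leading blocks:", LeakWithFixedIV())
	fmt.Println("CBC, random IV  shared leading blocks:", LeakWithRandomIV())
}
```

ECB leaks equal blocks anywhere in a message, whereas fixed-IV CBC leaks only an equal prefix; the two counts coincide here because the common content sits at the front. Two caveats that follow from the talk's wording: the requirement is an unpredictable IV, not merely a unique one, so a counter-derived IV does not rescue CBC either; and none of the three variants authenticates anything, so a real design pairs CBC with a MAC or uses an AEAD mode.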
Who can tell me, let's say, the mathematical difference between the Advanced Encryption Standard and Twofish? I'll be really impressed. Anybody want to take a stab? Big numbers. Big numbers. So we're at an information security conference and you may or may not know the difference, and that's okay, because this is not a problem for developers to really understand; it's not part of that job description. But this is what we're asking end users to decide. I used to participate in the TrueCrypt forums; I was very critical, but only because I loved it and I wanted it to succeed. But then one day I couldn't log in, I couldn't get a response from the admin, so I'm sure my criticalness may or may not have been too appreciated. But I always said, why are you asking users to stress about which block cipher and which hash to use? Thread after thread on the forum was about which one's more secure, so we had lots of people saying things like, "Well, I really like snakes, so that's why I use Serpent." "AES was approved by NIST, so it must be backdoored, so I'm not going to use that." "But Twofish is by Bruce Schneier, and who else are you going to trust than the Chuck Norris of cryptography?" That's a pretty safe bet. So in reality it doesn't matter which one you use; if you're using one or using three together, this is not how people are going to break into TrueCrypt. They're going to snatch your key out of a hibernation file or some cache on the system; they're going to find an easy way, and those ways exist, and there's relatively cheap software out there that can siphon out key material while people are stressing about which algorithm they're going to use. So we need to stop showing cryptography to users, stop asking them to choose algorithms. My car doesn't ask me to choose anything that's under the hood; I just get in, stick the key in, start it, and I'm gone. That's how we reach consumers: not by asking them to make decisions that they really don't understand.

All right, so PGP is a great example. I'm also critical of PGP, but it's not really PGP's fault either. It's more or less that when we adopted PGP we kind of stopped there; we didn't really try to improve the user experience. Instead we tried to get people to just learn PGP the way it was: this is how it is, you have to learn it, and if you don't learn it then maybe you don't care, or maybe you're incompetent. So a lot of arguments have been started about why people don't use PGP, but I think it's a user experience problem. PGP was wonderful in the sense that it made strong cryptography available; that was a revolution at the time. We didn't have access to crypto software, let alone secure crypto software, but at that point, going forward, we should have said, okay, now we have it, but now we have to improve it, because there are lots of high-risk situations that still call for PGP: journalists working in oppressive environments, activists; you can go on and on about the situations where PGP is critical. But at the same time it's often used improperly. I know a study, I think it was probably 10, 12, 15 years ago, at Carnegie Mellon,
where they had computer science students, quite a few different groups represented, and people were accidentally uploading private keys to the server. You give them an hour and they're still doing things like sharing their private key, and that's not because they're incompetent; they're very, very bright people, but a lot of what's taking place isn't clear, and that's simply because PGP was the first incarnation of strong cryptography. There are going to be rough edges, but that's where we have to sort of adapt and learn to speak to the user experience community, to try to solve this in a way that can reach the masses.

So a timeline here. 1991, PGP: the source code hits Usenet. That's a long time ago. Eight years later the first paper comes out referencing that study I mentioned, "Why Johnny Can't Encrypt." So basically they conclude that five versions in, really nobody can use cryptography, or use PGP, which in this case was really all of cryptography at the time. 2006, "Why Johnny Still Can't Encrypt." So we're almost ten versions in, and the user base hasn't grown; people are still having trouble with it. So there are lots of conclusions you can draw from this. You could say that, okay, well, everyone's stupid, they just can't use PGP; that's not reasonable. But at very few points along the way did people stop and think, well, maybe the whole model of PGP is wrong. Maybe it works for a very small set of people who are willing to put up with it, or work in environments where they have to set it up, they have no choice, like activism, journalism, where this is the best we have, so we have to make it work. But the campaign, the cypherpunk dream of crypto for the masses, is just not going to be realized with tools like PGP staying the way they are. You can tell me that your product gets 10,000 downloads a month; at that rate, I mean, compare it to WhatsApp, that's been around what, maybe a fourth of the time PGP's been around, and they have half a billion users. To me, half a billion is reaching the masses; 10,000 a month is not reaching the masses. And that's impressive, I'm proud of projects that get user bases like that, but at a certain point we're going to reach stagnation, where we think 10,000 is a lot of people, but at the end of the day it's such a minute fraction of Facebook users, Twitter users, the apps that people really want to use. That's where we need to target the adoption of cryptography. So here we are in 2014, and I'm going to tell you that Johnny doesn't want to encrypt, so we should stop asking him to try to learn it. I mean, we've had a long time to try to get Johnny in shape, and Johnny's not stupid; he cares about security, privacy, but maybe we need to look at it from his standpoint of, okay, why can't I use this, how do we fix it? So these again are just numbers; I mean, we can look at 1991 and say, okay, that's quite a bit of time, but I like to look at pop culture to see what else we were doing, whether right or wrong, in 1991, to really capture how long ago that was. So I hear it's still alive in Japan; I've never been, so I don't know, but I
figured I would put that there. But Zima was a long time ago; people have lots of memories with Zima, good or bad. So this is part of 1990, the early... this is 1993, so Zima wasn't even out yet when PGP came out, if that tells you anything. This is what we were also doing around the same time PGP came out; I don't know that we've improved with dancing to music since then. And Friends debuted, and we taped it on VHS. So again, these are a few early things that were taking place that we've migrated from. But if you're not convinced that that's a long time ago: the World Wide Web's first description came about two months after PGP launched. Okay, so how far has the web come since then? It used to be something back in the day where you had to have some moderate understanding of computers to make things work; people were still building tools because they didn't exist. But nowadays, if it takes more than one click, people aren't going to pay attention; they're going to move to something else. So it's really changed from the consumer's perspective. So it's been a long time, but PGP is still pretty much the PGP we knew in 1991. So this is sort of what we're giving users now: we're giving them diagrams of engines and asking them to click this, and choose this length of key, and choose this algorithm. But this is what they really want: they want experiences, and that's evidenced by the fact that people get annoyed when it takes more than two seconds to download and start using an app. That's sort of where we are. Back in the day we might wait 20 minutes for the Flash-based Joe Cartoon frog-in-a-blender to download, because it took 20 minutes to watch a Flash animation back in the day, but people aren't going to do that now. They want experiences, and cryptography really gets in the way of experiences; cryptography in many ways is more of a barrier than it is a boon to people, and that's because we haven't found a way to turn it into something that's really usable. Henry Ford was even looking, back in the days of the Model T, at the user experience. Cars were pretty primitive back then; there wasn't really a lot of safety, there was a lot of hands-on that you had to do to maintain the car and keep it up, and that was expected because cars were new, but even he understood that he wanted people to enjoy open spaces. He was all about the experience as much as he was about the engineering. So for a hundred years we've understood user experience, but in cryptography we're really far off. So I think there's no such thing as usable cryptography, and I say that because usability happens at the product and service layer, but cryptography doesn't happen there; cryptography is very low-level. So usability: if I want to send a tweet, I get on Twitter, I type it, I click send. That's sort of the usable product level. The cryptography should be happening behind the scenes; I shouldn't have to select anything or choose anything. So the idea that we're going to get people to use cryptography is sort of a mismatch of levels of where things happen. One thing that we're just now starting to realize is
that we're at a point where real world cryptography is no longer like it was in back in the day when you had an academic paper and you were implementing cryptography and things played out sort of the way they play out in the paper because there wasn't a huge surface to work with there wasn't a lot in the sense of attack services but now once you put once you take cryptography from Theory and put it into practice it becomes a really small part of a really large ecosystem it's almost non-existent compared to other things and the effectiveness of crypto depends on so many other things working um and we can't solve this with cryptography along this is not really a
cryptography problem it's a much larger problem it's a composite of different types of problems but cryptographers can't do this at all we need the ux community uh it's really the only way going forward that we're going to solve it um so I implore you if you if you're building any sort of cryptographic apps or software if you have the funds to hire ux people consult with them invite them to your company sort of get a good idea of where you're going wrong and different key points you need to work on to improve definitely hire ux people those are the ones that understand the masses that we're trying to reach not cryptographers it's not in the security
community's job description to build usable products uh now we need to get what we do into usable products but again that's not our job it's very much across disciplined thing so going back to mackerel mackerel we we chose the name because all throughout history of cryptography people have used fish to name things so it seemed appropriate to to honor the field in that way um one of my favorite functions to analyze in crypto or Max or message authentication codes so I figur the first three letters corresponded to something I really like so aside from that mackerel has no meaning other than it's a sort of you know a way to honor the the crypto community so what we need
is a design and development framework something brand new for building cryptography but we don't need the traditional you know software life cycle where we're looking at it in terms of very tur security Concepts and jargon that way we need something that's driven by user experience in other words Microsoft for example I got a chance to go to the blue hat conference uh last year met a lot of really bright people a lot of really smart people in the security Community um I also got to talk to some people uh that work on the Xbox and I thought okay what would happen if I got into a room with people that designed the Xbox a very successful
consumer product and said okay this is what I'm trying to do these is the security Concepts I'm working with as a console developer as someone very successful at building a consumer product how would you as an Xbox designer rebuild cryptography I think we need to have those kind of talks mainly because they're not going to understand all of what I'm saying so there's that that's representative of the gap between these communities and they're going to be able to solve some problems that we think are really hard uh like you know possibly key management or the way that we ask people to work with CER you know certificates or or pgp as a whole they may have a really easy way to look at
that and say oh this is what you do this is how you use language to fix this pardon me to fix this problem so I think we're going to find that the the language we use is it could be 90% of the solution to this problem uh but until we have those conversations it's not going to work um I think we need to drop crypto for the masses as a excuse me as a campaign I think it's it's time is come and gone we've had plenty of time to try to reach the masses with what we're doing now so we need to drop it and we need to move into a campaign that really emphasizes crypto
that's context for user experience crypto is not the focal point by any means any questions thus far want to take a drink so you know I really believe in the cyer punk dream I think it can be realized but I don't think it's going to happen so long as we tell users about cryptography or ask them to make cryptographic decisions I think at the end of the day people are moving into the expectation where they want all-in-one experiences they want stuff that doesn't require them to step out to download this they want an all-in-one experience and and you know companies like Google are already providing that where you got email you've got messaging you've got
searching you've got you know Google you know office applications you're you're able to do more and more without leaving this ecosystem so if we ask them to step out and install cryptography they're going to tolerate this less and less as we move along uh so we need to move into that mentality that crypto is not the focal point as much as we love security and privacy this is this doesn't represent the end goals of the users they want to accomplish things they want to experience things so we need to find a way to abstract the cryptography into products and services that are usable uh so they benefit from it and we can engage them we can give them feedback uh
so they understand what's taking place but at the same time they're not required to AC make decisions that affect security they're not asked to choose which block cers and key loads because at the end of the day that doesn't really matter we can choose safe defaults uh we can use a language to let them know what's happening without asking them to be a part of it in that technical sense so we started looking at macro the macro framework and we got got a little ahead of ourselves because we don't even have this cross-discipline field yet but we want to build a framework in it so how do we do that so I'll get to it in a
minute but we're we're sort of establishing this idea of Crux or cryptographic user experience where crypto is a part of the user experience it's context for it it's just a basis for for designing a product and a service but working with journalists and activists we we started to look at what three main things would you want as a journalist working in some oppressive environment where you have to communicate with a source and you may not have a really good connection or a lot of time uh to deal with it so and this is good for any app but three things we're really focusing on with this framework you know zero learning curve as soon as I click the icon and
the app fires up how quickly do I know what's taking place or what's expected of me as a user that's really important for the source more so than the journalist because we can train journalists we can go to journalism schools we can go to newsrooms uh we can teach them how to use these things but a source may be anonymous a source may be somewhere else that we can't reach them safely uh so for them especially the app has to fire right up and be intuitive um you know rapid accessibility there's no sense in Reinventing anything we have like I said consumer success stories that already work very successfully so we need to build on top of that whatever
apps that we're going to give in the next decade for people to use to encrypt authenticate with they need to look and feel like the apps people are already used to we need to try to mold what we're doing in the style and language of apps that are already successful that already employ user experience that we know works and minimal code Footprints this is especially important for for developers and analysts who are looking at the code uh it's really easy to build something like true Crypt true Crypt I think it passed the first audit with flying colors but at the same time now they pull the plug so it's hard to say what's going on with true but
the likelihood that you're going to make a mistake by implementing a dozen block ciphers and hash functions is magnitudes greater than any one of those things being broken so having that in the code you have to look at it from that way if I'm implementing this what does it cost me in code complexity and what does it gain me in Practical security all you really need is the advanced encryption standard or if you prefer something else a single block Cipher a single hash function you don't need dozens to choose from this is the strongest link of any system um so yeah these are the the top three things we're really focusing on and it's these are good you know generally
speaking but we didn't have access to the threat model we originally looked at and that was you know militaries and governments what sort of threat models they deal with and we felt that journalism activism was as close as we could get and in pretty you know right on the money as far as threat modeling and what's in state so this was this came up in a paper about six or seven years ago some researchers in Canada they outlined utility usability and usefulness as sort of and I call them the three use of getting it right um when looking at an app the utility of it is what does it do like pgp what does it
do it you know it's supposed to protect my confidentiality and integrity that's what I use it for you know usability how easily can I do it well pgp not so easily it requires a basic understanding of the concepts of public and private Keys uh you have to understand understand the web of trust uh very few key signing parties take place uh so people and even when they do people will randomly sign someone else's key Without Really knowing them even if you meet them at a security conference the web of trust doesn't always work the way it's intended uh usefulness what am I getting out of it I think pgp hits really strongly on utility but it's not very
usable and even if you have something that's really strong but you can't use it then it's not very useful um and that's that's the one part that crypto can't solve so usefulness is sort of a combination of utility plus usability so as a cryptographic community we're really good with the utility part usability that's the other half that we've completely failed at honestly so key ways to gauge if you're if you're doing it right if you're building a real world crypto product and this isn't always possible to do I understand that but if you get funding If You're Building a security and privacy product I urge you to set aside some funding to have ux help come in and
guide the process uh because you know since the NSA Revelations it seems like every night someone's coming out with a crypto product a secure messaging app something to try to be the next greatest thing but what's going to set you apart what's going to allow these products to compete is how usable how good of a user experience they are we can't just rehash pgp and expect that to catch on so we really need the guidance of ux people so the first fruits of your funding if you can in any way try to get some ux people in um and also to understand the mentality that even if you eat drink and sleep cryptography this is never going
to be a focal point of any consumer this is something that people may care about at a very abstract level as far as security and privacy they may want those things but that's as close as you're going to get to the consumer conceptually there not going nobody really wants to encrypt that's the main thing I'm saying so when we're designing something if at any point along the way it asks the user to encrypt you need to backtrack you need to redo it you need to rethink what you're asking the user to do again nobody wants to use cryptography um the really bad thing about good tools like pgp is that's what we have and people
are going to use it and the worst thing that can happen aside from having no tools at all is for people to use lose discretion when using the tools that we have and you can actually end up being less secure by having something that is pretty good then you can if you have nothing at all because if you have nothing you're you're more likely to be cautious but if you have something you might loosen up you might feel comfortable using it with whatever you're trying to secure um and that sort of speaks to user experience as being the key part because without that so many people are going to continue to uploading you know private keys to
servers or sharing the wrong pieces or posting it to their website for people to download and they're going to be compromised all because we failed to make something that that made sense to the consumer um so yeah moving forward with with mackerel Sometime Late next year in u university of louisan in Belgium we're going to put together a conference and we're also going to call it Crux where we're bringing together people who specialize in user experience design we're going to bring cryptographers developers you know my idea is to have people that design you know console gaming systems right across from the table from someone who designs mathematical algorithms uh to try to to find a common ground as far as the
language that we give users. And again, this is something that just came to me last night, but I think that user language is going to be 90% of the solution to the problems we have in security and privacy, getting people to benefit from it. I think a lot of it's just finding, you know, physical analogies to draw from, looking at other consumer success stories to build from. So that's sort of a summary of what we're doing. Any thoughts or questions or heckling?

One thing, when you're talking about the usability, like the feature that gets me the most, like using PGP, like Outlook, you're trying to do that with the add-on, it's like it's so hard to configure, so hard to get it going. When are they going to start learning to streamline it, make it easier to use PGP or cryptography in email communication, which is the main reason why you want to use it in the first place, right?

So, sorry, what's the question exactly?

When is that going to be easier? When do you think they're going to be coming out with more add-ons for browsers or for email communication, for like Gmail or Yahoo or whatever email sources are out there?

I sort of think we're going to see two things. We're going to see add-ons that try to take away some options, to try to select secure defaults, and one thing I also see happening with that is, let's say you download a plugin and by default it's the simplified interface, and just to appease developers or power users, as they call them, you might have some fairly hard-to-get-to alternate menu that allows you to fine-tune things. And that could be the trade-off that we have to make, where we try to simplify the interface, go default, go secure by default for as much as we can. So I think we're going to see a lot more of that. Not sure if you've heard of Mailpile, but there are a couple of other, like Mailvelope, alternate apps where stuff is baked into it, integrated; it's a lot less painful than... sure, you know, I think it works better. I'm sort of on the fence as far as too much integration goes. You know, I like modularity, I like when things fail locally as opposed to globally, but with email encryption I think it helps in a sense to have that crypto framework built in in all aspects of the program, because email as it is still leaks metadata, there's still problems with that protocol as it is. So I think the more integrated we can make it the better, so that could be a more secure route than plugins for Outlook, having standalone apps that replace it. But again, the problem with that is, you know, people are used to the interface of Gmail, so what's going to make them want to download a standalone program that happens to be secure? They're only going to do that if they're more amazed by the interface on it, or if it's easier. At the end of the day it's going to come down to, would I leave this really beautiful, usable product to migrate to that? So I think better plugins is probably a stop-gap to where we need to be going forward.

I think just this week Gmail launched a beta for...

They did, and I'm still looking into this, so don't quote me, but I think they use elliptic curves only rather than RSA generation, and if I'm not mistaken, what that means is there are two branches of GPG: there's the 1.x branch that supports RSA keys but not elliptic curves, and then there's the experimental, enhanced, you know, 2.x branch that does. So what this could mean is that if you're trying to communicate with somebody using GPG, using what they're doing at Google, you may have some interoperability issues, may have some compatibility concerns there because of the ECC support. What I've heard, rumor has it, is that they're going to really move forward with making a stable, you know, 2.0 version of GPG, try to get that possibly to take over the branch. I'm not sure exactly how they're working that out, but it's a lot of work. So I'm really excited about what Google's doing with that plugin, but I also worry about, you know, if you're a journalist you may not be able to communicate with your source using this easy-to-use Gmail encryption thing. You may not want to anyway, but it's going to be interesting going forward.

So there's this tension between open source, right, which is easily inspected, easily forked, all that good stuff, and user experience. And open source is generally not great user experience, and proprietary is generally great user experience but very low inspectability and trust. Is there a new, or do you foresee a new business model where people can create products that are both trusted and with the user interface? How's that problem...?

It's really tough, because the industry is not driven by security and privacy. People want business, they want to have a business model, so that tends to be what drives that, and they want to protect their interest. If they have something that's very novel they don't want to open the source; at the same time, the community doesn't want to trust anybody that doesn't open the source, because they are driven by security and privacy, they're not concerned about the business model. So it's going to be hard to get around that, and especially, you know, people love and trust brands. So as long as the brands that people trust remain closed, I think they hold a firm grip even if open source gains traction. I sort of like to play closed source apologist in a way, because if you compare BitLocker, for example, which is relatively easy to use, to TrueCrypt, which is not the hardest thing, it's not as difficult as PGP, but at the same time it exposes a lot more than BitLocker does. We don't know anything about the developers of TrueCrypt, some anonymous guys that we trust because they're open source and they're all about security and privacy, whereas BitLocker hired, among others, Niels Ferguson, who co-developed Twofish with Bruce Schneier. So I have more reason as a cryptographer to trust BitLocker, because I trust the people who designed it, than I do TrueCrypt. At the same time, even though the guys that designed BitLocker said that they would not develop a product if they knew a back door was being inserted, they're small fish in a really big pond in Microsoft, so they have no way of knowing if it's tainted somewhere else in the product development, because, exactly, it's so tightly integrated into the product that it's hard to say. Even if, as a cryptographer, you would have no part of a back door, you can't really put your life on that promise. I mean, that's commendable, I love them for it, but again the business model, I don't know how we're going to fix that. One thing we're seeing now is a lot of funding from companies that build proprietary products; they're funding things like OpenSSL, which is open. Now, I'm not convinced they're doing that because it's open, but I am convinced that they're doing that because it is critical infrastructure. It just happens to be one of these open things that is used everywhere, and if it falls apart people suffer. So, you know, I'm not convinced that's an open source hero type of thing so much as, okay, we need to fix this and we have some money, let's try to fix it.

I think you're dead on that the way to really get wide-scale adoption, like the way to get my parents and my, you know, my aunt to use crypto in their daily lives is for them to not even really be aware that they're using crypto in their daily lives; that should be the way things work. One big concern I have with that is the snake oil problem gets worse and worse when you start saying we're going to move away from things that we've studied for a long time, you know, and implement something new, and it won't even be a top-line list of, you know, here's how we implement all the privacy stuff. We'll take crypto, we'll say privacy, whatever, but, you know, Snapchat claims to be private, it's nowhere near, you know, we all know that. But if somebody comes up with, you know, private chat or whatever, people could be drawn to that because it is, like you said, a topic high in the concern of the average person, but the average person is so unprepared to vet whatever is out there. So, you know, we need to make sure that we're doing a good job of testing things out and complaining when snake oil hits the market.

I agree, and I think Twitter might be one of the single greatest things to happen to the security community, because a lot of dialogue is taking place very quickly. Like, you know, the TrueCrypt audits probably might not have happened, or at least not as quickly, had a few people not talked about it on Twitter. So I think we're in a position where we can catch these products and call them out fairly quickly. That's good; it's not ideal. I don't know if anybody ever followed Bruce's old mailing list before he set up his blog, but he used to have the doghouse column, and if you looked at snake oil back in the day, it was really easy to tell it was snake oil, because it was something like polymorphic chaos theory where, you know, beams of light from the heavens coincide with these bits, and it was really easy to see. But now, ever since, you know, the NSA revelations, the Snowden debacle, since that we're seeing products that are snake oil in the sense that they're not very good, but it's not as noticeable as it used to be because they claim to be using AES; they all look the same from that security standpoint. So I think the snake oil problem gets worse, and it's not so much because people don't have good intentions, but you have people that are trying to capitalize off of all of it overnight, and then you have those who really want to do something great but they don't really know how, but they put out a product that looks nice and people buy it and use it. So that part's going to get hard, and crypto is still a Wild West frontier, it's not regulated, so anybody can build a crypto app and make it look nice and sell it. So that's going to be an issue. I think we're in a position to maybe fight it better, but it's always going to be there.

A suggestion: if you don't have lots of funds for these expensive audits, one of the things you can do is take it to a university, even if your closest university just has a communications vertical in it. You can buy a lot of pizza, you can get the best suggestions from whatever class you choose.

No, and I appreciate you bringing that up, that's really important. I just had the opportunity here recently to work with a university, pretty much doing the same thing on an almost non-existent budget; it's just, you know, basically printing material, right? And as long as you're listening you can learn a lot, but if you go in with the concept of my stuff is perfect, then you're not going to learn anything, you just wasted your time. Yeah, and that's, I think we're in a community and industry where a lot of folks are in denial, and there's a lot of back and forth about what's the right way to do things. There's still a lot of flack that we need to weed through, especially when it comes to user experience, because it's hard for some people to say that we're doing a really bad job at this. But I think again, you bring up a key point that it's not just about UI, it goes back to security concepts. There's plenty of people out there who will say this sucks because it's closed source, because it's this, this, this and this, but until you try to put something up, so you contribute to someone else, you're just as unimportant to me in the long run, because it's very easy for us to look and throw stones at this product. Until you've actually contributed code back and you help change that, you know, you're no better than that product. So I think that's part of the problem too; there's a lot of social advocacy here with open source is the best, and obviously if we can collectively build it, it is great, it does surpass things, but you run into an issue where unfortunately sometimes people don't contribute. And I'll give you a good case example: so before I came back to the East Coast, I helped design and implement a tool called OSSIM; it's SIEM technology that's out there, right? We have an open source product. In the two and a half years that we had the source code open for this product, which is using open source tools, we had four major commits that did any enhancements or bugs. The majority of stuff we got were complaints about how things didn't work and how they would do it better, but they never wanted to elaborate on how to fix it. So then we would get complaints of, why do you have a paid version that you're doing, you know, private development on? So there's two sides of it, right? So if you want to change that business model, show that interest, you know, and actually, you know, we pay out people for that too, you know, but you've got to contribute back. I mean, don't just point at a problem, have a solution.

Absolutely, I agree. And the fallacy of open source versus closed source is people mistake open source as being inherently more secure because it's open, versus potentially more secure. And that's the many-eyes principle, which I completely disagree with. I don't care how many eyes are looking at source code, I care whose eyes are looking at the source code. You don't want to have me look at your source code and audit it; that's not what I excel at. I may be able to catch a few things here and there, but even working in cryptography, I don't consider myself an expert at auditing code. So just opening the source... are you paying the people to look at the code? That takes time; people have to put food on the table, they have day jobs. And if you look at a lot of really successful open source projects, they became successful but they only have, like, a few developers, and at a certain point you have this huge user base that overwhelms the developers, saying, like, this is not our day job, we can't fix all these things, but nobody's helping, they're complaining. So you end up with products that people really depend on, like TrueCrypt, but you have two anonymous developers who probably don't do that for a living or get much of anything for it. So yeah, you have to commit code, and I think that's a downfall of the industry too; there's a lot of this sucks, but okay, well, it sucks, help me fix it.

An example of a product that was developed by a team of very few people, everyone used, everyone depended on, and hardly anyone wanted to pay for it; now they're ponying up money.

Exactly. But at least they did have bug submitters who reported bugs as far back as two and four years ago that included suggested patches, and those patches languished in their bug tracker until the LibreSSL people resurrected them. So, you know, they at least had contributing
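The "one cipher, one hash, safe defaults, no decisions for the user" design the speaker argues for, as an added example in Go that is not the speaker's or the Mackerel project's code: a two-call API (hypothetical names Seal and Open) fixed to AES-256-GCM with a versioned wire format, where the caller never picks an algorithm or key length and every authentication failure surfaces as one plain-language error.

```go
// Added example (hypothetical API, not from the talk): encryption with no
// user-facing decisions. One AEAD (AES-256-GCM), one key size, one wire
// format, and errors worded for the person reading them, not for a cryptographer.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	version  = 1  // wire-format version byte, bound into the AEAD's associated data
	keyLen   = 32 // AES-256 is the only key size this API accepts
	nonceLen = 12 // standard GCM nonce size
)

var (
	// ErrBadKey is a programming error (wrong key length), never a user error.
	ErrBadKey = errors.New("key must be 32 bytes")
	// ErrCorrupt covers every authentication failure (wrong key, altered bytes,
	// altered context) with one message; telling them apart would only help an attacker.
	ErrCorrupt = errors.New("this message was altered or was sealed with a different key")
	// ErrVersion is returned when the format byte is not one this build understands.
	ErrVersion = errors.New("this message was made by a different version of the app")
)

// NewKey returns a fresh random 32-byte key.
func NewKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// newAEAD is the single place the algorithm is chosen; nothing else can override it.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, ErrBadKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext. context is optional public data
// (for example a conversation id) that must match on Open but is not hidden.
// Output layout: version || nonce || ciphertext+tag.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 1+nonceLen, 1+nonceLen+len(plaintext)+aead.Overhead())
	out[0] = version
	if _, err := io.ReadFull(rand.Reader, out[1:1+nonceLen]); err != nil {
		return nil, err
	}
	// The version byte is part of the associated data, so it cannot be rewritten later.
	aad := append([]byte{version}, context...)
	return aead.Seal(out, out[1:1+nonceLen], plaintext, aad), nil
}

// Open reverses Seal and returns only ErrVersion or ErrCorrupt on failure.
func Open(key, blob, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 1 {
		return nil, ErrCorrupt
	}
	if blob[0] != version {
		return nil, ErrVersion
	}
	if len(blob) < 1+nonceLen+aead.Overhead() {
		return nil, ErrCorrupt
	}
	aad := append([]byte{version}, context...)
	pt, err := aead.Open(nil, blob[1:1+nonceLen], blob[1+nonceLen:], aad)
	if err != nil {
		return nil, ErrCorrupt
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample message and context.
	blob, _ := Seal(key, []byte("meet at the usual place"), []byte("chat:42"))
	pt, err := Open(key, blob, []byte("chat:42"))
	fmt.Printf("%q %v\n", pt, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err = Open(key, blob, []byte("chat:42"))
	fmt.Println(err)
}
```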
You guys smell that? Smell that? It's not pizza. I was just making sure it wasn't me. Something burning, Elric? It's not pizza. A little bit back, those chairs are not very... Ready to go? All right, ladies and gentlemen.

Hey guys, thanks for having me. That was an awesome talk and discussion that we had, so I wasn't in any way upset that it went into my time. I realize I'm up against pizza, so we'll do this quick. I want to thank Daniel and Joshua and everyone who's here at BSides Asheville for inviting me to the first BSides Asheville. This is really exciting. I'm from Charlotte; I was born in North Carolina, and Asheville is really considered a second home. I'm a craft beer lover, so your 18 breweries to me is like a Mecca. I will be at Wicked Weed, Twin Leaf, all those tonight. Anyway, thanks for having me.

So I live in Charlotte. I work for a company called Gotham Digital Science. I'll tell you a little bit about my company and my background before I get into my talk. The talk that I put together is basically focused on some recent security breaches and the trends that we're seeing in our company over the years, and also some common pitfalls of network penetration testing. That's a lot of what we do, and so, when we all came into the company, we all had our different methodologies and approaches, so we put our heads together and came up with what we think is a pretty good methodology, and we know where we started. So we basically just wanted to share... nothing's groundbreaking by any means, but just some techniques that we do that I think close some gaps and end up with more comprehensive results when it comes to doing network penetration testing.

So before I get in, I just want to know what type of people are in the crowd. Are people penetration testers? Anyone? Okay. What's that? Former lives? Yeah, former lives. People working in... how many people are from Asheville? I'm just curious. Oh, so a good crowd. Okay, so this part of the segment is designed for testers and also organizations who want to protect themselves. So here goes.

My company is Gotham Digital Science. We've been around since 2005. We have a team in Charlotte; we're headquartered out of New York City; we also have an office in London that started in 2007. The majority of the clients that we work with are financial and banking clients, technology, also healthcare. A lot of the services that we offer you're going to be very familiar with: web, thick client and mobile application testing, also network pen testing, which I'm going to talk a little bit about today, source code review, threat modeling, social engineering and phishing.

A little bit about me: I started off as a web developer in 1998, and then around 2003, 2004 I got into security and started consulting. I worked for Bank of America for a while, and then I worked for a number of consulting firms. I've been with GDS for about four years, and I'm a manager here in Charlotte, or here in North Carolina. And as I mentioned, craft beer lover: I've been homebrewing for about 13 years, so if there are any homebrewers in the crowd, I'd love to talk to you after this. So anyway, that's the story about me.

So we're going to cover some recent breaches, some that you're probably already very familiar with. There was a recent report that came out from Verizon that kind of blew my mind. It had a lot of great data, and I wanted to share some of that. It was really hard to pick and choose what to share, but I think there are some interesting graphs and bits and pieces
to it that I want to share. I'm also going to share some trends that we've seen at our company since starting in 2005. We're going to share a case study of a recent assessment that we did, talk about some common methodologies, some of the common pitfalls, and then also some new techniques, or not new, but just some techniques that we use to close some of those gaps.

So first of all, by show of hands, did anyone else see the Verizon 2014 Data Breach Investigations Report? It's awesome, for several reasons. First of all, it's very well written. It's like a 60-page document; you would expect it to be really dry and you'd only make it to page five. There's a lot of creative writing; it's a lot of fun to read. There are really pretty graphs and colors and pastels and all those fun things that people like to look at too. I think this came out in April, and I've given this talk once before; this came out two days before the talk, and it was exactly what I needed to segue into talking about network penetration testing and some gaps and trends that we've seen, because it really just strengthened everything that I was thinking about at the time.

To give a little bit of background, if you haven't seen this report, I highly recommend it. I've got a link here at the bottom. Basically it's based on 10 years of data aggregated across 50 different companies that just volunteered it. A lot of it they then had to normalize and put into different categories and groupings, and they did a fantastic job with it. I was in no way part of it at all, so I'm not tooting my own horn; I just thought it was a great thing, so I wanted to share some of the data. So in 2013 alone, Verizon reported that 1,367 confirmed security breaches happened, and 63,000 security incidents. A lot of the well-known breaches that you're probably already familiar with, I just wanted to list a couple here: Evernote, Harbor Freight, Vodafone, Adobe, BIPS, which is the Bitcoin one, Washington Post, Target, just to name a few. There are many, many more, and a lot of them are included in the report. Those are in sequential order over the course of 2013. One data point that I found really interesting is what these attackers were after, and, no surprise here, it all came down to money or user credentials. I'm going to get into some graphs later that show you some hard facts around that, so I won't spend a lot of time on these, but I do have about five to six graphs that really jumped out at me. There is so much more in the report.

This first one here is the number of breaches per threat actor, so you're looking at the partner, the internal, or the external threat actor, and you see a huge spike here in 2010, 2011 for external. So you're talking about the external perimeters of organizations, and that's where the attackers are really focusing. The next one here, I love how they categorized this into different types of patterns. The four that I really wanted to point out here are point-of-sale intrusions, web attacks, card skimmers and cyber espionage. Those are the ones that really jump out as far as the 2013 breaches. So, the number of breaches per threat action, and the actions break down to hacking, social, physical, misuse, error; you can't see it, but in yellow that's malware there. Basically, this is 10 years of data, and you start to see an upward climb for hacking and malware, and I think that tells the same story that we're seeing: a lot more automation, the tools are getting better, and the different kits that people are using. It's a lot less manual, a lot more automated these days, so it's a lot easier to load up a scan and start running it against different organizations. I think that's why we're starting to see that upward trend there.

So the next one here is the number of breaches per asset category, and one that jumps out to me here, obviously, is servers. Servers, you usually think, that's where the data is stored. A lot of people think, well, why isn't network included? The way I look at it is, the network is what carries the data and transmits it, but the server is really where it lives. So if you're an attacker, that's really what you want to go after; those are the assets you care about. User devices are also seeing sort of a spike here, and in the report they allude to the fact that that's because so many people are using user devices that are connected to those legacy databases and those backend flagship apps that have been around for years, but these user devices are now just another vector on top of that. They're getting more mature, but a lot of the software is new, a lot of the devices are new, and they're very rapid, agile development platforms, so you know how it is: vulnerabilities get exposed when you're developing quickly and you've got time to market. So those are being utilized as a vector as well to get back to that same data.

So this is one I touched on earlier: breach count by data variety, like what the attackers are after, and the two that jump out here are green, which is payment, which is money, and then yellow there is user credentials, significantly higher than the others. So that's mainly it for the report; if you haven't seen the Verizon report, I highly recommend checking it out.

So, to sort of correlate some of the
trends that we've seen over the years: when I got into consulting in 2004, I was doing a lot of network pen testing, and then that moved into more app pen testing, and maybe some people in the room have seen a general trend like that. We're starting to do a lot more network penetration testing over the last couple of years, and I think this is why: in the past, since app testing took an uptick, companies still care very much about external network security, but a lot of that has really shifted to a commoditized approach, so a lot less manual pen testing versus relying on scanners, which are great. You're thinking about vulnerability scanners such as Qualys and OpenVAS and Nessus and things of that nature. Those are all great, and they serve their purpose, and we use them, but at the same time they can't find every single nook and cranny, so some things are left on the table, or there may be some open gaps. So now, with the rise of externally focused attacks and the reliance on commoditized automation, many gaps are left open, and we're starting to see companies come back to us because they're seeing all these security breaches and they're like, we really want to make sure that our tools are doing the right job, and if they're not, where are those gaps and how do we close them? That's what we've been helping a lot of people with.

So I wanted to share a case study that we had; this is fairly recent. To give a little background on the project, and why I think it's interesting to this talk: first of all, they are a very large global healthcare provider. They came to us and said, basically, we want you to do an external penetration test. Their network is massive, but they had a very specific set of ranges they wanted us to look at. It came out to about
just over five and a half thousand potential external live hosts. After we did the initial discovery on it, we realized that there were about 500 active IPs. The interesting thing about it, and they didn't tell us this until after we did our assessment, is that they had another vendor that did an assessment similar to this and came back to them with a zero findings report. If you're not familiar with that, that is a report that has absolutely no findings, informational or risk or anything like that, and this scared them. Just given the size of their network, they knew that there must be something out there. We had already been doing some other application testing for them, and they said, hey, we know you guys do network penetration testing; we'd like to bring you on to do a similar scope test. They shared the results with us afterwards, and it turned out, we didn't know about the zero findings report till later on, but we came up with 20 critical findings. I'll give some details of some of the things that we found, and then also numerous mediums and lows as well. The reason I'm sharing this is because we sort of took a step back and said, well, there are a lot of other really talented testers and vendors out there; what could we be doing that they're not doing, or how did we find these things and they didn't find them? So we came up with a list of things that we do, and I wanted to share them in a little while. It may help people in the room who do network pen testing; maybe you can add this into your methodology.

So first of all, we did a comprehensive network discovery. We discovered numerous IPs, many of which were running virtual hosts: administrative interfaces, customer portals, single sign-on portals, and also legacy applications were found. We also found some metadata, a lot of documents containing sensitive information. This is not our tool, but we found it and we loved it: it's called Informática 64's FOCA, and it's great for finding PDFs, Word documents, Excel documents. Actually, just call it FOCA; I didn't want to say "fakka". Okay, do you know what that stands for? No, but it's a bunch of Spanish guys that write it. I know, yeah, it's a fantastic tool. What we found with this is a lot of security architecture diagrams, a lot of information about servers and logins.

I actually used this one time against the government, and I found an employee network that was stealing Joint Strike Fighter documents, because they were leaving the path in the documents and they were putting them on their iPod to take them out of the network.

Interesting. It's a great tool, so if you haven't used it, definitely check it out. A lot of the things we found in these documents helped us and led us to some of the discoveries.

So here are the results. There's a lot on this page, but I'm just going to summarize it. First of all, we were able to compromise the external web presence. We gained access to 13 million personal and business customer accounts. We were also able to basically, we could have defaced, we could basically just have changed all the content on the web properties. Our customer asked us, can you quantify what this data breach would be? We didn't actually have a way to calculate it at the time, but we found that in 2013 the Ponemon Institute and Symantec did a fairly extensive study on US data breaches, and they came out to $188 per record, so we basically just did the math, and that's how we came up with $2.5 billion as the estimated cost if this had been breached. We also compromised the externally facing secure email system. This company, being a healthcare company, had a secure messaging system that patients and doctors could use to communicate, and everything was stored in clear text in the database. We got access to the database, some really confidential stuff about different medical conditions and things you would not want exposed. So we got 2 million records; the estimated cost of the breach there would be $500 million. Then we gained unrestricted access to the internal corporate network. We basically had the security cameras, took screenshots, got on their internal corporate wiki, internal corporate workstations and so forth, and gained complete control of the corporate domain. And then finally we gained access to their customer portal, which, being a healthcare company, they have millions of customers, and we gained access to the portal, which actually had connections back to a lot of other application servers as well, so we had the credentials for those as well.

Yeah, go ahead. This is what we call a pants-down spanking. It was a pants-down spanking, yeah, it was. I mean, this is probably one of the most interesting ones that we've had; that's why I'm sharing it. But it really brought things to light for this company, and now we're doing a lot of looking at all the
other areas of it as well.

So this brought us to do our own internal analysis: why do pentests fail? Here are some of the things that we came up with. As pentesters, we observe that there are numerous approaches and methodologies for penetration testing. There are significant inconsistencies across testers and test teams, and that could be in a consulting firm like mine or in an organization like I've worked for. I know that the way I approach it next to the next guy is going to be very, very different, so that can lead to gaps in an assessment. If you put this tester here and this tester there to do the same app or the same network, are you going to come up with different results, or are they going to be the same? Engagements are largely automated in a lot of cases, for a number of reasons. Clients obviously want to save money, so they only give you a week's time or a short amount of time. We've all been there; it's challenging, so you have to come up with an approach that gives you a good balance of coverage, but where you're also not just spending a lot of time scanning. A lot of times that leads to no manual validation of discovered vulnerabilities, and that can lead to reports that contain false positives or false negatives.

So we came up with what we think of as a common methodology. I've actually practiced this methodology in my past as well, so this is not here to in any way hurt anyone's feelings, but if you feel like this is you, I'm going to maybe give you some tips on how to improve this. So, common methodology: first of all, you get the assessment, either it's internal, you work for a company and they're like, we want you to assess this range, or your client comes to you. So the first thing you do, you start up nmap. You're going to do a discovery; you're going to see what's out there, what's running, what services are running, what's listening. A common nmap configuration, kind of out of the box, is right here: -sS -sV. You're basically looking at a common TCP SYN scan here; you're also looking at the top 1,000 ports, but it's not looking at timing or running some of the advanced scripts or anything like that that come with nmap. So then you would run a vulnerability scanner such as Nessus, Qualys or OpenVAS on those same systems, the ones that you found to be running an open port or a service from the nmap scan. You're going to see what that comes back with. A lot of times these can take a while, depending on... how to read? Right, not usually. So you've got 100-plus pages of nmap results to go through, and nmap is a wonderful, wonderful tool, but it can't tell you every single thing and can't validate every single thing, so you've got a lot of false positives to go through. That's going to take some time. Hopefully you have some time left over to actually manually go and see if any of those are exploitable, because that's what your customer or your boss really cares about: great, you found this open JBoss vulnerability out there; what could you do with it? It's really unfortunate sometimes to say, well, we ran out of time; we couldn't exploit it. So you want to make sure you have enough time at the end to try to exploit some of those vulnerabilities.

Are you using like Canvas or Core Impact?

A little bit. We are playing around with Metasploit for sure, not so much with Canvas; I'm interested in it for sure. Our core tool set, we have some proprietary stuff that we've written that really helps us analyze a lot of the nmap data and the Nessus data and gets it into a humanly consumable format. But mainly we're starting with nmap; we've really just tuned our configurations to try to maximize it. Also using Nessus, some Qualys as well, and some Metasploit when it actually gets to the exploitation.

I also had a question. You also run this nmap scan first? You don't do any passive reconnaissance first?

Yeah, we do. We'll do sort of zero-knowledge type of reconnaissance, looking to see what's out there, absolutely, but this is more like, they give you the range; let's see what's out there and what's listening, what ports are running, for sure.

You're saying this is what you're seeing as common?

It is. We build on top of this, but yeah, I mean, I'm not saying this is bad by any means. I'm just saying this is a more common approach. I'm going to share some things that we've learned over the years.

If this is your entire methodology, then it's bad.

Yeah, if you stop here and copy and paste the results into the report and deliver it to the client, I think you're leaving some things on the table. What's that? Got to put a cloud in there,
right, pretty graphs. Okay, so some of the common pitfalls: an inadequate methodology, like I just mentioned, and insufficient recon and discovery. These two things, in my opinion, are really... the second bullet here, this is where you're starting, so if you don't start with a comprehensive plan and approach and coverage up front, then this really propagates down the line to your results.

Well, the reason I brought that up is because one time I was doing a test, and inside the web page the developer had commented out the username and password to log in, right there. No scan would pick that up.

Exactly. That brings up another good point: a lot of the things, some of the things that we found for this assessment, were not really groundbreaking, cutting edge. We weren't writing custom scripts or anything like that. It was right there under our nose, and I'd say 95% of the stuff that we find is not really that hard to find. It's in source code; it's in the HTML source code coming back rendered in the browser. A lot of times it's just how you look, knowing what to look for. So, as I mentioned, this can lead to massive gaps in your coverage. Some examples include virtual host discovery, authentication methods, extraneous web components. I'm going to get into some of these in a little while, and from my perspective these are things that are typically not looked for. So you've got virtual hosts, for example: virtual hosts is basically multiple applications running on the same server, the same IP address, so they're sharing that IP address. But a scanner is typically just going to pick up the one that's actually tied to that IP address, not all the others. There are some techniques for how to find those, but you may be leaving 20, 30, 40 apps out of scope and not even know about them, because you didn't know to look for the other virtual hosts, the other apps running on that server. I think also we have become, as an industry, excessively reliant on automated vulnerability scanners, hoping that they're going to find everything, and they're not going to find the admin/admin in the source code, for sure.

So as far as the methodology goes, some of the things that we found were that a lot of times the activities are not scalable. So running that nmap scan for five weeks before you actually open up Metasploit or something like that and start looking at things, how is that going to work? Because most people aren't willing to pay for that, or they're not going to, and you don't have as much time to do the actual manual testing and validation that you want. So that's a difficult part. Also, the data coming out of nmap is not really consumable, so you're poring through all these reports, and that takes a lot of time. You also have an incomplete view of exposed networks and hosts. For example, going back to the virtual host discovery, if you don't know that those other virtual hosts are running on that system, then they're completely going to be out of scope for anything else that you do during this assessment. And then it also leads to overall inefficiencies that could lead to false positives and negatives in your reports and in your final product.

So there are two core things here, for two different audiences. First of all, as an organization, you can't secure what you don't know about. So if you get a pentest done, or if you run your own discovery scanning, and you're only looking for the top 1,000 ports and you've got some odd port that's outside of that range, then you may not know that that host is out there, so that's not even going to end up on your asset list. So really having a good understanding of what you own is key to knowing how to secure it. And then similarly, for a tester, you can't test what you don't know about, so going back to really having a good core discovery and reconnaissance phase
to help build on top of is really key.

So it's got a lot of great advanced scripts, and there's a really great community of people writing a lot of these scripts. We've been leveraging them, and we've also been writing a lot of our own that do a lot of the things I'm going to talk about, and we've been trying to give those back to the community as well. So that's one that we like, but whichever one you use, just become intimately familiar with it so you can really maximize it and know how to use it. Another key thing is to determine the depth of the port scan. So if you, for example, know that you're going to have 5,600 hosts to scan and you only have a week to do it, you're probably going to have much more of a breadth than depth perspective on your scope and your approach. So whatever the depth is, base that on the amount of time that you have and the range of hosts that you're going to be looking at. Leverage the scripting component of the scanning tool, and also don't forget about UDP ports. A lot of people forget about these, or they don't include them, and there's a lot of interesting stuff running on UDP as well to take a look at. A lot of people don't run UDP because it's really time-consuming. A recommendation would be to split those off: do a TCP scan, and have your UDP scan running; it's going to take longer, but at least you'll get your TCP results back, you can start going through those, and then UDP shows up later and you might find something really interesting on those as well.

So there are three things I want to cover here quickly. How to go about identifying virtual hosts is the first one. I want to cover some discovery methods that we've used over the years that have helped us
find some virtual hosts that we wouldn't have found in the past. And then also, when you find those hosts, you want to validate with your client, or internally with your IT group, to make sure they're in scope for the assessment. So the first one here... actually, wait, back up. There are really four ways to discover virtual hosts. The first is very simple, through DNS: look at the host that comes back for the IP address, plug it into a browser, see if it matches up, see what that host is, and add that to your list of what's in scope. The next is the SSL certificate. The SSL certificate is going to have the actual domain in there as well. You can look at this manually; here's an example of the one for Yahoo. You can also automate this. Another interesting one is that you can look at the subject alt name. For a lot of hosts it's going to list out, here's an example for Yahoo, a number of domains and subdomains that are also running on that same host, and so you would consider all of these, assuming that you confirm this with your client, you would assume all of these would be in your list, in scope going forward for the testing. So just imagine if you didn't add these and you only had yahoo.com; you might miss all of these, assuming they weren't linked from somewhere else in your scope. And then the final one is, we actually use Bing. You can go out to Bing and plug in the IP address, and Bing basically gives you back all the information about that server, and it's really valuable. Even if you want to automate this, there's a Bing API that you can include and automate this in a script, and it'll pull
back all that data as well. Just be aware there are some quirks to it, so make sure that you go out and validate that everything that you have is in scope. I can't say that enough.

So the next is authentication methods. A lot of different systems out there run a lot of different authentication methods: NTLM over HTTP, over telnet, you've got FTP servers; there are a lot of different ways to authenticate to a system. And a lot of people don't know that you can actually make brute force attempts to log into a system, and it actually is going to give a lot of information back about that system that you can use for
further attacks. So here's an example. This one, and this is not Redbox; this is just the name of an internal system that we have, so I just want to make clear we weren't hacking Redbox here. This is a TCP connection; it basically comes back with port 23, telnet, and it comes back with all this information based on an NTLM authentication, so we know what the target name of the box is, we know the NetBIOS domain name, the computer name, the DNS domain name and computer name, a lot of information about the underlying software that is running as well. So this can be leveraged during a penetration test to tell what's running on that system, and maybe use it, finding out what the version is. A lot of this can be used as a stepping stone for further analysis of this system. Here's another example, very similar, over HTTP. This is all based on a script that we wrote that we've actually submitted to nmap, and it's going through revisions now, and I think it's very close to acceptance, so this will be out in the script library very shortly and you can utilize it.

So the third one is identifying extraneous application components that may be running on that same system.
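Going back to the virtual host discovery methods a little earlier, here is an added example (not part of the talk and not GDS's tooling) that does the DNS and certificate parts in Python: it harvests candidate names for an IP from reverse DNS and from the CN and subjectAltName of the certificate the host presents when you connect by IP without SNI, and then checks a candidate name against the host with an HTTP Host header. The small DER scan, the constructed sample certificate bytes, and the example.com names are assumptions for illustration; the live lookups need a network and are not exercised by the sample.

```python
"""Added example: virtual host candidates for one IP from reverse DNS and the
TLS certificate (CN + subjectAltName), then a Host-header check. Not the
speaker's tooling; sample certificate bytes and names are constructed."""
import http.client
import socket
import ssl

SAN_OID = b"\x06\x03\x55\x1d\x11"   # DER encoding of id-ce-subjectAltName (2.5.29.17)


def _der_len(buf, pos):
    """Decode a DER length field at pos; return (length, position of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def dns_names_from_der(der):
    """Pull every dNSName out of the subjectAltName extension of a DER certificate.
    This scans for the extension OID instead of parsing the whole X.509 structure:
    good enough to harvest names, not a substitute for certificate validation."""
    names = set()
    pos = der.find(SAN_OID)
    if pos < 0:
        return []
    pos += len(SAN_OID)
    if der[pos] == 0x01:                  # optional BOOLEAN 'critical' flag
        pos += 3
    if der[pos] != 0x04:                  # OCTET STRING holding the extension value
        return []
    _, pos = _der_len(der, pos + 1)
    if der[pos] != 0x30:                  # SEQUENCE OF GeneralName
        return []
    seq_len, pos = _der_len(der, pos + 1)
    end = pos + seq_len
    while pos < end:
        tag = der[pos]
        length, pos = _der_len(der, pos + 1)
        if tag == 0x82:                   # [2] dNSName (IA5String); 0x87 is an IP address
            names.add(der[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return sorted(names)


def names_from_peercert(cert):
    """Names from the dict form of a validated certificate (SSLSocket.getpeercert()):
    the subject commonName plus every DNS entry of subjectAltName."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return sorted(names)


def candidate_names(ip, tls_port=443, timeout=5):
    """Live lookups (not run offline): reverse DNS plus the certificate the host
    presents when connected to by IP with no SNI, i.e. the default virtual host's
    certificate and every name it covers."""
    names = set()
    try:
        names.add(socket.gethostbyaddr(ip)[0].lower())
    except OSError:
        pass
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # self-signed perimeter certs are common
    try:
        with socket.create_connection((ip, tls_port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:   # no server_hostname, so no SNI
                names.update(dns_names_from_der(tls.getpeercert(binary_form=True)))
    except (OSError, ssl.SSLError):
        pass
    return sorted(names)


def probe_vhost(ip, hostname, port=80, timeout=5):
    """GET / from the IP with a candidate name in the Host header; returns
    (status, body length) to compare against the IP's default site."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body)


def sample_der(critical=False):
    """Constructed DER fragment carrying a subjectAltName with two DNS names and an IP."""
    san = (b"\x82\x0f" + b"www.example.com"
           + b"\x82\x0d" + b"*.example.com"
           + b"\x87\x04" + bytes([198, 51, 100, 7]))
    ext = b"\x30" + bytes([len(san)]) + san
    octet = b"\x04" + bytes([len(ext)]) + ext
    flag = b"\x01\x01\xff" if critical else b""
    return b"\x30\x82\x01\x00" + SAN_OID + flag + octet + b"\x00" * 4
```

A wildcard entry like `*.example.com` is a lead, not a host: it tells you the operator expects more names under that domain, so it belongs on the list of things to confirm with the client rather than in the scope as-is.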
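The NTLM information leak in the telnet and HTTP examples above, as an added example in Python (not the nmap script the speaker mentions): an NTLM NEGOTIATE (Type 1) message carries no credentials, yet it is enough to make a server answer with its CHALLENGE (Type 2) message, and that message's TargetName, Version and TargetInfo fields hold the NetBIOS and DNS domain and computer names and the OS version. The field layout follows MS-NLMP; the CORP/WEB01/corp.example values and the challenge bytes are a constructed sample standing in for a real reply.

```python
"""Added example: decode the NTLM CHALLENGE_MESSAGE (Type 2) an HTTP server
returns during NTLM authentication and pull out the names it leaks.
Not GDS's nmap script; sample message and host names are constructed."""
import base64
import http.client
import struct

NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids in the TargetInfo block (MS-NLMP 2.2.2.1)
AV_NAMES = {1: "netbios_domain", 2: "netbios_computer",
            3: "dns_domain", 4: "dns_computer", 5: "dns_tree"}


def build_type1():
    """Minimal NEGOTIATE_MESSAGE (32 bytes): enough to elicit a Type 2 reply."""
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
    # signature, type, flags, then empty DomainName and Workstation fields
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16


def parse_type2(blob):
    """Target name, OS version and TargetInfo names from a CHALLENGE_MESSAGE."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    info = {"target_name": blob[name_off:name_off + name_len].decode("utf-16-le"),
            "flags": flags}
    if flags & NEGOTIATE_VERSION and len(blob) >= 56:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    if flags & NEGOTIATE_TARGET_INFO:
        av_len, _, av_off = struct.unpack_from("<HHI", blob, 40)
        pos, end = av_off, av_off + av_len
        while pos + 4 <= end:
            av_id, length = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:                # MsvAvEOL terminates the list
                break
            if av_id in AV_NAMES:
                info[AV_NAMES[av_id]] = blob[pos:pos + length].decode("utf-16-le", "replace")
            pos += length
    return info


def parse_www_authenticate(header_value):
    """Decode the 'NTLM <base64>' value of a WWW-Authenticate header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM challenge")
    return parse_type2(base64.b64decode(token))


def fetch_challenge(host, port=80, path="/", use_tls=False, timeout=10):
    """Send a Type 1 in an Authorization header and decode the server's Type 2.
    Network call, not exercised offline. No password is involved: the server
    replies with its challenge before any credential would be sent."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    token = base64.b64encode(build_type1()).decode("ascii")
    conn.request("GET", path, headers={"Authorization": "NTLM " + token})
    resp = conn.getresponse()
    resp.read()
    header = resp.getheader("WWW-Authenticate", "")
    conn.close()
    if resp.status != 401 or not header.upper().startswith("NTLM "):
        return None
    return parse_www_authenticate(header)


def build_type2_sample():
    """Constructed CHALLENGE_MESSAGE standing in for a real server reply."""
    def u16(s):
        return s.encode("utf-16-le")
    target = u16("CORP")
    av = b""
    for av_id, value in ((1, "CORP"), (2, "WEB01"),
                         (3, "corp.example"), (4, "web01.corp.example")):
        av += struct.pack("<HH", av_id, len(u16(value))) + u16(value)
    av += struct.pack("<HH", 0, 0)
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), 56)          # TargetName fields
    msg += struct.pack("<I", flags)
    msg += b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"\x00" * 8          # challenge, reserved
    msg += struct.pack("<HHI", len(av), len(av), 56 + len(target))   # TargetInfo fields
    msg += struct.pack("<BBH", 6, 1, 7601) + b"\x00\x00\x00\x0f"      # Version 6.1.7601
    return msg + target + av


def sample_header():
    """What the WWW-Authenticate header of the constructed reply would look like."""
    return "NTLM " + base64.b64encode(build_type2_sample()).decode("ascii")
```

Point `fetch_challenge(host, path=...)` at any URL that answers 401 with `WWW-Authenticate: NTLM`; one request per endpoint gives you the internal domain, computer and DNS names for the scope validation and for the later credential tests.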
We're looking at web services, web protocols. An interesting one that we see a lot is WordPress, and it actually doesn't get picked up by any vulnerability scanners, because WordPress has its own admin login for administration. That's not a vulnerability; it's something that gets installed. For us, we see it as a vulnerability: you're exposing administrative functionality to the public on the internet, so that's not something you would typically want to do, but something like Nessus wouldn't pick that up. So we want to make sure we point that out to our client. We also want to make sure that it's not something that could be used and is exploitable. Another example is JBoss consoles. The one foothold for that assessment that I shared earlier was a JBoss console. We found a lot of interesting things on the perimeter in that range, but we found an exploitable JBoss console. It was not picked up by Nessus because it was running on a non-standard port, and so the scanner completely missed it, but we have some scripts that we've written that go out and look for different extraneous web components, and it actually picked it up on a non-standard port. We found it, and that actually got us into the DMZ, the secure email system, further into the corporate network, and that's something that would
that didn't actually get picked up by the scanner.

So another technique here that we've really used, and we're starting to work with our customers on this, is front loading. So how did we go about doing the five weeks of scanning before we had four weeks of manual testing? We basically front loaded all that. We said, look, this is not man hours, it's machine hours; we're not going to charge you for this. It takes very little time to get everything crafted and scripted up and ready to go and start our scanners, and then we say, okay, we'll talk to you in a couple of weeks when it's ready to go. So we recommend this for anything other than a small network. It's going to allow you as a tester to really gain efficiencies, because you're going to put all the time that they're paying for into the manual testing and validation, versus the actual time of waiting on a scanner. So if you're a tester, if you've got an internal kickoff call, if you're working with a customer, if you're a consultant, request this as part of the kickoff call. Let them know that we're not going to charge you extra for this; this is going to give us more time in the long run to actually look at this from a manual perspective and have a person working on it. Organizations, if you have an internal test team, ask them if they're doing this, and if not, why not, and maybe recommend it as a way for their team to become more efficient. So in the end, you want to pay for man hours, not machine hours.

So to recap on the case study and the lessons learned: I've mentioned some of the things along the way, but the root causes for the finding differential, an insufficient discovery methodology and excessive reliance on automated scanners, can a lot of times lead to gaps and missed things. Virtual hosts: public sites and numerous admin sites were
found during this assessment and the admin sites you know would have obviously been undiscovered um previously just because those virtual hosts wouldn't have been picked up by a normal scanner uh authentication method Discovery uh discover numerous authentication methods on multiple virtual host they were form-based inlm FTP so on and so forth um we were able to also use weak admin credentials to authentic at so we do some very light Brute Force testing we're not in any way you know slamming these uh authentication methods but we're going to look for common things like admin admin uh or you know if it's a database connection you know we're looking for essay and blank password and things of
that nature those things are still you you wouldn't think so those things they're still out there um people are not hardening these things and configuring them when they're setting them up um and they may even just be a test server that someone stood up to test out a product and then it never actually went to production but that test server sitting in the same network segment as all the production boxes it's exposed to the internet and it's used as a foothold to get in um to the to the network uh and then the extraneous web components the one I mentioned was that non-standard JBoss configuration we didn't pick it up in a scanner in a
scanner with a scanner um was running on non-standard Port non-standard subpath and it was a critical foothold um for the assessment did uh well we based on the inmap results we B basically take all the information um that we know about each of those servers and then we go out and we're looking for non-standard ports and see if anything's running on those we'll also really tune our uh inmap scans in the beginning to go outside of the top 1,000 ports I can I'd be happy to send someone if anyone's interested I mean our our inmap configuration script is like a page long and you know we tweak it for every assessment just based on what we're looking for but it actually
picked it up on one of those um and then we had another script that was running after that that goes and follows up and looks for virtual host nlm authentication also just web components that are running out there and you found it through that so I know everyone's hungry so just want a quick summary here you can't test or secure what you don't know about um this approach hopefully for you a lot of you will you know or your company would give you more time for manual testing um and good methodology you know provokes consistency repeatability across your test team and comprehensive Discovery and end is going to lead to you know increased security visibility for your
assets so you actually know where the gaps are so that you can secure them and that's it for me I know that was quick but thank you so much for having
me
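One way to do the nmap follow-up the speaker describes, as an added example that is not the speaker's own script: parse nmap's XML output (`-oX`) and pull out the web services sitting on non-standard ports so they get a manual review rather than being skipped. The XML is a constructed sample, not a real scan.

```python
"""Triage nmap XML for web components on non-standard ports.

Added example, not the talk's scripts. Sample XML below is constructed
in the shape nmap -oX writes; it is not output from a real scan.
"""
import xml.etree.ElementTree as ET

STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
WEB_SERVICE_NAMES = {"http", "https", "http-proxy", "http-alt"}

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="9990"><state state="open"/><service name="http" product="JBoss"/></port>
  <port protocol="tcp" portid="10443"><state state="filtered"/><service name="https"/></port>
</ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache"/></port>
  <port protocol="tcp" portid="7001"><state state="open"/><service name="http-alt" tunnel="ssl"/></port>
</ports></host>
</nmaprun>"""


def web_services(xml_text):
    """Return (addr, port, scheme, product) for every open port nmap fingerprinted as web."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not a reachable web component
            svc = port.find("service")
            if svc is None or svc.get("name") not in WEB_SERVICE_NAMES:
                continue
            # nmap marks TLS-wrapped services with tunnel="ssl" rather than a distinct name
            scheme = "https" if svc.get("tunnel") == "ssl" or svc.get("name") == "https" else "http"
            found.append((addr, int(port.get("portid")), scheme, svc.get("product", "")))
    return found


def nonstandard_web_services(xml_text):
    """The subset a standard-port-only review misses: web services outside the usual ports."""
    return [s for s in web_services(xml_text) if s[1] not in STANDARD_WEB_PORTS]


def base_urls(xml_text):
    """Base URLs handed to the manual virtual host / auth method / admin console review."""
    return [f"{scheme}://{addr}:{port}/" for addr, port, scheme, _ in nonstandard_web_services(xml_text)]
```

Run against real output, this is the list to walk by hand; nothing here fetches anything, it only decides what deserves the tester's time.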
Odd, he pronounces my name Jason. Nothing you did. Did you take attendance? I'm sorry. Thanks for inviting me down to Asheville to speak at BSides. This is a great event; it reminds me a lot of my first information security conference. We were so kind of out in the boonies, we basically organized our own. That's how we got to go to one, because our employers weren't all that excited about sending us to one, so we started a hacker con. Who's been to Hacker Con? A couple of you, awesome. My name is m Gardner, I'm an assistant professor at Marshall University, where I teach in the digital forensics and information assurance program. You may know me as Oni online, it's my Twitter handle. This is my CCDC team, and the purpose of this slide is public shaming. They participated for the first time last year; we were in the middle of a conference and they quit halfway through because they got frustrated, so the public shaming will continue until their productivity and their standing improves. So first year, the goal was to fill the team; next year is to go to regionals. So as I said, this is our current team; some of these people may not be on it next semester. I'm co-founder of Hacker Con, which I already talked about, former past president of AIDE, the Appalachian Institute of Digital Evidence at Marshall University. Who's been to AIDE? A couple of you have. Maybe no one's been to AIDE. You've been to AIDE, you spoke at AIDE, that's right. I'm a volunteer for Hackers for Charity; please go buy something from that man back there. AR train.

So what we're going to talk about today is security surprise: Marcus Ranum is real. I'm sorry for the streaming people, but I'm a pacer, so I'll be pacing a little bit. So Marcus Ranum is my hero, because basically he thinks everything's BS and basically calls a lot of things that we do in security BS, but we're doing it. We spend millions of dollars a year on products which don't protect us. We buy IDSs, IPSs, firewalls, next generation firewalls, but yet we're still getting pwned. I already did the slide last night; I don't know what this is, sorry, don't look at this. This is something Frank Hacken and I did a couple years ago, which is basically the security Peri. So you start out with policies and procedures: tell your users what they can and can't do, policies and procedures. The next thing up is user awareness. You don't really start talking about buying products until you've done the groundwork, so