
Good morning and welcome to BSides Las Vegas. This is the I Am The Cavalry room. This is the kickoff panel with Josh Corman and Keren Elazari. Yeah, they founded... I'm sorry, they founded I Am The Cavalry. These talks are being streamed live, but we can turn off the camera if we need to; we did that last year sometimes in this room. If you have a question, please raise your hand and I'll bring a microphone over to you. That is partially for the people watching online and on the recording, so that they can hear your question. As a courtesy to everybody else, please turn off your cell phones or at least set them to silent.

And before we get started I'd like to thank our sponsors: Verse Bright, Fertility, Tenable, Amazon and Source of Knowledge. It's their support that makes all this possible. And with that, let's get started. We have Josh Corman, I think, kicking us off.

Thank you for coming. We have a little bit of a delayed start, in part due to the fire alarm, in part due to Josh, in part due to me. So I'm gonna... we're not gonna use slides. We're gonna get through just some framing, in case this is your first time here, and then a quick recap of some of the highlights from the last year, or at least the journey from when we were born four
years ago here on August 1st. So, since we're a little phase-shifted, give yourselves a round of applause for turning four years old, almost. So I'm Josh Corman, I'm one of the founders. Nick Percoco is the co-founder; he's not here today, we hope to get him here tomorrow. And Beau Woods was, you know, essentially a founder. He was on a different stage at the exact same time talking about how to be a digital vagabond and do the least amount of slacky things while making the most amount of money in the coolest places in the world. But as soon as he committed to the mission he's been an MVP throughout, so Beau is essentially a founder as well. And we're gonna introduce Keren as well, as one of the most enthusiastic and passionate empowerers we know, and now clearly she's wearing a Wonder Woman... awesome, I'll see you, the superhero.

Just as a very quick verbal level set: the idea four years ago was, for different reasons, Nick and I had grown increasingly concerned that our dependence on connected technology was growing faster than our ability to secure it, especially in areas affecting body, mind and soul, is what we said. Body being where bits and bytes meet flesh and blood, so public safety and human life, because those kinds of failures, unlike credit card failures or loss of intellectual property, those kinds of failures will trigger a crisis of confidence in the public, will harm people, will cause a hit to the GDP, will compromise civil liberties, etc. So body was public safety and human life issues. Mind was, Nick was having nightmares about the increased criminalization of hacker and technical skills, actual nightmares, so we wanted to make sure that we had the... the right to research without fear of prosecution or criminalization. And soul was, you know, my notion as a philosopher, I guess; I was worried about the relationship between technology and the human condition, how we treat each other, how social media has a dark side, how social contracts were changing, you know, the rise of activism and direct action online, and cruelty. And I still remain concerned about that, but in the course of shifting from the declaration of this to DerbyCon we really realized that if we really went deep on public safety and human life it may help the other topics as well.

But the goal was, we believed that if you looked around for the adults in the room, if you went to government and tried to tell them what you were worried about... we kept looking for someone to save us, and there wasn't anyone. We found there weren't any adults, and we even brought five hackers into Fort Meade for two days before the cavalry. This is kind of part of the cavalry genesis story, but, you know, we thought if we need the right message to the right decision makers with the right amount of power, they'd fix these things. And we found that they couldn't, or they wouldn't, or there wasn't political will, or there wasn't a public appetite, and it was really demoralizing. And in that moment, you know, we said the cavalry isn't coming, no one's gonna save us, and we wallowed in that for a couple months. And then it dawned on me, through some personal things, that if something's missing we have to put it there, right? It's not disempowering, it's actually empowering. Well, you know, no one's gonna save you; that means it falls to us. And the idea was a plea: I Am The Cavalry is a commitment you make. It's not Josh, it's not Beau, it's you, saying I'm gonna be a voice of reason and technical literacy, I'll be an ambassador, a translator to the public, to public policymakers and these safety-critical industries. And what that meant is a fundamental shift in how we conduct ourselves. It's not about pointing a finger at past failure, it's a helping hand towards future success. It's not about what are they doing wrong, it's about what are they doing right, and how do we take that ember and foster it into a flame. It's not about our technical elite skills, it was about our empathy, and we had really weakling empathy muscles, but we figured out it was a muscle and you can build it. And we're not trying to be touchy-feely, it's just that instead of doing everything we've done over and over expecting different results, we said we're gonna try something new, and we said we're gonna think like hackers too. So we're gonna fuzz the chain of influence, we're gonna find a point of entry, we're gonna move laterally, we're gonna privilege escalate. And we've done this and we've tried, and we had no idea what we were doing. In fact, our working title if we ever write a biography is "I have no idea what I'm doing and it seems to be working." But the reason wasn't necessarily because of what we were doing, it was how we were doing it.
Katie Moussouris, before we launched, had said something to me. She said, you know, if we want to change the world we have to first change ourselves. She was right. You know, we suck at empathy and we suck at inclusion and we compete with each other and we tear each other down. That's strike two; hopefully, I tried to say a little bit ago, hopefully did it well, I don't know, we'll find out. But what we did over the course of that first year was we really went deep on automotive. We figured everybody rides in a car. We eventually, on our first birthday, published a five-star cyber safety framework for connected vehicles, and the idea was a letter to the industry that says: you're masters of your domain, you've been making cars safer for a hundred years; we're masters of our domain in cybersecurity; and now their domains have collided, we'd be safer sooner if we work together, which is kind of where we got our slogan. And at first, you know, people didn't like it. It turned out the car companies liked it, the car ecosystem liked it, public policymakers liked it, but our own kind kind of hated it. That was very arrogant and very simple. We basically said, if these are computers on wheels, all systems fail, here's five postures you need to be ready for failure, and in plain speak it was: how do you avoid failure, how do you take help avoiding failure without assuming the helper, how do you capture, study and learn from failure, have a prompt and agile response to failure, and contain and isolate failure. It would be impossible to disagree with these things, and yet we had incredible amounts of hate and resistance.

And we targeted cars because cars, everybody rides in them, and only 20 car makers must be much easier than, say, medical devices, where there's tens of thousands of medical device makers, most of which have 11 employees. And we also found the FDA to be a little stubborn and obstinate on the topic, and said until people die, until there's proof of harm, we won't do anything about it. But in the course of working on cars the FDA had a change of heart and they started asking more questions, and because we were helpful they actually started eclipsing the progress. And ultimately Beau helped pull together, with help from physicians and nurses and doctors and the FDA and hospital administrators, a Hippocratic oath for connected medical devices that was very similar. So that was really the next big wave.

And then ultimately we realized, while we're getting better, the situation was getting worse faster. So Jen Ellis and Beau and myself and others decided to try to go into the belly of the beast and try to do public policy work, initially from our day job and then, for us at least recently, about a year and a half ago, we quit our day jobs to go to nonprofit. But we're having... really what turned out is the mission was terraforming, right? We don't have breathable oxygen or climate for a conversation between hackers and policymakers or safety-critical industries, so we were working on primitives and trust and empathy and these things like: are you patchable, do you have coordinated disclosure programs. And Jessica's gonna show an update on some of those. She's one of the congressional staffers that we bonded with early. She's been very, very helpful in helping us navigate Washington policy land and also having a voice in some of these discussions and debates. And we're not going to go through every single accomplishment, but the zeitgeist here is every one of you has done something and has unique talents, and every one of you has a unique leverage point of where you live or where you work. Some of you have actually changed jobs, said, you know, I could do security anywhere, I'm gonna do it for a medical device maker, or, you know, I could help a bank or I can help a hospital, and they become a CISO in a hospital or, you know, an endpoint tech or whatever they can do. But people are just finding some way, whether it's an hour a month, or help on one document one time, or help constantly on weekly
calls to do things. So, Klaus wanted... do you want to do the thing we... yeah.

So we thought maybe we'd go around the room, and for those of you who are the contributors, or in our Slack channel, or frequently on our mailing list, or contacting us, talking to us through Twitter, if you want to stand up and say a little bit about yourself, you know, name, who you are, your handle so we can identify you, so that you can identify each other, and so that we've got some context to see what kind of diversity we've got in this room, because it's not just about hackers. We've got fifty badges at the back for people who didn't really know that this event was even going on, and then they ended up coming to Vegas anyway so they could come into this room and have conversations with this. So we're finding every year we get more and more people like that. So if you're on our Slack channel, raise your hand. If you follow us on Twitter, raise your hand, keep your hands up. You're on our mailing list, raise your hand. Okay, so there's a lot of people in here who, if you want to, we can go around the room, stand up. I don't want to out anybody, but there's a lot of good, good friends in here, and I'll maybe start with myself. I'm Beau Woods. I'm not creative, so I go by the handle @beauwoods, or @mowoods when I'm feeling very creative, and I am one of the core contributors to I Am The Cavalry. Keren, do you want to stand up next? I'll call you out. Okay, you're already on the schedule.

Hi, I'm Keren Elazari, I'm from Tel Aviv. I'll be talking to you in a few minutes. You can find me online as k3r3n3, which is a more creative use of the number 3 to represent the letter e, and I'll be talking to you later. Not sure how we're gonna do... very fast, the mics, yeah.

Hi. Oh good. I'm Klaus, Klaus. I'm also not very creative; my handle is Klaus Homan on Slack and on Twitter. I live in Luxembourg in Europe, have been trying to build a European chapter, pull a group of fellow European volunteers to try to replicate the work being done in the U.S. in Europe. This mic to Chris.

Hey, Chris King, handle's Armen Gar. I live in Washington DC and I'm passionate about car security. I work for a big ICS vendor trying to change things from within, so that's me. Daniel?

Hi, I'm Daniel Beard, I'm a co-founder of Promenade Software. We do medical device software, so all the software that's in your medical devices, working with a lot of those companies he was talking about that are under 50 people, which is most medical device manufacturers.

Come on, don't be shy. My name is [inaudible]. This is my first time here at DEF CON, Summer Camp, and here in this room specifically. I do embedded device security for automotive, for different microcontrollers, recently started working for intent, for the pen testing.
Hi, I'm Trey Forgety. I'm director of government affairs and information security issues for NENA, the 9-1-1 Association. We represent all the public safety answering points that take your 9-1-1 calls, and we have colleagues around the world, like 112 in Europe and so forth; we work with them as well.

Hi, Tamar. I work in Japan for one supplier in automotive, and I'm trying to help evangelize more security in this field.

I'm Brittany, handle's Straithe. I'm a researcher at the University of Waterloo and I do robotics research, so checking to make sure your robots can't be used to social engineer you.

Hi, my name is Chris Pizza, it's just C Pizza, @cpizza. I'm very quiet on Twitter, I'm also very quiet in the cavalry group, I pretty much just, I'm a listener. But I work for medical device manufacturers, so, as we talked about, trying to change it from the inside.

Doug. Anyway, anytime you can actually understand a picture of ours, it's because of new egg, yeah.

Good morning, I'm Bill Aerts. I started July 1st. I am the deputy director of Archimedes, some of you may be familiar with that, the medical device research center at the University of Michigan led by Professor Kevin Fu. Prior to that I was, like Chris, a global director of product security at a major medical device manufacturer.

Hi, I'm Amir and I'm a nurse from Holland, and I'm glad to be here, and I try to make everyone aware about insider threats and the problems we have in healthcare that no one wants to see. Thank you, everyone.

Hi, I'm Nina. I own the Biohacking Village at DEF CON. I work on electronic medical records. I'm a biomedical engineer slash healthcare information security researcher.

Hi, I'm [inaudible]. I'm a UX designer. I'm just curious. I work with a lot of mission-driven or nonprofit organizations, and so I'd like to help out whenever I can, in addition to that, moral support when I'm in DC.

Hi, I'm Audie. I work in the healthcare system in cardiology, and I do imaging and informatics and manage servers that relate to cath lab and invasive and non-invasive cardiology.

All right, any more? Going once, twice. Oh, right here we go. Noticing a strong streak of medical. Last year was a very intense medical year, but we definitely cover a lot of topics.

Hi, I'm Yuri Silberman, Mr. Glass on Twitter, Slack, et cetera. I'm a developer working on... for New York, and I'm trying to evangelize other developers as well as help out with code if anybody needs stuff.

Here, before we hand off back to the other guys, just to punctuate this: we didn't know if this would work, but, and hopefully Suzanne will share some of this throughout today and over tomorrow, but we told everybody in the kickoff video, if you weren't here please go back and watch it, it's more true today than it was when we first said it, we just didn't know how right we were. One of the things we said is people will have to die first, right, and I wanted to be honest with the whole room: that's just
what it's gonna take. And, you know, the more times I told this the less personal it sounds, but because we focused on the empathy and the trust with people like Suzanne, and because she's incredibly brave and did things that were potentially risky or unpopular within a federal agency, and trusted us, we trained each other and we used this whole-of-community kind of approach. And because of how we got them past some of their questions where they were stuck, ultimately Billy Rios had found a flaw in a Hospira infusion pump. It doesn't matter what manufacturer it is, everybody has flaws. And he had said, I'll give you a hundred... a calendar year to fix it before I report, and then in the course of that calendar year somebody else found the same flaw and just published it. And part of the wake-up call for the FDA was: wait a second, if we make it hard for someone to do the safe thing, we may be buying time for someone to do the unsafe thing. And even the other guy that found it wasn't trying to be unsafe, but it was a serious issue. It's one of the most common pumps in hospital rooms in the world and it had an unmitigated pathway to harm. So while the prior standard of care was you need to have proof of harm, actual loss of life directly connected with forensics to a hacking event in the wild, and since the lead time for devices is about six years best case, from when you decide to make it through R&D, development, clinical trials, pre-market approval and getting into the field, if we waited for loss of life that's six years of exposure after we know it can kill people. So because we focused on trust, a week before DEF CON that year, year two, right before our second birthday, they decided to do the first-ever recall or safety communication in history because there was an unmitigated pathway to harm, and that was sufficient to trigger corrective action in cyber. And then later, last January, they codified that guidance in the post-market guidance, and basically, to encourage better behavior, they created a carrot-shaped stick. It essentially said if you have a coordinated disclosure policy, working with third-party researchers and acting in good faith, and the bug they find is not actively being attacked in the wild, and you can mitigate it in 30 days and fix it in 60 days, then you don't have to go through a regulatory action. So you don't have to work with researchers, but you'd be an idiot not to. And this clever hacking on the part of executive branch government employees, combined with our approach, you know, we got in front of this; we didn't have to wait for anybody to die. Now, we're still losing life and we're going to lose life, but the audacity of this idea was if we lean in, and if we do this terraforming, if we build the scaffolding, then when the bad thing happens maybe we can dampen the harm. But we exceeded our own expectations because doing the right thing the right way got them to an inflection point without any proof of harm. And that's the mission to replicate, not just for medical, not just for hospitals, but for autonomous vehicles, high-speed rail, maritime, aviation, smart cities, IoT, industrial IoT. And the thing is, if you were waiting for that inflection point, it just happened in the last few months. WannaCry took out manufacturing plants for car manufacturers. NotPetya destroyed systems in critical infrastructure, which could constitute an act of war once they finally decide whether or not they want to do attribution. 65 hospitals in the UK in a single day. So I think that groundwork was absolutely critical, and if you've contributed before, thank you for helping us get to a position where we might be able to blunt some of these harms. And if this is your first time here, you're coming in at a perfect time, because we've done a lot of the brush clearing; now we need your contributions to do this. So I'll shut up now and let Beau and Keren go.

Yeah, so we've got a lot of stuff packed into the next couple
of days in here. We don't expect that you will all sit in here eight hours or ten hours a day both days, but if you do, that's great; if you don't, it'll be on video. But we've got the tables set up in here because we want this to be a more collaborative type of a dialogue rather than just one-to-many. Today we're gonna have Keren go up next, then we'll have the break for lunch. After that we'll come back here and Jessica Wilkerson, who's a congressional staffer on House Energy and Commerce, will do an overview of public policy, of things the last maybe 18 months or so in DC and what's come out of the executive and legislative branches that affect Internet of Things and cyber safety. A lot of that will look similar to things that you might have heard here first; that might not be a coincidence. Jessica, as well as others who have heard these types of messages, are really, really excited about it. Then we'll have a panel discussion, Feds Heart Hackers. We really want to show that the federal government, people working in federal government, actually love this crowd, and that's why we've got so many people who are in DC come out here this year to BSides specifically to meet more of the people who are at BSides, because they're very friendly towards new ideas. Then we're gonna come back, and at 5:00 p.m. we've got a healthcare overview, what's going on in healthcare in the last 12 months, probably capturing as many as two years. Josh is gonna lead that. As he said, there's a lot of things that have been happening, some good things, a lot more bad things. Then a panel discussion on the HHS task force that was stood up as a part of the Cybersecurity Information Sharing Act. I said cyber, I'll drink for it later. We'll be drinking a lot this week, I'm sure, but some of that will be related to the words we use, so that will just be for fun, to relax. And then finally, to close out the day, we'll have Chris lead the Internet of Cars discussion. We've also got a couple of other folks, Abe from NIO, and if you haven't seen the video of the autonomous electric supercar going around the track, it's pretty cool, and then we're also going to have Kevin Tierney from GM come in and talk to us about a little bit of the things they're doing.

Tomorrow we kick off bright and early. We're gonna talk about something that Daniel has done in the medical device industry, which is figure out a way to do an embedded Linux bill of materials. If you're not sure what a bill of materials is, think about it like an ingredients list for software, for things that might have life-and-death consequences, and we'll talk a little bit more about that tomorrow. We'll also talk about building automation systems and how hackable and exposed they are. You might not think it, but the military doesn't put a whole lot of thought space to protecting the building infrastructure in our country and abroad, so we'll have someone talk about that. Then we're gonna go down and do some lightning talks on some new and very different ideas that we might need to start considering, especially at a public policy level, in order to respond to some of the threats that we're seeing, some of the incidents that we're seeing increasingly, and we'll have a moderated Q&A to pressure test some of those ideas. After that we're gonna come back and we're gonna do something really cool: we're gonna do a tabletop exercise, which is part of the reason we've got tables here, so we have tabletops. And that is, essentially, we want to walk through what a society-wide cyber crisis would look like. So think about something... we had this idea before WannaCry and Petya happened, or NotPetya or whatever we're kind of gonna call it, but what would happen here, what happens in different rooms around the country, around the world, at the very top echelon, when something like that happens. So we've got a lot of people from DC specifically coming for that, because they know what happens at the policy level; they know those discussions in the National Security Council, the briefings that go to the president, what Congress talks about, as well as leaders of industry. Then we're gonna do something really, really cool, which might be great or it might be a catastrophe; it's gonna be really good either way, show up. But it's a mock congressional hearing, where we're gonna have actual people who have testified before Congress sitting up here getting grilled by a couple of people who are congressional staffers or former congressional staffers. Then we're going to open the room up to the, we'll call this the Vegas congressional Congress, the hackers like you, who might want to put hard questions to people. And the idea being that that sequence is: this bad thing happened, we had to figure out how to respond, and then we'll see what it would look like, an actual hearing that we might see on the Hill a couple of weeks or a couple of months after a thing like that would really happen, to say who knew what when, why didn't you get started a long time ago, what's standing in our way, so that we can wargame what even that would look like.

And for the Europeans or people outside the US: while we focused pretty heavily on some of the US institutions, because they were in reach and the think tank we work for, the Atlantic Council, is in DC, we've not isolated our work there. Some of these patterns or successes have also been... we've also been working with ENISA, a little bit less in Asia, but with a lot of manufacturers in Asia. And when you think about it, if you affect the Food and Drug Administration's policy for a global supply chain, it kind of affects everybody. But one of the things Klaus is really pushing for is that we further break out. In fact, one of our happiest moments was somebody in the Slack channel pointed out that the second version of the French translation of the five-star cyber safety framework had been done, and we're like, wait, we had a French translation? So this is kind of the power of the group: in a very self-organizing way we can get scale and reach with different people's skill sets. But this is not meant to be US-centric; it's just we've had a lot of strides this year because the US finally found their footing, or they're starting to find their footing. If any of you haven't dealt with Congress before, you can potentially be a congressperson asking the testifiers things tomorrow. And now, without further ado, Wonder Woman will come up and tell us how to be more wonderful ourselves.

Yes, okay. So the first thing, hi everybody, thanks so much for showing up. The first thing I want to do for my talk is to offer you all a
chance for a free first class upgrade. So we have seats right here, we have seats right here. If you guys are standing all the way in the back, it's not standing-room-only, we got some seats for you right down here. You'll get more leg space, guaranteed access to nothing, so hopefully, come on. I might be amusing but it's not a stand-up show, so I won't make fun of people sitting in the front row. You might get some sweat on you though; it might, might, might be a splash zone situation. All right, uh, how... can you hear me in the back? Everything's okay with the video? Audio good? Technology is at our side.

Hi everybody, I'm Keren Elazari. I'm excited, honored and happy to be with you all here this morning. I am actually here thanks to these guys, thanks to Josh, thanks to Beau, who roped me into the cavalry a couple of years ago. And I don't know if you know this, but I'm a fan of movies in general and the Fast & Furious in particular, and the line "I am the cavalry" is originally spoken, I think, by The Rock in one of the Fast and Furious movies. So feel free to take pictures. If you guys get into trouble with The Rock for taking his picture, then I'm gonna ask my pal Gal Gadot, who is Wonder Woman, you might know her as Wonder Woman, she's Israeli supermom and actress Gal Gadot, to come to my rescue. So feel free to take pictures as much as you can. By the way, I like the fact that she's wearing a hoodie in this particular image. I tried wearing a hoodie earlier today. Let me tell you something about wearing hoodies: it's too hard to wear hoodies back home in Tel Aviv, it's way too hot to wear hoodies here in Vegas, and as you can see in the room, and as you know from your personal experiences, not all hackers, not all security practitioners, not all heroes wear hoodies. We are very different, and not just diverse, but have other things and different things to offer to one another.

I also run BSides in Tel Aviv, so if you're looking for a reason to come and join more BSides fun in the sun in the Israeli Mediterranean region, come on out. We usually run in June, towards the end of June, so stay tuned for the CFP for that. We have a few BSides TLV speakers and team here in the room, and a couple of them walking around with BSides TLV red shirts. You might know me from this, though, if you hadn't come out to BSides TLV. This is the TED talk I gave in 2014, and it was titled "Hackers: the Immune System of the Internet," but there is a little bit of a typo there, because I actually said on the TED stage, in front of, I guess, now two million people, that hackers are, or might just be, the immune system for the digital age. So not just for the internet, not just for the world wide web, but for all of these devices and technologies that are now powering our lives, all of the things that we rely on. And it was thanks to this talk, and thanks to Beau and the cavalry people who reached out to me in the same year, I didn't know about the cavalry and they reached out to me and asked me to come and be a part of this movement, and I'm very proud to be a part of this movement. What I would like to do today is give you a few ideas, what you can do to be a more significant part of this movement, how you can teach others to do things that will matter and save human lives.

So if hackers are the immune system, where did I get this idea? 2013, I was deeply, deeply inspired by our late friend Barnaby Jack, who, if you don't know who Barnaby Jack was, he was a security researcher, and one of the things he became infamous for was not just hacking an ATM over at the Black Hat event on stage, but also hacking an embedded insulin pump with a radio antenna and demonstrating the capability to remotely dump any remaining insulin in the reservoir of this device. This was conducted, if I'm not wrong, already five years ago, something along those lines, five years ago, and it was a proof-of-concept demonstration, but it really got a lot of people's attention. Here's the thing: it very much inspired me, and I honor the work that he and other researchers do. Barnaby said that sometimes it's up to hackers to demonstrate a threat so that we can spark a solution. I agree. I try to embody that same message, but with that in mind, demonstrating a threat is no longer enough. It doesn't necessarily spark the solution. We have to start designing the solutions, we have to start helping build the solutions, and this is what I hope
this year, in I Am The Cavalry, in these two days and its specialized track, we will really focus on not just showing, you know, poking fingers at things that are vulnerable and saying, hey, here's the vulnerability, but, hey, let's do something about it. Here's a solution, here's an approach, here's a technique that we developed back home that has worked to make this device safer, or this industry sector, if it's the medical industry, medical device industry sector, or the automotive industry. There are things that we can learn from cavalry members and from outside of the cavalry to build on and make more significant impact. So the cavalry needs you, not just to be cool and have mustaches and compete in DEF CON competitions for mustaches, but also to come up with solutions. Demonstrating threats is simply not enough. Yes, it gets people's attention, but we've been doing that, or security researchers have been doing that, for a few years. Brave and bold people like Barnaby Jack and like many of the people that I will mention today, and that Josh and Beau have mentioned earlier, yes, they're demonstrating a threat. It's not enough, we got to do more. So with I Am The Cavalry you have opportunities to influence areas that are really critical for safety. That means medical devices, that means automotive, that means connected devices in homes, like smart homes, and it also means infrastructure, things that are really fundamental around the world, things that are evolving a lot faster than the capacity to defend them. So even if you don't see a current area of focus right now within I Am The Cavalry that you find that you relate with, that doesn't mean it can't be a part of that effort. That doesn't mean you can't start your own meetup or group or a Slack channel to focus. If, for example, you are really curious about safety of trains and that kind of mass transportation system, this is an area of focus that you can start the conversation on and help people learn more about it. So it doesn't need to be like a top-down, you know, list of topics which are the only things the cavalry will work on or make a difference in. Yes, these are some: the medical device field and the automotive field have been really in the focus of the work of the cavalry and the impact in the past few years, but that doesn't have to end there. In fact, it will have to go way beyond that scope in order to make more significant, lasting impact, in my opinion.

This is Jay Radcliffe, who's been mentioned, I believe, earlier this morning. I don't know if he's in the room. Jay is a cavalry member, he's a medical device security researcher at Rapid7, and he is also a diabetic patient himself. Last year he was at the I Am The Cavalry track and meetup. I think he also met with Suzanne Schwartz and the people from the FDA, and he met with the people from Johnson & Johnson, who are the company that makes the device that he relies on every day. So when he found a vulnerability, a very dangerous vulnerability, in the device that he relies on for his life, he was able to communicate with I Am The Cavalry, with the makers of the product, with the FDA's blessing, in a way. I hope I'm not misconstruing their blessing. Is that fine to say? I'm not a Fed, I'm far from that, so, by the way, don't sue me, but if you will, I got a fierce lawyer in the room right here to protect me. She's also my sister, so watch out. And I'm sorry, 2.0. She, by the way, she's got a great talk later on tonight, 7:00 p.m., 7:30, about bug bounty programs and the legal risks to researchers, so that's complementing a lot of the things we're talking about here as well. When Jay made this research available with the FDA and with the company that makes this product, he was able to get a solution out there into the world a lot faster than in any other capacity or way, definitely a lot faster than if he would just show up at Black Hat or DEF CON and give a really cool, really snazzy demo that would get everybody's attention. I think in order to get the FDA's approval to conduct the software update for something like this, to solve a life-threatening bug, that really is a safety-critical process that needs to happen in rooms like this, with conversations face to face, and not just on a Black Hat demo stage. That's what I feel anyway.

This is Marie Moe. She is a professor and a researcher from Norway. She's also a member of the cavalry, and she's also focused on medical device security, and it's not by circumstance or by coincidence: she has a medical device implanted in her body as well, so she has a pacemaker. In the past year or two she's been focusing research on this
very critical area so cavalry members and researchers we're not just poking holes at them you know demonstrating the problem we are not just going to be a part of the solution we are also the patients or the people driving the cars or using the devices which are at risk so we really have I mean I think we should all feel like we have a lot of skin in the game this is another fantastic effort that is being done by Craig Smith who is not here but will be at the car hacking village at DEFCON and the car hacking village DEFCON is going to be pretty rad this year with lots of different cards he wrote this book
called the car hacker's handbook he shares his knowledge which is exactly I think what Josh spoke about this morning it's not just one person who's going to be the expert on everything car hacking it's gonna need a lot of people who are experts at car hacking and security of medical and automotive devices and so he's doing that speaking about cars in 2015 I believe mark Rogers and Kevin Matt 50 I hope I'm pronouncing his name right gave this really awesome talk at Def Con about hacking the Tesla Model S and I hope we have some friends from Tesla here in the room with us I know that some friends from Tesla were in the room when these
guys gave a talk and tests are reached out to them and they really appreciate the research and everything that they had done in order to show problems with the Tesla which is you know the Model S is their flagship flagship product mark and Kevin described hacking the Tesla Model S as the hacker Olympics because it's hardware and software it's embedded systems it's radio with navigations it's infotainment this is really everything like maybe you could figure out a way to do some social engineering research and there somehow you know we're thinking about the UI and things like that so these areas of security research that the cavalry is focused on they're not just writing secure code or applications
or crypto there's a lot of different things to be done so if you find something that is of an interest to you or if you feel like something needs to be done there is so much work that can be done even outside of what these people are doing and it shouldn't be enough for you if you're saying oh this guy already there to talk about card hacking so we don't need another talk about that we might not need another talk at DEFCON but we do need more research we do need more solutions we do need more conversations in rooms like this now the Tesla hackers got this coin which is really cool it's a challenge
coin Tesla gives without only to the top researchers around the world that's awesome there is a chance though that you didn't even hear about this and there is a chance you might have not heard about something like this that happened the same year when researchers from China from lab at lab called kin which i think is part of $0.10 that's a huge huge Chinese company they found a way to mess around with the firmware updates on the Tesla and their reports to Tesla actually triggered a change in the way Tesla requires digital signatures for new firmware updates on vehicles and I think a lot of other companies already look at that slice an avocado or as a you know a marker of
what's coming so when a company like Tesla learns from researchers to do something like that I think it's very positive and it definitely sparks solutions and not just demonstrate threats but there's a chance you didn't even hear about that in fact if I go now to the streets of Las Vegas even during this week and I just ask a random stranger or a cab driver I often speak to cab drivers and I ask them what they think about car hacking so the last time I was in the cab just I think yesterday a couple days ago my lovely driver she said to me oh yeah car hacking well there's this she didn't hear about this she heard about this she
heard about this video of Jeep being remotely hacked so everybody on the street will you know tell you oh yeah you can turn off the engine for a Jeep or you can take it off the road or you know hackers could do anything to a Jeep these days right even in the latest fast and furious movie Charlize Theron who is now a fierce cyberterrorists which which is great you know I really feel like we need more female role models in this industry I myself was really inspired by a female role model I was inspired by Angelina Jolie and hackers now Charlize is you know also providing role models for super villains he doesn't wear a hoodie
a single time in the film by the way but she did utilize this exploit on the Jeep as part you know of a very very energetic scene what you don't hear about is the five star automotive safety framework that was published the same the same time you don't hear about the Tesla research you hear about the Jeep hacking because it's fancy and it catches people's attention and it speaks to the fear that's already in the hearts of man and it does not inspire hope so you know what guess what will not see you know surely stir on saving the day with a Tesla we will see her hacking a jeep and that's when the elephant in the room comes in I'm sure
you may have heard or maybe you understand that there may be even some elephants here with us these are the media our good friends who are helping us spread the message further writing Hollywood scripts and conducting TV shows but guess what they really love it when hackers run a circus show for them you know when we jump through hoops and demonstrate on stage that we can make an ATM spit dollars because it photographs really well they love it when the cavalry guys run a simulation with the patient like a dummy patient a guy who is not a real guy who's getting electrocuted yes that's photographs very well but it could also really scare people and when
we are conducting security research or when we are conducting we're trying to spark solutions you know we really need to be really intentional I think not to deviate into the realm of stunt hacks because these stunt acts yes they're very provocative if they get our people's attention they get the public speaking about things but they can also really derail a conversation and prevent some of the solutions that we're trying to build here in the room they also really harm public trust so I really like Charlie and Chris who did that G pack in 2015 and I mentioned them in a lot of my talks but I also think there was a lasting impression in the public
that car hacking is all about you know maybe a particular car that could be hacked a jeep or that anybody could hack a car but it wasn't about the solutions it wasn't about the security research that's being done to prevent it it wasn't about the five star automotive platform so we have to do better I think at this and finally when I'm talking about stun hacks they really a lot of the times they really uncover very basic Universal issues so while you're doing like a demo a fancy demo doing like some fireworks on stage or you know recently I saw something really cool in the ICS area I saw a Siemens industrial control system rig mated like
Siemens and Honeywell to vendors you never see that together used to make cocktails used it actually made me like a great vodka grapefruit cocktail that's really awesome but it's not really showing the actual security vulnerabilities that are in that system the way that hacker control it remotely to you know make me a cocktail yes it gets people's attention but the really universal issue is hard is the fact that in the industrial control system world we have different vendors living together in the same machines in the same environments the same devices and so those are some of the major risks and we need to look at not the fancy cocktail that comes out at the end so
what are some things that we can do and I would refer to bow to know if I have some more time okay two more minutes okay so what are some things that you can do in the next two days what are some things that you can think about as you think about your role in the cavalry how you can get others involved trust and safety are our goal it's not about protecting our little piece of turf like I'm the car hacking expert or I'm the voting machine expert or whatever it's about getting more trust more safety in these devices for more people so it's not about protecting secrets or Facebook passwords or credit card numbers it's
about trust and safety Public Safety public trust in technology media and public opinion really matters so how how hackers are portrayed in the media is a big part of it but it's also it also falls to us when we conduct the demonstration when we talk about security research we have to be really intentional not to spread fear but to also offer some hope some optimism some ways for solutions not just demonstrating threats and striking fear into the heart of mankind we really got to be intentional fixing some things fast because I think as just mentioned threats to human lives are happening right now this is not um you know it's not a drill this is actually happening I'll skip
some of this part I want to talk about connected toasters but this is a website that I think magazine created like a demo of a hackable toaster yes somebody could root your toaster not to spy on your bread making habits but to make it a part of a botnet and we all saw this with me right with the Mirai botnet in 2016 and it wasn't just that but here's a positive stuff the FTC has sort of a bug bounty or sort of a competition for IOT and connected devices and what they're focusing on is one thing which is really critical which is how do we get firmware updates or software updates to these multitudes of
vulnerable devices you all know Sheldon I don't know if you know this site it's got some cool hacks for home devices so if this is an area I want to explore explore more it's called exploit peers it's used to be the Google TV hacking crew build it securely is another fantastic resource I hope will be mentioned throughout the day for IOT security I wanted to talk a little bit very briefly about ransomware so the idea of ransomware for devices has been out and about for a while this is a thermostat it was a demo right here at the Def Con last year but as we know ransomware now now really significantly impacts hospitals Kim Zetter from Wired
wrote a great great piece about why it health care is going to be really impacted by ransomware because people will pay people do pay so it's a very very significant business opportunity for criminals we're not gonna see less one cries we're not gonna see less attacks that are disrupting things like the National Health Service in the UK for example which was totally you know brought to a halt by one a cry recently I found this which was also referenced in there this is a ransomware hostage rescue manual kind of cool I don't know who this guy is I don't know if this is like a for-profit thing or not if there's something that we can
build on here if we can learn from this manual I know that a lot of people need the sort of advice and help so definitely in the healthcare industry and other industries as well right here to the right is an EEG that's running Windows XP it's not experiencing wanna cry ransomware it's just got like like a crash dump or blue screen of death because that's gonna happen even without ransomware right to the left it's nothing even more risky in my opinion it's a refrigerator for donated blood that also runs on Windows XP so we don't need ransomware to prove the point now this stuff is vulnerable and at risk you know yes if you are running a
healthcare system and you're running Windows XP you are not HIPAA compliant but guess what there is a big problem there it's not HIPAA compliancy if you're running Windows XP on the healthcare medical device system is you're putting people's lives at risk just like that you know I'll say that I think we are at that stage right now these operating systems these environments are at end of life we can't let them and people's lives right this is it might sound funny but it's not a joke it's very very serious I know I need to wrap up and I'm pretty much the only thing standing between you and lunch so take two more minutes to give you some hope and not just fear yes it's
on all blue the exploit that powered want to cry and PETA is still out there yes there are at least a hundred thousand vulnerable devices out there in the world still running Windows XP still exploitable by eternal blue this is a great resource a friend from Israel has made you can find it online scanning the internet for vulnerable devices truly plug everything off no we can't do that right we got to start updating operating systems which is really basic stuff that you have to explain to people why they should be doing it this is something really cool for the healthcare field that our friend Elena over there has created she works in hospitals and she found
it's really hard to get two peoples to get their attention so she created like a comic which I love because I'm a big fan of comic books and she created a comic to get people to know think about password protection updating the software yes this is not fancy snazzy card hacking on the big stage and bracket but this is probably saving more lives so that's the kind of thing that I think we need to be doing a red team is something that we got going on in Israel it's a volunteer team of risk Assessors and pen testers that go in to hospitals and other organizations that can't afford cybersecurity Red Team testing and it's not
me but it's some of my Israeli friends some are b-side selfie friends and they do that you can reach out to them learn more about that finally anything that you can do you can teach somebody else to do and you have to we have to branch out it can't just be this room it can't just be the people who come out to Vegas which is a privilege let's admit it it takes time and effort to go all the way out here to the desert we need to get more people in Europe in Asia and Latin America all over the world some blue skies ahead cyber safety is our goal if not now then when now's the time to start doing things and
we have to share collaborate teach each other so that we're not just defending our you know status as the only Highlander that can do this particular type of security research work or secure the advocacy cavalry it's time to roll out and it's time to have lunch thank you very much [Applause]