
Good morning. So, I'm not who you're here to see, but I'm who you're going to see. Thank you. I am Jack Daniel. I am one of the folks behind the BSides movement; I've been involved since before the beginning, not that that really matters, because one of the keys to BSides is that it is driven by local community and local organizers who make these things happen. That's the power of BSides. One of the things I'd like to point out is that at BSides we have a Founders Circle, but unlike a lot of cons that I won't name, our Founders Circle is based on the idea that BSides is a growing community, and growing communities need growing foundations. So whether this is your first or 43rd or 44th BSides, you're a member of the BSides Founders Circle because you're participating today. That's unreasonably real, you know, optimistic and whatever for me, but that's my deal.

I'm also a strategist at Tenable Network Security. I work with Space Rogue and Marcus Ranum. I want you to think about that for a minute. It makes Space Rogue the optimist, the young optimist, on our team. So this is something I had a conversation with some folks about: who we don't know. I actually am an auto mechanic; I haven't quite figured out how I got here. It involved having to stick a tape that looked like half an eight-track into a thing that looked like a dishwasher, a stack of dishwasher-like things, so the parts prices would be right, and then I discovered, when they give you the shoebox full of tapes, I found out what an operating system was at 2:00 in the morning on phone support when the dealer group system, decades ago, didn't work. Anyway, so here I am now.

So, disclaimer: I am ignorant. I am not even a great mechanic anymore, because they've gotten my damn computers and you can't get away from those things; they don't take security seriously. Yeah, cars. But I'm fairly new to the industry on the scale of some people. I mean, compared to Space Rogue or Jericho, I'm new. I won't say young, but some of you have been around quite a while, and so I've got a lot to learn, and that's one of the cool things about this industry: there's a lot to learn. So before you make fun of me, I just would like to remind you, with the challenges we face, we're all ignorant. It's part of the deal.

A lot of folks contributed to this, actually. Jericho isn't here, but a couple of names he suggested; Becky Bace, Marcus Ranum, and a couple of non-public lists that I'm on contributed a lot of names, a lot of ideas; and Spaf was instrumental in this, gave me a lot of perspective as well as his names and ideas.

We'll start out with... I know it's morning so this kind of hurts; I spread the words out a lot but it still hurts to grab here: why we don't know who and what it is we don't know. So the early days were different. There wasn't this thing called an industry. People that worked with computers, some of them were responsible for securing them; that was it. It's different; it's just what you did, and therefore things are different. They learned a lot. There weren't dedicated security cons; it was just different. One of the things you may have noticed is all the nice folks in the hall, even the ones that aren't saying so, are hiring. We're trying to pull people into this industry, we're trying to find the right skill sets. A lot of us come in and try to play catch-up and we can't even keep up, much less have the luxury of looking backwards. So, you know, it's going to take some historical perspective: how much the work was before the internet and before the web, and if Google doesn't index a paper, does it actually make a sound? Yeah.

Those of us in the industry like to make fun of DoD and academia and government and mil, and they like to make fun of us, and we ridicule as much as they do, but we don't always cross over. Now, in this room, in this region, there's more crossover because we can't avoid each other, and there is the revolving door from military to private to government service to contractor and back, but a lot of it is off from under there. A lot of them aren't with us anymore, either dead or retired or, even worse, now in management or something, God forbid, policy roles, and those that are still around you rarely see on the con circuit, at least not our con circuit. Some of these folks you do see at RSA, but that's...

So let's start with some folks that you know the names of and kind of have a little fun with these. So if you took CISSP or any other thing, or maybe actually studied this stuff, you know about the Bell-LaPadula model. Turns out those are actual people, and they're still alive. David Elliott Bell; Leonard LaPadula is a much more private guy, you won't find a lot about him. Folks that know David Bell confirm that he's a bit of a character, has a great sense of humor, but they're like actual real people, and they came up with some foundational ideas that we still sort of pretend to pay attention to, like we pretend the OSI model or the seven layers actually reference anything. But they're real people, and they came up with some really fundamental ideas about no read up and no write down and using access matrices. And these folks were at places like MITRE, you know, back when it was relevant... no, that's mean. It's all right, I'll make fun of this soon too. Wasn't Barnes & Noble not far away? They have dictionaries, so some of those words, like "continuous," you could look up. But anyway: MITRE, Honeywell, EDS, and NSA.

Which brings me to a tangent that I kind of need to go on if I'm going to talk about people from the NSA. Anybody here happy with the state of internet privacy and what the government is doing? Yeah. So we've got our FBI director Comey, who's basically asking for, you know, Clipper chip too. He's not using those words, because he knows there are a few of us around that know what Clipper chip is and we would say bad things. But no matter what you think of the NSA through the years, a lot of brilliant, dedicated, patriotic people have worked at the NSA and have done some amazing work. This is true today. I'm sure in this room, more than most places that I will talk about this, you know folks at that or other agencies; there are some phenomenal people there. Personally, I feel that the failure is at the political level, so that's senior management at NSA and then the actual politicians, and I won't vent about that because I know where I'm standing and you have your opinions. It's also important to know that this supported a lot of people and a lot of projects. A lot of tech wouldn't happen, a lot of things wouldn't have functioned without the seeds, a lot of people wouldn't have the connections they do that built the industry we're in, without NSA. That does not mean I'm happy about the Orwellian-or-worse state of things. This also applies to GCHQ and similar. Unfortunately GCHQ and the UK and the other entities that are part of Five Eyes are really terrifying, because you can poke out four eyeballs and they still see everything. But that's a political issue.

All right. People have heard of Whit Diffie and the ponytail. Whit rocked it before Bruce did. But these are real folks. Whit, Marty: we use their stuff continuously. Their paper "New Directions in Cryptography" came out in '76. The idea was to distribute cryptographic keys over an unsecured network securely so that we could do things; that kind of is what the internet's built on, if only we could get, like, SSL right. All right, job security. So Diffie-Hellman key exchange, in '76, that exploded interest in asymmetric crypto, and it's possible that Ron was more right than the RSA folks, because, you know, ElGamal and other things based on this sort of asymmetric stuff seem to have more lifetime. Whit, like a lot of these folks that were early into cryptography, is actually really concerned, and has been for decades, about individual rights and privacy. Marty's also interested in greater social and political things; he is and has been active in the anti-war movement and the anti-nuclear-proliferation movement. These are actual people.

So the crypto folks might know that Marty worked with Ralph Merkle. Here's one of the names that a lot of folks don't know, because we don't talk about the Merkle puzzles and other things, the Merkle-Hellman knapsack and other things. His ideas became part of what we now take for granted as Diffie-Hellman key exchange. It started with secure communications over insecure channels. He developed something he called the Merkle puzzles while an undergraduate, as a class project. He's one of the foundational people, one of many people that contributed to a lot of things. He's also, besides being one of the early inventors of public key cryptography, into molecular nanotechnology and cryonics. These people have other interests; they're actual folks.

You know these people; if not, I'll give you a little subtle hint. Ron invented a bunch of symmetric key algorithms, RC2, 4, 5, 6 (RC being Rivest Cipher or Ron's Code), and also authored MD2, 4, 5, 6. He's interested in privacy and security. He's created something called the ThreeBallot voting system, which does not use cryptography, because he feels that democracy is too important to trust to crypto. Think about that: it seems Ron Rivest says that democracy is too important to trust to crypto, and so he's created this thing called the ThreeBallot voting system. Basically, you get three ballots; it can be executed on paper. Gross oversimplification: everyone's given three ballots, two of your ballots are designed to cancel each other out, the third one's real, each one has a serial number which is randomized across them, and therefore, if you read the paper, you can see how it is possible to have democracy with a verifiable "did my vote get counted," things like that. Because he cares about that. Adi Shamir, who's one of the inventors of differential cryptanalysis. Len, besides what he does in theoretical computer science and crypto, is into DNA computing, using biologics rather than silicon for computing power. These people didn't make a single contribution and then leave and retire and get a title somewhere, although they did those things too.

So who else? Oh, everybody knows these three folks, right? So the crypto folks might have heard of Clifford Cocks. I'll refer to him by his first name, even though I don't know him, just because you guys don't need any encouragement to be juvenile; neither do I. In 1970, while at GCHQ, James Ellis wrote a paper describing what he called non-secret encryption. These days we refer to that as public key cryptography. He wrote that in '70. Clifford and Malcolm Williamson were college friends, teammates on the mathematical olympiad team, you know, won awards and whatever. In '73 both of them joined GCHQ. They weren't quite sure what to do with them at GCHQ, the UK version of NSA if you will, a similar organization. So they took Ellis's paper, which didn't really implement everything; it just laid out this idea of public space and being able to do things securely over it. It really kind of defined it but didn't get the nuts and bolts and working pieces spinning. Clifford took that paper, read it while he was waiting for a real assignment, and worked out some of the moving parts, including a critical algorithm that was a few years later created by Ron Rivest and company. So in 1973 Clifford Cocks invented RSA. In 1974, because Williamson had a few other things to do, he worked out the rest of the puzzle, which was how to securely swap crypto keys over an insecure network. So in 1974 Malcolm Williamson invented the Diffie-Hellman key exchange, two years before Diffie and Hellman's paper came out. But they were spooks. This was not declassified until 1997. Ellis had passed away by then. This is a classic case of why there are some folks that know folks, and especially in a DC audience there's some of you who know folks and know stuff about those folks that isn't common knowledge, and it's like, there are some brilliant people we don't know.

There are a couple of takeaways on the story. First of all, when you discover, invent, create something, hold your ego in check; you may not be the first. But more importantly, I think... so we've all held egos in check, you know, says the idiot standing in the front of the room. But because of the situation this was used in, they didn't get much value out of it. So a couple of years later, a couple of different teams of people discovered, invented, whatever you want to say, the same stuff and actually built the world we live in today out of it. And so it wasn't new; they thought it was new; it didn't matter; they took it further; they built on the people who came before. So, wow. And I'd be willing to bet in this crowd some of you have found things, whether it's a disclosure, whatever, you've found something, figured out a problem, right? You figure out a problem, and the first thing you do when you figure out a problem is like, "Damn, I'm good." The people that I like to work with are the ones that are like, "Damn, I'm good, I figured this out," and you go and grab a beer or coffee or Red Bull or whatever, and you sit back down and think, "What an imbecile. Why did it take me this long to figure this out?" And that's the kind of mindset that drives us forward.

So anyway, that's them: 16 people, mostly random in order, some you've heard of, some you may not have. Everybody knows Hopper, please, right? Don't raise your hand if you don't; just stop; tonight, tomorrow, this afternoon, solve this. Badass doesn't begin to describe Amazing Grace. If you think compiling all your own is cool, you can thank her, because she got tired of writing everything out to the machine by hand, so she wrote the first compiler. But that was actually really cool, because when she started programming, for those of you who saw the keynote this morning, her programming days started when they used patch cables, and moving forward to DIP switches for programming actually really was an advancement in her career. That's pretty bad. She retired from the Navy three times, was brought back three times, retired, when they finally pushed her out, as a rear admiral. Just a little bit of trivia: the reason we debug systems is because of Grace Hopper; a mechanical relay had a moth in it, she pulled the moth out, the computer resumed functioning, and thus we had debugging. I've got some references at the end of this. If you haven't seen it, there is a 10-minute clip of her on David Letterman, like 20 years ago. It's just awesome. The last 30 seconds are sort of weird, getting into Irish or Scottish family names or something, but it is great to see her, because she's just... you're awesome. She is unfortunately deceased, but she kicked ass.

All right, so Spaf. A lot of folks know of Spaf. A couple of things about Spaf: he has a page of firsts; he's done a lot of stuff. We think of him as an academic. So Tripwire was a summer project for Gene Kim when he was an undergraduate student. Folks like Gene Kim, Farmer, and more than I can list are alumni of Spaf's. He founded the CERIAS institute at Purdue; he's been there since '87. He likes to be known for a lot of inventions and things that he's created. In the context of this project, his value as a historian has been fantastic. Unfortunately, for several of the people that I've researched in this project, the best information I could find about them was the obituary or memorial tribute Spaf wrote about them, which is a great value too. And by the way, Spaf is not just a computer science professor; he is a tenured professor in computer science at Purdue, but for the record he is also a professor of philosophy, communication, electrical engineering, computer engineering, and political science. And rocks a bow tie like a man.

Becky Bace. All right, so we're here in DC, so everybody knows Becky Bace's name at least, right? Please. You're awesome. "Den mother of IDS" was one of her many nicknames. People that did early network analysis and intrusion detection, that run companies that some of us may work for now, might not have gotten their career started were it not for Becky's guidance, connection with other people, funding, and other resources from the NSA. And she's done a lot more, but that's where she's known. There are a lot of folks that many of us in this room, like I said, worked with and for, that got huge career boosts and launches because of Becky. And then she went into private practice, consulting, afterwards. One of the most awesome things about Becky is that when she left southern Alabama she promised her dad that after she, you know, married a damn Yankee and did her government thing up there and did the big business thing, that sometime she would go home, because, as Dad pointed out, southern Alabama could use some help with education. So for the past few years she's been teaching at the University of South Alabama, fulfilling a promise that she made to her father decades ago. Which is, yeah, you're awesome.

All right, this guy's arguably the youngest. He's why we have a CERT: created the Morris worm. That's Junior, right? Right, this is the younger. He was the first person convicted under the CFAA, charged in '89, convicted, sentenced to three years' probation in '90, I think it was a $10,000 fine; he appealed, they said no, you're paying it. I don't want to trash any other role models that we might have in the industry of the "reformed hacker," but for argument's sake let's look at the reformed hacker, in air quotes, Mr. Mitnick; his latest venture is selling zero-days. This reformed hacker, who never meant anything malicious, by the way (that's pretty much universally understood), since those days he co-founded Viaweb, co-founded Y Combinator. When you're talking to executives and Congress critters and others, "co-founded Y Combinator": I've heard of that, that's like a real thing, right? He's a tenured professor in electrical engineering and computer science, has been tenured at MIT since 2006. If we need a poster child for the reformed hacker, I would argue that this might be a better poster child.

Which means we've got to talk about his dad. He spent 26 years at Bell Labs doing things like Multics, an old-school, hardcore operating system; later he moved on to work on this new project called Unix. He spent some years at NSA, specifically 1986 to 1994, so if we do the math from that last slide, that means he was working at NSA and was called into an office to meet with some FBI and other folks who had to tell him about, "uh oh, we're picking up your son, he did this." Apparently, Becky has told me (she worked with him at the time), the elder Morris was not happy that day. I have a couple of quotes that are worth doing. I hate to boil these people down, but I'm trying to cover a bunch of folks. "Never underestimate the attention, risk, money, and time that an opponent will put into reading traffic." Yeah, we have people that still don't believe that. "Number one rule of cryptanalysis: check for plaintext." Next. Nobody's ever, like, even tried to solve a con puzzle and worked way too hard, right? Also, his three golden rules to ensure computer security: "Do not own a computer; do not power it on; do not use it." Let me remind you: he spent 26 years at Bell Labs working on Multics, then Unix, and then spent almost a decade at NSA. Do not use computers.

Here's one. A lot of people like to be futurists and visionaries and... right, that's cool. Theoretically, as a strategist, that's me. I'm not that arrogant. "The computer will touch men everywhere and in every way, almost on a minute-to-minute basis. Every man will communicate through a computer whatever he does..." Oh no, it's not... it's blacking out; it's for dramatic effect. Let's try that again. "The computer will touch men everywhere and in every way, almost on a minute-to-minute basis. Every man will communicate through a computer whatever he does. It will change and reshape his life, modify his career, and force him to accept a life of continuous change."

1966. Willis Ware made this observation. Some of you have undoubtedly heard of the Ware Report; a lot of you haven't. It was originally released in '67, reissued in '70, a 47-year-old document. It was targeted to address the concerns of multi-user computing environments handling sensitive and secret information in military environments. It is stunningly relevant today. It's full of acronyms; it is '60s, '70s; it is military- and government-targeted, but it is still stunningly right. And he started life in World War II working on classified radar systems and the identification-friend-or-foe stuff. He spent 40 years at RAND Corporation, where he did this. And so the Ware Report is a big thing that people know; it's still readily available, you can Google for it. But he, like many of these other folks, realized that the power of the computer meant that it had a great power to be a tool against us, and was very concerned with privacy, and actually was one of the people that drove President Ford towards the Privacy Act of '74, the first time we had any kind of legislation. He was instrumental in getting that. And we actually lost Willis less than a year ago at the age of 93. Really, yeah.

Peter Neumann. Influential to his perspective and career, so I would imagine: he had breakfast with Einstein. And you know what they talked about? They talked about the significance of complexity. Having that conversation with Einstein sort of altered the way he viewed the world: complexity. And we're still fighting complexity to this day. He was at Bell Labs for a decade, then SRI, and he's still at SRI actually. Worked on Multics, and he actually worked on something called PSOS, the Provably Secure Operating System. Some folks may know he still writes the RISKS Digest. The Provably Secure Operating System is pre-global-interconnectivity-of-everything and multi-function computing, but people actually should try to make this happen.

Padgett Peterson. A lot of folks may know him as an early antivirus guy, but, quote from Rob Slade on Padgett: he "is to some extent the prototypical US good old boy, although he prefers the term 'Southern gentleman and eccentric.'" For car folks: Padgett still drives a GTO Judge; dirt-track and paved-track stock car racer; he is proud of his skill with large-caliber handguns, gentleman; and trans-oceanic radios. He also was, like a lot of those early AV guys who are going to make the lists that I'm doing, a low-level programmer; they wrote low-level code because that's how you found this stuff and fought it.

William Stallings. All he's done is write a ton of textbooks, which define computer science and other things for everybody taking college courses in this. He did not create algorithms; he did not do that, but he sort of is how people in college learn about our industry and related ones, so he's kind of important, and he did it well in that he would turn to people who actually knew what they were talking about and were in the fields of antivirus and crypto and other things for his textbooks.

Another one everybody should know; she's underappreciated. Dorothy Denning is known for the, again, '76 publication "A Lattice Model of Secure Information Flow." Sexy title. The data nerds love her, and as well they should. It basically established a mathematical basis for enforcing security on a computing system, and that's where the data nerds of the world live, in that math, the ones that actually get it, not the ones that just pretend to; people who actually understand statistics and math, not Larry Ponemon. I said that loud. But some of us in this community know her because she was early on sympathetic to early hackers, and she got crap for them, and then she changed her view on that as some of them became more and more criminal, from just mischievous. And she also worked on the Skipjack cipher, which was used in the infamous Clipper chip. She felt that was necessary, and she defended her position. She still gets crap over that. She actually still had a Clipper chip device on her desk, at least a couple of years ago. She was a professor at Purdue, then to SRI, and then Georgetown, and now both she and her husband are at the Naval Postgraduate School as professors. But she's one of the people responsible for bringing real math into the security ground.

Brian Snow. Brian is an eloquent speaker, another one that spent decades at NSA: cryptographer, mathematician, protected NSA from attack; his job was securing NSA systems. Sees big pictures, really big pictures. So when we talk about crypto and resilience to attack, and it's like, "oh, my credit card number"... oh, credit cards are a bad example. You know, if it takes six or seven years to break the crypto on something we're doing, that's not a big deal, because it's irrelevant by then. If it takes 58 years to break the crypto on things that are happening at NSA, that could just start the war 58 years later. It forces you to have a big-picture view, and that's one of the things I think is fantastic about hearing what Brian Snow has to say. We interviewed him on Security Weekly a year and a half ago. He's on Patrick Gray's Risky Business podcast with some regularity; he took some time off after the Snowden things; just a few months ago he was back on that. If you want to hear a great interview, Risky Business podcast, find the one with Brian Snow. He talks about what his beliefs, what his views of NSA are post-Snowden revelations, post-WikiLeaks. There's also a secondary feed where he talks about the significance of quantum computing on modern cryptography. The short version: we're screwed.

Steve Crocker, inventor of the RFC. The first one was written by him: a summary of the IMP software. Not sure that's really relevant, but he's been part of the internet community since the beginning. He was a grad student; he actually worked on the original protocols for ARPANET.

Steve Lipner didn't want to be in security. He was at MITRE, and they wanted him to do computer security stuff, and he said he would do it only until they could hire the right person. Decades later... years later he left MITRE, went to DEC; he's been at Microsoft for 15-plus years now. He's one of the people that drove Trustworthy Computing and still does; not sure where he lands in the Trustworthy Computing reshuffle putting people out, but he's been driving things from Multics days to Windows days, and he's one of the folks that's still around.

Hal Finney, lifelong privacy advocate. So yes: lifelong privacy advocate, quiet developer of PGP. He wanted to stay out of the limelight; he stayed out of the legal battles in the '90s, and when all the legal nonsense blew over and Phil was able to start a company, the first person hired was Hal Finney. Advocate of anonymity and cryptocurrencies, early contributor to Bitcoin. He's one of the many people that people thought were Satoshi, but isn't. Recently passed away from ALS, unfortunately. But he was also an advocate of cryonics, so if he's right, we may hear from Hal again.

Bob Abbott. I can't do him justice, but I'm going to read seven points from his RISOS (Research Into Secure Operating Systems) study, '71 to '76. He outlined seven things about securing systems: one, incomplete parameter validation; at least we got that solved. Two, inconsistent parameter validation. Three, implicit sharing of privileged or confidential data; maybe we're not doing so good. Number four, asynchronous validation or inadequate serialization; that's race conditions and time-of-check versus time-of-use; yeah, we got those nailed. Inadequate identification, authentication, authorization. Violable prohibitions and limits. And exploitable logic errors. Some of you may know him from... he did a bunch of cool stuff; we're running out of time here, so I'm not going to do it all. But at the end of Sneakers, James Earl Jones is sitting there; that character's name was Bernard Abbott, in tribute to Bob Abbott, technical consultant for that, and several members of the cast were based on Abbott's team members.

Jim Anderson, generally credited with the concept of the reference monitor and audit-based intrusion detection; contributor to the Ware Report; the Anderson Report afterwards; deeply involved in the Orange Book. By the way, the Orange Book was reissued earlier this year; if you did not know that, there is a new version of the Orange Book; read into that whatever you will. Let me read Spaf's obituary tribute to him: "Anderson had broad interests, deep concerns, great insight, and a rare willingness to operate out of the spotlight. His sense of humor and patience with those earnestly seeking knowledge were greatly admired, as were his candid responses to the clueless and self-important. He eschewed public recognition, preferring that his work speak for itself." The guy who typed the ninety-something-page report on information security; if you can still find it on the internet... the Anderson Report drove Air Force and most military security for a decade-plus, and it's still a substantial reference.

So, wrapping up. The Charles Babbage Institute at the University of Minnesota has a bunch of great oral histories; they have a lot of information on these folks. Wikipedia, usual disclaimers apply. Gary McGraw's Silver Bullet podcast: he's interviewed several of these people. We have, on Security Weekly, interviewed several of these folks. And I lean heavily on this dude, not for his physics... well, I do; those of us that like to lean on things believe in Newtonian physics... but as a philosopher as well. It's actually not his quote, but he's most famous for it, which is, "If I have seen further, it is by standing on the shoulders of giants." And that was brought home to me over and over and over again researching this, and as a result I've started something called the Shoulders of InfoSec project. There's not a lot there yet; you can contribute; you can contribute a little or a lot. There are about 60 names there now, I think. There's a blog, a single post up; there's a wiki, an ugly wiki; it's PBworks. I hate it; it's software Stockholm syndrome; I hate it, but I know it well, so I use it. At this time, those people have a link to a page which might have between one and six links on it about those individual people, a bunch of other references and resources, places to find things like early reports on other projects. If you would like to nominate folks, please do. I would love it to grow into a lot more. It is a spare-time project, so the rate of growth is kind of slow, but there are a lot of folks that we don't know. I would like to eventually be able to have some subsections of folks, like early antivirus pioneers; thanks to a coworker, I've got a couple dozen of those. But check it out. Everybody that's on this and more are on there. And a variation on this talk was given at DerbyCon, and that's up there, so link to that if you want to share this with folks, if you're interested. And with that, thank you very much.
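The no-read-up / no-write-down rules the speaker credits to Bell and LaPadula, mediated through the kind of reference monitor he credits to Anderson, as an added worked example; this is not code from the talk, and the levels, compartments, subjects, objects and access matrix are constructed sample data.

```python
"""Bell-LaPadula reference monitor: no read up, no write down.

Added example, not from the talk. A subject may read an object only if the
subject's label dominates the object's (simple security property) and may
write to it only if the object's label dominates the subject's (*-property).
A discretionary access matrix is consulted first, and every decision is
recorded, which is the audit side of the reference-monitor idea.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Hierarchical levels, lowest to highest (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if self is at least as high as other and covers its compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class ReferenceMonitor:
    """Mediates every access: discretionary matrix first, then the mandatory rules."""
    subjects: Dict[str, Label]
    objects: Dict[str, Label]
    # Discretionary access matrix: (subject, object) -> allowed modes.
    matrix: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def check(self, subject: str, obj: str, mode: str) -> bool:
        allowed, reason = self._decide(subject, obj, mode)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{subject} {mode} {obj}: {verdict} ({reason})")
        return allowed

    def _decide(self, subject: str, obj: str, mode: str) -> Tuple[bool, str]:
        if mode not in self.matrix.get((subject, obj), set()):
            return False, "not granted in access matrix"
        s_lab, o_lab = self.subjects[subject], self.objects[obj]
        if mode == "read":
            return s_lab.dominates(o_lab), "simple security: no read up"
        if mode == "write":
            return o_lab.dominates(s_lab), "*-property: no write down"
        return False, "unknown access mode"


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed sample system: two subjects, three objects, permissive matrix."""
    subjects = {
        "analyst": Label("SECRET", frozenset({"NUCLEAR"})),
        "clerk": Label("UNCLASSIFIED"),
    }
    objects = {
        "public_memo": Label("UNCLASSIFIED"),
        "nuclear_report": Label("SECRET", frozenset({"NUCLEAR"})),
        "crypto_report": Label("SECRET", frozenset({"CRYPTO"})),
    }
    # Grant read+write everywhere so the mandatory rules decide the outcome...
    matrix = {(s, o): {"read", "write"} for s in subjects for o in objects}
    # ...except that the clerk has no matrix entry at all for crypto_report.
    del matrix[("clerk", "crypto_report")]
    return ReferenceMonitor(subjects, objects, matrix)


def run_demo() -> Dict[str, bool]:
    """Run the sample accesses and return each decision keyed by description."""
    m = build_demo_monitor()
    return {
        "analyst reads nuclear_report": m.check("analyst", "nuclear_report", "read"),
        "analyst reads crypto_report": m.check("analyst", "crypto_report", "read"),  # wrong compartment
        "analyst writes public_memo": m.check("analyst", "public_memo", "write"),    # write down
        "clerk writes nuclear_report": m.check("clerk", "nuclear_report", "write"),  # write up is permitted
        "clerk reads nuclear_report": m.check("clerk", "nuclear_report", "read"),    # read up
        "clerk reads crypto_report": m.check("clerk", "crypto_report", "read"),      # no matrix entry
    }


if __name__ == "__main__":
    for access, ok in run_demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {access}")
```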