
KEYNOTE - Ghosts of Past, Present, and Future - Bob Lord

BSides Las Vegas, 56:59, published 2019-10
About this talk
KEYNOTE - Ghosts of Past, Present, and Future - Bob Lord Keynote BSidesLV 2019 - Tuscany Hotel - Aug 06, 2019
Transcript (en)

Bob Lord is the chief security officer of the Democratic National Committee, so he's bringing more than 20 years of experience in the information security space to the committee, state parties, and campaigns. Previously he was Yahoo's CISO, covering areas such as risk management, product security, secure software development, e-crimes, and APT programs. Before that he acted as the CISO in residence at Rapid7, and before that headed up Twitter's information security program as its first security hire. And so he's gonna be giving us a talk that is very suitable too, as you may have heard, for the 10th anniversary of BSides Las Vegas. A lot has changed over 10 years and even improved over the past decade, believe it or not, but some persistent challenges remain. As I'm sure you're all aware, we've seen high-profile attacks, the rise big-time of nation-state attacks, and many other changes in the threat landscape. More recently we've seen some attackers favoring disinformation and hybrid attacks, and we've also seen products inching towards a security-by-design model. Bob's had a front-row seat to some of these events and transformations and will share some of his observations and a few key reasons to be optimistic about the future, and ways that you can help. So please join me in welcoming to the stage Bob Lord.

Hey, hey, hey everybody. Hey Las Vegas, this is awesome. Wow, there's so many of you. Wonderful. So when you're here, make sure that you see lots of talks and stuff like that, but go see a show too, and not just the big shows. There are these underground shows; they're really hard to find, but I found one last night around 3 a.m. right outside my door. It was a short, I don't know, I guess you'd call it sort of like an improv sort of thing, and I don't know the title, but I think the title was "You Don't Really Know Me," or it could have been "This Isn't the Vacation I Had Wanted Either." So yeah, so I had a lot of coffee this morning to try to get through things. Are you awake? Oh, okay, all right, that's good.

So I worked at a few places. For those of you who are a little bit on the younger side, the Netscape thing there, that was a company that made a web browser that allowed you to surf the World Wide Web, and it only cost $35, and you could buy it at CompUSA. So there was a time when you had to pay for the browser. True, I'm not making this up, you know. Oh yeah, yeah, what are we gonna do with you folks? Um, so like everybody, I wanted to see, well, I've got my talk, but you know, any kind of talk could be made a little bit better by asking the internet what you should be talking about. So I asked some people and I got some pretty good answers. So Richard is talking about the value of the Target breach, because it not only really raised sensitivities but it allowed people to think, well, maybe money isn't the only thing. Great, thank you, thank you Richard, that was a good one. And then of course we had people asking, or saying, that one of the most important events was the Snowden leaks. Anybody agree with that? So that was something we had a few people talking about. Stuxnet, and referenced Kim Zetter; Kim Zetter favorited that one, so I got that going for me, which is nice. Oh yeah, yeah, it might be something I would have thought of, yeah, the election. Maybe that was an interesting security story. Okay, thank you, thank you.

I have no complaints with this tweet. And then Jason actually linked to the infomercial, and then I watched the whole infomercial, the two minutes, and I almost picked up the phone, although I'm sure those numbers don't work anymore. Okay, so I want to make sure that you're awake. I know you've had some coffee, I heard someone, but let's really do this. Can we do this? You ready? So here's the deal. I just want you to humor me, so just vote for one of these things even if you don't know or don't care, or vote for the other one, what do I know. All right, three reasons why cybersecurity sucks, and then there's like a whole bunch of stuff, but there's a thing about attribution. I'm gonna talk about attribution later also. "The one thing you can be sure of is very few people know who is behind any cyberattack. Code analysis can help to some degree: hey, there's some Chinese characters in here. But code reuse is not exactly an unknown phenomenon online. There is no serious attribution methodology, so to some extent everyone is guessing." All right, if you think that this is 2009, ten years ago, raise your hand. Oh, a bunch, a bunch of ten years ago. All right, if you think that this was like last week, raise your hand. Yeah, okay, that's a little ambiguous. This one was actually 2009, and I'm hoping there'll be some talks here to help me understand what is currently going on in the world of attribution. I'll talk more about that later too.

Okay, 2009 or sometime last week? So here's some noted cryptographers; if I said who it was, you'd probably guess. So they say things like, "Given the importance of the Internet to society, and given the importance the network has in communications between people and their friends, governments and their citizens, communication security is critical, and we should all take care that that should take precedence over the debate of communication security versus communication surveillance." Wise words. Was this 2009, raise your hands, or was it kind of recently? A bunch more. Okay. Oh, trick question. Oh, oh, he's a mean man, he's a mean man, that's not fair. So some things just kind of keep coming back and forth. I remember back when I was working at Netscape, where you could buy a browser for $35, I remember back then in 1998 we fought the crypto wars then too, and it just seems like the kind of thing that we keep fighting over and over again, so I know many of you will have some opinions on that topic. All right, that's 2009, but what a great t-shirt that would be: "black, very strong." I'm thinking somebody here should just make up a t-shirt that makes it look like that was a logo, that was the slogan, "black, very strong."

All right, so not all of these things are just purely technological, these patterns that come back and forth. So you might imagine that I would be, in my current role, wondering about things like disinformation and active measures. So it's two slides here. So this was a CIA testimony, so spoiler alert, this is not from the Mueller report, but this is a CIA senior official testifying before Congress: "Given the importance of propaganda and active measures in its foreign policy implementation, the Russian government is willing to spend large sums of money on its program." Thank you, CIA, for letting us know the Russians are willing to spend a large sum of money on active measures. They talked about how the United States is the main target. "The Russian leadership sees active measures as indispensable," indispensable, they say, and they say the basic aims of active measures operations are to weaken the opponents of Russia and to create a favorable environment. Oh boy. And then they go on to say that they are poorly understood and infrequently countered systematically. So I really want to see every hand here: who thinks this is 2009? Raise your hands. A bunch. Who thinks this is more recent? Raise your... oh, he's cheating again, it's not fair, these tests suck. So I was doing some other research and I found a whole bunch of work that had happened in the '80s, and so this is one of them; you can go download this, Stanford has scanned it in, and so you can go read about it, but everything reads like it is recent. If you change KGB to FSB or GRU, it really reads like it's the same thing. And TV Guide of course got in on the action: "Why American TV Is So Vulnerable to Foreign Disinformation." This is 1982 also. Did anybody know about this? I think I missed this issue of the Guide. And notice the date too: this was actually June; the CIA report came out in July. CIA got scooped by the Guide. Never doubt the Guide. Okay, so I wanted to talk about the attack, so

we're talking about past, present, and future, so this is not ten years ago, but this is a few years ago. Anybody hear about this? Anybody affected by this? Liars, you all were. So we haven't talked a lot about this, and most people don't actually know that we caught the people who had committed this attack. Does anybody know? Be truthful. Okay, I have one person down here who knows that we caught the bad guys, a few people over there. Okay. I did not catch the bad guys. Did I catch the bad guys? But it turns out that we were able to provide enough information to law enforcement that they were able to actually put together a case and trace the footsteps of the attack all the way back to the Kremlin. I'm not making this up, you know. There was a press conference and they had foam-core; look, the Department of Justice made a poster, real foam-core, you know that this is serious business. So this was the press conference where they announced the indictment, and this turned out to be a real-life spy story. And the news is so crazy for the last few years that every time I ask a security group or individuals, "Do you know that we actually caught these guys?" no one knows. Can you imagine that with all of the things that are happening this would get drowned out? But it turns out the news cycle is really overwhelming. You can go download this. I don't want to say it's like a trashy spy novel, because it's, you know, written in sort of legalese, but it's some crazy stuff, and so I encourage people to actually go download it and read it, because I think it's rather instructive.

So what does the indictment say? So the first thing it talks about are the people that are being indicted, and just before that it talks a little bit about who these targets were. So who are they targeting? So they downloaded the user tables, but really they were looking for very specific people. So these are people of predictable interest to the FSB: personal accounts belonging to Russian journalists (that's kind of a tip-off, right, they're Russian journalists), Russian and US government officials, employees of a prominent Russian cybersecurity company, numerous employees of other providers whose networks the conspirators sought to exploit. So these were some of the targets, but some of them were commercial: an investment banking firm, a French transportation company, financial services, a Swiss Bitcoin wallet and banking, well, that's kind of interesting, that's all unusual, and a US airline. I wonder what they wanted with that data.

So let's talk about who these people were who were indicted. First was Dmitry Dokuchaev. He was an officer in the FSB, and most of you will know this, but the FSB is the largest of the successor agencies to the KGB. In fact some people will say that the only difference between the FSB and the KGB were just the letters. And so he was an FSB officer, so it's crazy that again law enforcement was able to track these steps all the way back to the Kremlin and to actually name an FSB officer. And so when you saw the Mueller indictments of the Russians, you saw a lot of the media people saying, a lot of reporters saying, "first time that the U.S. government has indicted Russian intelligence operatives," and it turns out no. I'm staring at the TV, like, screaming "no." These were the first. So Dokuchaev was really one of the first, and then there was Igor Sushchin, and he's an FSB officer and he was the superior to Dokuchaev, and he was embedded in a Russian investment bank as the purported head of cybersecurity. So to the best of my knowledge that's not something that our intelligence agencies do. Maybe you know more, but that's not something that's common here. So here they are taking FSB officers and embedding them in these corporations. So two FSB officers, real-life spy story, but it didn't really stop there, because they didn't do the actual hacking. They in turn hired some criminal hackers, and the primary person that they hired was Alexsey Belan, and he was born in Latvia and he was a Russian national. So this is crazy. So here they are, the FSB is now hiring these criminal hackers, and check this out, he had been previously indicted, and so he was well known to law enforcement and the intelligence community. He was named one of the FBI's most wanted cyber criminals in 2013, and he had an Interpol red notice seeking his immediate detention. And so he had all of these flags against him, and it turns out he had gone outside of Russia and got arrested, but then he was able to escape. I don't know how to escape from jail, do you? Oh no,

this guy does. Sorry, I do not know how to escape from jail. And so he gets back to Russia before he can be extradited to the United States. I'm not making this up, it's in the indictment, go read it, it's some crazy spy stuff. But instead of honoring this red notice, the Russians picked him up and they're like, "Hey, we could send you back to the United States, or we could actually have you gain access to the Yahoo network." So that's where this started, and again this is one of these crazy stories that gets lost in the news on a regular basis. There's a whole bunch of stuff here. Basically he was able to acquire enough information that he could mint these cookies that would then allow him to access any Yahoo account, and there's a whole bunch more. I don't go too far into this particular thing, but he had some side work too. So while he's breaking into accounts for the FSB, might as well make some money on the side. So he was stealing gift card information, credit card numbers, and he was able to modify some servers to fraudulently redirect a subset of Yahoo's traffic. Now who wants to guess what sort of keywords Alexsey Belan had rigged so that when you type those search terms into the search engine you'd go to his affiliate program? Who wants to guess what kind of... what? Bitcoin? That's a very good guess, but that's not it. Viagra? Yeah, so it was male enhancement drugs or something like that, I forget the exact language in the indictment, but that's exactly right. So this was his little side project to make some extra bucks.

Karim Baratov, so he was not in Russia, he was in Canada, and he was actually tasked with gaining access to more than 80 accounts in exchange for some commissions. And this is Karim, from his Instagram account; his license plate says "Mr. Karim," and then he has some nice tattoos. But he was in a place where they honored the extradition treaty, so he was arrested in Canada, extradited to the United States, and then he was arraigned. He was actually sent to San Francisco. I live in San Francisco, so I got to go see him in court a few times, and you know, the first time I saw him I was sitting near a courtroom sketch artist, and I went over and I said, "Hey, do you do commissioned work?" and she says yes, and I said, "Would you do a sketch of Karim for me?" and she did. And so this is the first time I've ever shown this picture. This is Karim Baratov in court talking to the judge. Actually he was flanked by his attorneys and the government attorneys, but this is sort of like the zoom in. He was 22 at the time he was indicted, eventually sentenced to five years in prison, so he's still there.

So I think there are some interesting lessons here, and part of them come from the 10-K report, and so I recommend that you read the indictment and I recommend that you read the Yahoo 10-K report. And I think a lot of the time we talk about information sharing and we talk about things like IOCs, and we talk about, you know, IP addresses, and that's fine, we should talk about that, but this is one of the few cases where a huge amount of public information is available to you, if only you go download these documents. If you download the indictment, if you download the 10-K, it'll actually tell you a more fulsome story than you're going to get for most of the other breaches. So everything that I'm telling you here is all completely public knowledge. And so the 10-K talks about the independent committee of the board, and they found out that the information security team had contemporaneous knowledge of the 2014 breach, and they talk about the executives not properly comprehending or investigating, and they also talk about a failure in communication. And I think this is one of those really key parts. I think that the ability for an organization to properly explain up, to speak up, and for executives to be able to listen up is an evolving art. And so I think we talk a lot about technology, but there's people, process, and technology, and I think we've become so focused on the technology that we forget how to tell stories to executives. There was a really interesting article in The Wall Street Journal a couple years ago, and it was by this woman who's a whistleblower, but the article actually doesn't advise people to do whistleblowing. What she really wants is to build a culture so that employees are encouraged to speak up on a regular basis. And so she talks about speaking up and listening up, and you can't just say to somebody "if you see something, say something." She says that's a pantomime of caring, and I think that's really true. And so I don't have any solutions for you, but I do know that this is a story I see repeated in breach after breach after breach, and as I talk to CISOs and other people in different security teams, the inability to properly tell a story and for that story to be heard is a common theme. And so that's one of the things I think that I would encourage you to think about.

So that was the past, and now I've got some more recent experiences at the DNC. One of the things that I learned when I got there is I have responsibility over

the DNC's security, so that's fine, but then I realized I had to help the state parties. So we have the 50 state parties and the seven territories, and it turns out that those are separate legal entities and those have separate charters, they have separate funding, and they're just different. And then we have the campaigns, and the campaigns are also separate legal entities and they have their own staffing and their own funding, and everyone has their own level of maturity in each of these organizations. And so they're not remote offices and I'm not headquarters, and so they don't have to do a thing that I tell them to do. And so that meant a lot of the playbooks that I would have around making sure that we improve the security posture of these organizations, those just don't work. So getting people to listen and to digest all of this stuff, it's all about influence. So people are ready to be secured, but they often don't know how to be secure, and prioritization and incentives are really lacking within any small business, and we have these kinds of resource constraints as well. So you know, I talked to the different organizations and I would ask them, "Have you heard about this thing called the Belfer Center? It's the campaign security playbook." Has anybody here heard of the Belfer Center? Yeah, it's actually good advice for any small business. And so I talked to them and I say, "So what are you doing for security?" and they would tell me a few things. That's very good. "What about implementing the Belfer Center guide or any of the other guides that are out there?" And I would kind of hear this pause, and they'd say, "Well, I'm aware of it and we've looked at it." And as I talked to more and more people I found out, well, you know, the deal is that these guys are really hard pressed to get started. It's really difficult for them to figure out where to begin the journey of being secure. They're incentivized, but it's really hard to get started.

And so I was wondering what are the things that I could do to get them on that journey of a thousand miles, how do I get them on those first few steps, what could be the things that have the best ROI. And I wanted to put together a checklist. There's a really good book called The Checklist Manifesto; if you haven't read that one, I highly recommend it. Spoiler alert: the author thinks you should have checklists for just about everything. So I wanted to have something that had big ROI and I wanted to have something that was really actionable. So you see these checklists, and they'll say things like "don't click on suspicious links." Wait, what? Wait, don't click on suspicious links, what does that mean? Like, I click, I literally click all day, like that's what the web is for, dude. Don't... in an email? I mean, don't click on the suspicious links in email, what are you talking about? Like, literally every important email I have has links in it. Like "don't get phished" is not actionable advice. "Don't get scammed," please, like that's just... So I didn't want to have anything that wasn't actionable. So I really wanted to have a checklist where you would sit down, print it out, and actually start to do this.

And so let me talk about the checklist. Anybody want to guess what's on the checklist? The first version was three things, three, the three most important things that at least I thought people should do. Who wants to guess? Patching, whoa. I don't have any gifts to give out. And while inventory management is a good one, I'm talking about like for individuals. So remember, remember the password manager. Well, this table is rocking it. There's one more: two-factor. All right, and the funny thing is, I tell this to reporters all the time. They sit down and they're like, "Oh, Bob, you come from Silicon Valley, you must have some very sophisticated things that you're doing with the DNC." I'm sorry, you're not gonna be able to write a story, because let me tell you what I'm really doing. I'm trying to remove technical debt and I'm trying to get people to do the checklist, and there's no machine learning here, there's no AI, there's no neural nets, there's really none of that, because that's not where we are, that's not what the problems are. You know, the problem is, you know, people are not like breaking into firewalls; people are just getting phished. So we want to have this be the checklist, and you guessed it, so you don't have to read this, but that's the basic idea. We wanted people to do those three things, and the idea was if you did those three things you are well ahead of the pack; you're not going to be falling for all of the common attacks. And so that's what we put out, and then we also didn't just send it out. We were very fortunate there was a group called the DigiDems, and the DigiDems, Digital Democrats, they were putting together a program where they hired 81, 82 or so tech-savvy people, and so they then embedded those people in campaigns across the country. And so they could have hired, you know, somebody who was a database expert and they were fixing printers, or they could have hired a software developer who was trying to wrangle the Wi-Fi. It didn't matter, but they were kind of in the space and they knew how to do the right kinds of googling, and they could also then phone home to all of the other DigiDems to say, "Hey, I've got this particular problem, it's outside my area of expertise, would you be able to help me?" And so I got to train them on the checklist, and it turned out to be hugely effective. So in some cases they rebranded it, they changed it, they added something, deleted it, but it was all basically the same thing, and so we did that for the midterms last year. Okay, so a bunch of stuff worked. So we had some good anecdotal evidence that people really

were printing these out and filling them out. Now again, I don't have agents on the machines of everybody in the ecosystem. Just because you're working for a Democratic party doesn't mean Bob's got some agent running on your laptop; it doesn't work that way. But we had some good anecdotal evidence, and there were a few times when people would call up and say, "So Bob, we got some money to do an upgrade of the firewall, what sort of firewall should I be looking at?" And I'd say, well, I'm conflicted here, because as a security person, somebody comes up and says, "Hey, I have a security question, I need your advice," we're so happy somebody's talking to us, like, wow, oh my god, thank you, thank you. It's not just me trying to push you; you're actually coming to pull information out of me. Like, this is the happiest day of my life, and we're so tempted just to answer the question and to sit down and like, well, let me tell you, let me tell you about packets, let me tell you about deep packet inspection. Like, we're so tempted to do that, and I was tempted to do that too, and then I realized that ain't the way the attacks work. How do the attacks work? They ask you for your password and then you give them your password. That's how the attacks work. So answering questions about Wi-Fi wasn't actually going to help them, and so what I had to do is redirect the spotlight of their attention to the things that I thought were going to be actionable. And by the way, feel free to download the latest version of this and like tweet at me and say "I've got suggestions," or throw it out and do something different. I'm not married to any of this. The whole point is to make sure that we're building something that's reasonably good and effective against the attacks as we see them here. So we did a pretty good job of that, and we got some really good, strong circumstantial evidence that a lot of the campaigns and state parties were actually doing this.

So that worked, but not everything worked. This won't come as a surprise to anybody here, but did you know that there is a non-trivial percentage of non-technical people who believe that software updates are a vector for malware? I'm not making this stuff up. So Google actually did a study on this, and they asked security experts and non-security experts to talk about what things they could do to keep from getting hacked, and when they interviewed the people it turns out a bunch of people actually think that updating your software is a bad thing. So this is terrible. If people believe that patching your software is going to degrade security, we're in a pretty bad place. And then, you know, frankly I need to sit down with people, and I try to be, like, you know, I put on my smile and print out the checklist and go through it, but I could tell that people would sometimes get a little frustrated with me. And like I said, you know, I try to be a personable guy, but we're going through the stuff and it was really frustrating, and they were frustrated with me and I'm frustrated with them. And when we talked to the DigiDems and got their experiences from the field, a lot of the same themes came alive. So that didn't work so well. And some of these organizations are really, really small, and so nobody's deploying an MDM solution on an organization that has 15 people. They just don't have the time and the energy to do that, and they don't have time to monitor that. And so I kind of came to the realization that many of you have come to, which is it's really not the user's fault. So I took a look at this checklist, and I was trying to make people turn on two-factor and update the software, use a password manager. Has anybody tried to help a family member, a non-technical family member, install and use a password manager? And what was your reaction? Yeah, some screaming over here. And were they frustrated with you, and were you frustrated with them, and what did you tell them? "Stop using the internet," okay. Did that work? Yeah, it didn't work, okay. So this is a real problem, and I, you know, came to the conclusion that it's really not their fault. And really I started to wonder what was going on here, whose fault was it. It's not their fault, it's not my fault. And so I came to this conclusion that this checklist is really a roadmap of our failure to make things that are safe by default. Why am I telling people to patch their phones and their laptops? Why do we have to sit down with them one-on-one to get that done? That's not a usable product from a security standpoint. That's a gap in the technology. And so like I said, sitting down and working with people one-on-one was the only way to get it done, and that just doesn't scale. And so it doesn't scale, and we're not building things that are safe by default. So I think it's time for us to start realizing that if doing the basics is hard and time-consuming, and if you have to do it one-on-one for every single person, I think that we have failed our users. And I didn't come to this conclusion lightly. Many of you are probably light-years ahead of me in terms of thinking about this, but I really feel like we've made some mistakes.

So some of you work for technology vendors; all of you purchase technology. So I would very much like for all of you to take an active role in helping move things to a secured-by-design methodology. So you know, if you're a leader in an organization and have purchasing power, use that power. If you're an IC, lobby your executives. So let's talk about a few of these things. So anybody want to guess what my recommendation to the vendors is for software updates? Make it painless. So again, people don't understand the linkage between software

updates and security improvements, and so what we need to do is just make it automatic and transparent. So I don't know if you're gonna agree with me on this. I think you should have to be somebody as talented as the people in this room in order to avoid a software update. I don't think my dad should be able to avoid a software update; it should just happen. I recognize that that's not a trivial task for the vendors, but they've made a whole lot of progress over the last few years, and I just need them to finish the job. I don't, you know, I don't know how to disconnect my car's airbag system. I don't, and you shouldn't do that by yourself. I actually looked this up, and you know, you should really not do this by yourself, and I found all sorts of scary things. As I was reading this, like, there are airbags that have their own batteries. Why do they have their own batteries? Because sometimes the electrical system will fail in an accident, and so they want to make sure that the thing is going to explode appropriately. So if you're fiddling around in there, even if you've disconnected the battery, it can still blow up because there's another battery in the mix. Very dangerous. I think the same thing should be true for software updates, and again, feel free to give me additional commentary on Twitter, but I really don't think the average person should be able to avoid those.

Laptop encryption. So one of the things that we tell people to do is to encrypt their laptop. This seems non-controversial, but again, why am I telling people to do that? The phones, the modern phones, tend to come encrypted, but the laptops don't. So encryption is not on by default. It's not really hard to enable, but people don't know it's there, and even if you tell them to do it they don't necessarily do it until you sit down with the checklist, and it's not available on every single OS version. So people are out there with operating systems that literally don't have hard drive encryption, and I'm not worried about a lot of state-sponsored attacks, I'm just worried about lost laptops. Anyone who's worked in IT knows a shocking number of laptops go missing, depending on how large the organization is, every month or even every week. So I don't think that you should have to pay for laptop encryption, and it needs to be easy to install. And again, I recognize that some of these recommendations are complicated, so there are real-life cases, like what happens if people forget the password for the laptop? Are they locked out of all of their systems forever? Sometimes there are tragedies, so people die, and family members want to get into the laptop to get pictures and things like that. So I recognize that these kinds of recommendations really can be a double-edged sword, but I want to make sure that we're starting the conversation, and I'm convinced that the people who work in these companies are incredibly bright and would be able to solve this problem one way or another.

Oh boy, passwords and password managers. Where do you even start? And everyone who's actually tried to help a friend or relative use a password manager, it's a real struggle under the best of circumstances. It's a real struggle. And so we have some inconsistencies. So we, you know, we tell people that we want really long, randomly generated passwords, we want them to be unique in the universe, and so in order to do that you have to use a password manager. But like, what's my recommendation here? I don't know, like, passwords really suck. And we could start with a few things though, like let's find a way to come up with some standards, like the NIST standards for password guidance: length, allowable characters, complexity, no hints. And anybody who's actually used a password manager will eventually bump into a site that does not allow you to use the password manager and does not allow you to copy and paste the password in there, so they really want you to have a weak password. And so this is something where we just don't have standardization, and standardization is going to be really key.

Two-factor. To tell people to use two-factor, good news is compared to ten years ago all the major sites have two-factor. In fact so many sites have two-factor that if you're trying to find the two-factor portion of a particular service's website, you may not be able to find it. That's okay, you can go to twofactorauth.org, type out the name of the site, and then it will deep link into the place that will tell you how to do that. And this is a great site, so they've got 30 categories, they've got hundreds of pages. But you've probably already figured out where I'm going with this, which is if you have to go to some other third-party website to explain how to get two-factor turned on, something is probably not quite right. And the problem that we run into when you sit down to help people is you help them get two-factor turned on on one website, and then you go to the second one and you realize it's completely different. I know, this one said multi-factor and this one says two-step and this one says two-factor. It's the same thing; only why don't they say it's the same thing? I don't know, let's just keep going. This goes over and over and over and over.

again and so yeah you want it you want to get frustrated convert your family members to two-factor for three different websites and then of course well you know you can use like the Google Authenticator kind of model but oh wait which one do you use and when you give people choices and you give people too many choices they will often choose to do nothing and so which of these is the best I don't know you probably know I don't know do you have one I don't know I've got a few of these which one do you recommend Bob I don't know too much choice and that works against the users too so it's not safe

by default and then we have also it's a two-factor you want it again you want to get in a family fight like the SMS is SMS yeah that's not too bad it's it's definitely better than nothing or it's incredibly dangerous avoided at all costs you're going to get yourself killed I've heard people make this argument I do this for a living which one is it I don't know it's context-sensitive you have to do a threat model it's very hard oh there's in-app push that seems pretty good assuming that people never actually accept a command when they didn't initiate it yeah it says it says I'm logging in that's fine this actually happens biometrics again our biometrics

okay to use or incredibly dangerous don't let it leak out into the wild I don't know it depends on the technology and the threat model and a whole bunch of other things backup codes never write down your passwords never never but your backup codes are fine print those out and put them in your wallet wait what what and you should see my family members looking at me and they must wonder if I actually do this for a living and then there's physical tokens and I say those are the best and they say I shouldn't use these I'm like no you should use those until you get a physical token and so you know we're starting to see the end of of this phase

where we've got to factor with the six digit pins and we're starting to see some man-in-the-middle attacks so these are real things and so now you wonder if people are now starting to do man-in-the-middle for to factor with like a Google Authenticator system well that's that's no good well that's okay we got security keys that's good and so you can go to dongle off that info and you can find out how to use a physical hardware token for the site of your choice but again you get 29 categories and I applaud everybody who's by the way I'm really applauding everybody's using hardware hardware tokens like thank you for building that stuff but every time you do one of these things you have to

use different tokens and you have to go buy them it's not clear what happens if you lose them and so the investment at one place does not pay off in another oh so one of the other things we added was helping people make sure they had secure web connections do you remember remember like we used to do this I don't think we do this as much anymore but I still see this I still see articles I saw one last month saying do not connect to sketchy Wi-Fi wait what what does that mean what does sketchy Wi-Fi do you not sketchy Wi-Fi is what's sketchy what's what's sketchy if it says it's the haut if it

says it's the hotel lobby like is that sketchy I don't know is my all of it of sketchy well that's probably the correct answer it's all sketchy so I don't even know what's sketchy is so I don't know why we're giving people this advice and there are some real examples of people doing hijacking did you read this article and wired a couple years ago so the gru had like the you know the back of a of a the trunk of a car filled with year they went to some place there they're targeting some some act fists so yeah this you know people trying to hack your Wi-Fi yeah I get that but the Wi-Fi is not the only

problem and when I start talking to people about the stuff I say like you know that your traffic can get moved around the internet there's probably a bgp session here at some point but like it's not just the first hop that you should worry about there's not one man in the middle it's a whole army of people in the middle and so what are you gonna do about those guys so what advice are we really giving people good news a lot has improved over the last 10 years so remember Firesheep any old timers like 10 years ago Firesheep yeah so sit in the coffee shop and find people's Facebook and Twitter accounts grab their tokens and then be them that was pretty

awesome so the world is really improved and huge advances have happened with certificate authorities so now we have let's encrypt we have HTTPS Everywhere so Thank You vff for sponsoring that and yes yes thank you EF f rarely yeah take a bow like that's some serious awesome stuff and then of course we've had you know the Firefox and the Google folks and everybody else really pushing everybody to move to HTTPS the world is a far far better place than it was a long time ago especially if you use like HTTPS with I think they call it ease mode which is basically encrypt all the things and then we shouldn't also forget that there's a bunch of other things like

HSTs and other things to really make sure that their connections are secure so I want more HTTPS and I have to tell people to go download the AFF plug-in to make themselves more secure again why is that not the standard and there's reasons for it but in my current position I don't have to I don't have to side with the technologists I get to side with the people who are potential victims and their targets and I get to say I want this out of the box to be patched and I want this sort of thing to be secure by default and I think if we were to do this we might be able to abandon the sketchy Wi-Fi our

sort of mantra there was an article in The Wall Street Journal a couple days ago actually exploring this so thank you to them for doing that so a lot of the problems that we run into talk really about incentives and and so I want to make sure that people are thinking about positive incentives I mean remember like like a lot of places would charge you more for security so here's MailChimp look at this if you setup two-factor they offer a 10% discount what get garage yes thank you yeah Thank You Mel Jim that's the way you do it folks that's the way you do it or yeah turn on to factor on fortnight and you get the boogie down a moat yeah

that's some sweet stuff right there so I a while ago I posted on Twitter I said hey I found this like are there other examples of companies properly incentivizing security and two-factor and turns out Twitter have a lot of examples most of them were gaming related so you can get free skins with Ubisoft you can with Steam they restrict certain activities with Blizzard you get a Core Hound pup reward what is that what is that I don't know I want it I'm gonna go get that I'm gonna turn on two-factor and get my core reward I don't know if that is free teleports and exclusive gear and I guess it doesn't it's not really surprising I suppose it

was surprising until I thought it's pretty obvious but yeah the the gaming vendors know how to game of five things and so if this is important to them and it's something that you wouldn't do organically they'd find a way to incentivize you so I think that's that's pretty key minor diversion here SSO tax is an interesting sight so there are sites that will charge you more for security these are more enterprising things so it's kind of outside of what I really worry about but the challenge is like you shouldn't have to pay more for your logs right am i right you shouldn't have to pay more to be good at security you shouldn't have to

pay for single sign-on like single sign-on helps move the security needle for your organization and if you have to pay more for that than somebody who doesn't do that that just seems like a terrible disincentive so we've seen some ins positive incentives and some that aren't quite there and I really want to call out all the vendors to make sure that we're not treating security as a luxury item that you have to know to ask for and then often pay for and still instead build those incentives to spur adoption so we talked a little bit about the basics no uniformity and two-factor and incentives and so one of the things I want to talk about is I started to do

some research on this and and there was you know we're not standardized and so I was looking like when two other one do other industries standardize and reduce complexity and so I got this quote and says years of experience and experiment have brought the manufacturers into such uniformity of ideas that their machines may be said to be practically all built on the same general Lyons who wants to guess what year that was what year any guess guesses the 30s that's a very good guess 1907 1907 the automotive industry figured out that it was better to have standardization and then wrote in track magazine starts talking about when people say a car's operation is intuitive what they really

mean is that it's similar to what they've already been taught the plain fact is that we're all safer when our cars work basically the same way individuality be damned and so you know I really take a look at that checklist and I say I really want things that are secure by default for average folks and I want that in all devices and services with no action required by users and again I understand their technical complexities here I'm painfully aware of them based on my background but we have to get over that and we have to understand what it is that is the end goal and then when user interacts is unavoidable let's standardize on things so that we stop talking about

multi factor two step two factor or whatever the other things are so the flow should be the same getting two factor on one site should be the same as the next one and so consolidation of tools things like Fido one and Fido two are huge steps forward huge steps forward so thank you if anybody's working in the phyto Alliance or implementing any of those technologies I think that's a real game-changer in the world of making things secure for the average person so you're the smart people out there I'm just the guy who's making these observations about what's right and what's wrong and I really so you think I like my checklist no I actually want to

kill my checklist I want you to kill the checklist because it's really really not the users fault and I've got a fuse that many of you already know about and that's the elections of 2020 and that is already dangerously dangerously close so so then what can you do so that's my present I want to talk a little bit about the future and how you can get involved I love this graphic by the way that's a really great icon so the few things you can do to get involved one is you can apply for a job at the DNC that's pretty obvious me can do that there also other organizations where you can volunteer and so mobilize us / DNC

will include a bunch of those things if some of those are in your state you can get involved or even if they're not you can get involved so those are ways you can get involved and you know I talked to people who apply for jobs and sometimes it's just not the right fit for us and I want to make sure that they leave understanding that working for the DNC is one of a thousand things you can do to get involved and to not be on the sidelines anymore you could become a poll worker and there are links in the next couple slides that will take you to places where they will actually give you a template for a letter that you can

send to the voting agency in your area to ask to be a poll worker to get involved that way or you can find a local campaign office and volunteer there and just you know word of caution you may be an expert on any number of things and what they may need more than anything is somebody to fix the damn printer and that's important too they may need you to fix the Wi-Fi or you may notice that hey these systems are exposed on the Internet let me go fix that and lo and behold you've made things a thousand times safer and these may be easy for you but they're not easy for the people who are

trying to run a campaign and so don't underestimate the power of that you can join a phone bank so you can actually talk to people on the phone and explain explain the issues and explain the candidates knocking on doors if you join a campaign again you may be the expert in a particular piece of reverse engineering and they're gonna be like that's great here's your list go knock on these doors tell people to vote and that's okay you're not necessarily going to use all the things that are in your area of expertise in order to move the needle or texting and one of the people at work gave me the story which was the sharee she recommended that her sister

do some phone banking so she called people and that was good but what she really loved was getting on the system and texting people and saying hey there's an election coming up here's a candidate and people who text back some of them rude but a lot of them saying tell me more and so she would actually get involved in that and for her that was the thing that really made her happy other ways to get off the sidelines I mentioned the digi Dems so they'll be staffing up in the fall and so again if you're interested and I'm just gonna say this and you're gonna laugh I'm telling you quit your job and go join the digit

ends to make some of these campaigns more secure you may be fixing printers you may be helping them with their Wi-Fi you may be helping them build software but it's an important role and they've really moved the needle another organization called ragtag they they will match your technical skills with what campaigns need and so I would give them a call too and there's all sorts of other resources the Center for Democracy and Technology has a toolkit and that's the the thing I mentioned that has this link to sort of a form later that you can fill out send this to the local polling precinct and then ask for for a role their CIS has some great resources swing left

indivisible so these are all ways that you can help to get get going and not be on the sidelines a lot of what I wanted to do in joining was to be in the mix again and so I really want you to think about that too so we talked about really three main things we talked about the yahoo thing which is kind of in the past I really want to encourage everybody to think about the things that you can do to improve communications within your organization I think that's an area ripe for research by the way so if any of you are researchers I think that's an untapped area we talked a little bit about the experiences of trying to roll

out the checklist to average people in campaigns and making things secure by default I beg you to help me fix that problem all right there's no way I can do it I can identify the problem but the people in this room are the ones more qualified to actually fix it and then we talked a little bit about getting involved in not sitting on the sidelines I really want to inspire you and I want to I want to nudge you towards getting involved in some way if everyone in this room did one thing towards that goal and some of you actually did the crazy thing and quit your jobs and join a campaign we would be in a dramatically better

place than we are today and I don't want you to underestimate the power of you and your backgrounds really throwing your back into this and if you do this I think the next 10 years are really going to be the decade of the defender as opposed to the past one which has really been the decade of the attacker and that's my story and I'm sticking to it thank you [Applause]