
I get mine without my pants and shirt on I'm just always so we are consent-based here we believe strongly in consent excellently group hug that's that's a good start all right all right that was a different panel yeah did you involve Corbin that wasn't that was actually the group awkward hug yeah that awkward we're all friends yeah more or less yeah we'll be at the end of this is or not so this is extra any one of you actually remember the title of our tacos I just remember those boos and the debate things babe boosts hugs the hugs part of it action hugs most part lose hugs and debates excellent British well I can guarantee there will not be any other
debate panels so technically speaking this will be the worst debates panel you'll see at BSides Las Vegas 2014 okay so before we dive in I'm David Wortman I'm your erstwhile moderator my job is to more or less keep these guys in line you've met them before so you know that that will be a vain task but you know it's Wednesday afternoon and there's booze it's all that matters Jay you trust yourself Jay Radcliffe I am a researcher with Rapid7 I do a lot of hardware hacking stuff and do a lot of community stuff so I somehow got wrangled into doing this I'm Josh Corman you hear me Oh speak up all right Josh
Corman I like to cause trouble and I to him recently driving a lot of community stuff through I Am The Cavalry trying to drive safety into
hi I'm Dave just here for the hugs I'm I'm Jack you all know me as the host organism for my beard okay so the way this is going to work is a we generated the other day a bunch of ridiculous questions here and each time each question two of these folks are going to pick either a pro or con they're going to debate the point then you all get to vote whoever wins the vote for the best debate doesn't have to drink is that winning or losing I'm not sure they can drink if they want two things I have to drink cash flow so you can drink whenever you want in this panel yes test
two three or pretend to drink I really don't care this anyway questions from the audience are welcome as is of course heckling but if you you can participate in the debate if you want but I don't think I'm we got to leave you booze so you have to bring your own sorry ah rob is ready say excellent okay so let's go with let's see our first question are you randomly pick uh I have a bunch here I'm just going to see what crazy and are we selecting our positions are you going to assign positions coin toss yeah we obviously had me before this discuss well we actually had a meeting but Dave did show up oh I was flying back from
China and his hugging pandas who's actually I'm gonna make up the first question then I'm going to Dave take the pro and I know that Josh take the con here which is China's an actual threat to us so I'm pro-China as an actual threat to us you can make it interpret it as you will listen cyber kill chains APTs it's everywhere man it's like driver well I'm supposed to be for them right alright you're interpreting whoever you want it's just whatever you say Josh has to argue against so alright sounds good I got not tonight no I'm Jessica no I mean if you look at the demographics I mean intellectual property all the other
stuff that we have here United States big booming business right because it's estimated I think the FBI came out the study that showed that we create about three trillion dollars of intellectual property per year and it's obviously something that other countries want in order to enhance and strengthen their own economies so I'm necessarily see China as a threat when it comes to like core infrastructure because they pretty much own ninety percent United States anyway but when it comes to you know what we actually produce here and what they actually need to actually continue their economy going forward they are they are actively of threats I mean they're going after our you know manufacturing processes are going after
how we're actually designing our new product line so we're coming out with everything from the chemical formulas recipes to everything that makes us unique as a as an industry they're continuing to go in and steal those things so they can lose their own economy so I definitely see them as being you know a threat and I think it's a lot different from here in the United States you know National Security Agency things like that are more on the defense and spying on everybody including the United States people than anything else so I mean you know they're more active on defense versus stealing intellectual property from other countries and then giving it to us so it's I think it's a
different threat but it's something that we definitely face here in the United States all right I have three answers that I intend to lose so I can get my drink on number one they are not a threat because clearly in the history of global gross domestic product several countries can actually double year over a year without stealing raping and pillaging from the US economy they must be an alternative way in which they've doubled their GDP and an unprecedented rate so it can't be stealing you have absolutely no evidence and China is awesome okay America Turkish I i didn't realize jeff car was on the scale this exit by the way the second reason i will say China is not a
threat is because they've already taken everything we're stealing so they are no longer a threat and I think I'll stop there excellent sure okay who thought date raise your hand if that dave had the more compelling argument okay and raise your hand meeting josh had the more complaint argument both sides those guys are rigged their rigs they're going against me you can drink also though i'm going to i'm on oh that looks tasty this moonshine of course you gotta do moonshine when around a baby cuz if the people can't walk out and it's been a good to be I'm wait if you say that fans only thirty-five percent alcohol I did notice it was actually melting the glass
I'm not gonna do know what he say on the label it says Made in China they stole that [ __ ] we had the best movement we had the best moonshine recipe in like Kentucky America hey ok so I let Jack and Jay do this and we'll start mixing things up a little bit more let's go with there's no point in training users you guys can do you guys gonna wrestle over who goes which side of this one it's Bru Snyder here mmm I don't think so okay second Oh am I supposed to debate no J&J and Jack I'm gonna cheat I want to answer the other one one more time while China may be a threat you
guys can't even stop basic SQL injection so to your point we we should get better at basic web hygiene before we start worrying about Kung Fu Panda you should drink again cuz that sucked it's burning in your stomach it's amazing I mean it's a good burn I'm glad I put roofies and all that that's a diva Cathi there's a drink he sipped it are you I'll take I'll take the objects that we don't need you trying to you go first and I'll rebut you as gently as possible okay all right so I don't think that training the users is going to help in any way shape or form the users cannot be trained they are pretty much a
hopeless cause they are the Sheep when we look at a lot of the major problems that we have and Josh just mentioned one of them SQL injection users aren't using SQL injection users aren't using you know these significant problems that we see in web applications in embedded devices we look we want to say Oh will train the users to use great passwords but even those great passwords are still being bypassed in all kinds of ways so you can give the smartest users the best training and you're still going to get owned all day every day so why should we waste resources on doing that when we should be spending the resources doing the major items as opposed you
know that are actually affecting our security like next-gen firewalls yeah and antivirus is dead yeah not still a good man got a two percent detection ratio we're good it sounded like one or [ __ ] so I me got you make some points which have some validity depending on whether you are reaching for the correct goal or not which in this case you're not you know co-worker of mine Marcus Ranum has famously said if end user detected or training was going to work it would have worked by now the problem is that we're looking at it as if it's going to solve a problem there's nothing we do in security that solves a problem it's all
a matter of buying time it's all a matter of moving forward for those of you who've been in the trenches are in the trenches what you get from training users wait for time out first maybe just once we should try user training that does not suck wait wait the online see that wasn't part of the debate yeah Don light cbt zor it has a PowerPoint slide it's like hey don't click on things and hit next and itching everett st in this at the [ __ ] yeah all my stuff I think I coat it set so here's what I here's what I came to believe in doing some kind of I'll user awareness training what you
get is you get one or two people who will say to you I think I screwed up and you get a little heads up you get one or two people in the company you can say hey the [ __ ] hit the fan I'm not answering my cell phone you're fielding for me and they'll say oh ok cuz I understand and it makes it makes your job suck very slightly less and that's a good day for us is sucking very slightly less so you're saying that I'm right except for it just makes it slightly less suck here that's our goal though I mean like I said it's hey we haven't come up with anything it solves a
problem yet except alcohol I'm fresh for the kill chain does good point field is speaking of it speaking of alcohol that's an excellent segue thank you jack people who thinks Jack Jack's argument most compelling let's see some hands okay jay is in NJ Akkad users years one thing I will say though on on education awareness though I mean you may see the Bruce Schneier blog that he did about education awareness America see that no so we came out with a blog post that basically said education awareness shouldn't be done and should be done through attrition through our product lines and security which to me i think is a complete facade because i worked in a company i was in a fortune 1000
company they had no security whatsoever and you know one thing that security did for us aside from people in that clicking [ __ ] as much and they still click should obviously but from less clicking stuff is that it promoted a security culture yes and so once we had that security culture for me to implement things like two-factor authentication which oh my god or you know NAC or stuff like that was expedited you know years in advance because the people understood why we were doing it they're like oh hey you're doing this to protect me personally right you're protecting myself you're making sure I'm not getting hacked thank you and I get people that you know you
get you get caught you walk into companies in the securities like the redheaded stepchild everybody hates them and they want to you know the roadblocks in the company it's conversely different when you actually educate the users on why you're doing it I mean we got stuff like Heartbleed right I using the word but you know Heartbleed is it was phenomenal is like I have my grandma who doesn't even own a computer asking what the hell Heartbleed was you know we have to capitalize on then use it to our advantage and that's where education awareness comes in not just from the stop clicking stuff and phishing but just to drive our security program forward a lot faster so I love that the time if
you want good i'm gonna drink to you i'm a drink soon and if you want training that doesn't suck and els has an amazing program at Akamai Bob Brutus had an amazing program at Liberty Mutual and Stephan Bonnar or Stephan Bonnar had an amazing program at kpmg doesn't doesn't if you clean up on your knees your neck in a training trusted sec by the way this training I don't know who that is though I mean yeah
I'll go fishing yeah um since Dave brought up heart bleeds excellent how is this our eyes so since you brought up heart bleed um it seemed see the branding vulnerabilities is the new hotness if you don't have a logo you don't have a phone right I mean that's a that's probably heartbleed sexy it was visual visual it was a great heart it was a great logo that was a great marketing campaign because I mean you can visualize a heart bleeding you seem real broken up about that I'm not joking mari starting a buzz a little bit so uh okay I gotta let you guys choose who you know who's going who's gonna argue this one um the argument here is that I'll be
pro hardly okay well actually was witness that was enough about her plate companies don't care if they're breached or not as long as it doesn't make the news how do we debate anything other than yep next well I think there's a key point to that though I mean if it impacts our customer base and ie revenue then they have an issue i mean i think i think you know just because it doesn't make the news doesn't mean that a company doesn't care about it I mean they care about what has their profit margins they care what you know their brand looks like in certain areas and for a lot of companies brand reputation is pretty big if it does it does it
affect their brand reputation target just got completely annihilated in their stocks better manners it's not true it's actually not true they're actually going through some major term role inside in fact they let go of their CEO the CI got let go shortly afterwards and it's partly because of the Canada expansion as well they're having a lot of issues with expansion in Canada as well but they're actually having a really bad quarter they've had back quarter since the breaches himself and I don't about you guys but I have my wife won't go to targets not because I'm even my wife won't go to target because of it I know family members that won't do it because
of it I mean it impacted them pretty hard it's gonna continue to put amount of business know but I mean they're feeling it rice cash-only that's good yeah it murder actually an outlier cuz you look at like TJX and new TJX is was not i may may sometimes be a bit cynical but Drake Drake yes you can't lie on stage sir I'm calling you out and you need to drink but everybody in this room I bet has dealt with let's let's just say large companies where they really do have that attitude and small companies that don't know any better and it's kind of in the middle where we try to make progress yeah I gratefully great in the eighth
Dark Ages when I actually work for a living and like ran networks and defending them and [ __ ] I loved it when a new worm or virus broke out because that meant I told you so budget provisioning but you know is me look at you look at you look at the retail space sweet I'm not sleeping for the next three nights but then I get a firewall
we look at the retail space in general I mean EMV spurn amelie made it across large majority of the globe already we're still one of the only ones that are still not using EMV so all the hackers have moved here right and so we're seeing a lot of breaches having the credit cards now all the retailers are freaking out cuz a target and I can't tell you how many retails we work with now just because like as soon as target happened it was like holy [ __ ] we're busy for the next six months with just retail work you know it's like you guys are moving forward to it now it's reactive hey I know you're gonna go like
Cavalry and [ __ ] I'm even okay no no but I mean they're so so you gave an example just this one time I was in the shark cage did you know he had a TEDx talk so you gave the example of Target and your wife doesn't shop at Target but if if if we stopped shopping at all of the places that had breaches we wouldn't be able to shop anywhere I mean there's a huge listing of like P.F. Chang's just came out and said that they had a breach they have amazing great I mean all of these places have breaches all the time is that our strategy for solution as the public I don't just say we're not going
to shop there but I don't think I don't think it goes on to the point if a company experiences breaches that you don't stop shopping I think it all has to do with what were they doing in advance to stop it and is it gross negligence or is it you know horrible so you're all wrong you're all wrong hang on had they merely been PCI compliant guess what drink Target was PCI compliant congratulations no but I you know honestly if you look at a lot of how we were breaches how we respond I don't like to point out specific companies but eBay was a prime example that it may ever see what happened with eBay so eBay
got compromised right it was for like months and they didn't realize that they actually had access to usernames and passwords right so they responded and said hey publicly that they had a breach but they didn't send any emails out to customers they didn't even put a little notice on the front page that something had happened it took it took their PR person is literally on CNN saying we don't have the capabilities to send emails to all of our customers and no [ __ ] a day later an email went out to all the customers I talked about a [ __ ] right so when you have organizations that that just show that you can't respond in an effective way to incidents I
think that really hurts their brand long-term so I mean you know companies other stuff together and they still get breached hey it happens to all of us there's nothing that's ever going to make us a hundred percent but you know as an industry we have to hold these companies accountable for what they do I mean they're holding our data and it's our date as anybody else is our [ __ ] so I really think you need to focus more on on holding what companies more accountable and I think targets a prime example I don't think target was any different than anybody else but I think response wise you know they definitely could have improved quite a bit okay so
what was the question yeah I don't you remember right it doesn't matter because I have new question I'm gonna drink real quick after that yeah see how much a pc i want so you mentioned pci but you also said something about he's got a question sure there are there there you are they are you saying we should we should repeal those laws and all that's necessary what no he's not reaches oh okay so right there are certain types are under certain types of criteria obviously going to have 49 states at that look at social security numbers as being you know sensitive information you have crack cardholder data which is more for pcs entry but what about all the
other stuff that happens those robbers oh sorry so let's talk about uh should be some sort of you know yes by the way well I matter for big government but yes well let's let's talk about a related question which is should companies be held liable for uh for software vulnerabilities or in the case of something like a you know of a large breach because should they be held liable because they didn't do that's let's say best practices but that's nice drinkable offense I think you drink I do drink receive haha so so should companies be liable if they don't follow best practices floors what you're asking or should he liable for software vulnerabilities or in the case of a
breach you know that's called gross negligence that's kind of a broad question so if Microsoft has a vulnerability should should companies be able to sue them if they use Microsoft products yeah sure but you look I clicked on the usual what that I give you all my money SLR you can get around that sweet America alright so you want to I did the last one but I can do yeah you like to talk apparently all right yes I'm fine fine here if we built cars the way we built software no one would ever drive again we have minimum health codes and kitchens restaurants we have minimum safety standards in building codes we have minimum safety standards
in automobiles the only area you so you want to you want a nanny state where cars cost ten thousand dollars more than they should because of airbags that don't do what the first two airbags put in the car and a good set of seatbelts does in every mature market that has the ability to inflict harm there's some level of liability and it normalizes pricing and puts the cost and least cost of order there's a public good argument for super liability and there's an economic argument for liability it's the most efficient response to market inefficiencies what would I have to sand on software bugs I mean we're coding especially look at Microsoft millions and millions and millions and millions
lines of code right there's bound to be issues and exposures I think when you start looking at liability if there's gross negative the place where they knew about that and they still implemented it and they still left it there and they didn't provide solutions to fur people to fix it I think then possibly right I think you definitely have an avenue there to move it I mean you look at a lot of exploit researchers right how many times have we heard should I sent that for years ago and they still haven't fixed that [ __ ] and you know it's still out there and the medical devices is a prime example of that ready of the medical field which has there's
medical devices that are vulnerable you know when you have pacemakers that have bluetooth in it something's probably jacks all right I'm just telling that out there i mean i'm not going to blatantly raise the cost of the pacemaker they put bluetooth in the first place increases the cost its wireless it's like new technology rink every time we mention medical devices but here's a call the bucket but i think i mean when it comes to public safety i mean if there's if there's really you know if someone identified looking or how do you fix that problem in a timely fashion to protect people and if they don't do that then absolutely there's no different than someone going out and
driving drunk and crashing into a car I mean you're sitting there with people's lives at stake I think there's definitely a major issue there with software exposures if you don't actually fix it I mean anybody know about it we have some freaking brilliant minds in the security industry and just absolutely like Einstein related mother my mother efforts are I was committed these a whole work I didn't do it and and they come up with so many creative ways that I probably would never think tough if I was a developer doing it so I mean you're going to have those instances where people just come up with stuff that you would have never thought of if I sit there and say hey that's
that's brilliant but my business model I mean I'm not going to really fix it an F it then you have an issue there I think has a liability issue there at that point otherwise know if I'm hearing you correctly this you might have a good insight here it's not about having a vulnerability right everybody will it's about how do you detect and respond in a professional and reasonable way absolutely that's interesting is we're talking responsible disclosure oh now you have to drink oh that's that's oh that's a whole different question drink what about responsible disclosure with the kill chain if we do that yes Chris all right I just want to throw a [ __ ] out there because this is finding
the number of times he says kill chains you can send the check to locky hahaha is it a next-gen kill chain next gen kills him whoa we got our buzzword for next year everybody any banners in here please patent that [ __ ] so that you can start selling this stuff that doesn't work anyway thank you you left off the two point O two point oh yeah next gen kill chain two point oh I just want to say this is God leadership right here guys right here ain't got anywhere else it's not as bad as the PCI panel DEFCON doing oh no that was that that was yeah okay one day you'll forgive me Joe that
was 19 yeah it's Jack's fault I told you he wouldn't give me my pants or coffee or he did was Shaq losing his pants and his coffee if you don't know that story cool don't don't google it better see you ever seen shack with the kitty where he's going kid he's like no I am still caught with Dave doing the cool cat dance my brain just went blank I can watch it for hours maybe these no one has a song on it too it's got the song don't let I've seen to the one with the cat doing led zeppelin sir oh okay yeah it's going to yeah hey let's go with the let's change topics complete and say
let's go with the soft skills are more important than technical skills when it comes to security god I hope so cuz I've lost all my card skills no you have it [Music] I to blue screen I think I person is I think we have the explicit tag now I think that's relative soft skills are definitely important okay I'm on the side well I'm not both sides you can't be sure if you got a drink either way I don't know if you don't commit if you're not pushing code to get every [ __ ] hour you're not in security let's me by the way but I slept soft skills you well you have soft I mean aha you also have
soft hands we work out good here is ok you know look how on topic sorry see no in all seriousness you know if you look at we need hard skills because we have to have folks that continue to drive the research and continue to drive the industry forward because I mean without folks researching without folks you know holding companies accountable we're not going to be able to move forward but we also have to develop the ability to communicate and here's here's a prime example the hacking community you know I remember going to defcon alexis park right we're all a bunch of crazy-ass technical people that I just I mean like I remember shmoocon going on stage with
this UPS box that looked you know like a normal ups and it was a computer that would intercept all the traffic and my [ __ ] mind was blown you know it's that's the stuff that continues to drive us forward but you know what happened was we had a period of time where we had all these brilliant minds and technical folks that could talk so technical and talk awesome on that what we're doing is all these [ __ ] sales folks and product guys and everything came in swooped in and changed the industry moving forward to a little bit of a one I would say is not so good right now now now we're trying to get a little more
educated around the soft skill side we can actually communicate to business folks and understand why risk is important and start to drive the technical side from a business dance and I really think that you have to have a little bit of bowl for a lot of holes yeah I mean we are arguing sides here so no chance why they rolled up yes it is hey don't go to freezer kickin it Judas like it hit me like a ton of bricks aside from Dave getting the Katie Couric show cancelled so funny so real quick I'm on the Katie Couric show and then literally three days after i was on the Katie Couric show it got canceled completely
unrelated completely we're in your debt how are you glad it was a great show I loved it you know I heck a soccer mom on TV who else has done that all right everybody raises her hands yeah so we can agree that tex oft skills and hard skills are both important but you have to look at what the bottleneck is and we don't need the 708 android malware talk if none of them have yet compelled action so in his defense the power of story his ability to communicate inaccessible ways on the telly and use small words look at 1940s work by the way i'm trying to compliment you the tele appropriate way be from are you
from me from UK sir ok well I mean I'm prettier the UK embedded English Australia's just a suburb of UK right that's true yeah weren't you guys like the prison stay and then you guys all went free and then went crazy and [ __ ] yeah just I love Australia so it in all seriousness though a few of us will last year some on the secret some of the CFAA front murder things that you guys care about like the criminalization research and some on the safety side we basically realize that we have to hold our nose eater lima beans it except the word cyber for example if you want to talk to people who that's their lexicon so if
you want to be ambassador compel action meet people at their vocabulary and elevate their threat IQ soft skills it has been the bottleneck and you've done a great job with that and the people who are trying to be translators ambassadors they're moving the ball forward just as an aside one of the things I love about the security industry is that there's a place anything with hard skills and there's a plea there's place for people with soft skills as a lot of people with both but if you don't have any hard skill or soft skills sales is always hiring I [Music]
love you oh wait or you can be an evangelist evangelization cyber kill chain next gen 2 point 0 we got it Nick Nick Santa Angeles band that idiot so is a Josh mentioned the CFAA and we actually talked about this on our prep call and I'm actually I just have to read the question as written because well and I directly quote the CFAA Computer Fraud and Abuse Act for everyone is a big poop and I mrs. call with the hell you got to talk about poop this is Miss Alan's who gets stuck on planes Thank and get show's canceled that's here that's guys it's hard to break your business or I'm not sure which I big poo
or is actually willing to argue in favor of the CFAA I will pull alone londa b li yeah sure why not that that's what we're supposed to do up here aren't we we can't just all agree all the time well then it's not a debate you can train all up I'll back you up on this one because CFAA is fantastic I know her for putting people in jail for long periods of time that commits barely nothing compared to a child rapist it's [ __ ] awesome you commit a crime you break into computers you go to jail you cause damages that's the law of the land in America and if we find you if you find you guilty in
America by a trial of jury you go to jail of people that that was a long especially still have VCRs flashing 12 the [ __ ] I mean you should ask your Fox friends about that and don't they don't they know a lot about the law and stuff like that listen I've listen I balanced myself on all set so hush you're fair and balanced I said I've been on Fox new year IRA foxes are in balanced here I've been on fox news i've been on CNN I've been on fox news I've been an MSNBC ebon on fox news it's been great right I mean listen that that [ __ ] is so vague that literally if
you breathe on a computer you can be here with the CFAA it's [ __ ] sorry right hey it's very modern though he was designed and scrutinized in 1984 it has held the test of time there is no irony in the 1994 big people hacking mods on those BBS isn't [ __ ] we needed that let the sauna see but I mean in a serious note this is pretty good luck yes it is especially after half a bundle thank you yeah well that's probably why is he so good it's all relevant lots of people do lots of computer security research and don't go to jail lots of us do you haven't gone to jail I haven't gone to
jail may the people in this room haven't gone to jail you can name a small handful of people that have gone jail in your CFAA are stealin so when I did what I did when I did reconnaissance on healthcare.gov okay so I testified in front of Congress twice and if you saw me the security news about security issues in health care at I cover whatever that was us doing the research right when I was in front of Congress those guys were like you have to Obamacare I'm like dude I [ __ ] google [ __ ] that was it that but seriously though but a legal system worked you didn't go to jail not yet right here
guys listen right now saying hey get a lawyer do you're probably [ __ ] going to court for that stuff you know you don't have a lawyer yet was all I know is that he is every correct all I know that is when it was being argued I found out some very good revelations about healthcare.gov that its in one big honeypot and that it wasn't really vulnerable just a big honeypot and you still didn't go to jail the conversations about the CFAA not all your work and all your media exposure so you don't you don't think you don't think you don't think you don't think that for that for for for any time if one of those those
congresswoman or congressman specific congresswoman Edwards did not like me on the throw that out there she was a fan of Katie Couric she's why Katie Couric like a resolution don't vote no kidding what was interesting though is if they wanted to pursue that and take me to court they absolutely could up in the be honest with you who knows with the CFAA if that interpretation would have been used against me to do and I was just trying to [ __ ] me all I hear is if they did this if I did this if I did this but you're still not in jail they didn't do it so why are we so concerned about this law isn't all I
know is that it was st. haven't all I know is in the security industry you have a clear distinction between people are trying to do the right and people are trying to do the bad okay wait that's clear so you'll be on the wireless at the Rio do I know everybody on the Rio yeah they're better'n hey I want to say something about really great about CFAA and here's what I will say that's fantastic about the CFAA is that it's so [ __ ] up it's finally galvanized this community to realize we have to become political yeah speaking of soft skills how's that you're talking about you this weed is good yeah Tennessee honey I never had I hate
whiskey this is great fright cousin Mary so for those of you who if you want something even better than that you get regular Jack Daniels and you put great be dark maple syrup in it so use maple syrup as a sweetener instead of honey it actually accents the maple flavor from the maple barrels that aged in can I not use this we have a watch yes does it make a blue waffle oh I'm so sorry I'm so sorry seriously you carry me out of here Oh what let's make one thing clear by the way you all knew a blue waffle was so don't even give me that [ __ ] the fact that you all know that you're dirty
sons-of-bitches no are you gay blue waffle later don't worry yeah google it don't owe on your work network it's a home on your work computer one thing we should have said at the beginning cyber kill chain next gen 2 point 0 blue waffle dot-com I mean it's all [ __ ] anyway so I mean take it take another hit off your vape pipe they're saying ok one thing we should note if one thing that we should tell everybody before I should have said that before I started the CFAA thing these positions are not personal advocacy all right yeah these aren't my positions this is supposed to in SLO conversation so I don't want any hate mail over me
loving CFAA and as a reminder in speed debates when we arbitrarily pick positions our comments may not even reflect our own or anybody else's I'm gonna drink now because I do we have any questions in the audience see how every no one I think they're all drunk or asleep so oh it is well there's still booze up here angel we do if you ask a question we get worried they all have their disclaimers I work someplace where they hired Marcus Ranum so as long as I'm not more [ __ ] up than that I'm ok with a little bit that's a challenge and you don't necessarily enforce them you get us deceptive law just because they
force it lightly what cheap stuff enforce it heavily later thankfully we live in America where we're protected from selective enforcement
that is that may actually be the quote of the day right there correct why are you too many judges you don't have cleared oh my god you know it's like you got a tgirl judges and juries there I completely agree some but somebody has to say this then I'm enough of an ass to do it the great thing about CFAA is it got weev off the street for a while oh okay real question the back that's true by the way as SS whoo that's a drink without for good that's a very good question why would I support the CFAA just repeat it again would you support the CFAA if you were if you're judged by
a jury of your peers met suckers yes this weirdly vins on how you define netsec how's it bc i could be using us days off like i said q haces I'm drinking by the way doesn't right that's a that's a good question feel feel feel feel fit medical device medical boys hey I was tough I was told I was told by members of the medical device manufacturing community that there are no known adversaries that would ever exploit any weaknesses in medical devices there's no financial profit in it so don't worry that's that works for that works for you turn dish at all Smith & Wesson and Colt arms because no one would maliciously use their product I
went yes I went there right Mary went there to America to a [ __ ] America whoever doesn't I just want whoever does the next pacemaker hack to call it heartbreak it's a heart breaking heart breaking marketing month America wait as long as it's America that it came from Larry we should actually be happy that there's no device security in medical devices because we can have it aftermarket that's 80 billion dollars inside to make Barrett a cage formal wear I'm just gonna carry this [ __ ] box around mrs. wheeler hey 73 billion of that market will be placebo Faraday cages oh I'm just waiting for the McAfee ePO agent for much bigger no but I mean
I'm not a good buy stuff that is a serious topic I had heart surgery a few years ago to fix a heart defect that has called a cholo natural fibrillation so they you know obviously through three times that day the penis size got so larger Lienhard I can figure out why but is amazing ah no but your this got smaller than I know no truth the matter is I mean but when I was in the in waiting room I'm sitting there looking all the devices and are all using wireless I'm sitting are scanning spectrum and it's just like standard 2.4 WEP it's [ __ ] awesome I'm like I'm glad you guys are heart
surgeon me through wireless devices with WEP that that amazes me I'm like listen can I just can I just kind can I secure Network before you operate on me is that possible I just [ __ ] go WPA with like password at least for a little bit I remember that because you were actually recording a social engineering podcast episode at the same time I was on a podcast as I was getting heart surgery did it for some reason when they decide to operate in your heart now they don't knock you out for some reason why that is I'm awake as socks so again these webcasting certain that's an interesting one that America just remember I'm good
at tangents so here we go a few months ago a friend of mine was in the hospital and I was getting ready to leave and I hear the nurse outside the hospital room say yell down the hall does your computer work to the other nurse down the hall and as I'm leaving I see that the workstations can't communicate with Active Directory and so they can't authenticate you say that like it's a bad thing and but a do to work stations open the drawer that has the medicines in the intensive care unit so [ __ ] security people are dying and we need to balance that right we need to balance that but what WEP does is it's the worst
right it puts a hurdle in the way that is ineffective and they don't understand we got we got security you have bad security take it all the security away so that the nice lady who is trying to save the patient's life or make that you know given their morphine so that their life sucks less or whatever can do our job or give them effective security and that's the industry is whatever that's my ears are doing is that not you know four engines here just wrote it for you when you have surgeries or whatever you want a nurse this is sexist an ageist and everything else I want my nurse in the hospital because I get to do that a lot because I'm old I
want nurses still hot though that are like like I'm hot the waitresses that I want to see in diners to say they're not young they're not slender they call everybody hun they've seen everything and they take good care of you that's my but you know when just remember Weber not the MRI machine down the hall still running son las 4o three dozen okay Bob I don't even know how to hack windows on a machine nowadays so that's [ __ ] awesome because I would be like what I saw one we weren't any windows and windows seven perfect thank you for our show great that's okay no one could head when just hit me we don't know that
though we don't don't would we don't know it's highly unlikely it's never been documented there were deaths from the anthrax that got sent through the mail that were not documented as deaths in my opinion fabric fabric I have no enfermo an site information on this however what you need to know is the post office power washed all the mail handling facilities before they were inspected for anthrax so if there was an 84 year old woman in your neighborhood who just sort of died how do you know it wasn't anthrax we don't I mean it's trying to prove a negative yeah I mean they're one of the thing I was just the point you made earlier Dick Cheney had
bluetooth turned off this yeah saw a one of the things one of the things you mean if you're a coroner and you come in with a pacemaker and you're dead really good I'm trying you don't you had a bad ticker coroner looks at you and goes you had a bad ticker you're going to die eventually anyway they don't never bother to look at the medical device nor does the medical device have any forensic evidence on it so you can't do anything even if you thought you were suspicious of it there's there's no there's no bread crumbs to follow there so I'm a slightly different answer to your question I feel more comfortable if they can't do it if they want to
if the only thing protecting me is the willpower of everyone being nice and saying I just think we're getting too close to being at the mercy of someone else's will so I like healthier separation than that we don't have to argue whether or not people have died from hacking or not I'd like to make it harder for them to do so if they chose okay and that we're at a time actually and there's still booze thank God I Vanina blue waffle two point oh that's what I got two point on next-gen APT cyber kill chain [ __ ] 1 dot 20 thank you all for Emily and thank our panelists please thank you if you have
more questions and things will be