
Security Through The Eyes Of A Fly Fisherman

BSides Delaware, 59:09, published 2017-11
Presented by Bruce Potter

Yeah, everyone's so excited. And over on the other side of the room, hi. All right, there we go. Make sure you make it really awkward when people walk in the door, just everyone stare right at them, because it's really awkward to walk in during the talk in the front of a room, so let's make it extra awkward for anyone else that walks in. I'll stop and look with you. I gave a talk a few years ago where, I mean, I normally get kind of weird in the middle and people get up and leave, and I managed to rivet most people's attention for a really long time. About 40 minutes in, somebody got up and left and I called them out on it. It's

like 2,000 people there when I called the guy out, and it turned around, it was a client of mine. I was like, oh hey, bad time to be an [ __ ] like this. That's cool. So I appreciate y'all joining me on a talk that ostensibly doesn't have a lot to do with security, but I think it'll be interesting and I'll get you to a place where we talk about security. First, for those that don't know me, I start all my talks exactly the same way: telling you not to believe anything that I'm about to tell you. I am an autodidact. Autodidact. I had that, and I saw somebody, a lot of

people on Twitter call themselves this. I didn't know what it meant. I eventually looked it up and then I put it on some slides, and I spelled it wrong for like a good six months. So it was an autodidact, which is not a word, and I felt so cool because, like, I know what autodidact means but I didn't know how to spell it, which really was the ultimate irony of being a self-taught person: not knowing how to spell self-taught. So I'm self-taught in the sense that I went to school for a while. I spent four years going to school in Fairbanks, Alaska. I dropped out, never graduated, really wasn't even close to graduating, pulled

cable, and never declared a major. I was literally just going to school and [ __ ] around for four years. It was a lot of fun, I met my wife there, so it worked out, but everything else was kind of a cluster. So I ended up working pulling cable in coal mines and doing work above the Arctic Circle, ended up running system and network operations for the largest ISP in Alaska, eventually got into security, did a lot of software security work for private industry and the apps tech space, and worked for Cigital for a while, ended up at Booz Allen, ran some intel labs for them around wireless and high assurance work, started my own shop, we did a lot of

DARPA and IR/research as well as private sector work. During that time I hacked planes, I hacked trains, I hacked cars, we did work for the largest hedge funds in the world, I worked for state and local, had a lot of opportunity to do a lot of things, and I think I've learned a lot along the way, and I think I've learned things incorrectly along the way as well. So when I speak, it's kind of story time with Bruce. I'm giving you my view of the world. You're welcome to disagree with me. If you don't believe what I'm telling you, raise your hand. The one thing we've learned from ShmooCon and arming people with squishy foam rubber

balls to throw at us is when one person throws the ball, a bunch of people will throw balls, right? Because you always had that thing like, I can't be the only one thinking this is [ __ ], and it turns out you're not, right? Like the entire room is agreeing with you but no one's saying it. So if you disagree with what I'm saying today, please throw whatever is convenient at you. What? Okay, all right. Does anyone here fly-fish? Okay, call me out. I'm really a terrible fly fisherman. I'm also self-taught in that space as well. I've been doing it for much less time; I've been doing security for 20 years and fly fishing for like four. So, yeah.

Yes, well, there's kind of, I mean, it's more around conservation than fly-fishing, but there's a lot of, there's people like, your grandfather taught you how to fly fish. I broke my grandfather's fly rod after he died because I didn't know how to use it, so that's a very sad story. As I tried to teach myself fly-fishing I broke my grandfather's hand-built bamboo rod, which in hindsight was really bad and no one should have let me get away with it. So it was like cathartic, I never told anyone about that. Congratulations, it's like, you know, therapy with Bruce time. Look out. Me thinking about doing this talk: last year, I've had a lot of

really ridiculous opportunities given my background, people taking chances with me that they probably shouldn't have. Last year I served as a senior technical advisor for the Presidential Commission on Cybersecurity, and I traveled around the country with the Commission interviewing public and private sector organizations, organizing all the Commission events, talking with the commissioners and their staff and Congress critters and people from the White House and whatever, and I learned a ton through the process. It was fascinating, but I was traveling a lot, like between being a commercial consultant and then a CTO of a publicly traded company at the time and being the adviser of the presidential commission, I was on the road all the time. In order to

stay sane, I used to bring a bike with me when I traveled, and I would like take a bike and go bike around, because you get to see the community, you get out of the hotel, you get out of that rut of like, I'm in a Hampton but I don't know what Hampton, like I don't know what time zone, right? So with my fly gear it was an excuse to get out into the wilderness, right? Because biking in places like Dallas, like, I'd stay in a hotel in downtown Dallas and think, I'd like to go for a bike ride. It's like, I'd like to go get run over by a car. They're

functionally equivalent, it's the same concept. So I'm like, they've never seen a cyclist in Dallas before, I was the first one, there was like a referendum to allow no more cyclists, they're like, no, we can't have any more. So instead I went out and I'd go fly-fishing and I'd find local bodies of water. Sometimes, once it was in Dayton on Memorial Day weekend, and it turns out every body of water is filled with drunk Ohioans and they're just tubing, and the fish do not eat when there's drunk Ohioans in the water. That sucked. But other times it was in Minnesota, I get to go fly-fishing, and in Wisconsin, it would be

great. And as I'm standing there not catching fish and thinking, is there a tie between what I'm doing here and my day job doing security? And ostensibly the answer was no, and so I pushed a rock uphill and I eventually came up with this talk. So we're gonna try this out and see how it works out. So fly-fishing in a nutshell is actually a pitched battle. I was just describing this to someone: if you're doing like normal lake fishing, you're going after like a bass or something, something far away that you can't see. You're trolling in the ocean, you don't see the fish, right? You're just like reeling in and waiting, is anything there? I have no idea.

With trout fishing you'll be like, there's a trout. Your odds of catching it are almost zero, right? That fish is smarter than you. It's basically like, [ __ ] you, buddy. Like, I was fishing in like a legendary trout stream in Arizona, I'm standing from like here to the middle of a table away from a whole school of brown trout, all about yay big. I spent an hour. Nope. Nope. You don't know, you don't eat that one? Okay, change it out. Nope, not that. Nope. Give him a break, try it again. [ __ ] you. When I walked away, like, I just sat there and had this fight, it was one-sided, right? Like I was having a battle and

they were just like hanging out, like, hey, what's up, buddy? So this is fly-fishing in a nutshell: you have a human who's doing, I'm standing in cold water, it's usually actually quite relaxing. I had a client where their headquarters were on a protected trout stream, and in the morning I would get dressed for work, I would drive to the client site, I'd get out of the car, I'd put on my waders, grab my gear, walk into the stream, right, like in front of where I was working, fish for two hours, get out, take all my wet stuff off, throw it in the trunk of my car, go in and work, at the end of the day get dressed again and

fish until I got hungry and go. It was great. It was the best client ever, as far as I was concerned. No one else did that, by the way. Like when you're working for a hedge fund and you come walking out, like stripping off all your waders, and all the people working at the hedge fund are like, who's this guy trespassing? And I pulled my badge out, they're like, that's weird, you know, we should investigate the contractors better. So what's the secret to fly-fishing? Anyone could put a hook in the water, I proved that empirically with those brown trout that day. What's the secret to that? There's an awful lot of opinions on how

to catch trout, right? And I mean trout very specifically, like fly-fishing is kind of an [ __ ] sport in the sense that almost exclusively we're fishing for trout. You can fish for all kinds of things, you can catch other fish, but for the most part, like, trout's the thing that you're going after. This is a picture of Heidi having caught her first trout in Estes Park, right in the middle of downtown Estes Park, and I had nothing to do with it. Our guide that day was great, walked her through all the mechanics of how to fish and everything. If I had done it we'd probably not be talking to each other right now, so it worked out very

well, she caught her first fish. But how did she do it? So there's lots of parts to fishing, and one of the things that people focus on when they think of fly-fishing is the cast, right? Like there's this process that you think of, getting the line out there, it looks beautiful. You know, we were talking earlier, like, what's the difference between fishing with a lure and fly-fishing? Well, in fly-fishing you're casting the line, right? With the lure you're casting the lure; you've got this monofilament, this heavy thing at the end, and you throw it out there and it goes out. If you're fly-fishing, it's actually the weight of the line that you use to your advantage to get the fly to

where you want it to be, and that's why you have this weird mechanic of, when you're casting, arms are going everywhere. As it turns out, when you start doing this you're just overwhelmed, right? It's, for like anyone who's tried to learn how to golf, like there's a million things at once and the whole time the ball is just there, like, yeah, you know, arms are going everywhere, knees are bent, back straight, bend that elbow, not the other one. And fly casting is the same concept. It's very easy to wave your hand next to your head; usually you just kind of make a knot. This was from a guy's website that teaches fly casting

as part of his guide tours. "The single hand rod casts I teach are outlined below." These are all the different things he teaches, which apparently is not a comprehensive list, which is a little frightening, right? There's casting that isn't that, like the double and Annie's pretzel knot one, you know. I don't really, I don't know. This is me and one of my sons when I got back into fly-fishing after I broke my grandfather's rod. I took a 35-year hiatus, and my family was kind enough: a few years ago I biked cross-country and they followed me and made sure I didn't die. So Heidi drove our RV and our three sons across the U.S. very slowly, at 60-

mile increments, while I didn't die biking across the country, and we got to Colorado. And once you get out of the wasteland that is Kansas, no offense to anyone from Kansas, but you're just a big ramp that goes to Colorado, right? Like you gain 1500 feet of elevation in a smooth plane that ends in Pueblo. So they have a cool space museum and there's like a big underground salt mine and corn. You know, this is fascinating, industrial farming is fascinating, especially if you've like ridden through a state that does nothing but industrial farming and you think to yourself, how does corn grow? How many ears of corn are on one corn stalk? One.

One ear. Or do you think it's like the pilgrim, just like laden with corn? No. And it's all exactly at this height. If you go past an industrial corn farm, every ear of corn is right here, and there's only one, because that's what the machine is designed to do. Pop-pop-pop-pop. Is it the most efficient way to get corn? Nope. But it's the cheapest, that's how we grow corn. So Kansas is fascinating in this sense. Like we did drive past a Chicken McNugget factory, that is a Perdue slaughterhouse for chickens. You have to explain to your kids, like, huh, what's in there? You're like, that's where they grow chicken nuggets. You learn a lot about industrial farming. But we get to Colorado and

they're like, oh, there's trees in the wilderness, and it's very engaging. So I decided, like, we're gonna start fly-fishing. So we're in this town and we buy a couple fly outfits and I act like I know what I'm doing, and I'm basically like watching YouTube videos, I'm like, how to fly-fish. And so we go to the stream and within a few minutes I've caught a 40-foot pine. I'm measuring it to see if it's the length, if I can keep it. My son is a little skeptical of the situation. You can see I've taught myself almost exclusively through, this is not kidding, YouTube videos, right? Watching YouTube videos, reading some books, that's how I learned how to

fly cast. And it's the few guides I've met with, when they correct the idiotic things that I'm doing, it helped me kind of adjust. You can be mentored by someone; it helps a lot when you're starting, right? It helps a lot to be with someone that knows what they're doing to prevent you from building up bad habits. Like any other sport, like any other, you know, profession, if you build bad habits early you're gonna carry those bad habits for the rest of your life, right? So as I'm busy watching YouTube and focusing on what my forearm is doing, I'm not paying attention to my wrist, I'm building bad habits with my wrist, and therefore my cast is going to

hell, and it takes some like 22-year-old guy from Colorado to correct me. So you can learn it off the internet, but it's not like the ideal way to learn it. What else? Yeah, one of the styles, I don't know, like this guy, I think he's trolling by the middle of this, right? Like the curving line, you know, bending around corners, like, oh come on, like this isn't... Well, so a roll cast is actually, when you think of fly casting you think of this big movement where the fly goes really far behind you and comes back out. If you're in an environment like this where you've got a bunch of brush behind you, you can't bring your rod tip back, so a

roll cast is a way to basically do it all in front of you. So you start the line coming up toward you and then you roll it back out. So the jump roll must involve some extra like flourish in there for some god-awful reason, but a roll cast keeps everything in front of you so you're not getting tied up with the trees behind you. So there's this concept of presentation of the fly, right? So you say, no, no, the cast is okay, it's really how you present it to the fish, right? This is another secret you've got to worry about. So you can think about, fish will hide behind barriers, right? Because there are like birds and [ __ ] that want

to eat them, so they're like kind of... That was my hawk, by the way. I've been practicing that. It was, that was good? Yeah, okay, good feedback, thank you, I appreciate that. So, oh, it's these really small talks that I like; if I did this in front of a big audience that would've landed, but that really, that was good. When you land a fly here in some slow water, what you really were trying to do with the fly is get it to imitate what it would do in real life, and for the most part any of the things that you're casting in water are just getting taken by the water downstream, right? You

think of flies as things that live on top of the water and scoot around. Very little of what you're presenting to a fish is on top of the water; it's actually just under the surface, and you're trying to get it to move in a natural way, as if the current were dragging it along. Because unlike bass, which are pretty stupid, they'll eat anything that looks like it might be food, trout, the minute it doesn't look natural to them they give up. They're like, oh, that's not real, I'm not going to eat that thing. So in this case the fly lands here, but you have all this line resting in water that's moving faster, and so that line starts to go downstream

and it drags that fly down with it at an artificially fast speed, right? So in order to correct that, what we do is called mending the line. So you tend to take the line and you loop the line that's closer to you up into the fast-moving water and let it come down, and let it come down, let it come down, while that fly, which is on a big piece of monofilament so it's not affected by you doing all this [ __ ], will slowly work its way down the current to try to trick that fish. So that's called the presentation, right? And so the presentation is important because sometimes you'll be on a, you know, on a

curve, sometimes you're going downstream, sometimes you're going upstream. A lot of this is because you're in a freaking river, right? And there's like rocks and trees and you can't necessarily control the best place to cast. Like the best place for you to cast might be filled with a giant downed oak tree and you can't stand there, so you've got to be downstream or upstream. So understanding how to present the fly effectively to the fish that you're trying to catch is very important. Okay, some people say, no, it's actually the fly itself, right? The fly is the most important thing. There's all kinds of different flies. What we did today, about four or five people in this

room came and tied flies. Yeah, she's got her fly. So we tied some flies today, and what we tied were called attractors. These are flies that aren't designed to look like anything, they're just designed to be kind of exciting, you know, they're like the club scene of flies. There's some spoons, and the bass and the panfish and the kind of more predatory things that will just basically eat anything are like, yeah, that's cool. But trout and other fish that can be more selective and typically live in shallower water are going to go, there, they need something that looks more like what they're trying to eat. What happens in a fly's life cycle, most aquatic flies, when we go in

for trout we're going to basically imitate three things: a caddisfly, mayflies, stoneflies. The vast majority of things that trout eat are those three different types of flies, and those three flies go through the same three stages of life. There's a nymph stage, which is like a larval stage, living under a rock, just kind of chilling down low in the water. Sometimes they break loose and they tumble through the water until they land on another rock, so what you're doing with these nymphs is just kind of imitating this little thing that's broken loose from a rock and is tumbling around. An emerger is, after it's transformed from its larval stage into an insect, it

comes up off the bottom and it'll slowly rise to the surface of the water, sit just below the surface of the water, and it's got like a wing sac on its back and it's trying to get its wings out of its wing sac, break the surface tension and eventually fly away, right? And so this is just fresh meat for a trout because it's a totally defenseless big juicy bug. It's got all the nutrients of a fly that's already made it, but it can't fly yet. So when these things are, you know, in the water, they'll eat them. And a dry fly is what you would think of; it's like the fly that sits on top of

the water, what we're thinking of with conventional kind of fly fishing. And so tying the flies, getting the flies to imitate flies, it's a lifetime skill. Actually this weekend, on Sunday, I'm going up to the Fly Tying Symposium in Lancaster, Pennsylvania. Anyone else planning on going? Even my family, I think it's decided, actually, no, we're not gonna go. This doesn't sound like... an hour-long seminar watching someone tie a fly, and then go to another hour-long seminar watching somebody else tie a fly? Go [ __ ] yourself. So this is actually, even if you're not a fly fishing person, you're not into this, The History of Fly-Fishing in Fifty Flies is a

very interesting book that goes through, from back in Western Europe when people started the sport, and kind of advancing through materials, through the different types of fish that they were catching, the different technologies they had. If you want to learn about fly fishing, it's actually, I think it's fascinating, and not just because I'm into the sport, it's actually a kind of a neat deconstruction of the sport based around the flies. It does have lots of pictures, it's hand-drawn, lots of hand-drawn pictures. It's really, I love that, I love that book. Okay, so then you're like, no, no, flies, whatever, you can buy the flies, present them correctly, they don't have to be perfect. And I attest, like,

you do not have to have a perfect-looking fly, they can be pretty raggedy, if it's presented correctly. Maybe it's not that. You're in the wilderness, there's gear, right? So here's me and my sons having just purchased this fly rod. You all know, there's like line everywhere, like we have no idea what we're doing with this kit. When you go fly-fishing and you're off in the woods somewhere, there's a non-trivial amount of crap that you need to go fly-fishing, right? You clearly need the rod and the reel, but then you need waders, right? Because I'm gonna stand in the water, and if the water is below like 50 degrees, or 60, even 60 degrees, you're

gonna be freezing your ass off if you're in there in a pair of sandals and shorts, right? So you need waders to stay dry. It's slippery, and you need to be able to stand on these rocks, so like the Birkenstocks or whatever you were wearing as a hippie, they weren't working out, so you need these big boots, and sometimes they have like tungsten cleats in the bottom to help you hold onto the rocks and that kind of thing. And then you need a net, on the off chance that you catch something. You need a net, right? Like I have a nice gently used net if anybody wants it. Like it sits on my back, and every once in a while I put it in my car

and then put it back on the back, and that's about all. This can get really expensive, all this stuff can get exotically expensive. I've seen nets, like $700 nets, right? Because these are all, like, hand-made, hand-bent exotic woods and whatever, clearly designed for the fisherman who doesn't catch [ __ ], right? Like if your net is like a piece of art to you, it's because you're not using it, as far as I'm concerned. So I have a $700 net. I really, I don't, I don't know. Just, sorry, clearly that was just for the theatrics of the situation. Yeah, sorry. Yeah, actually, it tells you, is he kidding? Like, I'm not

really. I think we're good. Yeah, the one, you know, yeah, I have a storage unit full of other stuff. So you need, you need a vest, because again, you're carrying all this crap. You've got a whole bunch of different, you know, because you have no idea what the fish are gonna eat, so you brought every fly you own, because you have no idea what's about to happen and you'll be damned if you're gonna miss out. So you have like all kinds of flies tucked in there. You've got nippers; these are basically really expensive fingernail clippers. Like you can spend, these are like 40-dollar nippers, you can spend like $300 on nippers. It's just a piece of machined frickin' titanium or

something, so I don't know, these bespoke nippers just for you, I don't know. They have a little thing to kind of like ream out the hole in the hook, because a lot of times you get glue and crap in there. You've got tippet, this is extra line, so if you need to tie more leader on. And of course you're tying, you maybe have a couple rods, a couple reels, they're all different weight line, so you carry a lot of different weights of tippet. You've got to carry a bunch of frickin' forceps, again on the off chance you catch a damn fish and then it swallows the hook, you've got to get the hook out from like way inside

its anus, apparently, because they will swallow it like all the way through their body, right? Like, well, then you take your, like, oh, it's into another fish, like, oh my god, like I don't understand. You have high float, something that will make the dry fly actually float. If you tied it correctly it floats on its own; I don't tie it correctly, so you have to give it a little Viagra to get it to sit on top of the water. Then you have the boxes to keep all your flies in, small, large, waterproof, floaty, floaty. Everything should float, right? Because you're gonna drop this at least once, right, and be chasing after it, running downstream, scaring the hell out of every

fish around you, right? That's also a predicate that you've scared everything around you so they don't come. Got another bag, because your vest doesn't hold all the [ __ ] that you needed in the first place, and then you've got to have the hat so you're not a poser. Okay, so like this is the gear, like that's the baseline. You're like, what do I need to go fly-fishing? It's like, I don't know, a grand worth of crap just to get started, to go stand in the water, not catch anything. So if you want to not catch fish, you just give me $1000, we'll call it even, right? Like you don't have to do anything

else. All right, so that's the gear. People say the gear is important, the gear is important, but like any, you know, racecar, it's only as good as the pilot, you still need the humans involved. So then the next thing the human has to do is read the water, right? So this is out of Estes Park, when Heidi and I were up there fishing. The fish are not uniformly distributed; it's not like raisin bread, right? Like the water doesn't just have like a reasonable amount of fish everywhere. The fish are all concentrated: in the coastlines are all the liberal fish, and then the more right-wing fish are kind of in the center of the water.

So why, I like that, that way, that was pretty good. Oh yes, oh yeah, got it, got it, oh yeah. So if we look at this section of water, like the first thing that you do when you get to a body of water is first kind of assess, like, what am I dealing with? Like, is this even a reasonable spot to fish? And so, yeah, we, like, on this side there's a road, so this is actually all, it had been flooded out, what, four years ago in the big Colorado floods, and they've reconstructed all this, but they've redone a lot of the banks with these huge boulders to prevent erosion, because there's a road up here, and they didn't

want to have to deal with it again. So you're gonna climb down through all this crap. On this side it's all brush, right, so it's really a pain in the ass to cast because you have to, like, you have to be doing the roll cast and everything else. So we actually spent most of our time fishing over on this side. You've got, this is fast water that was coming down off of a fall, you've got a pool over here, open water. Fish don't like open water, it's warm. Trout don't like warm water, they want it cold, I mean they want it pretty damn chilly. In Maryland, as an example, everywhere except for Garrett County, which is all the way in western

Maryland, they stock trout all over the state, and in every river except for the rivers in Garrett County, all the trout by July, or even usually June, are dead. They expect a hundred percent fish mortality for the trout that they stock in Maryland that aren't in Garrett County, because the water gets too hot. 70-degree water, trout are dead, they don't live. So Maryland's stocking trout in streams that it is not natural for them to be in, just for fishermen to catch them. So I mean, I still fish the Patapsco and some of the other local rivers, but it doesn't really feel right. Like I'm like, yeah, these fish don't even want to be here, and they're

gonna die if a freaking hawk doesn't get them at some point. So, so the water, like, you know, on a cold day they like to warm in the sun, and on a warm day they'll stay away from it. Plus, if they're out in the middle they get caught by predators, so in general they're not going to be in shallow water right in the middle of an open space. And then this all starts again. The falls are something to consider, because what will happen is the falls, where the water's coming down, make this very turbulent motion and you get a lot of food churned up, so any kind of nymph or anything that was attached to rocks in that

area has a relatively short lifespan, they'll get turned over. So at the tail end of the falls, as things fall out of the water and go to the bottom, you'll often find trout there eating. So you've got to get to a place, read the water. Okay, what else? This is a big one: matching the hatch. So once you get an idea, at the read of the area, you'll actually walk into the water, pick up a rock, and you'll look at it, and what you're looking for are the insects that are living on the bottom of the rock, all the larval stages of all these different types of flies and things that are native to that area. How big are they, how

mature are they, are they hatching right now, what colors are they? And you try to find a fly, the pattern that you have, that matches something that you find on that rock. If you go in at 9 o'clock in the morning and start throwing in some kind of caddisfly emerger, right, this thing that's hatched and is coming up to the surface, trout's probably not gonna eat it, because those will emerge in the later afternoon, like 2, 3, 4 o'clock, as the water gets warmer and there's more sunlight. So if I take a caddisfly emerger and cast it in the water at 9:00 a.m., I probably won't catch anything. I come into the same spot at

4 o'clock in the afternoon, I'd be hauling out trout as fast as I can hook them, right? And so in the morning I'm gonna be looking for more, you know, things that are more apt to be in the water then: nymphs, the scuds, the worms, things like that that the fish won't find unnatural for that kind of day. So the idea of matching the hatch is like super important. And then there's like blind-ass luck. So sometimes you're at the right place at the right time. This is me drinking champagne while fishing, as one would do with a big [ __ ] sport like this, not catching any fish. And that's Estes Park. It was a snowy March day

or April day in Estes Park, I caught a thing, and Heidi handed me champagne, and I'm still to this day a little confused as to why, but it was nice, it was good. Okay, so then the big question, right, as this guy walks out of the room, he says, what the hell does this have to do with security? He's like, I don't get it. Like a straight man there, nailed it for me, that was good, it was perfect. So what does this have to do with security? Well, on the face of it, fishing is complicated. I just went through, like, there's a whole shitload of stuff that has to happen in order to

catch a fish. It's an industry filled with hobbyists and pros, filled with people who are self-taught. If you're mentored early on, it stops you from making mistakes. Your gear matters, but we still matter more. It's dangerous if you're not paying attention. It's predominantly white and male, like that's the reality of fly-fishing, like it's a white male sport. And it's a lot of fun. As it turns out, that's the same thing: information security has the same traits as fly-fishing, right? All these things still hold true. So let's kind of walk through that. Information security is complicated, right? Like, no [ __ ], right? This is a big "no duh" in 2017. The thing on the left, right, is the NICE

framework. So NIST has put together the NICE framework; in the last few years they've given it a little more structure and made it a little more reachable. I mean, there's a whole document now around the framework and how they've broken it down, and effectively it's the big book of every cybersecurity-related job ever at any point in the history of mankind. And it's a big tree, because NIST will make things that look like trees, because they want the hierarchy and the structure. At the top level of the tree, all jobs that we would do in this industry fall into one of these buckets, and then they split and they split and they split until there's hundreds of different jobs with hundreds

of different levels of skill associated with them. Then this is defined as every cybersecurity job ever in the history of mankind, right? You go back 20 years ago, there weren't that many types of jobs, right? Like, you had some network security admins, you had somebody that did risk management (we didn't really understand cyber risk all that well), you had some penetration-testing type people, maybe, if you were lucky, a couple of people around investigations, but we didn't get broken into all that much, unless you were the government. Like, most people didn't know that they were hacked. Pre-Google Aurora, most organizations didn't believe that they were the victims of being hacked, right? Google Aurora was like the big watershed event,

like, "Hey, we got owned," and other people like, "Oh, we got owned too," and we've now been living in this age of breaches because people have better eyes on the system and they're doing a better job of analyzing the data in front of them. So, you know, when you think about, again, the number of books that I showed earlier, with about four thousand books on fly-fishing: computer security is twenty-four thousand books. That's just an arbitrary metric and an arbitrary search term, but that actually got more than "cyber security," which I thought was good, right? "Computer security" got 24,000, "cyber security" only got like 12,000. It was like, haha, it hasn't totally taken us all over yet, but it's close. So while we're

talking about the cyber landscape, this is from Momentum. So Momentum tracks investments and M&A activity in our industry, the cybersecurity industry, and they've broken apart the landscape of everything that has to do with cybersecurity into a bunch of buckets and then categorized every company that they can find that's active in this space into those buckets, right? So when we talk about the complexity of the industry, we have things like, excuse me, we have, let's say, network security, endpoint security, we have application security, there's messaging security, web security, managed security (this is actually at some point my old company's logo being there), we have risk and compliance, industrial, fraud, security operations, incident response,

transaction security, specialized threat intelligence, data security, identity and access management, cloud and mobile security, right? That's it, right? And every little dot here is like a pixel, because this is so small, like they've had to jam all these companies' logos in because there's so many companies, and wedge them all together to fit on one frickin' page. "It's mine, by the way." Yeah, sure. Mm-hmm, that's their whole shtick, is secure messaging on mobile platforms, so as much as they have a desktop thing, it's very much designed around the ability of communications, communicating the way that you want, and whatever. Look, man, so I actually talked with the Wickr CEO the

other day and got his pitch about what they're trying to do, and it wasn't what I expected. Like, I was thinking it was more like a secure messaging kind of thing, but when you put a point on what they are trying to do, it lands in this space, I don't... and he will freely admit they're not doing a good job of communicating that message, because people have that reaction, right? They're actually like, "Oh, you're a messaging company," like, "No, no, no, no, stop." It's the same way, like, you know, Tenable is Nessus, right? Haha, it drives them nuts, because people will call them, like, "I had to call Nessus and get some support,"

but you had to call Tenable to get support. So I mean, there are companies that struggle with their identity in this space, but, I mean, in their universe they think they're mobile. Hobbyists and pros, right? So you can get degrees. This is a new thing, right, the ability to get a cybersecurity degree. If you're over the age of 32 you do not have an undergraduate degree in cybersecurity. You may have a master's degree, some graduate degree in cybersecurity, but as of, what, 14 years ago, there was really not general access to programs at the undergraduate level that would constitute a cybersecurity, information security, computer security degree, right?

We started having... what? Oh, but it was... this is a ditched slide from a different talk, and I gutted it and now I'm getting [ __ ] for it. So, okay, man, yeah, thank you. Yeah, it was actually as I was fishing, while I stepped in a bear trap, is what it turned out. So the undergrad... this is a relatively new thing, the undergrad degree, but it's ramping up really quickly, and it's amazing the diversity that's happening at the collegiate level. So I do a lot of college recruiting at different universities, and I use RIT and Penn State: RIT, Rochester Institute of Technology in New York, and Penn State, obviously in State College, and I

recruit from both of those organizations very aggressively. They could not be more different when it comes to what they're teaching their kids in the security space. RIT is a technical institute, it's very applied. It's a good school, right, it's a four-year school, they have all the resources you can imagine. I mean, the amount of computing power they have, the access to the industry that they have: you get people who are very applied, very up to speed on the state of the art and what's possible, but they don't necessarily have the grounding in kind of core research methods, they don't have the broader humanities background that you would get somewhere else. You go to Penn State, you get a lot of big thinking,

right, people that understand the foundations, the practice, they understand, you know, a lot of the policy issues. I could get an analyst out of Penn State any day of the week, I can get a consultant out of Penn State. If I need somebody to actually go do something to a system, that's not Penn State, right? I have one person I've ever hired from Penn State that I would consider kind of in that doer category. That was a CompSci major who coincidentally kind of likes security, so I pulled him through the security knothole, right? But everybody else, I've hired them to be policy people and do like CISO work and that kind of thing. So, and I'm not slagging on

Penn State. I mean, clearly both those kinds of disciplines are important, they're an industry. But when you think of like, "Hey, I want to go get a degree in cybersecurity, I'm looking at Penn State and RIT," that's like, "Hey, I'm thinking of something that will get me from point A to point B, so I'm looking at a Lamborghini and a leftover Space Shuttle," right? Like, wow, those are two radically different things. Like, you need very different skills to operate both of them, but they will get you from point A to point B, like, congratulations on divining that. So, and then you get local schools. Like, I advise Penn College of Technology in

Williamsport, Pennsylvania, a two-year school that's now a four-year school, very much vocational. Their cybersecurity program is in the same college as their welding degree, right? You can get a four-year degree in welding, and the dean of that college has a master's in welding, right, and he oversees the cybersecurity program. Thankfully he freely admits, like, "I don't know a goddamn thing about this," right? Like, "My assistant dean knows cyber and he's putting together the program and the curriculum," but they're really like, "You know, what do we do?" And so they've gotten industry people and academic folks together to try to help them build a degree that's targeted for the kids that are there. So, and the

same thing's even happening here in Delaware as you're putting together the program here. So, unlike mechanical engineering, like psychology, things like that, there's no agreed-upon what the disciplines here look like. We can hem and haw about certs and the efficacy of them in our industry all we like. My struggle is, for those of us that don't have these, that existed at a time where it wasn't even possible to get those, what is the other metric by which to gauge competency if it's not a cert, right? The other metric is smart-person interviews, right? Someone smarter than me interviewing me to see if I know what I'm talking about in my domain. But

for a lot of organizations that's hard, they don't have people smarter. That's why they're requiring the CEH and the CISSP and whatever, because they're just gonna rely upon that as like a surrogate for a smart person doing the interview. So I mean, I struggle a lot with this because of the mandatory nature, and then the fact that it's a printing press of money for the organizations that run these systems, and, you know, that's a bigger issue. But I've come to grips a little bit that this is a necessary evil. And again, you can't age-discriminate, but part of it is that we'll still have two or three generations of programs at the undergrad level before we're

going to be able to kind of start to push these aside, because this is for people like me. I don't have any certs, right? I've taught cert programs for certs that I didn't have. It's weird, like I don't know how I was able to do that, but I've never had a single cert in my life. Ostensibly, most contracts that I worked on for the federal government, I didn't qualify for most of the labor categories. I had special labor categories constructed for me because of my college dropout with 20 years' experience and no certs. They're like, "Well, that doesn't fit anywhere, like we'll just write Bruce's labor category," and there were

several contracts with different government agencies where I was the only person in a labor category, because they were wired so I could get in the door. And then we go to conferences and we learn from our peers, and that's, for again, people that were in this space before the degrees, that was how you learned, right? Like, you go to events like this and you listen to people talking, you network, and you get to know who's doing what and what else is interesting, and it's still the case, right? I mean, DEF CON is huge, then we have all these BSides events, we have all these other things, we can go to places and talk to people that are

like-minded and get interested. The same thing in fly-fishing, right? Like, there are people that, I mean, they probably have a degree in wildlife conservation, environmental whatever, but their focus was on freshwater aquatic wildlife, right? They are focused on fish, they know everything about the streams in central New York, right? There are agriculture universities in New York State that you can go to and learn all about New York agriculture and wildlife and become an expert in that space in a way that I can't even envision. I grew up as a fourth-generation lumberman: my father, his father, and his father all were lumbermen. My brothers work for them, they still all are lumbermen. I got out of that business, that was not my thing,

but I have an appreciation for my brothers' degrees in forestry. Like, the fact that I do some casual woodworking and I cut down trees in my backyard with a chainsaw does not make me a forester, it just means I'm kind of reasonably confident with a chainsaw, and if the zombies show up, like, I'll probably not die in the first wave. But, you know, there's a real discipline around wildlife management, right? And part of what we do as fishermen is a respect for the outdoors and whatever. So these are pros in this space. You can get certified as professional casting instructors, you can get certified as professional guides, there's all these different bodies that will certify

people and say, "Hey, trout fisher person who's giving guided tours, you probably know what you're talking about," which is about the level of thumbs-up that some of these certs give us in the cybersecurity space. And as I stated earlier, I'm going to the International Fly Tying Symposium on Sunday. I'm super excited about it. I mean, I'll be honest, I am excited to be at BSides Delaware, I think I'm actually more excited to go talk to guys about flies, just so you all know where I stand. Anyway, filled with people who are self-taught. I love this photo. It's not a self-portrait, but it could have been. Like, "Are you really sure?"

"Hacker? What?" I'm of mixed mind on the bug bounty trends that we see these days. I think they're an effective component of a cybersecurity or risk management program, a broad program. They're a poor component if you're betting the farm on it, right? Like, "I don't think we need to pay for a pen test, let's just have a bug bounty." Like, no, that's a horrifyingly bad idea, and there are organizations that have kind of gone down that road. You're like, no, no, that's not all right. But this idea that there are a whole group of people that are getting into application security because of bug bounties is actually kind of fascinating, because

it's like, was it Fiverr or whatever, you just ask people, like, you can just go pick up a website, be like, "What are the rules of engagement? Okay, I'm gonna go attack it and see what I can find." That's actually kind of neat, right? It's just mercenary pentesting. There are parts of it that still kind of make me a little nervous, but all in all, if we're building more people and getting more people in this industry in kind of non-conventional ways, I'm okay with that, as long as the companies that are participating understand what the quality of some of the work they're gonna get out of here is. I've worked with companies that have gone down the bug bounty route,

and there's definitely this, like, "Hey, we got a bunch of interesting stuff," and "We got nothing that's interesting," right? Like, although the volume was constant, like they got a constant volume of stuff, there'd only be one or two things out of a hundred that were useful after the first month or so. And there are other instances where that hasn't been the case, but the vast majority that I've seen, they get a big oomph at the beginning, people get their money, and then that's about the end of the useful stuff. Mentoring early on helps immensely. For those of you that have been in the field a while, you've been asked these questions. For those of you

for whom this is new, you are probably asking yourself these kinds of questions right now. Like, I'm amazed at the number of times that I'll give a talk at a place and someone will come up to me and be like, "Okay, I'm not doing this kind of thing, but I'm thinking about it. How do I get started?" I gave a talk at the Association of the US Army in DC a couple of years ago, and before the talk I was having lunch in the cafeteria at the convention center down in DC. This guy, you know, I'm just sitting there by myself, this guy comes down, sits down next to me, and we get to talking, and he's like,

"You know, what do you do?" And I'm telling him, and then I'm asking what he does. This guy graduated from West Point. Okay, cool. He's a Ranger. All right, that's pretty badass. And he's got his MBA. Wow, man, you know how to kill people and make them feel dumb. Like, I'm in awe. He's a nice guy, but he's clearly, like, off-the-charts smart. Like, we talked for probably 10 or 15 minutes. I'm like, so much respect for this cat, right? Like, the fact that he's put his life on the line, he's been deployed, and now he thinks the greatest service he can do to this country is work procurement at the Pentagon. God, that hurts me so much. And

so then I'm talking about what I do. He's like, "Man, cybersecurity is so fascinating, but I just can't figure out how to get started in it." Like, you're West Point, Ranger, MBA, and the thing that's challenging to you is how to get started in cyber? Like, holy... we are doing this so wrong, right? Like, god damn, man. So I actually called him out in the middle of the talk that I was giving, like, had him stand up, like, "Let's talk about this guy." I'm like, oh, that's probably dangerous, but it worked out. Here, you know, "Can I hack back when someone hacks me?" I mean, people ask that question, maybe not in that way, but I'm reminded, back 15

years ago, we were doing community wireless networking stuff in Northern Virginia, trying to build a big mesh network of companies and individuals sharing Wi-Fi connections so you could just move around Northern Virginia and get free internet, you know, off of everyone's home Wi-Fi, whatever. It was a grand utopian socialist... like socialism, and Bernie was in the back room guiding us all. So one guy comes to me at one of our meetings, he was like, "Hey, I got an idea, I got a business plan, I think it's gonna work." I said, "What's that?" He goes, "I'm gonna drive around the area and look for, like, open access points, and when I find them I'm gonna find the businesses

associated with them. I'm gonna go in and say, hey, I see that your wireless network might be vulnerable. If you give me, like, I don't know, five thousand dollars, I can fix it for you." I'm like, "Just so we're clear, your business plan will be viewed as extortion by other people." He's like, "No, I'm just trying to help." But like, dude, they have no idea. When you come in and be like, "I know something you don't know that's bad for your business, you give me $5,000, I'll tell you about it," it's like, "I'm gonna call the cops, I'll be right back." You know, like, oh my god. So I'm all hooked up on the microphone now, there we go.

Can you still hear me? Okay, good. Oh, dodged a bullet. "Is it okay to attack a website?" I learned, like, again, people don't ask that necessarily, they're like, "So I was running this free web scanner against Amazon last night." Like, "Let's talk. It's like eight things we need to cover, like, right now. First of all, were you going through Tor? Can anyone find you?" Like, you know, people learn from people that have been around, because we've all made mistakes, right? Like, I've made so many mistakes in this space, and I'm more than happy to help people learn from those mistakes. And it's the same thing, like, I swear, when I'm learning in, like, fly-fishing,

the number of times I did this and was just like, "I don't know what to do," because I have three problems. One, I want to keep fishing, and I can't right now because I have, like, this basketball-sized pile of [ __ ] in front of me that does not gracefully come out, like we saw Robert Redford earlier in the movie, right? You're in the movie, I'm in a movie, I'm not in a [ __ ] movie. That's my ego right there, like I just stepped right in it. So secondarily, this line is really expensive, right, and you're like, [ __ ], I just torched a bunch of it, right, because I'm not gonna untie that

nonsense. And then third, the nail knot that you have to use to connect this to the monofilament is complicated, and every time I do it I have to Google it. Like, I have a special tool that I use, but the tool doesn't describe how to use it, it's just weird. You think, so I'm in the middle of the water balancing my phone, I got two lines, trying not to drop the phone, the fish are all like, "Got it, guys." Terrible. It's really just the worst. So, but then, like, I'll talk to someone, like, "Why does this keep happening?" and it'll be like some real subtle thing, like, "Your hand's here instead of here." Like, no! And now I don't

make giant basketball-sized knots of crap anymore. Like, that's great, I wish someone had told me that before. Your gear matters, but humans matter more. This was awesome, this talk at BSides Vancouver. It's: AI is now on its third resurgence, third birth if you will. In the 60s and 70s, symbolic computing will save us all, right? We don't need faster computers, we just need more abstract programming languages, we need Lisp and [ __ ] like that to make our life better, and if we can teach computers to think symbolically we will win. And that did not work out. And then in the mid-90s we thought, wow, we have a lot of computing power, we'll

build expert systems and they will be like AI, and that will all work, and that [ __ ] didn't work out. And now we're like, "I have the cloud, and we have so much horsepower in the cloud that we just solve problems by running at them as fast as we can." Like, if you run against the wall, eventually the wall will, like, move, right? Like, that's what the AI model is today: just push really hard for a long time and eventually the system will learn. It's such [ __ ]. But, and it's funny how much of this stuff just still turns out to be stats, right? Like, finding the standard deviation isn't machine learning, it's math. Like, it's not that

complicated, but we keep finding it. Now, I worked with a company that was trying to do automated discovery of denial of service through an AI system, and I spent months explaining to them how the internet worked, right? Literally, like, "Here's autonomous systems, here's BGP, here's how route flapping happens," all this kind of stuff. And they're trying to build this magic AI box that they thought eventually could find denial-of-service attacks, and one day I'm like, "You know, you could just look at the amount of traffic, and if it's bigger than the pipe, it's a denial-of-service attack. There's nothing more to it." "Well, yeah, we could." So humans still matter and

will continue to matter in this space for a long period of time. It's the same thing here. Like, if you and I were to go fly-fishing right now, I am still a shitty fly fisherman. Like, I will admit it, I'm not very good, and the difference in the amount of fish that I will catch between a 50-dollar rod and an $850 rod is probably zero, right? Not a statistically significant number of fish that I catch will be the difference if I use those two rods. Mentally, I think I will be a better fisherman if I buy that rod, but I know in my heart of hearts I suck and this one will be just

fine, right? It hasn't stopped me from landing somewhere in the middle, so closer to the... no, no, right. Um, information security is dangerous if you're not paying attention. Fishing can be very interesting if you're not paying attention. I don't know what this thing is. It is real, it's somewhere in South America, and you can catch them before they catch you. It's like Pokémon, it's like lethal Pokémon. So there are things that we can do in this space that cause harm, right? We can hack back, like, that causes harm. We can, and this is an interesting one, like, I've worked with clients who do in situ analysis: they let the attackers stay in place so they can observe them. Okay,

like, "I've got this thing that makes fire and I'm gonna put it in the middle of this pile of tissue paper, let's hope it doesn't catch all the tissue paper on fire," right? Like, this is incredibly dangerous, and most organizations aren't geared up to do this. It sounds good. Most of the time, most organizations are better off, like, yanking them out, restoring normal operations, and getting on with their life. I've been involved in breach response where they want to spend a lot of time figuring out who is breaking in, and after two or three months of the same people breaking in all the time, like, we can stop with the forensics analysis. It's the same people. Like, we

don't... attribution is not important, stop getting broken into, that's the important bit. Detonating malware, we've seen that go bad, right? Like, "Hey, I do malware analysis at home, now my home blew up," right? Like, oops. IoT is hard. Even speaking out about high-profile attacks will get people in trouble, right? When you piss off organized crime groups and stuff, like, they won't come find you, as it turns out, right? Like, when you ask Brian Krebs, right, how many times has he been swatted? A lot. Why? Because he called people out, right, people that don't want to be called out. And then inadvertent hacking, like, "Oops, I inadvertently hacked." No, right?

This is how you get a fly through your pair of glasses, but that's somewhat terrifying. This has happened to me a lot. This is the situational awareness: like, I'm doing something, I'm not paying attention, and also, like, there's a huge pool in front of me. It's like a cartoon, right? Like, if you look at the terror on my face, and then the waders fill up and I'm like floating downstream, like, oh well, I'm a water seal, a big fat water seal. Very quick story about a river otter. I was fishing on a protected trout stream in Wisconsin, and I had to hike, it was like you got to hike a mile through a cornfield. So I go in this cornfield, I go

down the freakin' hill, huge, steep, slippery, and back at the bottom, I'm so excited, it's like this is supposed to be the greatest trout stream in Wisconsin, the Kinnickinnic River, and I was fishing on the Kinni, and I was all excited. I get all my gear on and I see a river otter, like, upstream, like 30 yards. I see an otter in the water I'm fishing, and then there's a river otter downstream, like 10 yards, making noises at me. Like, that's weird. And the river otter's over here making noises, then running through the bush and behind me, and I'm like, oh my god. And after, like, half an hour I'm like, there

is not a trout within 100 yards of this place, so this otter has scared them all off, right, because no trout wants to meet this goddamn otter. So, like, screw this noise. So I go walking back to my gear, which is up on the bank, and the otter swims in front of me and disappears, and I realize I put my stuff on top of its den. I'm like, ah man, that otter is pissed. So I go climbing up and taking my stuff off, and so, I mean, it's an ordeal, right? Like, I gotta take off the vest, I gotta take off the boots and the waders, and I'm sitting there, I got waders around my ankles, I'm like kind of

weaseling it up. The otter jumps up, like, four feet away from me, jumps up onto the bank, stands up on its hind legs, and hisses at me, and I'm like, "What?" Like, I literally said "What?" with my arms outstretched, and he's like... and he starts, like, inching toward me. Like, I grabbed my tube that I keep the rod in, and I'm thinking I'm gonna have to beat a river otter to death, right? Like, I thought I was gonna die here, communing with nature, and it's done. And he decided at that point that I was not gonna... "You just took off?" Okay, yeah, yeah, I don't think he's that smart. I think "large abstract thing is making me angry," I

think that's all he was really thinking. But anyway, I did not kill a river otter that day. Not that day. That day. My lawyer advised me very specific language around... I would declare I have not killed an otter. Actually, that was the Carter Page answer. I know nothing about the dead moose either, like, I have no idea. So, so information security is predominantly white male. Totally not okay, right? This is not something that's good for our industry, it's not good for society. This is a complex topic, both why we are that way as an industry and also the impact that it has on us, right? The fact that we don't have the diversity that we should

makes us weak. We're not accomplishing everything that we could be doing, we're not giving back to the community the way we could be doing. So in both these instances there are organizations who are trying to make it better. That's not to say you can't do things on your own to address some of these root causes, but I think that there's good work that's been going on. Project Healing Waters and Trout Unlimited have youth outreach programs and outreach programs to disabled vets that I think have been very useful to make trout fishing and fly fishing more inclusive and part of the community. YES is an organization in the DC area that does STEM outreach in

schools. Year Up, I'll call special attention to Year Up. Year Up is an organization that, the way that they're structured is they'll take people, adults from 18 to 25-ish, who have kind of the desire and an education background to be able to go to college, but they don't have the academic ability or, exceeding that, the economic ability, and not just from a financial perspective for themselves, but the fact that they may be holding down a job because they're having to take care of the grandmother or the brothers and sisters or whatever it is. You know, we've got people living in areas where one or two jobs support a family of five or six, and so people at 18 and 19 aren't able

to go out in the community and get a job, or they have to go out in the community and get a job and they can't get an education. So what Year Up does is, for those people, they say, "Okay, you're gonna come and get six months of intensive training, eight to five every day," and it's around business management, IT, or cybersecurity. And it's eight to five, they show up in business attire every day. Like, not whatever, like I have a collared shirt; the guys are all in suits, the women are, and either, you know, they're dressed in business attire as well. This is a more complicated subject for women, like what constitutes business attire, and we have that whole discussion,

but they then go through everything from the technology and the tech aspect of their job, and also how to interact with your co-workers, how to write reports, you know, what a business meeting's actually like, how to communicate effectively, all these kinds of things. And then, it's really cool, and so then when they're done, they have industry partners that they'll reach out to, and you basically get a six-month intern. And so these people go out in the field and they'll get jobs interning for six months in their domain, and they're very sensitive to, like, "Hey, we're trying to find companies that are close to you or within your means to get to," because

sometimes people don't have cars, they have to ride mass transit, so they're trying to find, you know, ways to be able to make sure that they're successful in that domain. That whole time they get paid, right? So, again, in this program they're getting a paycheck, they get a stipend, so if they were working somewhere, if they were working at McDonald's or working at the dry cleaner or whatever it was they were doing, they can get paid to get educated. And then at the end of this process they have the education and they have the exposure, where the company they're interning with, then they can go get a job. A lot of the companies that they intern with would pick them up, and a lot of, but

even if they don't, the rate at which these students have jobs after six months is something outrageous, like 93% have jobs, so they make $40,000 or more, which, for some of these kids who are making like sixteen thousand dollars a year, it's life-changing for their families, right, not just life-changing for themselves. I mean, so the whole damn family gets a benefit out of this. So the way that this works is the companies that bring the students in, they pay about twenty-six thousand dollars, which is about what you're gonna pay a six-month intern anyway, but they pay that fee to Year Up, who uses it to fund their entire program,

in combination with other fundraising that they do. So if you are a hiring manager, if you're a company that is hiring today, looking for interns, looking for junior staff, and you're in DC, you're in Baltimore, you're in Wilmington, you're in Philadelphia, or you're in Boston or Chicago, there's a Year Up there. Please reach out to them, at least get to know them, build a relationship. They have two cohorts a year. I think they come out like in February and August, when the internships... when they're ready, you know, and then it may vary locality to locality. That's the Baltimore one. But I would encourage you to reach out to Year Up. If you want, after

this meeting, or after this talk, I'm happy to get you in contact with my contacts at Year Up. I can't speak highly enough about this program, it's a fantastic program. The guy who started it is, I mean, I don't get motivated by much, I'm kind of an [ __ ], I really am probably more wrapped up in myself than I should be. This guy's humbling to listen to, to talk to, like he is... I mean, the guy who started Year Up is really, really an amazing cat. So with that, information security is a lot of fun, and so is fly fishing, even if you're not catching fish. So my advice to you, especially for those of you that are kind

of getting started: find the stuff that you love. You know, in fly-fishing, if it's the gear, if it's the flies, if it's the traveling to exotic locales, like, you know, focus on that. If you're in security, you know, if you're a forensic analyst, whatever, yeah, do the stuff you like doing. I've discovered, as much as I like standing around in water and not catching fish, I really like tying flies. The fly-tying workshop earlier today, I'm not very good at it, but I enjoy it. It's very relaxing to me. I feel like I actually get to build something. I mean, it's not... and we do stuff in cyber all the time and all you see is, like, I have a bunch of files

somewhere, and like a web page or something like that. Like, with a bunch of little hooks, I tie stuff to them that fish sometimes want to eat. I think it's kind of cool. And for me, I mean, as much as I like to fish, I'm busy, I don't have a lot of time, but I can do that kind of thing at night: late at night, sit down, tie some flies, and enjoy things. So anyway, with that, I don't know if there's any questions. Guys, she looks skeptical. Well, I told you I was gonna close with it. You're like, oh, that's okay. But yeah, a second bear trap. I had a bear trap on each slide, all

right, sweet. Well, thanks for playing along with this little science experiment. If anyone does have any feedback on how to make these two topics tie together better than I did, I'd appreciate it. So thanks. [Applause]
