
So how about a really big round of applause for our BSides Edmonton volunteers who put this thing on, please. When possible, when you're seeing our BSides volunteers, please give them a hug, because I don't know if any of you have ever tried to run something like this before. I once, and I've managed multi-million dollar projects in the past, I've once tried to run, or was that the Active Start Jamboree for ringette, it was six ringette teams for a bunch of six-year-olds, and it darn near killed me. So the fact that they put this on, this is fantastic. First time in Edmonton. BSides have been in Calgary a couple times. First BSides I ever went to was in Toronto, which was held in a bar. It was fantastic, talking about security and drinking craft beer all day long. It was absolutely fun.

So my name is Adam. It's really special for me to be able to wear the number 56, the green and gold, because about a year ago I moved to Calgary. So I want to talk about all the things. We're information security people for the most part, maybe information technology people. We always believe that we're the smartest people in the room, because quite frankly we are, right? And we do suffer ourselves from that special snowflake syndrome, the unrecognized personalities sort of destroying the world. And some things happened a few years ago. We want to call ourselves hackers, right? Jurassic Park, my favourite movie of all time: "I'm not a nerd, I'm a hacker." Yeah, that was fantastic. But then all of a sudden APT 26, also known as Fancy Bear, are trying to do the Russian dance for you, and other state-sponsored folks like, I don't know, Lazarus Group, North Korea. They started giving the evil hacker a bad name, right? So no, not an evil hacker anymore, we're security researchers, right? We, you know, that's been my mantra all along: I like taking things apart and then seeing what falls over. Oh, I'm gonna go back. Oh, this thing is just tricky as heck, I love it. Okay, there it is. Okay, Tom Selleck really doesn't want the page.

This is your platform. BSides is your platform as information technology, information security people. The reason that I want to put this talk together is because in the course of my regular job that I've had for about six months I'm doing a lot of investigations, so I actually went and got a professional investigator licence, which makes me feel like Tom Selleck in his Ferrari, Magnum P.I., yeah, except I'm a bald man with a Subaru. So if you do something, if in the course of your regular business or in the course of your hobby you find something that is like, oh my god, everybody needs to know this, this is your platform. I encourage you to submit a talk to BSides or some other, you know, there's EdSec, which I'm gonna sign up for, CalSec in Calgary, there's all sorts of great places that you could talk about these things.

Jack Daniel does a fantastic talk. Large hat, large beard, large personality, brilliant guy, talks about ethos, and what is our ethos as security people? What do we believe in? Do we believe that, you know, yeah okay, we've got lots of torrents on our hard drive, doesn't matter, it's not really a problem? Well, a couple organizations, a few organizations, I listed ISACA and (ISC)², they have a code of ethics. For those of you that are fans of Javvad Malik and these, you know, rage-y notice-kid videos: you see, I've got a code of ethics that I have to adhere to, but those guys outside, they don't need to adhere to anything, so just talk to me. We do have a code of ethics if we have professional certifications. I pay an incredible amount every year in annual maintenance fees, I'm sure a lot of you do. The talk at BSides Calgary last year was about bootstrapping your own security projects: I want to hack the next TV, I'm just gonna go to Costco and buy it, hack the crap out of it and then take it back to Costco. And everybody in the room went, ooh, that's a neat idea, but well, how does that fit into your personal ethos? And I used Keeper Security as an example of maybe that's not the best thing. Tavis Ormandy, I don't know if anybody's heard of Tavis Ormandy, he works for Google, he is one of the most amazing security researchers on the planet. Essentially what happens when Tavis points his laser focus on somebody, two things happen. The company that his laser focus goes on, it says, haha, right on, free pen test, and then they go, aw crap. Doesn't matter what happens, this kind of falls over. So Keeper Security had a really serious issue with their stuff. Tavis found it, and a guy named Dan Goodin published it on Ars Technica. Keeper Security said, you jackass, you can't publish that, you can't tell everybody that we're a security company, we're secure, you can't tell people that we're not. And they sued the crap out of him as a journalist. So Dan's ethos did not match up with the law team at Keeper Security. You can't have an ethics issue if you don't have any ethics, yeah.

So talking about, yeah, how many of you exist in computer security echo chambers? I often do, right. I thank you, Nancy... god, that is a glorious beard. I have beard envy like you wouldn't believe. All I could grow is this nasty 1970s porno stash, it's terrible. Movember is a real rough year for me.

Police disclosure form, and I'm just gonna burn through a couple of these things. Like, have you ever been chased or pursued by the police, foot or motor vehicle, yes or no? This is part of a forty-some-odd page document that you fill out as the first step if you want to become a police officer. This is their determination of the kind of things that they're trying to do to figure out if you're someone that should go through the police recruitment process. I'm not saying that any of you want to go and be police officers. I did at 25. I'll show you in a couple minutes why I didn't. Have you ever used pharmaceuticals illegally? Have you ever written NSF cheques? Lots of things about naughty sex. Have you ever beat up a family member, kicked them down a stairwell? Because if you're looking for the next Captain Canada, you want to make sure that they've got a really good ethos, right? Then you get to this section on technology crime. Have you ever illegally obtained software, given away any software? Oh, and it's not just a yes or no, it is kind of binary: if yes, please provide specific details including dates. So, starting in 1976 on a TRS-80 Model... no. Hacking: configured, used wireless technology for the purpose of gaining unauthorized access. Wardriving, does anybody wardrive? Of course everybody wardrives, we don't wardial anymore. But have you ever downloaded, otherwise obtained commercial software, manipulated with patches, cracks, registration keys that allowed it to work? Adobe. So this, stalked anyone over the Internet? I don't know who's never doxxed anybody on LinkedIn or Facebook. Have you ever done anything naughty with email? Dr. Evil himself doesn't know what the hell to do with this, right? And at the end of this police disclosure form it also has a thing at the bottom that says, along the lines of, whatever you've done here becomes a legal document and you can be charged for the offences you've just admitted to. These are offences. So in our personal ethos, all of a sudden this torrent box that we got sitting at home, maybe that's not viewed as ethically as the rest of the room might feel it is.

So what is the worst that could happen? The title of my talk, the whole reason I'm here. And going through all this stuff in this investigator's licence course, it made me realize the things. Yes, we do have a Constitution in Canada, we don't talk about it a whole lot. Yes, we do have a Charter of Rights and Freedoms, and it talks about the kinds of things that we can be charged with by the Crown. Her Majesty herself comes out from on high and hits us with, there's a 2x4 here originally. Oh yes, I get props, fantastic. So there's three kinds of charges that you can get in Canada. A summary conviction, which is the little stuff, which means that you can be charged up to two thousand dollars, five thousand dollars depending on the kind of offence, or six months in prison. That's the little stuff, that's, you know, one level above a traffic ticket. There's an indictable offence, that's where the juries come into play, that's the big stuff, so that's up to 20 years in prison. That's you've killed your mom, that's bad things. Then there's a hybrid offence, so, you know, a break and enter where you didn't shoot anybody is kind of a, well, it's not really a summary conviction but it's not really an indictable offence, so they call it a hybrid. And so we do have a Constitution. It's not really all that famous, like our one true God, and going around and stealing the Constitution. And not to say that Canadian politics is boring, as our Ford brothers in eastern Canada have shown us, right? That was our buddy Rob, and his brother Doug isn't necessarily showing us up either. But you can't forget about this national treasure from western Canada himself, right, the proponent of shoot, shovel and shut up.

So let's talk about the mack daddy, to those of us who like to take things apart with computers: 342.1, unauthorized use of a computer. Everyone is guilty of an indictable offence, not necessarily a small one, and liable to imprisonment for a term of not more than ten years, or is guilty of an offence punishable on summary conviction, a little one, who fraudulently and without colour of right, and it talks about all sorts of good things. There's one, no. So using a computer to screw with things, and this is a criminal charge. And then we start analyzing, we go hahaha, password, yeah, because we use passwords. Now when you actually go into the definitions, what they're talking about with a password is anything that you can use to gain a system. That could be a public key, that could be a private key, that could be a fingerprint, that could be a YubiKey, all these things that we can use to access a system. So uses, possesses, traffics in, and permits another person to have access to a computer password. Sounds a lot like these disclosures and doxxes and things, right? Getting a little dangerous.

This is another big one. So when I started going through this process I thought about the hackers in the room, and I think we got lots of hackers in the room, but we also have lots of people who are doing blue teaming, and sometimes our employers demand things of us that aren't necessarily legal. 183.1: where a private communication is originated by more than one person or is intended by the originator, consent of the interception is sufficient consent for the purposes of any provision of this part. You've heard about one-party consent states in the US and two-party consent states. Canada as a whole is a single-party consent. That means if Thomas and me are in a room and he hasn't consented to the recording and I have, I can record it, that's legal. But if my boss comes to me and says, those two people are having a meeting, I want you to record it, that's not legal. Everyone who, by means of electromagnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term of not exceeding five years. Somebody starts saying, I want to record phone messages in our office, I want to record phone conversations between our customers and our sales agents, but nobody has consented. That could be five years in prison if the wrong people start making the wrong messages. Danger zone. Pour one out for Bloody Bert, rest in peace. Danger zone, my favourite guy, Archer, Sterling Archer.

So, more on the devices and modification. So everyone who possesses, sells or purchases any electromagnetic, acoustic, mechanical or other device or component knowing that the design, etc. etc. What this means is if you take a device and you modify it so that it can record things that nobody has consented to, that's illegal. And that even becomes a bit of a grey area. If you've modified something, you've taken a device, I don't know, a cell phone, and modified it to record your wife's conversations, that could be five years in prison. That's why you don't see a lot of these kind of apps on the App Store. People are asking all the time, how do I record conversations? Well, the apps can be found, but they're getting harder and harder because there could be prison sentences as a result. The other one that I put on here too is GPS. This is a very grey area in Canada. This particular device here is available for $59 on amazon.com, it's called the cheater tracker, and a lot of these devices get used. So this one is used typically by private investigators or law enforcement. It's a little OtterBox-looking thing, it goes up underneath your car. You cannot place one of these on someone's vehicle in a private space. You cannot place one of these on a vehicle, in theory, without consent. And if there is, without consent, and you're going to try to get that admissible in court, you have to prove that you have tried everything else first before going that direction. So that could be a very grey area. You're not likely to get in trouble for it, but you're not likely to get the results you want if you're trying to be the one doing something legally related.

People talk all the time, well, things got broken into, there was a data breach, there was whatever. Does break and enter apply? And that bear does not know how to play the piano, he has broken into that house. No, break and enter will never apply. Break means you have actually physically broken a lock or a key or a door or something to enter, and they use the term a dwelling. So okay, if I owned your Nest, am I in your house? I'm in your base, killing your dudes. Yeah, kind of, but you're not gonna get charged with breaking in. Well, you could end up getting charged with things like mischief. Mischief is an interesting charge: summary conviction, hybrid, all sorts of goodies depending on what you've done. Or theft, as the monkey is stealing a hubcap. You can, especially surrounding intellectual property, if you happen to have broken into something and steal something patented, that could be really bad for you as well. Assault: you can be charged with assault as a result of things you say and do on the Internet if it gets tied back to you. Or impersonation, with my Elvises, especially if you are at any point impersonating a police officer or any kind of peace officer, bylaw, whatever. Hi, I'm Adam from the internet police. That could be bad. Another disclaimer: I'm not a lawyer, so if you're taking any of this as legal advice, you're so screwed.

So we're talking about criminal law at this point, and I'm gonna burn through this. How do we do it for time? Give me like a fiver when I'm getting close. Awesome, because I'm hungry and I wouldn't mind a beer. Interpretation of the offence: the Crown, if you're going to be charged with a criminal offence, if you're going to go to jail or get a fine of up to $10,000, and we're thinking okay, how disruptive would five years in jail be? That would really suck, my youngest would be 14. The Crown must prove that the accused acted without colour of right and must be acting dishonestly and in bad faith. The Crown must prove that the accused had the knowledge that the act and an intended use was wrong. So they have to prove that I was a dick and knew that what I was doing was rather dickish.

How many of you followed this case from Nova Scotia? Yeah, I like that people are angry about this. 19-year-old faces one count of unauthorized use of a computer. Remember we talked about that a few minutes ago. Teen charged over Nova Scotia privacy breach. A 19-year-old, unauthorized use of a computer, seven thousand documents, four percent highly sensitive information. Here's the scenario, to what I know, and I don't know a whole lot. I reached out to the lawyers that were representing this young man. He did what was essentially a, what we would know as a FOIPOP request. He paid his $25.00 to the Nova Scotia government to get some information back about a teachers' strike, and he noticed that, you know, they gave him a URL. So he puts the URL into his browser and he got the information he's looking for, and then incremented the number in the URL and got more information. Is this hacking? The CIO of Nova Scotia: oh yeah, I don't know, it was hacking, it was bad, it was bad. They went to the police, they've told this sob story, we've been hacked. What does that sound like to you and me? It sounds like a frickin' data breach, right? Oh, it was absolutely a data breach. And there's my Cartman, respect my authoritah. I don't know if it was the RCMP or the Halifax police, a police force did all sorts of things. They showed up at this kid's house, they emptied all the cupboards, they cut open all the mattresses, they arrested his little sister while she was walking home. So he was charged. About a week later the charges were dropped because somebody said, oh, we screwed up. But what's the worst that happened to that kid? For those two to three weeks he was convinced that he was going to jail for something that, you know, he scripted it, wget is all he did, and downloaded 7,000 documents. That we went to school, and he was convinced that he would never get a job, that he would never get a university education. I remember being 19 and the smallest thing, you know, some girl looked at me funny and my world ends. Could you imagine facing 10 years in prison and a $10,000 fine at 19 and never being able to, you know, make a living because you are passionate about computer security? Oh my goodness.

As compared to civil suits. So on a criminal suit the Crown, Her Majesty herself, has to prove that you were bad and you meant to be bad, you're from the Evil League of Evil and you want to do bad things. In a civil suit instead it's this balance of probabilities, right? For those that remember OJ, if the glove doesn't fit you must acquit, but he was still, you know, civilly responsible. How the hell does that work? Because all that the plaintiff has to do is prove to 51% of evidence that you were a dick. They don't have to prove to, you know, the letter of everything and all that's good and truthful, they just have to say, you know, if we have this much evidence, we just have to tip the scales this much and you do a faceplant. And typically what does that turn into? Money, money, money. Thank you, Snoop. It's all about money in this scenario. So what is worse, five years in jail and ten grand, or 100 million dollars, or maybe the prospect of bankruptcy and losing your house? And of course who wins? The lawyers. They're all the ones that, lawyers love these kind of suits, especially when it's something like, you know what, I don't like what that doctor did to me, and the Alberta College of Physicians and Surgeons says, well, that's fine, you can hate what the doctor did to you, we're just gonna tie you up in lawyer fees until you're bankrupt. And that's not uncommon.

So what can we do with all of our energy? I like hacking stuff, right, I really do. So that's why I get into things like, up at the top there, that was the SANS Holiday Hack, remember? So SANS every year for the last number of years has done a hack challenge, a Holiday Hack Challenge, that's what it is, and it's friggin' awesome. Last year you're going in, you own machines, and then you have to do this little game where your little snowballs move around, the North Pole had been taken over by evil baddies, etc. There's bug bounty programs, CrowdStrike, that you can actually get paid for making things fall over. How cool is that? The attackers are getting paid, right? Hi, my name is Adam, I'm from the internet police and I'm from Canada. Yeah, I'm Canada Revenue Agency, I'm sending the sheriff officer to you, you need to pay me $4,000 in iTunes gift cards, and people do it. Why can't we get paid to weekend? There's bug bounty programs for all that.

My biggest advice, though, is breaking out of those echo chambers. Do some critical thinking. So stop thinking that, okay, yeah, I've gotten my fourth or fifth letter from Shaw that says I've been torrenting movies. Well yeah, they're not gonna do anything to you until the day they do. That doesn't mean it's without teeth. The agreement that the telcos in Canada have with all these movie producers is that they will say, okay, we've identified that this person has been downloading stuff, they will send a letter. So the movie studio sends Shaw a letter, Shaw sends you a letter, and that letter says, yeah, quit it. Until at some point when the movie studio says, yeah, you, I've decided I'm gonna do a subpoena. And it's not just the Crown in Canada who can make a subpoena for evidence. There's what's called an Anton Piller order, and any citizen can subpoena evidence. So the movie studio can subpoena your computer from your house and the police will go get it. And it's something we should be scared about if that's the kind of activity we're taking part in, because quite frankly karma is a bit of a thing.

The kid in Nova Scotia did that. The whole scenario sound familiar to anybody? Anybody remember weev? He did the exact same thing with one of the large telcos in the United States and he actually went to jail for quite a while. The difference was, well, this kid lawyered up pretty quickly, and weev was a dick. I think weev got out after six years. So the Computer Fraud and Abuse Act in the United States is significantly more scary than what we have in Canada. And I remember actually there was a fella in Russia who was convicted of running some large spam botnet and he chose to be tried in the United States and would likely go to jail for 20 years in the United States. One of the ladies that works for me, works in my team, she's Russian and she's awesome. She immigrated to Canada about eight years ago and she's got the thick accent, and she's the kind of lady who, when walking through a park, the birds would land on her shoulder, she's just so sweet. And I asked her, well, why would this happen, why would this guy choose to, you know, face these charges in the United States rather than Russia? She said, oh, in Russia they would kill him. What's the worst that could happen? Death, I guess. Still have to be charged in Canada or Australia or any of the Five Eyes nations that aren't the United States.

So in protecting our Canadian infrastructure and protecting the stuff that we do for our clients, for our companies, for our people, again, that wiretap one in particular was a real eye-opener for me. I encourage you to read the law. Nothing I've put up on here is not available, it's all available on Queen's Printer. So Queen's Printer, if you just Google that, then you will get access to all of our laws. Computer Fraud and Abuse Act, and Part VI I believe is all that wiretap stuff. So things that, you know, again, phones are just an IT asset now, aren't they? So what's the worst that could happen? Lots of jail time, I don't know, lose your house, rolled up in a lawsuit, I'm not sure. But you know what, it's Miller time, it's the end of the day. For those of you sticking around for supper, I really appreciate the opportunity to hang out with you. I burned through this pretty quick, and I will pass this back over to, some say he fought a giraffe with nothing but his feet, and that he is the illegitimate child of Serena Williams and God. All I know is he's called The Thomas. Thank you very much.

Thank you. Thanks, Adam, so awesome, high-energy talk, and our first day at BSides. So for those who do have VIP badges and are sticking around for dinner, it's just right outside in the lobby. We will be getting going tomorrow again, 9 o'clock. So thanks for coming. Please feel free to mingle in the common area if you have any questions for the speakers, for (ISC)², for Nate or myself. Our vendor will be around to talk. So thanks again, see you all tomorrow. Thanks.
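The Nova Scotia FOIPOP story in the talk is, from the operator's side, a case of sequential document IDs being fetched one after another and nobody noticing until the documents were gone. As an added example (not code from the talk or from any Nova Scotia system), the following detection logic runs over constructed web-server access-log lines and flags clients that retrieve a long run of consecutive IDs in quick succession; the `/foipop/doc/<id>` path, addresses and timestamps are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format). The path
# scheme, client addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2018:14:02:01 -0300] "GET /foipop/doc/1200 HTTP/1.1" 200 5120 "-" "Wget/1.19"
203.0.113.5 - - [10/Apr/2018:14:02:02 -0300] "GET /foipop/doc/1201 HTTP/1.1" 200 4880 "-" "Wget/1.19"
203.0.113.5 - - [10/Apr/2018:14:02:03 -0300] "GET /foipop/doc/1202 HTTP/1.1" 200 6010 "-" "Wget/1.19"
203.0.113.5 - - [10/Apr/2018:14:02:04 -0300] "GET /foipop/doc/1203 HTTP/1.1" 200 3920 "-" "Wget/1.19"
203.0.113.5 - - [10/Apr/2018:14:02:05 -0300] "GET /foipop/doc/1204 HTTP/1.1" 200 7150 "-" "Wget/1.19"
203.0.113.5 - - [10/Apr/2018:14:02:06 -0300] "GET /foipop/doc/1205 HTTP/1.1" 200 5330 "-" "Wget/1.19"
203.0.113.5 - - [10/Apr/2018:14:02:07 -0300] "GET /foipop/doc/1206 HTTP/1.1" 200 4470 "-" "Wget/1.19"
198.51.100.7 - - [10/Apr/2018:14:03:00 -0300] "GET /foipop/doc/1534 HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2018:14:03:40 -0300] "GET /foipop/doc/1535 HTTP/1.1" 200 6200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2018:14:09:10 -0300] "GET /foipop/doc/1900 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client IP, bracketed timestamp, request line and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only document-retrieval paths carry the numeric ID we care about.
DOC_RE = re.compile(r'^/foipop/doc/(\d+)$')


def parse(log_text):
    """Return (ip, timestamp, doc_id) for each successful document fetch."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DOC_RE.match(m['path'])
        if not d or m['status'] != '200':
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        records.append((m['ip'], ts, int(d.group(1))))
    return records


def find_enumeration(log_text, min_run=5, max_gap_seconds=60):
    """Map each suspicious client IP to (first_id, last_id, run_length).

    A client is flagged when it fetches at least min_run consecutive document
    IDs, each request within max_gap_seconds of the previous one. Ordinary
    browsing (a couple of adjacent IDs, long pauses, jumps) stays under the bar.
    """
    by_ip = defaultdict(list)
    for ip, ts, doc_id in parse(log_text):
        by_ip[ip].append((ts, doc_id))
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort()                      # chronological order per client
        best = (None, None, 0)
        run_start, run_len = reqs[0][1], 1
        for (t_prev, id_prev), (t_cur, id_cur) in zip(reqs, reqs[1:]):
            if id_cur == id_prev + 1 and (t_cur - t_prev).total_seconds() <= max_gap_seconds:
                run_len += 1
            else:                        # sequence broke: start a new run
                run_start, run_len = id_cur, 1
            if run_len > best[2]:
                best = (run_start, id_cur, run_len)
        if best[2] >= min_run:
            findings[ip] = best
    return findings


if __name__ == '__main__':
    for ip, (first, last, n) in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: fetched {n} consecutive documents, IDs {first}-{last}')
```

On the sample, only the scripted client is reported; the thresholds are the knobs to tune against your own traffic so that legitimate requesters reading a few adjacent records are not flagged.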