
Uh, without further ado, here is Casey Ellis with The Tale of Two Fools looking through the looking glass. [applause]
>> Whoa. Nearly knocked that thing over. How we doing? >> Yeah, good bides. >> Rock and rolling. Cool. Um I am like I'm I'm kind of feeling about this talk with a mixture of excitement and dread um in some ways. This is like a definitely a collection of of thoughts um that I put together over the past 12 months. And I'll explain kind of the context of that in a second, but uh yeah, let's get right into it. I appreciate you guys all all kind of turning up to the log note. And I think really thinking about it like what I'm trying to do here is touch on the things that I think are most
powerful and most important about security as a community. Thank you very much. All right. How are we going to do this? Just be shorter. That's a good that's good advice. Yeah, it's helpful except for when it's not unfortunately. Um anyway, let's let's get into it. So agenda, who am I? Bit of context, the thesis, why this, why now? And then solutions and suggestions. So, who the heck's this guy? Uh, my name is Casey. I am probably best known as the founder of Bugcrowd and the co-founder of disclose.io project. Um, also do like angel investing policy stuff, all sorts of wacky things. Um, but yeah, Bugcrowd, uh, basically we didn't invent bug bounty and disclosure
programs, but we we did pioneer this concept of getting in between the, uh, security research community and all of the folks that can help out with security insight and all of the different problems that exist on the defender side. So sorry and you're welcome, I guess. Um cuz that definitely escalated. Uh but yeah, from a context standpoint, like that's that's kind of my background. Um and yeah, Australian in case you couldn't hear that. I live in San Francisco, California. Um one one note, uh there's a little bit of medical stuff in in this uh talk. So if that's um something that makes you squeamish, it's nothing hectic. Just to give you a bit of a warning there. So yeah, in terms of
like how I'm thinking about, you know, what's important, disclose is really around or is really around changing the operating environment for folks to hack in good faith. Like we've done a lot around trying to influence policy, actually seeing the [clears throat] CFAA get amended with charging rule guidance changes out of DOJ, um different things that we've done with SCOTUS and in other countries as well. Basically, like if you're hacking in good faith, it shouldn't be a crime and you shouldn't be worried about it being perceived as criminal. So that's the problem that we're trying to solve there. Um with Bugcrowd it was really about creating a new market by disrupting the economics of defense versus attack. And then in
terms of the stuff that I'm working on outside of that it's really just about encouraging the pursuit of potential. Um that's kind of [clears throat] a passionate uh conviction that I have you know for myself for other people for pretty much everything I build. I think there's a lot of that simpatico in this room. Um, and you see it, you know, just in the really the vibe of the BSides community, but especially BSides Las Vegas, like you're all here because you see the gold in each other and you believe in the gold in yourselves. So, I'm big on that. Um, here's the hectic part. So, right about now, uh, last year, so I basically got, uh, cold cold
rebooted twice last year. Um I had a a valve failure uh that we found I actually had been it turns out ignoring um basically the fact that my heart was operating at like 20% capacity for probably about a year or two. Um it had enlarged and was going crazy as a result. So we eventually figured that out when I was in Australia on vacation um and managed to uh get open heart surgery and get a repair done probably with a couple of weeks on the clock before that would have been a bigger problem. Um, and then a month later, which is when when BSides was on, shout out to Carl who stood in for me at a
couple of talks, um, as I'm like writing them on the way to the hospital. Um, there was a complication from that and they had to go back in. So, all up that netted out to like pretty much three and a half months on my back, um, recovering from it and all of that sort of thing. And, you know, the thing is that Yeah. >> Wow. [applause] >> Yeah. Thank you. um doctors like the medical stuff that goes on here. I've got a new appreciation for that obviously. Um new apprec appreciation for community, family, like every it took a village. Like I got lucky, right? So I think I will drop the health nugget like don't ignore stuff
like we all, you know, like to be superheroes and and hard charge and that's a part of what we do. It is a part of what's necessary sometimes. But if it's coming at the cost of listening to yourself and actually like not dying, um, don't do that cuz I got pretty close to doing that and I don't recommend it. It's not fun. So anyway, um, >> love you. [laughter] >> Love you too, Josh. So this is my [laughter] cuz I figured I get emo on that slide and need to break it up a little bit. So this is my attempt at doing that. But but yeah, that's some context. Um, so here's the thesis. Um, like this is
actually borrowed from a book called The Shockwave Rider. It's funny. I actually didn't know the book it was from. I just heard the phrase a bunch of times and uh loved it because it it it really does capture a lot of what what I believe around generational knowledge transfer. And I'll get into why I think that's important for us in a sec. So there's two kinds of fools. One says this is old and therefore good. And the other says this is new and therefore better. And I'm going to assume that's ringing some bells already. Neither are right and neither are wrong. The truth is almost always somewhere in the middle, right? Um, an example of this, this is actually
from two nights ago at at uh Mandalay [clears throat] Bay. Like I I firmly believe and try to live by this idea and I know that this is like a core thing within the BSides community. There's a couple of reasons I think this is actually urgently important right now that I'll get to in a sec, but basically um these guys were all very early bounty hunters on the the Bugcrowd platform. Um and all four of them have gone on to start companies that are now employing other people um and doing all that kind of stuff. like what we kicked off and what the team within Bugcrowd grew, passed on what we knew to these guys who
then picked it up, you know, interpreted it with what they believe is going to be the most important set of things to do going forward. And now they're off doing that and they're going to hand that off again, right? In the meantime, they're telling me [ __ ] I've never heard before. Like they're thinking about ways to solve problems that, you know, I can get into that stuff pretty quickly, but they're native to it. So they can think about how to solve these things in a way that I can probably get around to, but it's not where I grew up. It's not my kind of core suit in that sense. Um, so it's just a really cool example. And in
terms of my journey with entrepreneurship, I did the same thing, you know, in reverse. I was looking for mentors, like getting people in that have been successful, drawing from that, throwing out the stuff that didn't matter, sharing with them the things that I was learning that blew their mind. Um, and on and on it goes. So it's just a cool example of that. So yeah, I'm going to read a little bit here. As defenders, we are a diverse ragtag community of connected tribes. The strength of those connections ultimately determines our success. Like I firmly believe in that cross generational communication is something that society struggles. Like this is a hard problem. But the result of that
hard problem is that every subsequent generation that's that's disconnected ends up reinventing the wheel and we don't have time for that anymore um in terms of securing the internet. Um [clears throat] yeah, the reason this matters is twofold. The older generations will never be native to the technology and times that the younger generations and vice versa, but everything is currently in play. So if you're an old like packet rat, like the internet still runs on that stuff. So what you know from a technology standpoint still matters even though most of the hotness and most of the focus right now is abstracted up into business logic and all those other things. That's one technical example of
that. Um, on top of that, we need wisdom as well as knowledge working together, right? Um, and yeah, like I said, we're out of time for continually reinventing the wheel.
This is where it's like, oh yeah, he's still getting his breath back. [clears throat] So, [snorts] why this? Why now? Um there's a there's another piece of this that I'll that I'll add add back in here, but um you know hybrid conflict is is here. Like there's been a bunch of talks on this either you know referring to it directly or kind of alluding to it. Um this is kind of the new normal for how we're defending cyberspace at this point and it's not going to slow down. Um you know threat actors are blended. It's accelerating. couple of examples that are up on there that I think about a lot, but you know, I know
there's been a lot that's sort of gone on today. There is this aspect of technology evolution outpacing defensive readiness. Like from my perspective and from the vantage point of having hacked the internet at scale for the last 12 years, like we were actually there a long time ago and just kind of didn't realize it. Um but you know when you think about how quickly we're deploying new things um that's part of the the eye broken icon you know vibe coding joke you know our our rate of deployment of new technology is only going to accelerate and meanwhile we've got all this debt to pay back right um nation state is one of my my favorite ones there. The whole idea
of like the uh the opportunistic spraying of the internet that started happening in 2020 that's just kind of ramped up ever since. And in the meantime, the tools that you need to do that and the barrier to entry for really anyone like ChatGPT, LLMs like the the you know the agentic stuff that's starting to come out. It's put the idea of good enough to cause impacts hacking in the hands of literally anyone. Like if you found Metasploit difficult to use and that was kind of your bar to ride, you can now like there's a lower bar now. So, you know, we've got this kind of confluence of different things that are coming together that I only see
accelerating over time. Um, [snorts] and I I removed some slides uh here cuz they they were a little bit heavy. Um, you know, the other thing in terms of like my own story with with all of this is like generations aren't permanent, right? Like we've lost a lot of heroes, you know, [clears throat] that have left a legacy that we're all following. Um, and like I came pretty close to that last year, right? So that's been a reminder for me. I've always been appreciative of, you know, in memoriam and folks that have passed away. Um, but that's that's going to that's that's life. That's the thing that's going to keep happening, right? We're not permanent. What we're working
on is not permanent. We need to think about it in that way and just be comfortable with that and look at ways that we can hand off what we know and look at ways that we can learn from people that are up and coming so that we can stay in the game as well, right? We good so far? >> Yeah. I'm trying not to frame this as like it's still big because like I look at this this it's a it's a heavy topic, right? But we're already doing it I think pretty incredibly well here. Um I'm not sure about outside but in here like this is kind of the default certain culture of BSides and I do think it's a
critical time to get this right. So [clears throat] tools. Um, shout out to Beau Woods for reminding me to tie this into Alice in Wonderland because this is actually kind of handy. Yeah, the part where Alice uh I think eats or drinks. I'm forget which one is which to make herself small so that she can navigate the thing, right? That was a choice. Um, humility is about knowing what you're world class at, what you're good at, right? and not being ashamed of that, not backing away from that, but also recognizing you're going to need help with everything else, right? Um, and that requires it's a posture. It's a thing that you like deliberately adopt
and accept. Again, this group and this room, I think, is amazing at this stuff. It's not necessarily a feature of the cyber security community, right? Um, and I think we could go a lot faster and be a lot more, you know, productive in handing things off to each other if we took this on. Um, it's not a weakness either. I think it's it's a it's a guard against blind spots, right? On the flip side, when Alice took the thing to make herself bigger cuz she needed to do that. Sometimes you need leadership. Um, you know, this is how Bugcrowd started. Like I just literally said, "Fuck it. This is a problem that shouldn't exist.
I'm going to go after it." and it worked and people came in behind it and all of a sudden, you know, I'm not the one like driving that anymore. It was just kind of kicking it off. There's so many other examples of that that exist. Um, and sometimes it does take, you know, the one person seeing a thing that no one else sees and saying, you know what, n screw it. I'm going to I'm going to take that hill. Right? That's not the opposite of humility. I just think people tend to position those things against each other. I actually think they're kind of on the same, you know, coin uh side of the coin, if that makes
sense. But framing that up. Um, and and you know, practically for those people if you're in that bucket like step out like share what you're seeing, ask for help. Don't be afraid to do that. If someone does that to you, like be emotionally and intellectually available and like consider that a privilege when it happens. It might be a dumb idea. Maybe it's not, right? Balancing curiosity and ego. I partly just wanted to use this picture because I freaking love it. like it was [laughter] it was a a Defcon um 2013 I think had a barcode with with this particular illustration on it. It's awesome. Um we're a naturally cur curious group of people but like we've
got egos um that I don't believe in the idea of killing the ego if that makes sense. I think without some sort of sense of ownership and pride in what you're trying to get done like often times nothing gets done but you've got to balance that out. Um, and you've got to be careful about how your ego might quash someone else's curiosity. I think if you if you think that part through and you just stay mindful of that and um, you know, encourage I guess that's that's when you get to draw out the gold, right? The pursuit of potential thing I was talking about before. It's like what do you mean by that? What do
you like what's the thing that you see that I might not see? um community no-brainer, right, for this group. [clears throat] This is coming back to the why this why now conversation, right? Cuz I think we're all all in on community as a uh you know, as a as a room and as a group of people here. But it's not to me it's not just about you know, friendship and and belonging. I actually see this as a strategic asset for cyber defense, right? Because it's that diversity piece. It's the sharing of wisdom and knowledge across generations, across different groups. The bad guys look diverse and they're pretty good at working with each other to get the job
done. Um, this is our asset to actually counter that with the creativity that we've got. You know, the best solutions come from collective brilliance of a community willing to share, challenge, and collaborate. # it takes the crowd. Like, this is kind of what Bugcrowd was founded on, but it's not I'm not saying it because of the company. I'm I'm saying it because I deeply believe this is true. [clears throat] This one's fun.
How's my driving? We're good. >> Yeah. Okay, cool. It's been a while. Um, yeah. So, gratitude, right? Gratitude is a force multiplier. And by the way, like part of why I I I set up, you know, sort of giving the the the heart surgery story at the start, like this is the this is the [ __ ] I've been thinking about like kind of laying in bed recovering, right? Um it was really interesting trying to assemble this talk because it's that's a lot of time to think about stuff. Um and you know what I've tried to do is is to to pull it together into the things I think are valuable and useful and actually
actionable for this group as as things to prioritize. Um but this is a big one, right? the whole idea of like just being grateful for the care I got. Thinking about that in terms of like how does that work in the defender space? How does that work in business? How does that work in policy? Um we've got a lot of things to get annoyed about and it's really easy to be kind of grumpy and and you know a bit of a curmudgeon as a as a security person. I don't think that's a bad thing, but if it comes at the expense of gratitude for the things that are good or for the people that are
trying, then you know, maybe we're not quite doing that part right. Um I don't think it necessitates a apathy. So the whole idea of being grateful for a thing doesn't mean like, oh cool, it's done. I'm not going to, you know, continue to try to make it better um myself. I I think you can carry an attitude of gratitude and still desire change and pursue change. And honestly, this is one of the things I I do love most about this community. I love about working with security entrepreneurs, like folks that are at the coldface and seeing like how hectic things actually are. Cuz if you can do that, if you can stare some of the bleakness that we have to deal
with in the face and still have this attitude of like, you know, [ __ ] it, I can take that hill. Um, and I'm actually grateful for the opportunity to do that. Like, that to me is clutch. Um, it's truly a force multiplier, I think. Shout out to Josh. [clears throat] This is a really practical one, especially for I think for the younger um generations. And I'm trying to speak to this not just as like the old fart in the room in if that makes sense. Um I do believe there's like you know the younger generation, the middle generation and and the older uh in in that sort of sense. And I don't really have clear lines on like how to
define those. But there's folks that are coming in, there's folks that are active and connecting and then there's folks that are kind of on the on the tail end of things if that makes sense. Um, but yeah, Josh [clears throat] out this uh this great one-liner when we were chatting about this like on a long enough timeline, many of us end up doing things for the public good. Like I think working in security on its own is an awesome thing. Um but like there's other there's force multipliers that we have access to um that often times people don't really discover until they're later in their career, right? Uh and you know often times that actually makes it
easier to get into that type of thing because later in your career you've you've developed more influence, you've developed more you know optionality, all those different things. Um but you got less time to do stuff, right? So, you know, I do think that um you know, one of the things I love about hacking pol uh sorry, the uh the Policy Village at DEF CON and like things like Hackers on the Hill um you know, it used to be like a group of 50 of us and and that was kind of it. And then walking in there, I think it was 2022 and like I didn't know 90% of the people in that room. I'm like this is awesome. This is exactly what we
need, right? Um same on the entrepreneurship side of things. I think there's a lot of ideas. There's a lot of opportunity. There's a lot of help available for people that want to do that. Um, this is really the practical part. I think that the folks that know how this works, like we're all willing to help you get started in all of that stuff. Um, I kind of want to call that out cuz I think again this is sort of preaching to the choir in terms of y'all being at BSides Las Vegas. Um, I do honestly think that outside of these circles like these sorts of ideas and these sorts of messages, we need to be
practicing them there as well. So, it's not just us and our group here. Um, but when it comes to that, you know, the the policy stuff, there's all sorts of folks that have worked in that space that that will help you get into it and lots of opportunities to do that as well. And this one's fun. Don't forget about old man's strength. This is um I forget the name of this guy uh from the book. Anyone know the dude on his head? Father something or other. Anyway, he's basically showing off like he's older. He's kind of, you know, aging out doing doing that whole thing, but he has this habit of like standing on his head to show that he still can.
>> Um >> Father William. >> Father William. There you go. Thank you. Um and it's a thing, right? Um, I'm not saying that I'm old and aging out by any stretch of the imagination. I am like literally, you know, tailing out on recovery at the moment. This is kind of a bit of an I'm back thing that's going on at the moment as well. Um, but I can relate to this a lot cuz like my son is like this tall as you could imagine. He's getting kind of big. Um, and we'll rough house and and do all those different things. Uh, and I'm starting to, you know, especially as I've been kind of recovering from the stuff,
struggling with that a little bit. Um, but he knows that if I want to get it done, I'll get it done. So, there's this there's this idea of I think, you know, it doesn't need to be old man strength. That's just what I call it as a as a older man. But, um, yeah, that idea of like the folks that are that are in that position, like there's that sort of no, I'm I'm going to rally and and do the thing cuz I'm motivated and inspired enough to do that. Um, and then set something else in motion. Like, I'm trying to teach him how to fight, like do all those different things. There's a purpose to
that. Um, and that's, you know, part of why I do it and part of it's just to show them that I can. Um, so, you know, that's how that works. Um, for younger generations, I think knowing that this is a thing is actually kind of good as a as a mental model. It's like, no, come on, you can do that. Like, let's let's go. And throwing out a bit of a challenge. And I think for the older generations, like, use it, make it available. You're not you're not done yet, right? We're rounding up. Um, so yeah, who's doing this? Oh, this was a really interesting one to think about cuz, you know, I think the uh there's there's a
bunch of communities. There's a bunch of different like what we're doing as a part of this. I think what the other, you know, bounty and disclosure platforms are doing as a part of this cuz we're connecting these different generations of knowledge together in order to be better defenders as a whole, right? Um, obviously I don't want to throw that out there because it feels a bit biased, but you get it. Um there's like companies like um The Hacking Games that are working on basically diverting uh early gen Z and Gen Alpha from getting recruited into cyber crime cuz they're all getting hired on Roblox at the moment. That's a thing. It's like literally a thing. Um and it's crazy cuz
it's kind of like, you know, how drug mules worked, you know, 20 years ago. It's just like the online version of that being diverted into crime. So how do you stop that? How do you meet them where they are? You know, same thing. It's like have someone who comes in who's been through the bad sides of getting dinged for hacking the wrong stuff. Get them talking to that generation saying you don't have to be like that. Like this is harmful and it's going to cause you harm. Here's some better ways to do that kind of mentorship. There's lots of different things, but I I do come back to this kind of being core of BSides like you
think about the Proving Ground. you think about, you know, all of the different even BSides itself as like an outlet for folks that weren't able to present at the main conferences like that to me is is like connecting the next generation of what's going to be important with the folk that are available to hear it right now. Um, so I think y'all are awesome at this. Um, again, I don't know that people outside these four walls are that great at it. Um cuz we keep on making the same mistakes like we keep on learning [ __ ] the hard way, reinventing the wheel. It's not necessary. I think if if you know the folks that have that tenure
and that wisdom and perspective can come in and not tell the up-and-comers how it's done cuz we don't know what they know, but there's axioms and there's wisdom and there's all these different things that that we learn along the way that we can actually, you know, make available to them if they want it. I think that's a big part of how we can uh we can get better at all this stuff. And again, like y'all rock, right? I think anyway. [cough and clears throat] All right, summary. So, younger generations, what you bring to the fight is critically important. You will end up inheriting these problems. Um, and you're amazing at solving hard things. Don't let anyone tell you different,
right? Um, middle generations, like you're the connectors. like we're the ones that actually are probably going to be most effective at plugging all this stuff together and making it more of a thing, right? Um that's what I see as our role in this. And take it or leave it, but this is a framework that to me is kind of useful. Um older generations, you're not done yet, right? Two ears, one mouth, stay in the game. Um so yeah, that's the uh that's the big hairy takeaway slides there. And then everyone look out for each other and look look out for your health. Um, coming back around to that, like we can't do it all ourselves.
Like I I I do think that there is a lot of pressure that can come on the things the different people in this room are doing. Um, and again, some of that's necessary. Some of that's just part of the job. Uh, but you know, adrenaline's not a great diet. Um, and it can cause you to ignore things that you know will kill you um or at least take you out of the game. Um, that's a thing that happened to me. Like, don't do that. And if you see friends, if you see your peers doing that, jump in. Like, let them know. Tap them on the shoulder. Say, "Hey, like you seem to be burning it at both ends. Like, are you okay? Do
you need help? I'm worried about you. I want to help you." Whatever it is that you that you uh however you do that, however appropriate. Um, I [snorts] think coming back to just calling out the fact that like I I was totally caught off guard by [clears throat] by the stuff that happened to me. Um, you know, like I said, it was a genetic issue. Um, so we had been testing for it, but it normally presents in in the 30s, and I'm older than I look. Um, so we'd stopped looking for it. Um, and then when things started to kind of, you know, it started to slow down, get a bit of arrhythmia, like whatever else, I
thought it was because I was stressed or working too hard, you know, it was part of the job. Oh, that's just being in security. That's just being an entrepreneur. And it nearly killed me. Um, so yeah, don't do that. Right. And that's it. [applause] Obligatory humor slide at the end there.