
Everything I Need to Know About Security I Learned From Kung Fu Movies - Paul Asadoorian

BSides Boston | 55:06 | 233 views | Published 2017-05
About this talk
Are you an aspiring or current security professional overwhelmed with how to get into and be successful in information security today? Kung Fu can help. Specifically, Kung Fu movies can help. Take it from me, a security professional and kung fu movie nerd, who is here to help. Whether you are a fan of Kung Fu movies or not, this will be an entertaining and informative look at various aspects of problems in computer security, and how the lessons learned from Kung Fu movies can help. We'll discuss how to effectively learn about computer security, student and teacher dynamics, practical security tactics for defense and offense, and explore some of the political and social aspects of security. In the end, you'll learn some tips and tricks to be more successful in breaking into the security field, being successful at your job as a defender, and better understand the politics of security. If that's not enough for you, this presentation requires audience interaction (no Kung Fu demonstrations will be performed, unless requested by the audience). (Insert signature "Whaaaaaaaaaaa" sound here)

More detailed topics will include:
- Your teacher may be reluctant to teach you and how to overcome this challenge
- The consequences of taking shortcuts in your training
- There will always be adversaries more skilled than you and how to get over it
- The best defense is to have a good offense
- The "softer" skills will more likely than not lead you to victory
- Heroes don't always start out as such (And that's okay)

Hey, welcome everybody. Hope you enjoyed the keynote this morning with David. We've got Paul Asadoorian here with us. Paul has been in information security, cyber security... do you like the term cyber security? No? No, okay. Paul's been in information security for over 15 years. You may already know Paul because of Security Weekly, and that's going on its 12th year now of publications. And Paul will always be in information security whether he wants to or not, because he's got three young boys, and as they grow up you can be sure they're going to test his capabilities. Is there a story about that? There's a story about that. Okay, so, and Bernadette is your room monitor, so if you have any issues, let her know. And thank you for joining us today.

Thanks, Tom. Welcome, everyone. So Patrick asked me at the last moment to give a talk, and I'm like, well, I happen to have put this one together. I'm like, it's a kung fu one. He's like, yeah, that'll work. So here I am, and welcome. How many people here have children? Show of hands. Like, that you know of. I always give people... like, I don't know how to answer that. So Tom said I have three boys, and my oldest son Brayden is the best hacker and social engineer in the world. I know if you have children you might think that your child is, and we can debate that after the talk, but here's why.

So the date when all these events occurred is April 2nd, and that's very critical to the story. This is April 2nd. I have all three boys by myself, and I'm watching the boys, and you make this promise to yourself when you're watching three small children that you're not going to yell or raise your voice or say ridiculous things. But inevitably it happens that you're yelling ridiculous things like "don't put that in your mouth" or "you have to return to the table." It's just ridiculous. So I had one of those moments when I opened up the cabinet and I found a gallon of milk in the cabinet, and of course I yelled one of those ridiculous things: "Why is there milk in the cabinet?" And my son Brayden's like, "I don't know." He's like, "Mom, you know how crazy Mommy is, like, you know, it could have just ended up there. She thought it was the refrigerator." She's like... she's not. And so, oh my God, so I called my wife. I'm like, "Did you put the milk in the cabinet?" She's like, "What are you... are you all right? Do I need to come home? Because I'm really worried about you right now." I'm like, "There's a gallon of milk in the cabinet." And she's like, "You're crazy, you put the milk there." I'm like, "No, I didn't put the milk in the cabinet." No one wanted to own up to it. I'm like, all right, well, I kind of brushed it off as an anomaly.

So then I get all my children ready to go out, about two or three hours later, and those of you that have kids know exactly what I'm talking about. We get ready to get into the car, and when I open the door... so I have an almost-nine-year-old, that's Brayden, a four-year-old, and a ten-month-old, and I'm holding the little one, and I open the door and there is poop on the child seat. And I'm like... in my house it's not uncommon to see poop. Like, it happens in our house quite a bit, actually. If it looks like poop and it probably smells like... I mean, it's poop, right? So when I open the door, I'm like, that's definitely poop. "Who put poop in the car?" Again I'm yelling ridiculous things: "Who left poop on the child seat in the car?" Brayden's like, "I don't know what you're talking about." And then I look at it and I'm like, it's definitely fake poop. I'm like, get in the car, and I call my wife. I'm like, "Did you leave poop in the car?" She's like, "Right now, really? I'm coming home now. You're not allowed to watch the children anymore." My God, it was like, pooping... and then it dawns on me, and I look at Brayden, and he's not owning up to anything. I mean, he is straight-faced, not even laughing when I'm talking. He's straight-faced the whole time. And finally I have to sit all the children down and say, "All right, who's behind all of this?" And no one's owning up to it. I'm like, "I'm turning the Wi-Fi off for everyone until someone confesses." My four-year-old is hitting Brayden with his iPad: "Will you just confess? I want Wi-Fi!" And finally Brayden confesses. I'm like, dude, how did you do that? Like, first, how did you keep a straight face? Secondly, how did you get the milk in the cabinet with no one looking? Now, I haven't gotten an answer to that one. Like, you're going to tell me: how did you make the fake poop? Because, I mean, you can see the picture. Like, you would think that's poop, right? No, it's raspberry applesauce that he found in the back seat of the car, with a piece of cardboard, and fabricated. We also have four dogs, I know, we're insane, and we have a puppy, and he fabricated it. I'm like, dude, I'm so proud of you right now. It's so awesome. When people ask me, like, why do you give this talk and try to draw inspiration for hacking from hacker movies? I gotta keep up with my son Brayden. So Tom kind of went over all
this. I actually did study kung fu for about ten years. I'm starting to get my kids back into it, and I've watched, like, a lot of kung fu movies. I don't know if you all use Giphy in the Slack channel; it puts up, like, images, and sometimes it's like a scene from a kung fu movie, and I'm like, "I have that movie," and they're like, "Nah." My employees in my studio, I'm like, go in the corner and look in the DVD rack, and it's there. They're like, wow, that's kind of impressive, actually. So I've watched a lot of kung fu movies. So I was sitting there... so this is my standard disclaimer that I put in all my slides, so if I, like, swear or put up an image or something and you're easily offended, that could happen. Not so much with this one; the two o'clock talk, though, you want to watch out for that.

So I was sitting there watching kung fu movies and I'm like, there's a lot of stuff in here that really, like, relates, and I started making a list, and the list started growing, and I was like, wow, I think I have enough for a talk. So I broke it down into categories: the student and teacher dynamic, security and kung fu tactics, political and social, some other interesting ridiculous things, and then of course I'm like, well, I have to share, like, my top 10 list of kung fu movies that you have to watch before you die.

So, all right, the first is the student-teacher dynamic, and what I like about this segment is it talks about how to get into the security industry, and one of the things that you would do is find a mentor. I don't know if Keith Hoodlet is here in this room. Is he here in this room? Okay, find him. He runs a project along those lines, which I'll talk about. And I was like, wow, there's really, like, a good parallel between a kung fu teacher and your mentor in security. Okay, so now here's the audience participation segment of the presentation. When I present these slides with the numbers and it's a fact about a kung fu movie, everyone in the audience needs to say "in the kung fu movies." All right, you guys get it, right? One, two, three: okay.

Your master will be a hermit living in the woods and reluctant to train you. There's a lot of reasons for this. They are reclusive from society mostly because they don't want... a lot of the storylines go, they taught a student and that student ended up doing bad things with their training, and therefore they want to go live in the woods so no one finds them, and they hide their skills, right? They don't want everyone to know that they're a kung fu master, because then people will show up on their doorstep and be like, "Hey, can you teach me kung fu?" So they also hide their skills. In the computer and hacking world it's the same level of responsibility, right? If I teach people how to hack into things and break into things, that's the responsibility that I have, that I teach the right people. Then it's the responsibility of the person that I've taught to make sure that they don't do evil things. So it's a very similar parallel. Also, learning computer security, whether offense or defense or both, it's really hard. You have to have a lot of background in a lot of different technologies to understand how to break into systems, understand complex systems, and if I'm going to spend the time with someone, I want to make sure they stick with it. And that's another reason why kung fu teachers will be very reluctant to train people: they want to make sure that they're going to stick with it, they're going to be able to endure all of that hard work.

Now, fortunately for us, we don't have to go out in the woods and seek out a kung fu master. Although that'd be really cool, though, right? Like, hey, today we're going into the woods and we're going to find someone to teach us hacking. Now you can just go to a website, it's infosecmentors.net. Keith Hoodlet and Jimmy run that site today. This stems from a project that came out of a BSides conference a long time ago. Jimmy and Keith have taken over the project. They've built an entirely new website. You can go there, and it's kind of like a dating site for information security professionals, is the best way to put it. I don't think Keith really likes it when I put it like that, but I'm like, dude, you kind of built, like, a dating site, because I could register on there and say I want to mentor someone, and someone can say, hey, I want to be mentored, and then we list our individual skills, skills you want to learn, skills I want to teach, and then they match us together, and then we can, like, hold hands and go for walks on the beach and I can tell you about Metasploit. So SANS also has a mentorship program as well. It's not as romantic as infosecmentors.net, but it does allow you to take a class with SANS, learn some stuff, and then help other people with that as well. So, yeah, so again with the communications, you know, again, you don't have to go out in the woods and find a computer teacher, I mean a kung fu teacher. You can just go online, and there's lots of ways you can communicate with your mentor today, right? We don't have to go live in the woods for 10 years and learn kung fu. We can communicate with our mentor in any number of different ways, right? We can do IRC, if you're old like me, or Slack if you're not so old, and do that social interaction with everyone and mentor people in our field. And I encourage you, if you're just getting into the field but you know some stuff, like, he's like, "I know some security stuff but my background is really web programming." Like, dude, that's awesome. Like, I want to learn web programming and I'll teach you some security stuff. And he's like, "Yeah, I'll teach you some, you know, web programming stuff." So you don't have to be an expert kung fu master to go on there and take advantage of the site.

Okay, so now, in the... all right, all together now, one, two, three: your master will be drunk and punish you for taking shortcuts. Now, the drunk part will get to you. So, more importantly, you will be punished for taking shortcuts. Now, in the kung fu movies there are all kinds of, like... it looks like a bondage film, I know, when you put that stuff out there, but it's really not. It's actually mimicking kung fu training, and you think it's ridiculous, right, until I watched that movie right there, that I can't remember the name of off the top of my head, I apologize, but he's made to do push-ups learning mantis style kung fu, right? You have to have really strong fingers, so he's doing push-ups on his fingers, and he would get tired and his palms would fall, and so the teacher put eggs underneath his hands, and then his palms would fall and squish the eggs and he couldn't eat them, so he had to get stronger if he wanted to eat the eggs. If he tried to take the master's eggs or steak or whatever, the master would, like, fight him off with his chopsticks. Awesome. So, I mean, that was incentive, like, food is a good incentive. Fortunately for us, in computer security we can still eat and learn hacking. That's cool, but not in the kung fu movies. So, and after I watched that film, I went to my own kung fu class, and I always wanted to learn mantis style, and then my teacher is like, "We have to start doing push-ups on your fingers." And I'm like, "You're not going to put eggs under my hands, are you?" He's like, "Stop watching those ridiculous movies."

So shortcuts lead to a lot of really bad things. On the defensive side, shortcuts lead to exposures in our network, and that can manifest itself in a number of different ways. One of the ways, I think, in the teacher-student dynamic that I like to use, because everyone should use vi, and if you use Emacs don't talk to me, but if you're using a real editor like vi, my
great story is when I was learning Linux, in like 1998 or so, '97, it was like the Red Hat 5.0-ish timeframe, is when I first started learning Linux. And my friend that worked as a programmer with me for the company I was working for in college, he had learned Linux in school. Like, that's... but they didn't have Linux, and I went to Bryant University at the time; there wasn't much Linux there, and this was a long time ago, because I'm old. And so he started teaching me Linux, and I'm like, dude, I really want to learn, like, I see you in this editor, dude, and like, you're doing amazing things, like your hands are moving and, like, text is moving all over the place and editing. So I'm like, dude, I gotta learn that. I'm like, that's awesome. So he's teaching me vi, and I go back to my little, like, arrow keys, and he literally hits my hand. I was like, "What are you doing?" He's like, "Never use the arrow keys in vi." He's like, "Always use the keys so that your hands never have to leave." So after much training and practice I never used the arrow keys again, and I was much better in the editor. I could type faster, I could edit faster. So that's kind of like a crossover between, like, learning from a kung fu teacher and learning, you know, computers and security.

Well, the other thing, you know, where shortcuts will get you is in a pen test or vulnerability assessment. Now, granted, we have a limited amount of time; however, don't take shortcuts when you're assessing the security of someone's network. Obviously you're going to miss something, and that could be the bad thing happening later. So one of the interesting things that people tend to take shortcuts on that I've noticed, I'm a non-faculty member, I also talk to a lot of people in the community who are at various levels of security in their organization, and when we start talking about a solution, a lot of times it comes down to these things that are up on the screen behind me, and that is, they're like, "Well, I want to do incident response," is a good one, "I want to do some kind of endpoint protection," I want to do whatever you want to do in security. And I start asking these questions. I'm like, so what constitutes sensitive data in your environment? And what are the different criticality levels of that data in your environment? And who has access to all of that data? And where does that data travel? And, like, at this point they're like, "Oh my God, that's so much work. I don't know what you're talking about. We just want to take a shortcut, like, can I just put in, like, a firewall and antivirus?" Like, no, like, you really have to know that stuff in order to effectively put measures in place for security in your organization. If you don't, you're taking a shortcut. And what I've learned about this process is, one, it's hard. Two, there are actually some vendor solutions; if you talk to me after, we can talk about some of those. We actually just took a sponsor on on Security Weekly because when I started talking with them I'm like, "Wait, you help with this problem?" They're like, "Yeah, yeah, we do." I'm like, "Good, I want you as a sponsor." And then my other friend went to work there, which further validated it. But if you want to talk about that, come find me after. So there are things that can help you with this process, because it's hard, but don't skip it because it's a shortcut.

Now, back to drinking. This is one of my good friends passed out in a chair at DEF CON. Can anyone identify the seemingly infamous person that is in this photo? Anyone? No? Aside... no, I'm not there. I wasn't there for this one. I was passed out on the other lounge chair on the other side of the pool. Anyone recognize this person right here? That's Jeff Moss, the person who created DEF CON and Black Hat. This was my friend's chance to meet Jeff Moss, who's a super, super nice guy, he's awesome, and this was his chance, and he drank too much. So when you mentor people in this field, make sure you tell them that, yes, when you go to conferences there will be drinking. I use this slide also when I present on security to high school and college students as well. When you're getting into it, you've got to be responsible, and, like, don't miss your chance to meet Jeff Moss and have... I don't know if you can see, there is stuff written on his forehead as well. So, just saying.

Okay, now, in the... you can learn kung fu by getting your ass kicked. This is so awesome. So we already talked about how teachers don't want to teach you kung fu, right? So one of the tactics that they would use in the movies is they would just challenge them to a fight, and if they resisted, like, they would just throw things at them and just basically force them into a fight, and as they were getting their ass handed to them they would take mental notes, like, oh, he's using this technique or that technique, and they would try and learn kung fu while they were fighting. Now, you see this picture? That's a chicken, okay? In this movie, Shaolin vs. Lama, which is one of the greatest kung fu flicks ever, he is bribing the teacher with a chicken to get him to teach him kung fu. Hopefully we don't have to bribe our mentors with chickens to learn computers and hacking, but this can be a very painful process. So one of the questions I ask many of our guests that come on our show is, how did you get your start in security? One of the more popular answers is, "Well, I got hacked, and I was curious, and I started looking into it, and I was like, wow, I can do this as a job." So certainly, you know, that's been a path for many people in our field, is getting hacked, and having that experience definitely breeds interest and can get you into the field. Also, you can do that in a formalized setting in CCDC competitions, which is great. You can be... I've been involved with many of them. They're awesome. So, yes, getting hacked shows you how not to play defense, right? And you can learn. Now, short of, like, just putting up honeypot systems, or not patching your stuff and coming to a conference and using the Wi-Fi, like, that's one way to learn how to get hacked, probably not the best idea, just saying, you can go read about breaches. Now, I did not get a chance to update; I think Dave talked about the Shadow Brokers release, right, and all the tools; that's probably a little more updated information. However, this Hacking Team breach, they went into, like, excruciating detail on exactly how they hacked the Hacking Team's systems. This is great. You can learn how to get hacked just by reading about it. You don't have to have your own systems get hacked, like Red Hat 5 when you put it on the internet in the late '90s; that would always get hacked.

I was trying to come up with a parallel to this and I kind of just came up short, but basically in China, and specifically in Taiwan, my teacher would tell me this story. My teacher's from Taiwan, and he would say, you know, there were all these people that wanted to learn kung fu; there were more students than there were teachers. So at the local school the kung fu teacher would put up a message on the board that said, "Hey, anyone that wants to learn kung fu, come into the auditorium after class." So all, like, 100 students would come in. The teacher would walk out and say, "Get in the horse stance." That's horse stance. And everyone would get into horse stance, and then he'd go back to his office. He'd read the paper, sip some tea, come out about 25 minutes later, 30 minutes later; about half the people are long gone. They're like, screw that. And so he's like, "Still too many." Go back into his office, read more of the paper, sip tea, come out, you know, maybe there's, like, 20 or so people. He'd do that one more time, come
out, there'd be five people left still standing in horse stance after an hour. "Come back tomorrow to learn kung fu." I don't know that there's a parallel, like, what would you do, ping this host or hack this host until your fingers fall off? I don't know if there's a parallel in computer security for that, and good thing we're not made to sit in horse stance before we learn how to hack.

Okay, in the... kung fu masters have friendly battles where they test each other's skills. This is a variation on the theme. I think it's best represented in the film Ip Man, where Donnie Yen, who actually... his mom trained here in Boston, actually, and is a very well-decorated kung fu master and kung fu teacher, and Donnie Yen actually trained here in Boston for some time as well before he went on to star in movies with Jet Li. So I'm getting a little off on a tangent here. Really, back in... so he plays Ip Man, a very famous kung fu teacher, and in the first movie he is challenged by a master, and it's very clear that Donnie Yen's character, Ip Man, is more skilled in kung fu, but they fight, and the other teacher fights, and they're testing each other's skills, right? Because you go off and you learn all of this stuff, whether you're learning kung fu, whether you're learning hacking, and you're like, I get to test this stuff out in the real world, I get to see if it actually works. So kung fu teachers would challenge each other to duels. They wouldn't hurt each other, right? It would be a friendly fight to see where they were at with their skills, so they knew what they had to work on. You can do the same thing in computer hacking, right? You know, the lesson is, like, boards don't hit back, right? You want a more realistic training environment than just putting up a vulnerable host in your lab. Sure, that's one thing, but you're not actually doing that in the real world. So here's where I want you to challenge yourself. I want you to, number one, don't be afraid of a capture the flag, right? Very different from "I set up, you know, a vulnerable system in my lab and I'm breaking into it" to "I'm in a live-fire hacking environment in a CTF, I have a team, and I have to apply my skills." So definitely do that. And I think people get intimidated, like, "I've got to know how to code in assembly and write exploits in order to do a CTF." No, you don't. You can go and learn and test your skills, and it's okay. You'll come out of that with what you have to improve on in your skill set, right? And I also encourage people to take classes that are maybe above your skill level. If you're like, "I don't know if I'm skilled enough," like, that's the purpose of the class, is to teach you that stuff. Now, if you don't have Linux fundamentals down, don't take a class on exploit development, okay? Like, there's limits here. Take a class on Linux and learn Linux. You could probably get people to teach you Linux for free. We're actually putting together a free seminar for my employees who are not security people, they're media production folks, but I've told them they have to learn Linux, because much of our code base runs on Linux; it runs our podcasts, because I wrote a lot of it. And so they're going to take Linux fundamentals. Once you get the foundation, then you can start testing your skill level, but get the foundation first.

The other thing is, speaking of free stuff, hacking challenges: go to holidayhackchallenge.com, all the links that are on there. My good friend Ed Skoudis has given away all these hacking challenges for free. You can go download them. You can do every single one individually; it's like an individual capture-the-flag event, like, he gives you some files and you have to decode them and decrypt them, figure out puzzles, and do hacking along the way. All of those are completely free. You can leave this presentation and go do these today for absolutely $0, and they're all available there. They're available as challenges, and the answers are there, in the entire archive of, I think there's seven or eight of them that Ed has done, and he does one every year. The last couple have been holiday hack challenges, which involve a video game on a website and all that stuff, but they're all out there for free. Okay, so that's the teaching stuff.

Now we're going to talk about security and kung fu tactics. In the... if you are in a restaurant, there is a 100% chance that you will be in a fight. I was watching a kung fu movie, and then, like, they're walking in the restaurant, like, thank God, there's going to be a fight scene, and, like, before I get the words out of my mouth, someone's, like, throwing a chopstick at someone else, and, like, a huge fight breaks out. It's awesome. I just don't know when everyone eats. And I started thinking about, like, why is it in the restaurant? I think it's because in a restaurant setting there's lots of props. They can throw bowls and benches and tables, and if it's multi-level, someone always falls off the top level into the bottom level through a table. So it's very conducive to fight scenes. So if you're on the internet, there is probably a 100% chance that you will be hacked. This means you're always engaged with attackers, and you need to then look inside of your network and say, okay, I understand I have all these defenses in place, I've done some user awareness training, I've done all of these things, but you're still probably hacked in some way, shape, form, or fashion. That's when you need to turn to some of the newer techniques that we're talking about with threat hunting, where you're looking for machines that are already compromised in your environment, and you're not looking for how it was hacked; you're looking for the data that was being passed once the system was hacked. And in my other presentation at two o'clock, if you all show up for that, oh, the great things, I'll talk a lot more about the math behind how we're detecting, so detecting backdoors and callbacks inside of a network, and we have an open-source product for that, which is this one, RITA, right here. So you'll see more, and screenshots, of RITA in my presentation at two. However, Bro IDS is typically also used for this type of threat hunting, and there are two awesome resources here. This one comes from Sqrrl, I think, who put this together. It's like every blog post and research article on threat hunting catalogued in one place, completely free. You can just go start reading and learning about it. There's also one for threat intelligence, which is awesome, because they have ties to each other; it's one of the correlation points for when you're doing, is this IP address bad, or is this associated with some bad behavior. So those are some open-source threat hunting websites for you.

Okay, in the... if you rush your training, you will get your ass kicked 100% of the time. And there's this great movie, Clan of the White Lotus. Some of you may recognize the priest there, Pai Mei, right? Actually, if you watched Kill Bill Vol. 2, that's Gordon Liu. He actually plays Pai Mei in Kill Bill Vol. 2, but in Clan of the White Lotus in 1980 he played the person fighting him, which I thought was pretty awesome. And Quentin Tarantino actually dressed for the part of Pai Mei and he was told he looked absolutely ridiculous, so then he paid Gordon to do it. I'm full of useless knowledge like that, by the way. So a lot of this ties back to a point that I touched on before. In security, you know, I think a lot of us started before there was really an official security role in the organization, like you were in some other form of IT, right? When I started at Brown University, I worked in the systems administration group. There was no security team, like, 15 years ago. Obviously things have changed since then. However, the benefit that we had back then was a lot of us worked, like, not in security for a while before we started doing security. So we worked on the help desk, we worked on the network operations
team we worked in the sysadmin team we got a taste for it it was like to actually build systems and make them work before we started breaking into them and this is what I mean by rushing your training don't just go and start taking Metasploit classes without understanding how stuff works set up in your own labs stuff that make stuff work right when I went for my job interview at Brown University they they asked me like if I had experience with NFS inland UNIX and I'll take a guy that's over at my house they're like what do you mean oh my god I brought a picture of my you know server rack at home that I use for

my lab and they're like you have more than some of our data centers in your house like yeah that's where I setup NFS they were like wow like I cut the grass at home and stuff oh they're like and they hired me I don't know if they'd work for everyone but figure out how to get stuff working right set and I can tell you right now the research Avenue lately if you want to get into penetration testing in any capacity you have to learn Active Directory I mean you have the new Africa rectally like really well it's one reason like I don't do a lot of pen testing anymore because I don't have the patience or the time to go learn Active

Directory learn enough to be dangerous but you have to know that stuff inside out and backwards you should have that setup in your home you should be learning it figuring out how it works so that when it comes time to break it you have a foundation so when you do build your lab at home right have a plan what are your goals what areas do you want to focus on what are your goals in your career build the lab sign up for free and low-cost training ok cyber re has free training that's available IT Pro TV we have a 50% discount code that we're running on our show for IT pros evey they're both awesome websites we're

partners in some capacity with both. ITProTV is actually a full sponsor of our entire network, and a lot of people have done projects with them. Cybrary is also a partner as well; we're starting to syndicate some of our content on Cybrary. But for you, the benefit is it's either free or really low-cost training that you can gain access to, libraries and libraries of training on the internet, which is awesome. Practice every day, and make sure you get a mentor, we covered that.

OK, so in this one, there is always someone more skilled than you. In this movie, Wing Chun, actually there's another famous martial artist who happens to be a woman, and in the movie Michelle Yeoh is dressed up as a man. I mean, she's supposed to look like a man, but you know the actress, so you're like, that's ridiculous, and the movie is extremely ridiculous and it's funny. But she's dressed as a man and people don't think that she has the skills, but spoiler alert, she kicks everyone's ass and it's awesome, right. So, you know, while you may not think someone has skills, they might, and someone out there probably has more skills than you, and attackers might be more skilled than you as well. You need to learn from that. Now, a lot of attackers, don't get me wrong, I've seen a lot of attackers be really, really dumb, and that's usually what we see, right. The ones that are really smart we may not see, but when we do we have to appreciate that they might be more skilled than us. And others in the security community may be less skilled than you; on the other hand, don't poke fun at them. I mean, basically, when I've spoken with people like HD Moore and the Kismet guy Mike Kershaw and Fyodor of Nmap, right, they've run these really large open-source projects and people ask them questions all the time, and all three of them pretty much have the same advice, because I was like, how do you deal with that and how do you prevent a toxic environment from being created on your mailing list and chat and all that stuff where people are asking dumb questions, and they're like, basically, don't be a dick. That's what they told me. They're like, be nice to people, and that message really stuck with me as I went through my career in InfoSec, and it's something that I've tried to coach people on as well: don't dismiss people if they have a really stupid question. Now, Dave Kennedy posts some of the feedback he gets on his website, I think, to Facebook, and clearly there are some really dumb people that are like, hey, can you hack into someone's email account for me? It's like, no, no, that's not what
I'm talking about here; some people are actually asking legitimate questions.

OK, in this one, the weapon you choose matters little, it takes skill to win. That is, unless you're Lau Kar-leung. He was teaching kung fu at five years old; it's amazing, he's one of the most amazing martial artists. He holds the lineage for Hung Gar kung fu, or he did until he passed away and passed that on to others as well. And this style of kung fu comes from Wong Fei-hung, very famous Chinese hero. He has his own theme song, OK, like that's awesome. Like, I want my own personal theme song, then I'm gonna be awesome. Wong Fei-hung had his own theme song because he was so influential in Chinese martial arts history. And Lau Kar-leung can pretty much pick up any weapon; there's a movie, Legendary Weapons of China, where in the end he picks up every kung fu weapon that I knew to exist, and even ones that I didn't, and uses them to beat someone's ass. Awesome, definitely highly recommend that film. So just because you have a sword, though, it doesn't mean you're dangerous, right. I mean, not all of us started teaching kung fu when we were five, right, that's an anomaly. We can't just pick up a sword and be effective with it, right, we need training. And so my advice on this level is also from an awesome film, The 36th Chamber of Shaolin with Gordon Liu. He figures out that he can't beat his teacher; to get to the next level he has to beat the teacher, and he just keeps losing and losing, and then he's like in the woods and he's all mad and he smashes the staff against the tree and it breaks and makes a section, so then he smashes the other side and he makes like three sections, and then spoiler alert, he kicks his teacher's ass, which is awesome. So he creates the three-section staff. If you've ever tried to wield one, it's awesome; I should probably bring one to the talk for a demonstration. It's awesome, you hit yourself in the head and in the shin at the
same time, it's amazing. Uh-huh. So, but in this one, he built his own tools, right. Now there may have been other similar tools out there; that's OK. Me personally, I decided I wanted to write a port scanner in C just because, right. I decided I wanted a honeyport script in Python; oh, there's lots of honeyport-type scripts out there, but I wanted the experience. So when you go build something yourself, a tool, if there's other things that exist, that's OK, build it for your own experience. The same thing we do on our show Startup Security Weekly: you want to start your own company, don't worry about being the only one in the space. That's like a freakish anomaly. Like Uber is like an anomaly; that's like one in a billion, or a hundred million, of companies that are going to be the next Uber, right. Don't worry about going into a crowded space. Focus on what you do best and follow your passion; that's going to be a much better path for you than worrying about how unique you are when you write a tool or create a company.

Also along these lines, tools don't necessarily help us get the job done, I mean, unless you're Chuck Norris, that's different, right, that's the other anomaly. But in this quote from this awesome article, Garry Kasparov was once the greatest chess player in the world. He played the IBM computer, he lost. Teams after that played the computer; now, they weren't the best chess players in the world, right, they were good chess players but they weren't the best in the world. They also had a computer and software to help them with that, and they also had a really good process. And we read this article and were like, oh wow, so like when we look for vendor solutions, like, you can't just buy software and have it solve your problems. You need smart people, you need a good process, and you need some tools, and you need all three of those things to be successful in a lot of the things we do, offense or
defense. OK, in the next one, the best defense is always to have a good offense. This is a terrible movie actually, The One with Jet Li; has anyone seen The One with Jet Li? Anyone? A couple of people. You wish you could get your time back? Feels pretty bad. But one of the awesome things in this movie was there's two versions of Jet Li, there's the good Jet Li and the bad Jet Li, and they come from alternate universes; I told you it was a bad movie. And so, but the style of kung fu that they use in the movie fits their character perfectly. The good Jet Li uses Bagua, right, very soft, circular motions, right. The bad Jet Li uses Xing Yi, very hard, fast movements; both internal styles, by the way. But you know, it's said Bagua will go around the wall, Xing Yi will just burn straight through the wall. So it was really cool to see those styles in use. Now in Xing Yi every block is also a strike; it's all about being on offense at all times in this particular style of kung fu, OK.

I liken that to a lot of things we're talking about with web applications, and the web application landscape right now is very, very interesting, and I think to be really successful we have to be on the offense the entire time to defend our web applications. And we started out with this thing called WAF, right. Turns out processing all those requests and having very little understanding of your web application and trying to block things, not such a good idea. Now if you use a WAF successfully, we should talk; it might be a short conversation. I hope I could persuade you to some newer technologies that are out there. So then we said, let's develop RASP, right, and RASP is a small program that sits inside the web application server, the application server, and monitors all of those requests, so it has knowledge. It can look at a function call and say, that function call normally does this, but now it's doing this other thing. It doesn't have to worry about hundreds of thousands of requests from the front end;
it's just looking at the back end with knowledge and intelligence, right, and there's some vendors in that space. Then there's the cloud DMZ vendors: they take your entire application, they put it up in the cloud, they do all the protection, and you just manage it remotely. So that's kind of interesting; you give up some control, however they're able to put it up in that DMZ, they have technology that can kind of throw away basically everything that's coming at them, and they're just looking at what's going on inside of your application. It's kind of like a hosted RASP, think of it. Now there's some new ones that are like, I call it like a WAF-RASP-cloud DMZ. I think they're creating a new market, right; it's a bold move. You're creating a new company, you're trying to create a new market, right, because everyone, like, we know what a WAF is, right, some people are starting to learn what RASP is, like, that's a market as well. Signal Sciences is an anomaly; they're creating an entirely new market. What they're doing is they can put an agent on your system, they can hook into your web server, not your application server, but like an Apache module, or they can hook directly into your application server. They collect data, they put it up in the cloud, they do machine... actually, well, Signal Sciences does actual machine learning. It's actually the folks that came from Etsy and developed their security program for their web applications; they founded the company. Full disclosure, they are a sponsor, but I like their technology because it lets you look at all the performance things and all the security things in one screen, and it's doing that differently from all the other web application technologies. So that's kind of a brief overview of the web application landscape. OK, how we doing on time? OK, thank you.

Number ten, the softer styles of kung fu always lead to victory. Has anyone seen Tai Chi Master with Jet Li? Anyone? A couple of people. Awesome movie, right. My favorite part of the movie is when Jet Li literally goes insane, like he loses
his mind in the movie, and those who think Jet Li isn't a good actor, you have to watch that movie, because he does a really good job and it's really funny, because he goes crazy and then, like, magically he comes to his senses and realizes, because his best friend turned on him and is now in cahoots with the government and killed his friends and all this stuff happened, and then Jet Li realizes that the only way to beat his friend is to learn Tai Chi and integrate the harder styles with the softer style of kung fu, and he goes on to victory. So I started to think about some of the softer styles, and actually I integrate this in a different lens in my other talk as well. The softer styles in security almost always lead to victory, more so than the harder styles, right. So I did this little pie chart, right, and this is how vulnerabilities are really fixed in an organization. And this red area right here, that's your vulnerability management program, like on its own, without working together. And this yellow, this is your patch management program, like, working in a silo and not working together. And this little green slice right here, that's like Bob the IT guy just going around and fixing stuff on his own and patching things. And this blue area is actually working together as a team. The most successful vulnerability management programs, do you know which product they use from which vendor? Anyone? I used to work for a vendor. Anyone? Anyone? It doesn't matter; they use whatever they want. The most successful ones develop software themselves to integrate the workflow between vulnerability management and patch management and remediation, almost always homegrown. I mean, they will actually come to me and say, we kind of, I don't know if we want to maintain this anymore, it's really expensive, like, what can we buy? And I'm like, nothing, you're doing awesome, like, you can go get a drink, like, you're fine. Those have been the most successful programs that I've seen, and I've talked to a lot of people about their vulnerability management programs. So working together as a team is an integral part, and it's one of those softer styles, right, that we have to learn as information security professionals. We're often put in that situation where we have to get someone to do something that might not be in their job description, so we definitely need those softer styles. Incident response is a great example of that, right: we have to get our entire team on board today, hey, you know what, we're hacked really bad, hey, Bob, you have to stop what you're doing, whatever project you're on, and you're going to do
stuff for security, and Bob's like, security's Paul's problem. No, no, no, no, no, no, no, security is everyone's problem, OK. We all need to work together, and that's part of the softer styles that I'm talking about. So we have done some of that, right. I Am The Cavalry: we had Katie Moussouris and Josh Corman on our show to talk about healthcare security. It's based off of a tweet that I put out there, because I'm like, well, first of all, you just can't go poking fun at all the heinous... well, you can, but all the heinous vulnerabilities in IoT devices that are used in healthcare, right. So my tweet somehow garnered a lot of attention. My son was born in June last year, and when my wife was in labor I had my phone out and she was like, you're not tweeting, are you? Like, no, no, I'm not tweeting while in labor; we said no social media while you're in labor, right. And then she's like, oh, look at the baby's heartbeat on the screen, and I'm like, is that Windows 98? She wasn't too happy with it at that point, and then she was like, you're not tweeting that, are you? Like, no, no. And so I tweeted it, and it was the most retweeted, shared and liked tweet that I ever made. Katie Moussouris said it got more retweets than when she launched some very famous programs at Microsoft, so I was like, wow, this is really a problem that we need to address. So we had them on the show to talk about, well, yeah, we can point at things and go, that's Windows 98 and that's bad, but what do we really do to fix the problem? It turns out, like, talking to people and trying to effect change is a lot harder than just pointing at something and saying it's Windows 98. She did, my wife did lift the social media ban; I'm like, we're trending on Twitter, this is awesome, she's like, really, while I'm in labor? She's like, wait, how many retweets did you get? You also don't need expensive tools to win;
one of the things when you first start martial arts training is you learn to use the staff, because once you learn to use the staff, conceivably you can pick up any other weapon and be effective with it, because the fundamental principles are the same. Just like you can pick up a chair or a bench, right, like they had in China, and be very effective with it, and that's really cool. It turns out that you really don't need expensive tools to win in computer security either, and there are some examples here, and this was actually the foundation for the talk I'm giving at two o'clock. My original thought was I'm going to talk about enterprise security tools that are free, right, and for whatever reason I decided to go in different directions, but that's kind of how it all started. And as I talk to a lot of organizations, whether it's a casual conversation at a conference or in the bar afterwards, or if it's a more formal thing in some consulting I do, I noticed a theme emerging that a lot of enterprises are using open-source software: a lot of enterprises are using Bro, a lot of enterprises are using Microsoft Advanced Threat Analytics, which is either included or free, right, pfSense firewalls. So there's a lot of stuff out there that's completely free, so you don't need the tools to win, OK.

So these are some political and social things. Number eleven, the bad guys are always in cahoots with the government. Take from that what you will, draw your own conclusions about politics today, but almost always, as in Iron Monkey, right, the enemy in this case is the government, and the hero in this movie is a Robin Hood-like character that steals from the rich and gives to the poor; that's basically the plot of Iron Monkey. But the bad guys are definitely the government, and the people, like even the Shaolin monks in this movie, are in cahoots with the government. So this is where we're talking about state-sponsored hacking and the bad guys including the government. You know, this is obviously what Dave
talked about in his keynote; this is obviously an entire talk in and of itself. However, if you're tired of watching kung fu movies, because you're gonna go watch a lot of kung fu movies after this talk, you should also watch the documentary film Zero Days. I don't want to spoil it for you, I won't spoil this one for you, but it really delves into this topic and kind of gets you thinking about how the bad guys are in cahoots with a lot of governments, not just one, OK.

Number twelve, the protagonist always wants to learn kung fu to take revenge. I would say 80 to 90% of the kung fu movies out there are revenge-based plots, right. The best revenge-based plot is The Eight Diagram Pole Fighter, again with Gordon Liu; Lau Kar-leung is also in that movie as well. This movie was awesome. Just as a side note, there was a famous actor in Chinese kung fu cinema that actually died in a motorcycle or car crash during the filming of this movie, and that feeling of the actors and actresses in this film really comes through; like, you can just see the expression on his face in this final fight scene, like they're just visibly upset, and it really adds dimension to the film that is just awesome. I mean, it's like some of the greatest scenes in kung fu: he walks up with this gigantic cart of staffs and then, like, drops it and then, like, pushes a whole bunch of the staffs and they're, like, stabbing people. It's just spectacular, it's awesome, it's a really cool movie, but very much revenge-themed. Revenge hacking is not really a good idea, though, in computer security; not where you want to go, hacking into other people's systems even if you're the good guy trying to get back at the bad guy. The FBI's gotten into a lot of trouble lately; there's been a lot of public scrutiny for some of the things they did, specifically Operation Playpen, and new information is coming out about that all the time. Word is, the latest on this story is
they've got an exploit for Tor, they can uncover users, they won't bring it up in court because then it would be public. So, OK, number 13, the most popular kung fu movies aren't always the best ones, and this one really pains me because everyone talks about Five Fingers of Death, right. It was a movie in the 1970s that started the kung fu craze; it was on screens all across the US and people are like, this is the greatest kung fu movie ever. Yes, yeah, I mean, it's when his palm glows red, like, that's really cool, I think that's awesome. The original title of that film is actually King Boxer, for those who want more useless kung fu movie trivia. But so, the most popular vendors aren't necessarily the best, and we have a lot of choices out there today. We have an entire show where we're looking at new vendors, new products, new product features and integrations, called Enterprise Security Weekly, and I have to say a lot of the larger players either bite off more than they can chew or they don't keep up with their technology. Trend Micro just had an announcement; they're like, we use machine learning, and said nothing else on how they're using machine learning in their antivirus product. I'm like, really? Like, are you just saying that because, like, all the other cool kids are saying machine learning, like, oh, we can say machine learning too, yeah, we got that, we're cool too. Like, no, just because you're the popular one doesn't mean that you're the best. There are some, like Cylance, that bit off a little more than they could chew; they wanted to be the next big antivirus player, not so much working out for them, although they put a lot of money in marketing so they would seem like a big player. That doesn't necessarily mean they're the best. Now, Cylance may work for some people, and that's fine, I'm not disputing that. So, and big players in SIEM too, I mean, they're losing to some of the smaller players; companies are coming in saying, hey, spend like 20 grand less with your SIEM and give that to us and we'll
give you more functionality, or maybe even save 20 grand after you pay 20 grand for the product. So there's a lot of interesting things happening in the vendor space, OK. Moving quickly because I probably only have about five minutes left. In the kung fu movies, the student uses kung fu to overcome personal challenges. The Crippled Avengers is one of the most hilarious movies; there's like one who's blind, another one that has no legs, another one that just goes crazy, which is really funny to watch, now I forget the others, but they use kung fu to overcome personal challenges. Um, and what's interesting is many people that I've met in my career here in information security use hacking and hacking tools in the community to overcome personal challenges. You know, we have our own awkward hugging website, like, how awesome is our community. Like, Jason, is Jason here? He's not here, didn't come to my talk, jerk. Never mind, forget what I said, I'm just kidding. So we have our own awkward hugging website; like, how awesome is that. The security community is really great, and there's always a new challenge that constantly evolves, right. It's always keeping your attention and helping you maybe overcome those personal challenges by just having a really engaging and fun job in computer security, and I think it builds your confidence too, right. We're all trying to do the right thing and protect people; hopefully we all are, or we'll have to kick your ass.

All right, number 15, the righteous path is fraught with peril but always leads to a hero. So the protagonist in the film often has to endure several challenges; Gordon Liu has to jump over this moat in this movie in order to eat rice, and if his clothes get wet he can't eat the rice. It's a really interesting thing that he goes through, so there's a lot of peril, and then they come out of that like better people, essentially. So security is hard; there's my token unicorn. And what you know, what people say is that, well, I can just do X to prevent breaches, or my network was easy to secure, I just did
this. Like, you don't hear people saying that, I hope you don't. Security is hard and there's a lot of challenges that we have to overcome in order to achieve a secure network, so in that respect it is a parallel to some of the kung fu movies, OK. Number 16, so sometimes the heroes don't start out as such. This is Jet Li in film; in this film with Jet Li he is kind of a, well, he's an [ __ ] in the film, he beats people up and he hurts them really bad and he kills someone, and then Jet Li's family gets killed, and then he goes out into the woods and he learns Tai Chi, and he comes back and he kicks everyone's ass and he's a hero, OK. Hope it's not too many spoilers in there; you should still watch the movie, it's awesome. So, but he did not start out as a hero, right, at all. There are a lot of people in our industry that did not necessarily start out as heroes but have turned over a new leaf and are doing good things, and hopefully you recognize everyone in here: Kevin Mitnick, Samy Kamkar and Kevin Poulsen. OK, OK, I think we're gonna end the talk. How much time do I have, like two minutes? OK, I'm done.

Useless kung fu movie facts and other stuff: this is my top 10 list of kung fu movies right here, OK, so take a picture of that. I'll try and post the slides for you; I'll let them take a picture. Your homework is to go watch all those movies; they're awesome, they're great, they're on my website now. I should have put the link on the slide, maybe I'll put up a blog post with the link for this talk, because I have to look it up. OK, so here's five more for good measure, like, these are really good too, and like, I just, I couldn't, like, these are five more which, like, they are really awesome too. And I'm not the best on-screen martial artist; that's actually me, and that is a shovel, re-enacting a scene from a kung fu movie. But these are what I thought were the best on-screen martial artists. Definitely not, good thing I have a job in security, is all I have to say. Ridiculous facts: people say, you must be tired of living, like, a lot, which I think is a really great line, and other stuff, and I think that's it.
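The WAF-versus-RASP contrast in the web application part of the talk (a WAF filters hundreds of thousands of requests with little understanding of the application, while a RASP agent sits in the application server and knows what a function call normally does), as an added editor's example that is not from the talk and not from any vendor mentioned in it. The in-memory sample application, the concatenated-SQL lookup functions, the regex standing in for a WAF rule, and the baseline-learning monitor are all constructed here for illustration:

```python
import re
import sqlite3
from functools import wraps

# Constructed sample application (not from the talk): an in-memory SQLite
# database with two users.  The second user's note deliberately contains
# "or ... =" so that a context-free filter will misjudge it.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "this or that = fine")])
    return conn

def run_query(conn, sql):
    """The application's single choke point for SQL; the RASP hook wraps this."""
    return conn.execute(sql).fetchall()

# WAF-style check: a regex over the raw input value, with no knowledge of how
# the application will use that value (hypothetical rule, constructed here).
WAF_PATTERN = re.compile(r"(?i)\bor\b.*=")

def waf_allows(value):
    return WAF_PATTERN.search(value) is None

# RASP-style monitor: learns the structural "shape" of each query the
# application normally issues, then flags queries whose shape has changed.
def query_shape(sql):
    """Replace literals with '?' and normalise whitespace and case, so two
    queries that differ only in data map to the same shape."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # quoted string literals (incl. '' escapes)
    s = re.sub(r"\b\d+\b", "?", s)            # bare numeric literals
    return re.sub(r"\s+", " ", s).strip().upper()

class RaspMonitor:
    def __init__(self):
        self.baseline = set()   # shapes observed while learning
        self.learning = True    # flip to False once normal paths are exercised
        self.alerts = []        # shapes that were blocked after learning

    def check(self, sql):
        shape = query_shape(sql)
        if self.learning:
            self.baseline.add(shape)
            return True
        if shape in self.baseline:
            return True
        self.alerts.append(shape)
        return False

    def protect(self, fn):
        """Wrap the application's query function with the shape check."""
        @wraps(fn)
        def wrapper(conn, sql, *args, **kwargs):
            if not self.check(sql):
                raise PermissionError("RASP blocked query with unseen shape: "
                                      + query_shape(sql))
            return fn(conn, sql, *args, **kwargs)
        return wrapper

# Legacy application code the agent protects.  It builds SQL by concatenation,
# which is the kind of code a RASP exists to cover until it is fixed; the real
# fix is a parameterised query, as used in make_db() above.
def find_by_name(conn, query_fn, name):
    return query_fn(conn, "SELECT id, note FROM users WHERE name = '" + name + "'")

def find_by_note(conn, query_fn, note):
    return query_fn(conn, "SELECT id FROM users WHERE note = '" + note + "'")

def demo():
    conn = make_db()
    rasp = RaspMonitor()
    guarded = rasp.protect(run_query)

    # Learning phase: exercise the normal code paths so their shapes are known.
    find_by_name(conn, guarded, "alice")
    find_by_note(conn, guarded, "admin")
    rasp.learning = False

    results = {}
    # 1) Benign input that merely looks suspicious to a context-free regex.
    benign = "this or that = fine"
    results["waf_benign"] = waf_allows(benign)                    # False: false positive
    results["rasp_benign"] = find_by_note(conn, guarded, benign)  # [(2,)]: shape unchanged

    # 2) Input that changes the structure of the query (a tautology appended
    #    to the WHERE clause); the monitor sees a shape it never learned.
    hostile = "' OR '1'='1"
    results["waf_hostile"] = waf_allows(hostile)                  # False: pattern matched
    try:
        find_by_name(conn, guarded, hostile)
        results["rasp_hostile"] = "allowed"
    except PermissionError:
        results["rasp_hostile"] = "blocked"
    results["alerts"] = list(rasp.alerts)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the point the talk makes: the regex rejects a harmless note that merely contains "or ... =", while the in-process monitor passes it because the learned query shape is unchanged, and the monitor blocks the input that turns one query shape into another. A real RASP agent hooks the database driver or web framework rather than a single helper function, and a production baseline needs a longer learning phase than two calls, but the principle is the same: detection at the point where the application's intent is known, not at the front door.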