
Calling All Hacker Heroes: Go Above And Beyond - Keren Elazari

BSides Las Vegas · 29:19 · 158 views · Published 2016-08
About this talk
Calling All Hacker Heroes: Go Above And Beyond - Keren Elazari I Am The Cavalry (IATC) BSidesLV 2016 - Tuscany Hotel - Aug 02, 2016
Transcript (en)

Good morning, ladies and gentlemen. Welcome to this... no, it's not an afternoon express, it's a morning express talk into the future, the future of cyber security. I will be your captain for this ride, and if you are seated, I request that you put on your safety belts, because it's going to be a fast ride. As a reminder, this is a non-smoking flight, absolutely non-smoking. If you do find yourself in need of a smoke, and this is Vegas, I know it is for some weird reason allowed here. Back home where I come from, in the Mediterranean, we don't really allow that sort of thing, because we're really sticklers for rules. But here in Vegas they let you smoke anywhere, but not in this room. Okay, guys and girls, we got that down? Good, fantastic.

If the live stream is ready, I'm also ready to really start the talk. I do have a couple more stickers. I'll be asking some questions during the talk, so those of you brave enough to put your hand up there and try and get the right answer, that's great. If not, I still have the stickers for you later on. Claus, can I ask you for a favor? Can you grab this, put them down? Thank you, much appreciated.

Welcome, people on the interwebs, to BSides Las Vegas, I Am The Cavalry track. My name is Keren Elazari, and what I would like to do with your time, that you have graciously given me this morning, is give you some of my ideas of why hackers are the real heroes in this world, and why hackers are my own personal, private heroes as well. Now I'd like to congratulate you for showing up today, because you have answered my call. I called out all the hacker heroes and I said, okay, you guys and girls are ready to take the next step, to go above and beyond with your work, with your security research work, with your vulnerability disclosure, with the policy work that you're doing. And what I'd like to do this morning is give you some practical ideas and advice on how I think, from my humble point of view, you could do even more with your knowledge and your ideas. Sounds good? You ready to roll? Everybody's seated? Okay, let's do this.

So first off, you're here because you already made the most difficult choice. You took the red pill. You realized it's up to us; there ain't no other heroes out there. We are the people that are going to save the day. We are the Cavalry, as they say here. So well done, but now the real work begins. You've made the choice to be a hero. You've made the choice to dedicate your life and your career to security work. That is awesome, and that's a choice I made about 20 years ago. Here's what it takes to be a hero, in my personal opinion. You know, you can be all kinds of heroes, by the way. This is one of my personal heroes, that's Trinity from The Matrix. One of my favorite scenes, for those of you who remember the movie, is when Trinity first meets Neo in a nightclub. Do you remember what happened? What did Neo think about Trinity when he first met her? Dude? Yes, he thought she was a dude. Well, that happens. I am not a dude, I have always not been a dude. I have much respect for people who are dudes or non-dudes; everybody's cool as long as it's safe, sane and consensual, and two adults or more.

However, heroes do come in all kinds of shapes and sizes, and guess what, sometimes we are the heroes but people think we're the bad guys. Does that happen to you? It happens to me all the time. When I go on a plane to go somewhere and I open up my laptop with all my stickers, I can see the flight attendants get nervous. When I go to get my hair done and they ask me, so what do you do for a living, and I'm like, yeah, I'm a hacker. They're like, you're a hacker? And you just say it like that? Shouldn't you keep it a secret? Isn't that criminal? Aren't you doing wrong stuff? What I do with everybody that asks me is say I'm proud to call myself a hacker. And you know what else? It is way too hot to wear hoodies in Tel Aviv, where I come from, anyway. All right, just trust me on that one.

But you know, some of us are kind of like day-job hackers, right? Like Clark Kent: in the morning we're all cool in suits, then in the evening we're Superman. Or at least that's kind of the narrative that people expect. Maybe people watching Mr. Robot and shows like that want hackers to have that split personality, you know, be the good guy and then separate their lives and their personal choices from that. I think being a hero is a little bit more complex than that, actually, and it's not a cookie-cutter thing, right? It's not just be the one thing, be that Clark Kent or that Superman with the straight-laced morals and ethics, and that's it, and that's the way it goes. Has anyone here seen the latest Batman versus Superman movie? I think that's a movie that really brings to light that conflict. I'm a big comic book fan, FYI. Also, in the latest Batman v Superman movie there is a fantastic lady playing Wonder Woman. Did you all know she is Israeli? Yes, Gal Gadot, she's one of us. Israeli women, represent, y'all!

All right, but if I had to choose my favorite comic book hero, antihero, villain maybe sometimes, it would be Deadpool. And you know what, even Deadpool comes in all shapes and sizes, like me and my friends here at the Deadpool premiere in Tel Aviv a couple months back. So we got a Lady Deadpool, we got Catpool, that's me by the way, we got like regular, you know, double-pistol Deadpool, and we got like Fanpool, he's also cool. So there's like various levels and types of heroes that you can be. You don't have to be like, you know, like Beau and Josh, you know, quit everything you're doing, move to DC, join a nonprofit, do all that stuff. There's lots of different things that you can do right now, actually, and we're going to talk about this stuff. But I want you to know that being a hero isn't like a drop-everything-else-that-you're-doing sort of gig. It's more like a Deadpool sort of thing. You get it? You with me? Y'all seen the Deadpool movie? Yes? How many times? Just the one? Six? Good, very nice, very nice, guys. At least three if you want to get all the jokes and the stuff, man, like if you're serious.

All right, but seriously, this is my real actual hero. This is Angelina Jolie in '95, when I was 14, and I can see you guys doing the math. I know it's complicated, don't sweat it, I'm 35 now. So when I saw this movie in '95, I was 14, I realized that it was my calling to be a hacker hero, just like Acid Burn in the most epic film ever made, Hackers, from '95. And I've seen that movie maybe like 1,337 times, approximately. But here's the thing, here's why that movie meant so much to me. This is who I was back then, when I discovered that there's this thing called being a hacker and you can be the hero. So that's an actual yearbook photo. I'm in the photo, it's not one of those trick questions, I did show up for school that day. How many of you have already heard me speak somewhere else and have already seen this picture? You, I know you, hi, hi. Okay, so those of you who have already seen this picture of me are excluded from the following competition. Also, friends and family cannot participate this time. But for the rest of you, have fun trying to find me in the picture. I guess a bunch of you are already trying to get it. Anyone got it? There is a prize. Yeah? Is it you in the lower right corner, here, this girl? No, that's not me. Going twice. Over here, this one, this one, this one? Okay, no. Going third, last chance. On the bottom row, the right here, this? Yes? Okay, no. No, I'm sorry, all bets are off, ladies and gentlemen. I hope you are prepared for the truth, the honest truth. It hurts. That's me. Yep, take it all in. The nerdiness is there, and you know, I wouldn't go anywhere without my state-of-the-art '93 Sony Walkman, even in the yearbook photo. And I was so much of a nerd that even the guys playing D&D, Dungeons and Dragons FYI, decided I'm too much of a geek to join their crew. Yep. But I found a better crew, yeah, the Deadpool crew. Only took me 20 years, but I finally made it.

Anyway, that's who I was, and this is who I wanted to be. You know, 20 years later, fast forward, I'm pretty happy with how my life turned out. Speaking at DEF CON a couple years ago, 2014, was a real dream come true for me personally. If you haven't been to DEF CON yet, you have to go. If you haven't submitted a talk to speak at a BSides or DEF CON, do it, it will be the ride of your life. I also had another dream come true that same year; maybe some of you have seen or heard about it. In 2014 I was invited to be the first Israeli woman to speak at the international TED conference, that's like the big TED, the Bill-Gates-is-sitting-in-front-of-me kind of TED. And I freaked out, obviously, but I think the talk went very well, and my idea that hackers are the heroes, or the immune system, for the information age really kind of became viral, if you don't mind the biology pun. Okay, stand up? Not going to do it, moving on.

So this talk went viral, lots of people have seen it, have responded to me, but I have to confess, I have a confession to make: I got something wrong in the talk, which is very embarrassing when like two million people have seen it. So in the original script, what I was supposed to say, what I was going to say, was that hackers are the immune system for the information age, not just for the internet, right? Because we all know the internet is just like one part of what we all do, that's not everything. The internet does not include, you know, I don't know, laser-shooting autonomous robots, for example. Not yet anyway, but we'll get there. But the TED folks just, you know, caught me saying "the internet" and that's it, you know, it lives on for posterity. But here's the thing: we do really need that immune system for our entire world, in fact for our universe.

This is the internet, or rather the World Wide Web, about 10 years ago, and that's kind of a visualization of, you know, websites or servers that you could discover on the internet. That's not the only place that we need to defend as heroes. If I wanted to show you what our current world looks like, it would be like the Milky Way, right? It's a galaxy, and just like our universe it keeps expanding, it becomes bigger and bigger, and there are dark corners to it, dark corners that the world does not want to know about, or protect, or even visit. But we are the pioneers, we are the explorers in this universe, because we go there first, right? We go to the dark web first, and we use Shodan to identify devices and hardware that is discoverable on the interwebs before everybody else knows about it. So guess what, we have a huge responsibility as the pioneers of this place, maybe even the natives, if you're with me on the analogy there. I know there's been a lot of analogies this morning, so maybe less analogies, more funny stuff.

Well, here's a funny thing: in this universe we have our villains. Every good hero needs a good villain, and here's what I think the villains are. I don't think the villains of cyber security are government agencies or cyber criminals in the Ukraine or, you know, somewhere like that, pardon my friends from the Ukraine. I think the real villains that we have to fight are bugs, software and hardware vulnerabilities. And guess what, as our universe keeps expanding there are going to be more and more bugs, and they're not like alien bugs, they're, you know, software and hardware bugs, and they're in stuff that we didn't even think about, stuff that is just now getting connected to other stuff, whether it's GSM or radio frequency stuff or, you know, a freaking laser-shooting autonomous robot on Mars that just happens to be running one of the most vulnerable and most popular software and computing environments in the galaxy. And who guesses what that popular software and computing environment in the galaxy is? By the way, it's not Klingon, somebody tried that. Any guesses? Windows XP? Thank you, Patrick, it is not Windows XP. It is Java. It is Java, the Java runtime, JavaScript, all that stuff. And guess what, even the Mars Curiosity Rover has Java in its operating system, and a hardened embedded operating system as opposed to, you know, live out there in space for decades. So that's a scary concept right there, isn't it?

And guess what, we are just creating more and more code. As humans write more code, even if we let AIs or bots or machines or algorithms write our code, we're going to go from the, you know, 100,000 count, like 100,000 lines of code for an iPhone app, maybe a couple more for a game design engine like Quake, but we're quickly jumping into the 50 million lines of code, 100 million lines of code for stuff like cars. So it would be naive to not expect the bugs to already be there, and it would be even more naive and perhaps even childish of us to expect the companies that make this code, or the governments that are supposed to regulate all of these different new fields of industry that have never before thought about cyber security, you know, the automotive people or the medical device people or the aviation people, the airlines, they're just kind of waking up to something we've known for a while. So it's going to take them an even longer while to adjust. While they figure their frack out, we need to be there, we need to step up, we need to be the Cavalry.

How can we do that? Well, one thing I think which could help us do that is be really vigilant for these sort of super villains, right? These are like the super mega bugs, like Heartbleed and Bash Shellshock, bugs that are in stuff that everybody uses and have been in the wild for like months and years, and nobody knew about them and nobody fixed them because nobody cared or nobody bothered to look. So that would be the area I would encourage you to focus your energies, your research, and also your protection efforts in your organizations. I would ask where is our third-party software coming from. And you know what, it's a puzzle, right? When you get a piece of software from somebody, if you're a company that's buying a product... I find it hilarious that right now I could have like a candy bar, I could buy a candy bar or a KIND bar, and it would say all the things in it: it's got nuts, and it's got chocolate, it's got cherries, and I'd know exactly what's in it. But if I'm a multi-billion company that's buying another multi-billion company's code and software and technology, I don't really even know what all of the third-party software libraries are in it. Don't you think that's a little bit silly? How are we going to keep track of all of this vulnerable software? Well, one idea which I'm excited about, and I think you'll learn more about later today, is the idea of a software bill of materials. So, a list of ingredients for what's in the software. And guess what, this is an area where you can be the heroes in your place of work. Let's say you make decisions about buying technology: can you ask the vendor what's in this software? Actually, if you are a consumer, how many of you guys use Facebook? I guess a bunch of you use Facebook. I recently decided to maybe not use Facebook as much. I made a personal choice based on some security analysis I did, and one thing I did was look at the app on my phone and try to figure out what was the third-party software that that app was using, and I found a bunch of stuff that I did not enjoy finding.

So take a minute to think about the stuff that we just accept blindly and willingly as a product, like a black box. Would you eat like a candy bar that was in a black wrapper and you'd have no idea what's in it? Would you put that in your body? Well, some of us are more adventurous, I guess; you'd put all kinds of stuff in your bodies, and that's cool too, no judging. However, when it comes to software that could hurt or, you know, influence human lives, that's where you need to make a difference with your choices, I think. And you can make a stand as a consumer, as a private individual, as a corporate. But guess what, we leave it to governments, we leave it to the regulators to figure this out, and they are going to fail. Not because they're not good or because they don't want to fix this; it's because they're just slower to adapt, because they're not natives to this world, and we are.

So why should we be looking for bugs and doing this sort of security research work? Not just for fame, fun and fortune, although all of these can be found in the security professional's life, not just adventure and excitement, no: for the future. Do it for the kids. I know it sounds like a joke, but I'm actually serious. I don't have kids yet, I'd like to have some soon. I'd like them to grow up in a world with technology they can trust, technology that I can let them trust, because I am a techno-optimist by nature. But it's not just going to happen by itself; it's not like gravity. Security and privacy are efforts that take work and time and thinking; they don't just happen by themselves, and bugs are going to be there.

So one thing I've been asking myself recently a lot is: what's the impact of bug bounty programs? I'm sure you've all heard about bug bounty programs. Yeah, you've heard about them. If you haven't, they're great. I think they are great ways for companies to collaborate with hackers. But I know a lot of people are questioning, you know, there's so many bug bounty programs out there these days, and thanks to Bugcrowd for creating this great evolution or timeline of the history of bug bounties in the past 20 years; they've really come very far. Now you can find a bug bounty program to report errors in popular sites like YouPorn, Yahoo and United Airlines, just to name a few big brands, and I think that's pretty cool, actually. However, I've been really asking the question: what is the value of these programs? And one thing I know people are discussing, for researchers: why should they give up their vulnerability that they found, or their time or their effort, to help a company? Maybe they get like a gift card, like a $100 gift card or a $1,000 gift card. You can't make a living from that, you can't make a six-figure salary from that. Well, that's right, no, you can't. However, that's not the point. Bug bounty programs are not there to help you get rich fast. They are there to get more people to find more bugs faster. So it's about scale and scope and size. It's about getting the thousands of, you know, independent friendly hackers out there in the world to have an easy way to find problems in code.

And I did a little research into some of the data coming from programs like the Google program, which is very big, the Facebook program, the Microsoft program. I interviewed some individual people running programs and participating in some, and this was all done as part of my work at Tel Aviv University; I'm a researcher there. And one thing I discovered which was very surprising to me is that bug bounties are great for finding more bugs faster. Yes, we all know that, that's kind of intuitive. Well, they also create awareness and reputation and media attention, because now, you know, United Airlines wants to talk to people about their bug bounty program because they want the positive PR that's a part of that. I'm okay with them, I'm okay with United getting some positive PR points if it's because they have a bug bounty program, and let me tell you why. My mom was an airline manager for 20 years. I can now come up to my mom and say, hey, you know United, this huge airline? Did you know the website has bugs, but hackers are actually helping fix those bugs and they get some miles in return? And my mom would be okay. I'm cool with that, that's pretty awesome. So that's why it's cool to have bug bounty programs, even if people can't make six-figure salaries out of them, or, you know, huge DEF CON blockbuster 4,000-people talks about moving planes from side to side. That's okay; if they're getting bugs fixed, that's cool, I'm cool with it.

But the last thing which really surprised me was that these bug bounty programs around the world are creating a new workforce. So let me give you a practical example. This is from the Google data for their bug bounty program in 2014, and what this map shows is where the researchers are coming from. And what Google has said is that most of them are not from North America, as you might expect, but actually Europe, Central Europe, Eastern Europe, Asia, Africa, even down here in Australia. So it's a global thing, and especially in some places like Africa, Asia and Latin America, some of the researchers reporting these bugs, these are people getting legitimately paid, on the up and up, for security research work for the first time in their lives. So it has already created an alternative to the dark side, in a sense. Yes, maybe they're not making six-figure salaries off of their zero-day vulnerabilities, but they are joining our workforce, they're getting their first steps.

Who here started their first steps in the industry 5 years ago? How many of you have been in the industry more than 5 years? 10? 5, five, okay. Keep your hand in the air if you've been more than 10 years. Hand in the air if you've been here more than 20 years. 20 years, security industry? Yeah, you guys, 20 years in, that's me. We're the desert generation. Desert generation is a concept from the Jewish Bible, I won't get into it, but the fact is the 20th century is gone and now it's a new era, and we need all the help we can get. So we need more people in this industry, and bug bounty programs are one way to get people in, which is why I'm a fan. And you know, Cisco says we need 1 million people more in this industry. That's their data; they did a pretty decent study on the workforce. A million is a lot of people. This is a room of 40 or 50. So we're going to need these programs to help get more people on board.

And the programs also help build the bridges. So what do I mean by bridges? Some places where there was once a firewall, there is now a collaboration opportunity. Case in point: the Pentagon, right? The US DoD, probably one of the most conservative bastions of old-school power, opening up wide to work with hackers. I guess that sounds like really romantic and naive, but it's actually creating some cool impact in the real world, and it's showing other organizations, other nation states, other countries, other agencies that there is potential here. Because if the Pentagon is doing it, well, maybe the government of Israel can do it. Maybe United Airlines, we spoke about that, their million-mile reward for vulnerability discovery. Yeah, so maybe they only did it because of this guy and they wanted to spin the story. I don't know why United decided all of a sudden to have a bug bounty program, but I don't care, I'm happy there is one, right? And I'm happy that this guy did his research and spoke up about it in the way that he did. In fact, for those of you not familiar with Sidragon1, that's the tweet heard around the world, where last year he got on a plane on his way to BSides in San Francisco and was tweeting some of this stuff up, and it created a whole viral mess, unpleasant for him, unpleasant for United. In the end, though, one year later, maybe some difference in the world, maybe. That's my point of view anyway.

So these programs for hackers and companies to talk to each other are creating an alternative to the dark side, if you will, I think. So here's another tweet I saw recently. I don't know who this guy is, by the way; if you know him, tell him I say hi. He's a guy who found a zero-day and the vendor ignored him, so he decided to create an exploit in the hope that now they do not ignore him. That's his choice to make, and I understand where he's coming from. However, I guess that vendor could have done things differently by not ignoring this guy. So if you are working for a vendor, don't ignore hackers. Really simple, you know, just do the basics, respond. There is no better disinfectant than the light of day, right? That's so powerful it's worth saying it again: there is no better disinfectant than the light of day. We need to get more research work done faster and out there in the world in every way we can.

So something I'm extremely excited about and I tried out personally is this totally new project that you can all join. The beta is free and it's up for download right now. It's called 0patch, zero like the number 0. And 0patch is a new technology by a bunch of hackers from Slovenia who got tired of their pen testing work being so easy, so they would always use vulnerabilities that were already in the wild and had known exploits for them. What these guys created was a tool for micropatching software without the vendor's consent, approval or know-how. But that's cool; they're not interfering with the vendor software. So let me give you a practical example, once again, I tried this out. Let's say I'm running Foxit, do you know Foxit, the popular PDF reader alternative to Acrobat? It also has a bunch of zero-days, or, you know, vulnerabilities, maybe not zero-days, well-known, well-documented, in-the-wild vulnerabilities. The guys at 0patch created a micropatch that you run on your machine and it prevents this exploit from running. I tried it out with a weaponized PDF, and this is the message I got, that it blocked it. And this is done without any knowledge, cooperation or authorization by Foxit. But they didn't do it in the darkness; they blogged about it, they talked to them about it, they let them know they're doing it, because they can get these micropatches done much faster than Foxit can get their attention to fixing their vulnerable code. If you're interested in that, I suggest you give it a try, maybe create the micropatch yourself. So perhaps the next generation of bug bounty programs will be patch bounty programs: people creating micropatches for vulnerable software and fixing it.

Hey, what's up? You want a sticker? Yes? Okay, then stay quiet till the end of the talk. Thank you. All right, that's how we do it in Israel, guys.

All right, my heroes, if you want to read more about my ideas, this stuff, I recently posted an op-ed on motherboard.vice.com; you can read more about this stuff there. I know I have to wrap up pretty soon. I have a couple more minutes? Or are we done? No more minutes? Okay, you ate into all of my time, Josh, I will eat all of your raspberry pies.

So just to recognize this guy and the work that he did: Barnaby Jack, a true inspiration to many of us here in the room, I think, a researcher that pushed the envelope in what he did with medical device stuff. Jay Radcliffe, a member of I Am The Cavalry, is he here? Yes? Where is he? No? Okay, well, I say hi, Jay Radcliffe, awesome guy. This is Dr. Marie Moe. She has a pacemaker in her body and she is a professor of information security, and she did a TEDx talk on hacking her own pacemaker. I recently had the pleasure, thanks to the Cavalry and thanks to Beau, thank you very much, of hosting Marie at BSides TLV, which is in my hometown. It was just last month, and we got the BSides crew right there, represent, y'all! Whoo, yeah, don't leave me hanging. Thank you. So a bunch of our speakers are here. Ezra, my co-host, is there. If you want more BSides TLV stickers, I got them. Save the dates: so these were the dates for last time; it's in June, in Israel. The big conference that we're a satellite to is called Cyber Week. It's organized by Tel Aviv University, and guess what, it's all free. So come out to Tel Aviv, where it's guaranteed to be sunny or your money back. Did I mention it's free, and I'm the Cavalry?

Thank you so much, guys, we all earned this together. I had a bunch of other stuff that I wanted to talk to you about, but I won't take into other people's time anymore. I see Jack, though. Jack? Oh, he ran away. You know, he's like one of those mythical unicorns. Well, if somebody sees Jack, let him know I have a gift for him. "You have to demonstrate a threat to spark a solution," that's what Barnaby Jack said. I try to do that in my line of work, in an ethical, responsible and moral way. It's really up to each and every one of us to decide what kind of a hero we want to be, but the call for the hero is

[feedback]