
Asymmetric Impact: Adventures in funding infosec research

BSides PDX · 2024 · 21:06 · 82 views · Published 2024-11
Style: Talk
About this talk
There's a lot of important work to be done in the world. Some of these things require funding. Funding requires sustainable funding mechanisms, which is a space I've been exploring a lot lately, and you can too!

Dean Pierce is a computer security researcher from Portland, Oregon. Dean enjoys making silly websites and has been involved in helping to organize infosec-related events in the Portland area for over two decades.

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

[Music] Hello, my name is Dean. This is a talk. I've been working in the infosec space for a long time. I like to build things, I like to break things, and I especially love building things to break things. I have a website now, no big deal. A while back I was thinking of a guiding purpose, of why I do infosec stuff, and I think largely it's this: I want to enable people to improve their quality of life using modern technology and feel safe doing it. I think a lot of people are very concerned about using modern technology, for good reason. Stuff breaks, stuff catches on fire, things are weird. But it's hard, for some reason. Incentives are broken; I think we all know incentives are broken. You'd really like it if companies would focus specifically on user safety and making sure that users are taken care of, but often it's compliance. Compliance has the nice frameworks, it has a lot of things that are pretty good, and hopefully you live in a world where the compliance frameworks that exist are somewhat aligned with user stuff, but it's a lot easier to just do the checkbox kind of thing, which is fine.

One big concern is that resource allocation is hard. There's a lot of stuff in the world, and people that need stuff, and people that can't get stuff, but resources are light, and the global attack surface is just full of all sorts of holes that need to be fixed. People try; there are different projects, different things going on, and a lot of different efforts to do things like that. But I want to talk about some of my experiences through time doing these sorts of things, and what we can do about it.

We're just people. Most of us aren't massive megacorps, but we can do little things that can grow into bigger things and do cool stuff. We can build communities, we can build systems, and, hey, here's the talk title, we can seek asymmetric impact: the little tiny things that we can do that end up becoming big things and having significant influence. There exist a lot of people that have useful things, useful resources, and there are a lot of people that have ideas for things to do with the resources but don't have the resources, and they're not often the same people. If you can find ways to connect person type A to person type B, there's a lot of really cool stuff you can do there. A lot of people view economics in general, especially anything money related, as a zero-sum game: you either fund this or fund that, like a certain set amount of money exists in the world. But economics doesn't have to be a zero-sum game. There are ways that you can build systems that are able to get resources to people that need them in very impactful ways, which is kind of cool.

I'm going to talk a little bit about building communities. Who ever went to BrainSilo? Anybody remember BrainSilo? It was this hackerspace from a while back. It was weird. Me and Loki were, I think, two of the main people behind setting it up and getting it going, and it worked pretty well for what it was. It wasn't too much of a financial commitment, which was nice, and there was some time commitment, but I saw this need for a space for people to hang out. One of the really cool things about having a hackerspace, and I came up with this concept of the hackerspace paradox, is that the people that tend to have the money and the stuff don't tend to have time to do things with it, and the people that have all the time don't really have the resources to have the cool stuff. So you have so many people that bought 3D printers or bought whatever, and it's sitting in their garage and they're not doing anything with it. But a lot of those people, when they're getting yelled at by their significant other to clean out the garage or whatever, would dump it off at the hackerspace. So it became kind of a junkyard, but it was a fun junkyard to play in, because there were people that would show up, like college kids that didn't have a lot of stuff to play with. Being able to connect those two groups of people, I think that's where a lot of the power lies in some of these things, so looking for those opportunities I think is really cool.

Who's been to the Ctrl-H hackerspace? It's very cool. I helped to found it mostly so that I could stop doing the other one. John and Melinda have done amazing work. Basically they dropped everything that they were doing in their life and they're full-time working on hackerspace stuff. They've been doing it for, I think, over 10 years now, and it's grown into something super duper cool. They're still fostering that community, where they bring in resources and they have spaces available for people, and they've actually built it out to a sustainable place where the money that they get for memberships is actually paying for everything. We never did that at BrainSilo; there was always overhead and other things. It's one of the great things when you can build a system like this and actually dedicate some resources to it and build something that's self-sustaining. I think that's a very powerful thing, because then it gives it a lot of room to grow.

I made a bunch of silly chat rooms. Anyone in the 503 hack chat? Yeah, there's actually been several incarnations of that: there's IRC and XMPP, and there is actually a 503 hack Slack that exists, and Riot, and Wire was there for a while, but now Signal. Signal is doing pretty good. I had started doing some of that as chats to coordinate at conferences, as ways to say "I'm going to get lunch, I'm going to whatever," and then I realized that there were some people that I would see at the end of a conference... (someone's beeping me a bunch; I'm going to make it not beep as much, okay) ... there are people that I would see at conferences and they weren't in the chat group, and it's like, oh, that's a bummer, why can we only connect over these conferences? A lot of these people are people that I only see in Vegas or something like that, where they live in Portland but you only see them when you're at these conferences, which is kind of this funny thing. So building these spaces that allow people to talk and communicate, whatever, is very low overhead. It's very cheap to spin up a chat room and get a few people into it and then do whatever, and then you can grow these sorts of things.

That's one of the reasons I started doing the 503 party at DEF CON also. There were a lot of local Portland people that weren't getting invited to the 303 parties or the other parties, and a lot of the parties there were very exclusive. The idea is that we would have this party, and if you have an Oregon or a Washington, a Pacific Northwest kind of ID, you'd be able to get in an hour early and get the good food and the good everything else. This was as simple as: basically I throw up a GoFundMe every year and say "give me a pile of money," and then people give money, and then I get a hotel room, and that's most of it. There's a lot of coordination and getting drinks and logistics and everything there, but for not a whole lot. You don't have to be a big corporate sponsor thing to run an event like this, which is kind of a cool thing, that any random person can just do weird stuff like that. I think that's kind of cool.

I like to make stupid websites. I'm going to talk about a couple of them. I made hashbounty; this is a long time ago, 2013 I think. Basically the idea was, I had GPUs that I wanted to do stuff with, and I also had hashes that I wanted cracked, and I had Bitcoins. So I thought it would be cool to have a website where you could post... I was originally doing SHA-1 and MD5 hashes, but those are kind of boring, and then eventually I set it primarily for WPA hashes. So you capture the EAPOL four-way handshake and then turn it into an hccap file, which is typically what hashcat uses to crack, then you upload it to the website, and then you send in Bitcoins. If somebody figures out the password, they can type it in, and I can actually simulate the EAPOL verification on the back end and then send out the coins if it's successful, fully automated. I was very proud of that. I kind of like this idea of being able to connect these communities, and we did actually have real people that were trying to crack Wi-Fi and people that were actually working on breaking them. I mostly know that because one of the hashes that got posted was a WPA1 hash, which I did not support; I only supported WPA2. And somebody called me up, they were like, "Hey, I'm supposed to get this Bitcoin bounty here, here's the password." They just called me at home, with an accent from somewhere, and I'm like, who is this person? I'm like, oh yeah, that's not quite implemented yet, but it took maybe an hour and a half or two hours to just flip a couple things around to switch between WPA1 and WPA2, and that worked, and then the payment went through, and it was cool. Everybody was happy, everyone's cool. Anyway, that was fun.

Anybody remember cheapbugs.net? Cheap bugs. This is another silly website that I made. I set up this website and I gave a fire talk at ShmooCon about it; that was my only ShmooCon talk I've ever given, a fire talk about cheap bugs. The idea was heavily inspired by a sales pitch from Exodus Intelligence, where you pay, I think it was like $30,000 a month, some crazy amount, and they give you this giant buffet of zero-days for Firefox and major VPN providers and different things, which was kind of cool. But I wanted to do one where it's Netflix prices: for $10 a month, people could subscribe and they get really shitty bugs. And it worked, it worked really well for maybe 3 or 4 years or something, then something broke with the mailing list; I don't know if it was getting caught or whatever. But anyway, that was a whole fun thing. So you can build these little mechanisms. I wasn't able to find the message, but I have this story where somebody found a stupid SQL injection and I paid them $50 for it, and they sent me a message and they said, "Thanks, you just paid for my kid's tuition for two years with this $50 SQL injection thing." That's super duper cool, that especially on a global scale, these things that you don't even think about, small amounts of money, can go a long way. It's very cool that you can build these systems that have long-reaching impact. I don't know, it's very neat.

I'm going to talk about some weird crypto stuff; just hold your breath for a minute, I'm sorry. Has anybody read the book Radical Markets? It's a very cool book; I like it a lot. They talk about a lot of cool concepts in that book, and one of them is quadratic voting. Quadratic voting is kind of a neat mechanism that's almost halfway between a one-person-one-vote system, like you have at the local government level, and a charitable donation kind of thing, where people's votes are influenced by the amount of money that they give. So there's a set of projects, and people can donate and choose which project they want to donate to, and the amount of influence they have over which projects are getting funded is equal to the square root of the amount they donate, which is kind of a cool concept. So if there's somebody that has a $25 donation and somebody that has a $100 donation, the square roots are five and ten, and so the influence for the $100 donation is only twice that of the $25 donation, which is kind of this cool system. Kevin Owocki, this guy, super cool guy, built a system called Gitcoin that was made for doing fundraising like this, and a lot of the money has gone toward some really great security research, mostly in the cryptocurrency space. What did I say? Oh yeah, so far, last I checked, they've raised $64 million and have had over 51 million donations total from people. What's really interesting about that is, when you have a quadratic voting system, you are incentivized to be a person that puts in a dollar. You put in a dollar and you have outsized impact relative to everyone else, which is kind of this cool system, because it incentivizes large numbers of people to donate small amounts, and there still are people that donate large amounts. It's just this cool mechanic where it's able to make people feel better about giving small amounts while at the same time making sure large amounts go to the right places.

There's this whole retroactive funding system, where Optimism is doing this thing. The interesting thing is they're using a lot of the Gitcoin quadratic voting system, but it's for public goods that have been built retroactively: you built this cool thing last year, here's money, thanks for doing that. That's kind of a cool system, another kind of weird mechanism. I've done a bunch of other weird stuff. I talked, I think last year, about some of the ZK bounty stuff that I'm doing for helping with automated bug triage and stuff like that. I also made this Bastet thing; I talked about it at ToorCamp. It's an AI that gives you money for doing security research. Anyway, what's next?

Okay, so the main part of this talk. There's some cool stuff, and there's a really great Key & Peele sketch where they're plotting a bank heist, and their bank heist is basically: they get jobs at the bank, and the bank puts the money in their bank accounts every month. Yeah, anyway, it's a very funny sketch. But it turns out there's this thing, low-risk securities, like mutual funds, different things like that: you put in a certain amount of money and they usually will safely accrue 5 to 10% yearly. So somebody who puts in a million dollars can pretty safely make $50,000 a year, and $10 million is $500,000 a year, which is the one-percenter income range. It's very interesting that there exist people with billions of dollars, and that still gets multiplied through the thing. It's kind of an interesting observation.

Secondly, the US tax code is interesting. There's the 501(c)(3). BSides Portland is a 501(c)(3); there are a lot of 501(c)(3)s around. I want to call it the US native funding mechanism. A lot of times what people can do is, if they have certain gains or certain income, they can donate to a 501(c)(3) and remove that from their taxable income, which is super useful; up to 60% of your gross income can go into that. So it's not quite, but almost, free money, and you put it to good causes. Very cool. I also want to say, my mom worked at Shriners Hospital, and growing up that was this whole thing. They have a very similar model, where they have this big treasury, and all the research my mom did through her career was funded through the gains on whatever is in the treasury. It's a cool system.

Can we combine this for a perpetual funding mechanism? Yeah, I think so. I made a new website. ChatGPT is really cool; you can put up websites really fast. pdxhf.org, you should go to this website, it's cool. It's the Portland Hacker Fund, and that's kind of the main project that I want to be talking about here for the next two minutes. Wait, maybe three, I don't know. So the way that we've set it up so far is, it's operating as a fiscal sponsorship under the PDX Hackerspace that I mentioned earlier, the Ctrl-H hackerspace. They have a 501(c)(3); they've been around for something like 10 years. We're still working on finalizing paperwork, but it allows us to take tax-deductible donations and then throw all the money in a big pile and get the interest. The idea is basically to give grants to people that want to do cool stuff. We are going to be starting with a $60,000 seed, which is going to be cool, and if you do the 5% on that, that's $3,000 a year. So basically I'm thinking for 2025 we're going to be giving at least $3,000, in probably seasonal, three different $1,000 grants, to people in the Portland area who have some weird idea of something cool they want to do. If you're a local hacker that wants $1,000, I think there are a couple people in here I talked to earlier, so they did that. I'm thinking three-month timelines for these projects, and we're going to have gas and lunch and stuff. I think it'll be cool. And at the yearly gala the projects will be demoed, the projects that go through the year.

Some project ideas I had: writing an open-source tool; making some resources for digital self-defense, which could be increasingly useful in this crazy world we live in; buying something weird off eBay and then tearing it apart and seeing what happens; something with radios, radios can be expensive and not everybody can afford that. So yeah, the idea is giving people the ability to do that sort of thing. Also, if you've got a bunch of money and want to give it to me, that would be cool. We're going to have a monthly subscriber kind of thing where people can pay, I think, I don't know, $10 a month; it's the same as cheap bugs anyway. And then you go to the lunches and everything else. We're having our first hack lunch November 6th at noon at the hackerspace, if anybody wants to do that; come talk to me. Become a sponsor, join the Signal group. If you go to pdxhf.org there's a button for a Signal group, and then you can join the Signal group. Do you like meddling in weird group chats? Yeah, join the Signal group. It's the button on the website. Anyway, do that thing. This is the last slide. Okay, that's it. Thank you.

[Applause] [Music]