
BSidesBCN 2019 - Keynote

BSides Barcelona · 2019 · 42:41 · Published 2022-01
About this talk
Iftach Ian Amit - Keynote

I will go with your decision. All right, wow, that's a full room. We did not expect this, I have to tell you; these guys did not expect so many people to show up. And on a personal note, before I start off blabbering about failing and BSides and communities, I just want to say again thank you to the organizers here. I've known them for about a year now, give or take, and I can tell you that they worked extremely hard to set this up for you. There's been a lot of emotions around it, and efforts, and every time that I see a new BSides starting off in a city

I'm amazed, each and every time. Each one is a story of its own; each one is, you know, different personas and technologies and communities, and each time that it happens it's like, oh my god, it's mind-blowing. So I wanted to talk today about failing. For the rest of the day you're probably going to hear a lot of really cool stories about your community, about people like us that are taking a big step, standing on this stage (not like me, I'm just talking about stuff), but they're actually doing research and putting out interesting stuff and telling you about it and educating you. But they didn't get here just by chance.

They got here by doing a lot of this, and I think that that's one of the most untold stories that don't really get the front stage in our community, or even in general. And as someone who's made a career out of failing, or failing successfully, I think it's really important to kind of understand that, and that's really a key to having something like this happen. My initial conversations with these guys were like, yeah, we can do it, BSides, we probably can bring like 20, 50 people, something like that. I'm like, no no no, step it up, it's going to be a lot more.

Let's start. My name is Ian, I'm the chief security officer for Cimpress, and in my night job, or other jobs, I'm also the president of the board of BSides Las Vegas. We've been doing this for 10 years now. 11? Yeah, we suck at counting, so we're celebrating 10 this year; it's another fail. And there's... oh, my animations suck, okay. I'm gonna kill you for this. We're growing up on a lot of success stories, kind of the heroes of our time: the Jeff Bezoses and the Bill Gateses and Steve Jobses, and they're like the titans of tech. They're the people who we look up to,

that have made it, that have started literally with nothing, not like the American version of nothing, really nothing, and set up multi-billion dollar companies, products that we're all using everywhere, things that are changing our lives. But I want to talk about how they got there and what made them what they are, and it's not really those successes, the successes we celebrate all the time. It's the failures, and as you can see in my own personal failure of not managing my slides. Anyone remember the Microsoft Zune? Okay, okay, I was expecting like a younger crowd, that's awesome. Microsoft Zune was Microsoft's attempt to compete with the iPod. I think it even came out before the iPod, if I'm not,

if I'm not mistaken. It's a really interesting concept, or kind of understanding that this thing preceded the iPod; coming out first doesn't necessarily mean that this is going to be the successful one. And Microsoft miserably failed with the Zune and is still not in the music industry. I mean, they've lost that battle a long time ago; now it's mostly controlled by Apple and Spotify and the smaller players. Microsoft is not even playing, not on the hardware side, not on the media side, and that's, again, a multi-billion dollar industry. They had it. They had it, they even had like a few versions of it, it was competing head-to-head with

an iPod. The market was there. Complete failure. When we look at Apple, Apple even didn't start as a successful company, only after a couple of really horrible iterations of really shitty computers. If you remember, this is the Apple II... no, Lisa? Yeah, that's the Lisa. This is the Apple I. Horrible computers, they didn't work, they're ultra expensive, they're really, really bad iterations of a computer. But they needed that failure; they needed to put something out there. They went on a limb and they said there is nothing right now that fits what we want, let's build it. They got some feedback, really harsh feedback, trust me, feedback that, you know, when I'm

thinking back about the first days of Apple, that kind of feedback would have crushed most people, and they would just, like, you know, [ __ ] it, you don't want it, don't need it, I'm gonna go off, make, you know, big IBM machines. But they didn't. They kept on going and they said, all right, so the I wasn't good, the Lisa is kind of almost there, and then they came up with the Apple II, which blew the market to pieces. Anyone remember this phenomenal machine? The Apple Newton. All right, this was before iPhones, this was before iPads, this was before the Palm Pilot. This thing had

like handwriting recognition, it was the most sophisticated thing, it preceded its time by a decade at least, if I'm not mistaken. They went out on a limb, they designed a device with a touch screen, with graphics, the size of, you know, a mobile device, like a proper mobile device. The market didn't even know what to do with it. It was just like, what do you want? We're still in the Apple and IBM, like, the PC era, and these guys were innovating way beyond their time. And guess what? Disastrous failure. Disastrous. And now every one of us, almost every one of us, holds one of those in their pocket, whether it's an iPhone or an Android.

They've literally paved that way through those horrible business failures. A project like this kills companies. Kills them. And this is not about some financial resilience whiz-bang, like running the numbers; this can kill a company, because the amount of resources and the man-hours and the money that you put into a project like that to get it into a commercial version is insane. You're betting a company on something like that, and it fails. What do you do now? Windows ME, if we're moving on to Gates, so we're done picking on Steve Jobs. Windows ME, again, colossal failure. Not that the Windows 98 before that was a phenomenal operating system, but you know what, you keep iterating. I

talked about the Zune, so we're going to leave it alone. Bezos: I used to work for Amazon. You have no idea, no idea, how many failed projects, major projects, Amazon allows itself to go through in order to be that hyper-successful company. Amazon Fire Phone, one of the few projects that actually make it out, you know, going through those additional gates that a lot of other projects just stop at and kind of recognize the failure there. So by itself it is a double failure, because it failed to stop getting to production where it should have, and then it went into production, went into full failure mode, and Amazon managed to, I don't know,

within six months, if I'm not mistaken, they've killed it. They were able to make the decision that, again, manufacturing lines, software, hardware, everything that went into this stopped, and they just killed the project. Colossal failure. Guess what? Still one of the most successful companies in the world. I think I've seen a graph of the number of people that work for Amazon: they're topping 600,000 people, like 600,000 employees. When I got there in 2015 they were at around 200, 230,000 employees. In a year they hired more than a hundred thousand employees. Insane numbers. You can't get there without failing on the way; there is no way to do that. If you keep succeeding it's just not gonna

work. And we'll skip Pets.com, because that's really old school. Let's talk about some of our own heroes, like hacker heroes. Anyone recognize the guy on the left? Mitnick, of course. Anyone recognize the guy on the right?

Not Bonnie, no. That's borderline racist, but no, I'm just kidding. Nothing? Thank you. Shimomura. Rings a bell? Starts to ring a bell, all right. Out of these two, who's the more successful hacker? Not famous, successful. You don't want to play? All right, it's the first hour, I'll give it to you. So most people go like, oh my god, Kevin Mitnick. Why is he famous? Because he went to jail, because he got caught. How does that qualify someone for being our, you know, hacker community hero? Because he got caught by the FBI? Come on. The real story about Kevin Mitnick, and I invite you to Google this and read about it, it's a

fascinating story, is that Kevin got caught because he picked on a guy. He kept on... he picked on Shimomura. Kevin was having problems because he kept getting traced back to his landline, or to the landlines that he was hacking and using, and he decided to go into mobile, and he didn't know [ __ ] about mobile. Not that he knew a lot about technology, but he was looking for someone who knew mobile phones and had the right software and the right access, and he found this guy. Shimomura was working as a consultant. Kevin stole his software, stole software from him, started using it, and Shimomura just went into... Shimomura wasn't really a hacker hacker, but

guess what, he was deep inside. It's not about what you do, it's about a mindset, and Shimomura went on full-on hacker mode and decided to go after Kevin, because now we're talking pride: you stole my software, now you're using it illegally to do bad stuff. Went after him. All of the forces in the US, all the FBI, the police, MIT, Berkeley, all the universities, the Pac Bells, AT&Ts of the world couldn't catch Mitnick. One person did: Shimomura. He hacked back. That's the first hack back that we know of; well, there's probably before that, but that's the most famous one. And Shimomura learned along the way, failed a lot of times, and managed to get back and catch Kevin.

He was the one that enabled the FBI at the end of the day; he was consulting them eventually and tracked back Kevin to his location in North Carolina, if I'm not mistaken. That's how he got him. These are some more relevant pictures of those two, so this is Shimomura back at his office in California, if I'm not mistaken, when he was working on the Mitnick case back at the time, and this is Kevin in a more natural environment. We talked about Steve Jobs before. The real success of Apple and the real ability to iterate on failure and iterate on products wasn't really Jobs, it was Steve Wozniak. He's a real hacker

inside of Apple, he's the real kind of innovator and techie. These are the heroes that we should be talking about when we're talking about successfully failing. [Music] Failures of grandeur. Let's talk about how to successfully fail, how to do this correctly. First and foremost, you have to step out on a limb. It's about innovation, it's about stepping out of the comfort zone and saying I am willing to take a risk, and part of it is getting into that mindset of planning to fail. If you start something off with no plans of failure, with no ability to understand this is... I am taking myself out of a comfort zone, this is not just following instructions one by one,

you will never succeed. I love this image. Everyone's like, what the [ __ ] is going on? Think about it. When you're starting a project and you're not creating failure plans, this is the real feel when you're doing anything that has not been done before, at least not by you. Make sure to take into account kind of a couple of exit points, all right? What happens if this little cart doesn't have brakes, so I jump out of it at this point? Good idea, before it picks up too much speed. What happens if, you know, I can't break a certain algorithm, or get to a point where my memory optimization, or, you know,

my ROP tricks don't work in this environment? Have a failure plan. If you don't have those you're just not going to succeed. Deconstructing and building on lessons learned: think about all the times that you tried to attack something, tried to learn something new, and you kept running into things that eventually turned out someone else already found. Using other people's lessons and failures is key. Look guys, I'm lazy, all right? There's no other way to go about it, but I'm using my laziness and convincing myself that there's got to be someone else that did something like that before. I'm only leaving whatever mental and physical energy that I have left to do actual work

for things that I'm pretty certain no one did before. For everything else, someone's got to have a solution, so focus your energy on doing things that actually matter. Deconstruct other people's work, use their failures to plan your own. Failure is the real experience. If you talk to someone who's only had successes, there's nothing to learn. Like, what did you learn by doing something and it just worked? Is it going to work every time? Are you sure? Is it repeatable? Can it work better? If you do something and you're just like, all right, that's it, done, you've done nothing. It's like, gee, thanks, nothing to learn from here. Let's get a little personal,

because people are like, oh, you're standing on stage, you're keynoting. No, no, let's talk about some real visceral failures. This is a cool story. When I was starting off doing red teaming... and this fits perfectly, because yesterday we're sitting around picking locks and everyone's like, there's this big monstrous Master Lock, the yellow one, that no one managed to pick, and everyone's like, it doesn't work, doesn't work, doesn't work. And I'm, like, picking up the lock, talking to some of my colleagues, and I'm starting to pick at it because it's fun, and I popped it, I picked it, and suddenly everyone just stops and goes like,

you just picked that lock? I was like, yeah, of course. I didn't get good at picking just out of the blue. I actually really sucked at it, and one of my first red team engagements, where I had a physical element sewn into the engagement, I managed, first of all, to convince myself to sell something that really didn't exist. My skill sets were not set up to do any kind of physical, like, lock picking testing in a real environment that is not this one lock that I practiced on. And I found myself at an office building, after I somehow brilliantly managed to lock myself in a conference room. I spent a couple of hours there, you know,

under the guise of a guest. I'm inside, I'm hooking up to, like, the AV systems, and I'm pivoting inside the network. Everything's going fine, I'm getting data, I'm doing, like, hopping on voice over IP networks, everything's great. At some point someone comes in; apparently the room wasn't booked anymore. Someone comes in, opens the door a little bit, peeks inside, I'm kind of cowering in the corner, they don't see me, they close the door, lock it, walk away. It's 4:30. It's like a semi-public company, so by five everyone's gone, and I'm starting to realize, oh [ __ ], this is it, I'm locked inside. I spent the next 45 minutes, 45 minutes,

sweating bullets, trying to pick this, like, six-pin cylinder, like, super tight lock. Sweating bullets. I'm like, I'm gonna stay here until tomorrow and this is gonna be embarrassing, I'm gonna be a pillow, sweat... this is horrible, why am I doing this? I started doubting my whole career path, life choices. I was on the phone after four or five minutes with my contact at the company, starting to play out, like, how am I going to explain that I need someone to get back to the office, get up all the way to, like, the 14th floor, and unlock me from the conference room I was supposed to break into, so I can go back home and start writing

the report. As I'm on the phone, it was literally within, like, my last shreds of dignity, I managed to unlock this monstrous, which is now I realize a piece of [ __ ], lock, make some fake-ass excuses on the phone, and drag myself and my shattered dignity back home, understanding that this thing is either never going to work again and I'm not dealing with red teaming ever again, or I'm going to have to get a little better at this and get some more practice. Fast forward four or five years: this is from one of the red team classes that Chris and I gave in Colombia, and this was the first

red team class we gave, and these are Colombian schoolgirls that go to an American school, really fancy neighborhoods, really, like, rich families. They were our translators; they weren't even, like, doing anything there, they're translators for the class, and we were teaching them how to pick locks. 10 minutes later, our security detail, which we invited inside because they were going like, what are you guys doing? They didn't speak a word of English, we're like hand-waving them inside, our security detail is working on locks, the schoolgirls are teaching them how to pick themselves out of their own handcuffs. We wouldn't have gotten here if I didn't end up locked up in that office

building five or six years earlier, contemplating life choices and considering, like, changing jobs maybe, because this is horrible and I suck at it and I failed. If you have any idea what it is to pick locks, and I highly encourage you to do so, 45 minutes working on the lock... [Music] I can't believe I did it. Back in the time I was like, I didn't have my choice, but it was a colossal failure, and that's one of the best experiences that I've had that kept me driving forward and kind of expand my horizons into, you know, more and more into the physical security side of things. Look for the signal in the quiet. So I

mentioned our hacker heroes before, and our kind of industry leaders, and as you'll note there's a lot of noise that these guys are making. There's a reason why almost every hand was raised here when I asked who's the guy on the left. That's Kevin Mitnick, again, media hero. He's everywhere, everyone knows his name, he goes on TV, he gets paid thousands of dollars to speak at conferences, he's running some shady businesses, doing some shitty stuff done by other people, but a lot, a lot of noise. Shimomura, no one's heard about him. I had to, like, almost go one by one until the guy at literally the back of the room was like, oh, Shimomura. No one heard about him because there's no

noise, but there's a lot of signal, and it's really key to try to pick up the signal in the quietness. Look for the guys who are not putting themselves out there, who don't have thousands and tens of thousands of followers on Twitter, who are not on every freaking stage at every freaking security conference. Look for the guys that are putting themselves out there, maybe have, like, a little git repo, maybe make it to a small conference. Look for these guys. This is HD Moore on the right and spoonm on the left. For those of you who don't know, they wrote Metasploit. Anyone knows Metasploit? Yes, of course.

Metasploit was a shitty program. I know, I've been there, at Black Hat 2012... no, 2000 and what? I wrote it down here: 2004. Oh my god, I'm getting old. I couldn't find pictures from Black Hat for some reason, so this is their DEF CON talk the same year, when they released Metasploit for the first time. It was written in Perl. Now, again, I'm old enough to be able to hold on and do something functional in Perl. I'm betting you, if any of the young kids here understand what we used to do in Perl, they would just go like, oh, that is horrible, that is the absolutely wrong way to do anything related to computing. So they wrote this

thing, this project, in Perl in 2004. Horrible, but, you know what, it kind of worked. It worked, like, in a hacker way; for the four or five things that it was supposed to do, it did. It did it horribly, but okay. They are brave enough to understand: this is shitty, we need to fix it, we failed. Complete rewrite. Not, like, complete rewrite as in, you know what, let's pretty up the Perl code, let's make it more effective, let's document it. Complete rewrite as in let's change languages, let's change platforms, and took all the hackish stuff, translated into Ruby, built a new framework in 2007, and up to this day, without that initial failure, we wouldn't have

proper Metasploit modules and interactions and Meterpreter and all the fun things that came afterwards. Initially Metasploit didn't have Meterpreter; it's like, you create a payload, send it out, bam, done. Now we have all those frameworks because of that initial failure, because they wanted more and they weren't happy with what they had, but they had to fail, and there's no way that Metasploit would have gotten there. And think about all the other talks that were out there at Black Hat. I was just fortunate enough to be in the room, because I couldn't get to the other talks, because they're packed, they're full, and the only reason I know HD and spoonm

and know Metasploit, it was because I couldn't get to, you know, the popular talks at Black Hat. I was like, ah, you know what, let's sit in this thing, these kids can probably teach me something, and they did, and I was like a fanboy and it just worked. But without that failure, without going on a limb, without me, again, by luck... now I look for speakers that... I was just talking about this with Chris yesterday and I was telling him, look, I think BSides Barcelona is going to be awesome. I know none of the speakers. I'm super excited to hear what they have to say, because, you know, there's no noise,

it's going to be all signal. And we're sitting, you know, over dinner last night and I was, like, getting giddy on everyone that introduced themselves. Like, I'm talking about this sometimes, it's like, yes, I have no idea what this is, I have done no work on that, this is super interesting, I'm gonna learn something new finally this week, be able to pick up those ideas. And, you know what, I guarantee you one of the talks here is going to be about something that really didn't work, or that's not going to work for you, but if you can pick up a couple of ideas from that, that is going to be the best success

that you'll have here. Tune in to the community. Don't try to look for... again, this is about making out the signal from the noise. Tune in to the community, because the talent is here. This is, again, this is literally why we're here, because I know, and Chris knows, and everyone knows, I've been to Barcelona many, many times before. There were security conferences and hacker conferences in Barcelona, I know, I was there, I was speaking there, and then they're gone. And this is exactly what I was telling the guys: I know that the community is here, I mean, they couldn't have all just left within the past five, six, ten years. Tune in to the community, and this is the literal proof that it can

happen, that the community is here, the talent is here, the content is here, the money is here, everything is here. This is where you can find the signal; you don't have to look for the noise that everyone else is making. If you look at the big conferences, the Black Hats, the RSAs, try to look behind the scenes and understand how they work. Black Hat submissions and talks are due almost a year before the event. Sorry, RSA. The Black Hat submissions, they're designed to create media buzz. People are releasing research specifically to get into Black Hat. It doesn't make any sense. Why would you sit on information, on data, on research, where you could have shared it, you could

have iterated over it, you could have failed and made it better and better and better, and eventually made it to the next Black Hat, or, you know what, who gives a [ __ ] about Black Hat, go to BSides. I might be a little biased, but most conferences run once a year. Do you really think that there's innovation that gets published only once a year? Screw those big conferences. Have a BSides, have a Barcelona hackerspace, you know, the Barcelona cybersecurity thing, you meet every month, I've been there and it's amazing, and you can get content, talk about it, fail over it, show stuff that's incomplete, show stuff that, you know what, shouldn't make it

to, like, a Black Hat or a BSides. Show stuff still in work so you can iterate and successfully fail so you can get to that final submission. Tune out the noise. This is the most difficult part. Social media is... oh god, I love social media. It's great for some things, I have to say something positive, but it's a dumpster fire for most other things. It's filled with emotions; people are very easily detached from humanity when they go onto social media, they turn into horrible, horrible people and they're spewing out... it's a dumpster fire. Tune it out. Learn how to utilize social media to your needs.

I'm using it purely to either troll my friends and get horrible things out of them, or use it for marketing, for myself or my company, for things that I want to promote, and that's it. It's not about family, it's not about friends, it's nothing. If I need to call my friends I'm, like, DMing or, you know, other things. I don't care about checking into places, taking pictures of food, you know, commenting on politics, again, unless it's trolling my friends. Tune out the noise. Try to find the quiet ones on social media, the ones who post, you know, oh, I've updated something on my GitHub, I have a problem with this, this doesn't work for me, can anyone help

me? Anyone wants to pitch in on a project? Look for those. It's really hard because they're surrounded by

Last but not least. I think I'm good on time, right? You're not freaking out yet, you're not sweating, so I'm gonna keep going. Last but not least, and this is the most important method, I think, that I have: noob it out. We're all learning things. I mean, today, in the last couple of days, I threw a little conference, you know, in our company, and I learned new things, because my staff and my colleagues and my peers stepped up and put up content and made a big thing, and I was like, ah, this is interesting, I'm still learning. I mean, if I were to get to a point where I would be like,

you know what, I'm good, I think I am a professional now... no, no, sorry, I think I'm an expert, I am a cyber security expert, call me out, because that's the point where my career is done. Literally, there is no way to become an expert in this industry, and I'm willing to fight, like physically fight, anyone who says otherwise, or at least get someone to fight for me. But understand and embrace this noobness. It is an amazing energy that keeps me going. Again, I'm excited. This is the 498th BSides event that is thrown worldwide since this guy over here started it 11 years ago because he was pissed at something,

and we participated in it and we learned, and we still learn, and I'm as excited to, you know, stand here on stage and clear this area of [ __ ] and let the real people who are doing work talk about what they're doing, because I understand, and as I said earlier, like last night, I was giddy understanding that I'm gonna learn new things that I have no idea about. But unless you get to that, unless you embrace that state of mind, I'm a noob, I'm going... if I try to touch this I'm going to fail so badly, but it's going to be so much fun, and that's the only way it's going to get

better. So with that, I just want you to recognize, first of all, the bravery of everyone standing here. I mean, I'm almost done, I'm, like, ready to go. It takes a lot to come up with content, and not just, like, fancy words and talk about, oh, you should be brave and fail and motivational speaker... it is amazing, it's absolutely amazing. So embrace that, recognize it, and step on that stage. It is scary as hell, it's not for everyone, but it is so rewarding, because it gives you so much feedback and it connects you with other people and it enables them to connect with you, and that's the only way that really successful projects and really

successful code, hacks, people end up together. Thank you. [Applause] Comments? This is not, like, a questions talk, but I'm happy to answer anything that someone might have. Nothing? It's too early. Oh, there we go, yes.

Yeah, what is that? Oh my god, how much time do we have? Red team testing in a nutshell is full adversarial simulation. Are you familiar with pen testing? Good. It's not pen testing. Think pen testing, but in the real world: no scope, no limitations, no rules. And as a red teamer you have one task, which is to simulate a certain adversary, whether it's a script kiddie or a professional hacker or a competitor or a nation state. You are tasked with assuming that role and being able to subject your target to everything that that adversary has in play: from a technical perspective, from a knowledge perspective, from a threat intelligence, an intelligence gathering perspective, from a physical

security, social engineering, accessibility... everything. No rules, no scope, everything's in play. Your target is the company, it's the business assets. It is not an IP address, it is not a URL, it's not a database, it's not a computer. That's, in a nutshell, and correct me if I'm wrong, red team testing. All the things. Yes, more questions? Yeah, go ahead. No? Yeah. So, what would you consider your biggest failure that has helped you the most? It's funny, so the couple of slides that I added this morning... and I was talking about on the way here that this is awesome, we're using Google Slides so I can make edits until the last minute and they're automatically synced.

This is my latest, but the slide that I actually added there... I had two slides, to be honest. One that talks about someone else's failure, which, again, you learn a lot from, is last night. If you don't know, the fourth nation that landed on the moon, was supposed to successfully land on the moon... it's a couple... I know one of the guys that started this. Israel had its lunar lander, or not-lander, faller, get to the moon, crash into it, because they had some failure along the way. Again, failure. The second slide, and I was all about, like, this is a colossal failure, it is amazing. They were the sixth or seventh

nation to put something around the moon and the fourth one to put something on it. I'm not gonna say land, because it made contact with the lunar ground, the live stream said last night, as I was like, [ __ ]. But it's an amazing endeavor, and they failed so successfully, and now the media is filled with, like, kids are inspired, kids want to go and learn science and math, and we just took... I was like, oh, let's do the math on something that no one has ever done before at that scale, in gravity that we cannot simulate here. My personal favorite failures are not professional per se, and that was the other slide, I had, like, three.

So picture this, picture three, like, Facebook profiles, the default ones, and I want to talk about learning from the three worst managers that I've ever worked under. Horrible, atrocious, and Chris knows some of them, because I was bitching and whining, and it's like, it's horrible, but I'm at it because I think I can do something here. And in hindsight, which is always easy, I learned the most about running companies, managing people, managing resources, projects, all of that stuff, from those people, because they were absolutely [ __ ] at it. Horrible, horrible, horrible, to a point like that should be a prosecutable offense. That has been my personal favorite, again,

and it's about sticking it out and making sure that you get that experience. I know it sounds super counter-intuitive. I know that most people, like millennials, are like, if I don't like my job I'm going to quit. I was like, really? How privileged of you. No, stick it out. There's a lot to learn from shitty jobs and shitty environments and managers. Truthfully, the best, like, management lessons from there... I didn't learn anything from, like, running a successful organization. I learned some, but most of it was through that. Lock picking, again, probably, on a personal note, one of the worst ones. I had a major project that, again, completely failed, that forced me

to create a new attack vector back at the time. I think I talked about it back at the cyber security meetup, where we just could not complete the job and I had to find a way to exfiltrate data, and I ended up, like, creating a hodgepodge of hopping techniques and exfiltrated over voice over IP. Again, that's the cool story, but what preceded that was a horrible failure, and what I neglected to tell you was the initial report that we had to send them, that basically offered a full refund because we sucked. But we stuck it out, and I was like, that sucks, I don't care about the money, but I can't go back and say that I failed an

engagement, and it was a disastrous failure. I mean, we literally forgot the money, it's done, but leaving it off without the ability to say that I meant it, I got something... can't do it. A lot of questions, awesome. All right, thank you so much.