
BsidesLV 2025 - Common Ground - Wednesday

BSides Las Vegas · 2:11:51 · 376 views · Published 2025-08


Why we should be building infosc worker power through the labor movement. Uh all the slides, resources, and citations for these are all on GitHub already. Um and so hopefully you're here for the talk about the labor movement, not the talk about databases, though I think there are a lot of good databases talks uh here this week. Uh to get a sense of the room, how many people here have ever been in a labor union? Okay, three. That's about what I expected. How many here would like to be in a union? If you could. Okay, awesome. That's about what I expected. Anyone who's just ambivalent or here to have something to listen to while sipping coffee. Um, okay. And anyone who's here

to hack me, get me fired, or sabotage the labor movement. That's what I thought. They're all watching on camera. Hey, Elon. Um, okay. So, for a bit of information about who I am and for some context setting, I'm going to talk a little fast, maybe get a little y. Hopefully, I'll have time for one question at the end, but I assume that a lot of questions people are going to want to ask off camera. So there's resources and um I'll be hanging around after the talk uh for a bit about me. Uh so I uh and and why I'm arguably worth listening to. Uh I'm not some one from big union uh to be an outside agitator

uh and stir up trouble where I don't belong. Cyber security is my day job. I'm a senior cyber security security specialist at a government agency. Uh exact one doesn't matter for the purposes of this talk. Uh but in my day job I'm a cloud engineer and product lead. previously have worked on some privacy uh incident response and some other issues. Very importantly uh the opinions and views expressed in this presentation are my own and uh my union locals and do not represent the thoughts, opinions or positions of my current employer. This is a very important point. I'm here on my own dime own time and I'm not speaking for uh any other institution. Uh as I'll get into a

second, I am a union rep at my current job. been doing that for about five years representing some colleagues. Uh and in my free time I've built a blinky badge uh do do some tool development volunteered around the community at villages and other bides. Uh and I got my master's degree in tech law and policy which is relevant uh for some of the policy and law elements of this talk. I'm not a lawyer. This is not legal advice, but I did take some labor law, so I'm not speaking out of nowhere when it comes to some of these issues, specifically on the labor background and why I'm worth listening to in that degree. Uh, so I've been a union rep for

5 years and my current job, my union local, is with the International Federation of Professional and Technical Engineers or IFPTE because the labor movement likes convoluted acronyms just as much as the tech industry. Uh, I represent my IT cyber security team in our day-to-day work, but have also done uh bargaining, dispute resolution, and advocacy. And I'm a tech policy adviser for IFPT at large. And then I also organized with some cool grassroots labor organizations, uh, the tech workers coalition and the federal unionist network. Uh, all right. The I think the most important thing about my background is that I am really just some guy. Uh, I'm not that special. Uh, despite what my mom may say. I have no

black badges, no CVE, no lead stories about getting domain admin or hacking uh, nation states. Uh, if I can do the stuff covered in this presentation, you probably can, too. This can be pretty daunting work, pretty intimidating work. Uh, and it's not work that can be practiced in a home lab or a CTF or something that you can get a search for. Uh, no one really knows how to do it until they do it. And that means the only way for you to get good at it and to feel comfortable doing it is to do it. Uh so I would like to start the talk if I may by offering some thoughts on the current moment both broadly and

specifically for us as a community and a workforce compared to where we were where we were a year ago. I'll then give some thoughts on what makes the hacker community particularly equipped to meet this moment and to organize our labor. After that, I'll talk about unions a bit more generally and how our community and industry uh could fit into the labor movement framework. And I'll conclude with some thoughts on why we really need to organize as workers right now with some concrete next steps. So, who remembers the plan? Specifically, the plan for how we as hackers and infosc workers were going to build and maintain political influence so that the feds don't go back to

hunting us for sport. and we're going to maintain high demand for our labor so that we always had job security. Uh if you don't remember, it's probably because there wasn't much of a plan uh at least explicitly beyond some vibes and the idea that we were kind of set as an industry and a workforce. Uh to the extent that there was a plan to build and maintain political influence, especially among this community, a lot of it I think was dedicated to building dark tangents roll the decks. Um, that might be hyperbolic, but a lot of the work that was done to build this community's political influence came down to high-profile names, building individual relationships uh with policy

makers and journalists, and then using those relationships to speak on behalf of the community without much formal accountability or direct input to or from this community uh or much material input. Essentially, we've been doing policy advocacy more or less fueled by personal brands. Uh that now that's not to say that this is inherently bad, especially compared to where we were a decade or even longer ago. I'm not going to complain that the National Cyber Director came here every year to tell us how special we were and that we were needed and that they want to listen to us. Um but that type of individual-based advocacy is very fragile when it depends on a handful of people being listened to

with their individual relationships. Now, as workers, we were able to coast on scarcity to create high demand for our labor. Uh that demand may have been dramatically overestimated, over reported, and overinflated, but it kept our salaries high and our negotiating power strong. Uh essentially, we haven't really had to grapple with where our power comes from when it doesn't come from our individual relationships or our scarce skills. And we're still kind of stuck in that mindset. Uh this slide I grabbed from Monday morning's uh keynote, which was a great keynote, and I loved it. And it was all about how we need to come together and build a community and we're stronger together. And then this slide came up in the

context of uh having a bad employer. And I was like, "Yes, Bryson, he's going to talk about voting to form a union when you have a bad employer." And then it was a metaphor for voting with your feet to leave your employer. And we were so close. This is so close to hitting the nail on the head because you can literally vote in your workplace. You can literally democratically actually vote to have a union, as I'll uh touch on in some more uh later. So, if we cut to where things are today, uh I'm going to say things aren't going great. Uh that I think that's kind of a consensus here, but um this is pretty obvious in

government where a new administration has actively targeted leaders of our community for doing their jobs and doing them well. They've removed the voices in our community that were given federal government roles like DT's advisory role at SIZA. They've cut our peers jobs or pushed them to leave. uh those peers who were doing deeply important work to protect public interest systems and provide free resources to the rest of us. They barely sustained the CVE data that serves as a foundation for our industry. And they removed oversight officials. Whoop and they removed oversight officials who stood to hold companies and other government uh agencies accountable for running insecure, immature cyber security and privacy programs. The totalitarians in

government have been on a rampage replacing competent professionals with yesmen. And this isn't just dangerous for our republic. It's especially dangerous in our industry uh where quickly and honestly reporting bad news is essential to keeping systems, data, and people safe. Um not to worry, however, the push to quash our ability to disscent, raise alarms, and have protections on the job through union representation and collective bargaining has a carveout for IT and cyber security workers. It specifically carves us out from those protections uh allegedly for national security reasons. Uh and just on Monday, a federal appeals court has affirmed that the president can essentially declare that any federal executive branch role is national security essential enough to uh be

stripped of union protections, even if that position doesn't require clearance or is as uh routine as checking drugs at the FDA. If anything demonstrates the criticality of our work, it's that we were explicitly excluded from layoff targets at the same time that we were excluded from union protections. They know that they need us and our labor to keep the machine running. They just don't want us to be able to say anything about it or do anything other than run the machine in the way that they say. The feds are back to hunting us for sport. And it's not for DMCA or CFAA violations this time, but it's because we could possibly slow them down. As for those of us who are in the

private sector, uh our jobs may not be directly cut by the new administration, but certainly uh contracts and funding has uh gone away. Um and our bosses, more importantly, have felt emboldened to tighten the screws. Over the past few years, layoffs have been sweeping the tech industry, and we know the job market isn't what it was a few years ago. Our bosses have been fed the narrative that AI can successfully and competently take over our work. Something that those of us who have spent more than a day being forced to shape our workflow around a new AI tool know isn't true. And they think they have free reign to cut without consequence. For the second year in a

row, we should all be booing CrowdStrike. And this year, I think a lot more than last year because uh this year the harm of laying off hundreds of employees was an intentional choice made by George Kurts, their CEO, and not an accident. And it's not just the uh threat of layoffs or AI and shitified jobs. Bosses are dragging us into the office despite every indication that we're as productive outside of the office as in it. And they're walking back already thin commitments uh to ensuring our workplaces are more diverse equitable inclusive and accessible as they caved outside pressure. The trends aren't looking good, and it would be unwise to assume things will change if we don't do

something about it. Fortunately, I think that we have the values and the skills that are necessary to meet the moment and protect what makes this community amazing and our labor valuable. Uh, coincidentally, those values and skills translate very well into successful labor organizing. First of all, we can self-organize. Literally, look around us. The beauty of Hacker Summer Camp, uh, not counting Black Hat, which I don't, uh, comes from a practically all volunteer effort to organize four conferences where we defer to each other based on reputation, expertise, and commitment to getting stuff done. As a community, we've bought into these models of self-governance and volunteer expertise, especially in the leadership of Bides and many of the

villages at Defcon. Not because we had to, but because we're practitioners who recognize skill when we see it and can and will and will call BS when that skill isn't there. Similar models of practitioner-driven self-governance uh with deference to trusted community leaders can be found in open source foundations and projects that serve as cornerstones for much of our work. And that's all without a CEO or shareholders making us do it for a paycheck or stock equity. uh we're organizing ourselves as volunteers to provide our skills and labor with mutual aid efforts uh as to the parts of our broader communities that need it most through initiatives like the cyber resilience corps and defcon Franklin. And then we also know

how to organize ourselves into kick butt affinity groups that support each other and build sub communities that make the overall cyber security community bigger, stronger, and more inclusive. And again, we've done all of that on our own and for each other. We know how to advocate. We know how to advocate outside of our community without waiting for someone to swoop in and do it for us. Hackers on the Hill organizes hackers every year to meet with members of Congress and their staff. I am the Calvary is downstairs right now building connections between our community and critical infrastructure communities. Uh and then advocating for critical infrastructure to get the security resources and incentives that it needs. Going back to

the 2000s, we've been self-organizing to advocate for policy changes that would let us do public interest work without fear of criminal penalties from section 121 of the DMCA. As far as our values go, we are an outspoken and autonomous bunch. We are certainly not afraid to tell those in power what we think or to call BS when we smell it. Since the 90s, we've been telling politicians that they don't know what they're doing to their face and ensuring the hacker voice is heard by policy makers. We also love our autonomy. We're certainly not afraid to stand out from the crowd. And we put a lot of work into building uh and supporting systems like tour and signal

that let us privately communicate and maintain our autonomy in the face of government and corporate surveillance. Since the hacker manifesto, I would argue we've explicitly recognized that our ability to challenge entrenched systems comes from individual thinking and crucially that we must work together to preserve our ability to act as individuals. So that may be all fine and dandy, but what does that have to do with union things? Glad you asked. uh legally uh formally in the United States, this is what a union or technically a labor organization uh is. In its most basic form, a union is any organization outside of your employer's control that you and your colleagues elect to represent you in negotiations with your

employer. The law spells out uh uh some stereotypical bargaining categories like grievances, pay, hours, benefits, but I want to draw attention to the conditions of work clause at the very end there. and encourage you to think creatively about what bargaining over our conditions of work might look like for our industry. Now, as if not more importantly are your legal rights as an employee in addition to being able to form, join, or assist a union without reprisal from your employer. You have labor rights with or without a union. Specifically, you have the right to engage in other concerted activities for mutual aid or protection, uh, which I'll get into more detail in a few slides. Now, unfortunately, United States labor

law uh kind of sucks in a lot of ways and it does exclude managers and independent contractors from having any of those rights. So, if you're in the private sector and you're interested in forming a union, here's a very simplified overview of what that process looks like. If you've ever organized a standing interest based group within our community, like a village, this shouldn't feel too unfamiliar. First, a majority of workers organized decide to form a union and what structure that union will take. This can include deciding who you want to be included in the scope of your union, like a single team, an office location or your entire company, which larger union you want to affiliate with

or if you want to start your own, and which colleagues you want running the union, bargaining on your behalf, and representing you in conflicts with your employer. If you can run a nonprofit, manage a CFP, and run a village or conference in the mayhem of the Las Vegas heat, you can probably do this. And if you're here participating in it, then you're probably familiar with structures that abide by similar principles. Now, after the union is recognized, which is a big, long, often times contentious process that is very hard to do, uh, but if you just skim over all of that, you get recognized. Yay. Uh, you bargain a contract that covers everyone in that union, regardless of if they

voted for the union or if they're do a duespaying member or not. Bargaining is where your boss is legally required to reach an agreement with you and your dedicated representatives. It's where you can tell your CIO, your HR department, and every other leader visited by the good idea fairy or some useless management consultant that their ideas are as workable as an Intel executable on a new Mac and that it's uh not something that you're going to agree to. Uh speaking from personal experience, it can be a great feeling uh to tell someone who doesn't know how you to do your job that their new idea is flatly unworkable. Um, the form of this contract and bargaining can vary

depending on how you decided to structure your union in that first step. It can be a very specific group of employees within your organization. Maybe the sock team organized to get better pay schedules on call treatment and AI protections and now they're negotiating a contract that just covers the sock team. Uh, for example, code CWA's uh, alphabet workers united organized some Accenture workers uh, that contract for Google's content team into a union. The CWA has also organized quality assurance workers at Blizzard to reach agreements that just cover those specific teams. It could also be all employees at your employer. Uh, this is more typical in small to medium-sized businesses uh, and in white collar employers. This is where everyone joins

the same union regardless of their team or position. Uh these uh industrial unions are pretty powerful because it allows you to bargain along your employer's entire line of operations and not as easily lose to like divide and conquer strategies that employers will frequently use uh among different parts of your workforce. So this could be everyone at your small pentest company deciding to unionize to get guaranteed training opportunities and a clear salary scale. Now, finally, there are craft unions or guild unions that negotiate master contracts with multiple employers. Uh, these are pretty rare in new unions and are mainly in the building trades or occasionally in the arts trades like the writer's guild, screen actors guild, um, things like

that. Um, they're pretty hard to build and establish over time, especially because it kind of requires there to be employer concentration. Uh, but I think it's worth thinking about. The Sky talk yesterday proposed uh a guild model and while they do take time to build given the fastmoving nature of our industry and bringing the same skills to multiple employers rotating quickly, I think it is uh a model that's worth pondering on and thinking about if it's something that we want to build towards. Um, after you have your contract, your union represents you if your employer violates that contract uh or other laws that protect you at work and then they advocate for your interests beyond the

workplace, which again I'll touch on in a few more slides. So, back to those uh rights that I mentioned earlier. If you don't have a union but still want to improve your workplace, which I think covers a lot of people who raised their hands here, uh that's where those rights that you have still come in. Your right to engage in concerted activity for mutual aid and protection lets you put those skills that you've gained heckling NSA directors to legally protected use as long as you're doing it with or for a friend and it's related to your status as employees. Uh I I'll say that this area of labor law has a lot of gray lines, fuzzy areas, and important

caveats. So definitely talk with someone who knows more about this before doing anything too risky. But in general, if you're advocating to improve your working conditions with one other person, your boss is legally not allowed to do anything to retaliate against you. Um, so for example, of what some of those protections can look like, you can uh uh talk about your wages and working conditions. Uh that is categorically protected. It is uh legal for your employer to have a policy for be forbidding a discussion about your wages and your pay. uh as well as forbidding you from talking about the union as long as they let you talk about literally any other non-work activity on the job. You

have the right to confive uh collectively confront your boss about your work. Your boss can set up Zoom meetings with HR to ambush you. You and your colleagues have the right to do the same to your boss. Uh and you can strike without a union. You and your co-workers can agree not to work, including when you're needed most to pressure your boss over an egregious working condition. If you're working 18-hour incident response shifts, you and your colleagues can refuse to work the next one until your boss agrees to provide some safe staffing levels. And then if and when your rights are violated by your employer, you can file a complaint with the National Labor Relations Board who

provides an attorney to prosecute the case for you. So what about the public sector? For my fellow feds, there are unfortunately some uh key differences between uh public sector union rights and private sector rights. Uh however that that first slide about forming a union uh and having a contract and having that contract be enforced that's all broadly the same. Um the the first thing is that we don't get uh that mutual aid uh protections to be able to creatively organize when we don't have a union and we're also categorically forbidden from legally striking. Uh however we do get some more vigorous whistleblower protections for our individual concerns and these rights extend to managers too. Private sector also has whistleblowing

protections but I am not an expert in them so I'm not really going to talk about them because I don't know them super well. Um as feds we usually don't bargain over pay and benefits. Certainly not if you're on the GS scale though there are some smaller independent agencies that do uh bargain pay directly with their agency. uh but instead unions provide that institutional lobbying voice to lobby Congress and the president over pay setting and maintaining solid benefits as we recently did uh with the big beautiful bill and got a lot of stuff that would have destroyed federal benefits out of there through the the power of unions uh sticking together and advocating on the

hill. And as I mentioned earlier, the president can exclude agencies, components or positions from collective bargaining uh for national security reasons. The president can declare essentially without any checks as the courts have affirmed on Monday that any position is too national security critical to have a union and tell an agency to no longer collectively bargain or respect existing contracts. Uh even when you know CBP can have a union, they're not national security critical uh too much to lose their union rights, but uh FDA health inspectors and forest service people are. um it's blatant pretext to uh strike back against the institutions that have been pushing back against this current administration's agenda and winning in a lot of cases. Um

but nonetheless, the courts are kind of compromised if you haven't noticed and uh will let the president by fiat declare that people don't have rights. Um and also this the whole point of that law is to prevent like spook unions. Uh, so if you're in the NSA or FBI, you're probably not going to get get a union and you probably shouldn't have one. Uh, and then for uh state and local workers, it really differs uh by state and goes from no rights to all the rights. Uh, if you work for state or local government, uh, check with your state or local law, it varies kind of by political breakdown exactly how you would expect. Uh, as I

alluded to earlier, unions don't just exist in the workplace. They are advocacy organizations that yes advocate through legally binding contracts that cover a job, but also advocate for broader policy change and political power that benefits their members and working people. As good as we hackers may be getting at advocacy, we simply don't have the numbers that you get from building a coalition with working people across the country. Unions membership numbers and genuine ability to mobilize their members make them an institutionally recognized force at levels of politics. uh all up and down the spectrum and create an effective leverage point to push policy positions. Larger unions or groups and coalitions of unions are generally happy to carry

water for niche interests among their members, especially when they don't conflict with their other members interests. So in other terms, unions have a pretty robust policy command and control infrastructure that we could reuse to deliver our messages and our political uh policy payloads. We can dramatically improve our leverage by making things like critical infrastructure protection, right to repair, robust cyber security and privacy requirements and DMCA reform workers issues, not just hackers issues. To move from some abstract details to successes in or near our industry, the Alphabet Workers Union has won significant changes at Google without an exclusive union or exclusive bargaining rights. They formed what's called a pre-majority union. So, they haven't had an election to become the exclusive

representative of Google or other Alphabet workers. Um, that and Alphabet isn't required to bargain with them. Instead, they're organizing across Google's uh employees, contractors, and vendors to pressure and win concessions from Google. They've gotten the National Labor Relations Board to overturn a gag order on employees discussing Google's current antitrust cases, affirming the inherent legal right that everyone has to discuss their working conditions, even if your employer has a policy saying that you can't discuss it. And yes, the antitrust status of your work is a working condition. Um, they've pressured Google to use voluntary buyouts instead of layoffs during the recent tech industry wave uh industry layoff wave. They've gotten Google to extend the deadline for its return to

office policy, allowing workers uh more flexibility to change the living situation or find a new job. And you know, as I briefly mentioned earlier, they did win one uh exclusive uh bargaining unit with Accenture Workers contracted for Google's content team to help win protections for those folks there uh and do some actually exclusive legally binding bargaining. There's also this small relatively unheard of nonprofit around here called the Electronic Frontier Foundation. I don't know if anyone's heard of them. Uh they formed a union about two years ago and got their first contract in October. From what I've told, the EFF staff organized not in response to any particularly bad working conditions or a specific threat, but also they organized

to take the good conditions that they already had and just take it out of their leadership's complete and total discretion and put it into a legally binding contract that staff and leadership negotiated over. Um, in typical EFF fashion, they are fantastic and posted their entire contract online, so anyone can go and look up the wins that they got. Uh, these include guaranteed remote work, uh, employee and management engagement and DEI initiatives, clear pay scales and raise structures, anti-bossware guarantees, uh, and rental assistance for employees in the Bay Area. So many kudos to Cindy Cohen and the EFF leadership team for walking the talk on their professed values and many more kudos to the EFF staff who took the brave step to

organize and win a robust uh contract. It's stuff like this that makes me uh proud to be a monthly EFF donor and member. >> What was that? >> Uh I'll I'll cover questions at the end um just because I'm trying to make sure I I cover time, but I I will lock that one down. uh basically not being spied on by your boss and and monitoring when it isn't needed. Uh so at my organization, we had a more typical union origin story many many years ago, long before I started there. Uh we organized when a new leader came in and started making unilateral unpopular changes that prompted employees to form a union so that uh that boss couldn't

make additional unpopular changes without having to bargain or at least without a fight from workers. Since then, we've also won remote and flexible work as a contractual guarantee and are fighting to ensure that what is still a legally valid contract is fully enforced. Uh we've bargained over technology rollouts including AI to ensure they benefited uh how we actually got our work done and weren't a hairrained management disruption onto how we actually do our jobs. Uh and while security is still a management right, we get to bargain how security controls are implemented when they affect working conditions. It's in discussions like these where the power of having a multid-disiplinary union across an organization really shines through. So I as a cyber security person

can dig into the technical specifics of what managers are proposing and communicate the importance of having robust security and privacy protections to my co-workers but my colleagues who work more on the mission or business side of things uh can provide feedback on how that control will actually affect their work and when it will probably disrupt their ability to get their work done. um for management technical bargaining uh like this and impact rollouts. It's essentially a free uh consultancy user feedback session and uh we get to fix a lot of the stuff that uh they didn't think about because this may surprise you but management doesn't talk to each other across organizational lines in uh once you get above a

medium-sized organization. uh but workers do and so we can actually talk and work something out between us as cyber security workers with our users and business side workers that make usable security controls actually be implemented and meet the organization's needs. So despite some of these success stories I know that there are a lot of reservations and counterarguments about unions. There's certainly a lot of propaganda that gets funded uh to provide some anti-UN talking points uh especially in some of the highpaying, high-skilled or more technical work. Uh so let's walk through some of those common ones. Um the one that these rights that I'm talking about uh don't matter because employers violate them all the time. And yes, it is true that

employers violate uh the law for pretty much every one of the rights that I have talked about so far. As I said earlier, the president has decided that he thinks he can just take them away, and private sector employers will do a lot to ignore the law. Uh it could take years for a complaint to be processed by the National Labor Relations Board, and the remedy is essentially a slap on the wrist for employers. In the meantime, employers frequently use the time a case is processing at the NLRB to shut down union organizing or fire active employees. That said, those rights are still your rights. And while they may be a pain in the butt to enforce, the only

way to ensure that they get used at all and aren't effectively meaningless is to use them. Uh, more importantly, the power that we have as workers has never come from the law. The law has been a convenient backstop. It's great to have those institutions and resources there and when the worst case abuses, but the unions didn't come from the law. The law came from unions. Unions were organizing in the private and the public sectors decades before anyone said it was legal to do so. And our ability to uh use the labor that is necessary to create value wherever we work uh and to leverage that labor is always going to be the source of our power. In addition,

when you and your co-workers come together with allies, you can identify the other stakeholders and institutions that uh have leverage over your employer, whether that's their public relations, their investors, their supply chains. Uh research those and leverage those pain points to make it easier for your employer to work with you than to fight you. Uh there's the argument that unionizing leads to being outsourced or being fired. So again, it is illegal for your employer to retaliate against unionization efforts uh with, you know, threats of outsourcing or offshoring. Um you know, but as I just said, just because it's illegal doesn't mean your employer won't do it. Um and again it comes back to the point

where our power comes from being well organized and being ready to fight these threats, not necessarily from having the law ready to back us up, because the law occasionally will fall short, unfortunately. Uh though if your employer has decided that it's cheaper to offshore you than uh to respect you, then they're probably going to eventually offshore or outsource you anyways. They might do it slower uh where it's harder to organize against because there's no one single flash point to organize against. Uh but if your boss is feeling the pressure to make cuts uh and cut costs, then keeping your head down probably won't protect you. Uh organizing and making it painful for them to make cuts will

protect you much more than keeping your head down will. There's the concern that unions are corrupt or ineffective. And yes, some unions were historically corrupt, and some of the larger unions have not been as effective in organizing as I personally would like. They are ultimately democracies. The smaller and closer to workers a union structure is, the more responsive it will be to your concerns. And you can always run against an ineffective leader or just organize around them or even vote to be represented by a different union. You cannot outvote your boss. You can outvote the union that you are a democratic member of. Uh there's a concern that unions are Luddites. So first of all, don't knock the

Luddites. Uh read Blood in the Machine for some historical perspective on workers' fight to control their work in hyper-exploitative conditions. Most unions want to make their members' jobs easier. Um and will happily embrace technology that does that and that they control. To the extent that technology threatens their members' existing jobs or work, unions can serve as a democratic forum for technologists and impacted workers to hash out an ideal alignment with a fair transition and clear pathways for workers. Um, as I mentioned earlier, I get to do this very frequently at my organization, where we represent both the technologists developing the technology and the users who are going to use it. And it's great to be able to come

together and reach an agreement that works for all of us. Uh, unions will uh take and waste my dues money. So your dues money is more than going to pay for itself in pay and benefit increases. That money also goes to organizing more workers, which makes the labor market even more competitive when more workers are organized. Dues money also goes to help unions advocate for issues that raise uh the wage floors. A rising tide lifts all boats, even if it's not something that you feel immediately or see on your pay stub. Uh and then finally, especially I think for this crowd, there's the concern that unions will take your autonomy by eliminating privileges for high performers and destroying our

relationships with our bosses that might be pretty cordial or, you know, working out pretty well. The current level of autonomy that you feel is because your boss has decided to grant it to you and they can take it away or threaten it when they decide that they no longer need to offer it to you. By making a small sacrifice for a small amount of your autonomy for a collective contract, you build a shield that guarantees protections for you and your ability to act autonomously in the workplace. You also have the autonomy within a union democracy to campaign against agreements that you disagree with and try to get your colleagues to vote them down. So to tie things back to the current

moment, we are in a unique position as information security workers to protect each other and our communities. And we will only get there if each one of us decides to do something about it. It is a lovely paradox where our individual actions won't save us but will only build sufficient collective action if we take action as individuals. Thankfully, there are movements with the infrastructure and community to support us, and we don't have to do it alone. For us specifically as information security workers, we are uniquely positioned because everything is in fact computer. Computers are how policy is turned into material reality, how payments reach our neighbors, and how social interactions are mediated. As I argued at the top of the talk, the

current form of fascism realized this and really wants complete and total control over the computers with no ability for us to use our labor to dissent. They do not have enough people with the combination of competence and loyalty required for them to meet their objectives by themselves. So, they want us to get in line and be afraid of them. If computers are the spinal cord of government uh and really in most organizations, infosec is the bones protecting it and ensuring that the nerves stay in place. Given our positions of control over these systems, we can either rapidly allow bad actors uh to get in or we can enforce the guardrails that we know should be in place.

If we try to protect it as individuals, no matter how elite we are, how many black badges or, you know, how many talks we've given, they'll just fire us and replace us with the next person who will do what they want. If we organize our response, they have to spend time fighting us that they'd rather spend uh using what we built and protect to screw over our neighbors. As infosec workers, we're also uniquely positioned to force concessions from our bosses. By the time we're being hired, our bosses either have highly valuable assets that they want to protect or burdensome and, you know, costly compliance regulations that they're trying to be in line with. The marginal losses from losing those assets

from an incident or from a heavy fine um are dramatically higher than the uh cost of what we're normally asking for. Uh that gives us a lot more leverage than, say, the typical tech worker who's building a new product that hasn't yet been integrated into an organization's value stream. Uh if we look to Cory Doctorow's causal theory of enshittification, and what should prevent it: strong competition, regulation, interoperability, and worker power. I'm not going to count on any antitrust enforcement over the next three and a half years. And while we might maybe see some regulations on tech issues, maybe some right to repair laws and interoperability requirements come down at the state level, I'm personally not going to be super invested in state

legislators or any legislature taking robust action to meet the current moment. My confidence in those institutions isn't super strong. Um, our leverage as workers is the only systemic lever that we can count on not being captured, and we are the only ones who are able to pull it. So, our rights uh you know are not something that you just have to take from me. Take the word of Daniel Berulis, a cyber security professional at the National Labor Relations Board who blew the whistle on suspicious activity in their Azure environment. He and maybe one or two other people were the only ones with the visibility into these systems. No one else could have flagged this or saved the day. In his words,

you're not alone and you have rights that empower you and there is a community that is here to support you. Your rights to speak out about your workplace conditions or legally blow the whistle uh as both Google workers and Dan have shown us carry more weight than your NDA or corporate policy. Our bosses may want us to feel like atomized individuals, but we are not. There is a community that has each other's backs when we step up. And that community isn't really waiting for us either. The labor movement has recognized that privacy rights are workers' rights. Unions with the help of community allies like EFF have been leading the legal fight against DOGE's

invasions into our privacy. Unions have also been leading the way into bargaining fair AI use into their contracts and advocating for policy restraints on AI controlling and surveilling us at work instead of the other way around. When a ransomware incident strikes, other unions have been creatively showing what it looks like to demand an effective and transparent response and ensure a properly resourced cyber security program to protect their working conditions. And now I grabbed this slide because I was at Cyber Medcon a year ago and um uh Dena uh whose last name I'm blanking on from uh OPEIU Local 40 representing nurses in Eastern Michigan around Detroit came in, because their union was being very vocal

after the Ascension ransomware attack that took out 140 hospitals, and they were going on the news and advocating for, like, we weren't prepared for this. The organization might have an IT incident response plan, but we as nurses are completely swimming upstream when it comes to running a hospital in a ransomware incident. And so now, you know, Dina came here yesterday and was here at the I Am The Cavalry track, and they are getting a ransomware clause into their contract. They are making sure that they have the protections in place uh to be able to respond to those incidents. Now, whoops. Uh there are large swaths of workers in every field who are ready and willing to be in

solidarity with us. And again, kind of speaking personally from a moment, like, I love cyber security work. I love getting root. I love finding the thing that makes things better. I love it when my code runs and compiles. That sense of dopamine is great. It's what got me into this industry. Nothing makes me feel better at night or is as nourishing for the soul or makes me feel like I have neighbors in a community than doing this labor work. From enforcing my contract, getting a simple term, joining a picket line with food service workers who are fighting for better contracts at their jobs, standing with other federal workers who are trying to save civil services right now. That's the type of

stuff that can be exhausting. It can be draining, but the relationships that you build doing this work, uh, it can be scary, but it is the most rewarding work I have done in my entire life. Um, the way that we win, what we do next, is first of all, build relationships. That's the theme I've heard throughout all of BSides in multiple contexts. Relationships are how we win. If you're a manager, um, basically be chill about it. I think there's a lot of, if you're here, I'm going to assume you're a good manager. If your employees try to unionize, it's not because they hate you specifically or it's a personal attack. Like the folks at EFF, they might just

want to get their good conditions enshrined into a contract. Um, but basically, when you let your employees unionize, you also get, like, a dedicated workforce that will give you honest feedback and not become an insider threat because they feel like they, you know, are respected at their work. And that's pretty cool, too. They'll also, you know, give you some better ideas and um not have turnover. So, that's nice. Uh and then there are other things that you can do uh outside in uh civil society. And then for the rest of us, I think these are some great organizations that are here to help you. If you don't have a union, if it's just you and you're

looking to get started, uh I'm going to call out the top, the Tech Workers Coalition, which I'm a part of. I've got some friends here who are with me. We'll be here to answer questions. Please join. Uh and then once you join and get added to the Slack, come to the cyber security channel. We're there. We're waiting for you to have a conversation, to provide you resources, to answer what comes next or what can you do, to chat, give you whatever advice that we can. This isn't, you know, go out and be great, in vague terms. There are concrete resources for you. The QR code, I promise, is safe. It's just the GitHub

that has all of these resources and the slides, as well as many many many more resources like this fantastic book, You Deserve a Tech Union, if you're looking for some reading material. Uh there are some unions that uh represent tech workers. So there's CODE-CWA, which includes the Alphabet Workers Union. They're also organizing at Microsoft. OPEIU Local 1000 uh is doing some work as well, uh organizing mostly smaller tech companies. Um and if I've got to shout out my own union, they don't really focus on organizing tech workers as much. They mostly organize STEM uh workplaces and nonprofits that tend to include tech workers. But both me and EFF are represented by IFPTE. So I've

got to give them a shout out. I really enjoy uh the representation that they provide. So, and yes, uh this is a pitch for tools that will help you in your workplace, but this is also uh a cry for help and an ask for solidarity. My working conditions are tied to our industry's working conditions, and our industry's working conditions only improve if we all do something about it. There's a community and a movement that's ready and excited to support you, but no one can do it for you. So, my ask is to go out there, organize, hack your working conditions, and win. Thank you very much for listening, and don't forget to tip your bartenders and

cleaning service. And I think I've got time for like one question possibly. I don't know where the mic is. If someone wants to yell something out, I can repeat it. >> Um, I'll also be out after. >> So, you said that visas.

>> Oh, so like comment was on like H-1B visas and like the tech workers who come in from other uh yeah countries. So yeah, I think that internationalism is really important, and the idea that our working conditions are inherently tied together extends beyond like geographic borders. Like it is inherently a global industry. Um I think that like to the H-1B visa point, like I'm very glad that, you know, there's good tech jobs in the United States that other people have access to. I also think that the H-1B visa program in particular is incredibly exploitative um because it ties your ability to stay in the United States to having a job. And so if you

say wanted to speak out about your working conditions or improve them um and your boss fires you, you know, even if it's illegal, that doesn't matter because then you've got to leave the country. So you're um much more tied down, and it makes it harder for you to be in solidarity, for you to fight against your boss when you're on those visa conditions. So I think there's definitely a need for reform there in the protections that come with those visa programs. But I think once workers start seeing other workers, you know, as threats based on their countries of origin, again, that destroys that community, that destroys those relationships, and that's how we start to lose.

>> Um, and I'm at Logan Arma. Um, pretty much everywhere. Uh, full government name. Uh, come fire me Elon or whomever uh you send your way. And I'm getting the stop sign, so I'm going to come hang out. I've got other people who have also done this work who are here to give present uh to answer questions. We got a handful of stickers on the table. Uh, come say hi. [Applause]

Thank you for coming. We want to thank our sponsors that make these sponsors. Please visit them and we sponsors as well including formal and are two of them. So let's get started here. The gentlemen are going to speak with you today with PayPal and they're funny

and I'm going to turn the floor. If you don't have your phones off or on vibrate or mute, please do it. The talks are being recorded and also you'll be able to get the recording. Thank you very much. >> All right. Thank you. Thank you everyone. All right. I'm kind of a pacer a little bit, so hopefully the microphone doesn't go in and out too much, but uh yeah. So I'm Caleb Sergeant um and this is uh Blake. Uh just real quick intro, quick blurb about this uh this talk. So this isn't about security itself being an illusion um because you know anything can eventually be broken, right? Anything at all. This is more about challenging the status quo that modern

endpoint detections um that they're so advanced, right? That the only way they can be defeated is with advanced attacks, right? Um or super complex novel techniques. We just want to show that that is not true and that security can be broken actually with very easy methods. Um, and then so who are we? Hey >> everybody. Yeah, I'm Blake Hudson. I am an adversary emulation team lead at PayPal, which is just essentially a very very fancy way of saying that I do purple teaming and red team stuff. Uh, roughly seven, almost eight years of experience in the industry, kind of specializing in cloud security, infrastructure testing, and uh, this is now my fifth talk. I started last year

at BSides here and went on kind of like a slew of them last year and back here again. Man, this place is pretty awesome. And I just want to say if any of you ever have any information to share, get up. I recommend doing this at least once in your career. It's a pretty interesting experience. >> Yeah, definitely. It's been a great experience for me as well. Uh like I said, I'm Caleb Sergeant. Um Oh, we missed a really good opportunity. You had that shirt on. I could have worn the same shirt. That would have been amazing. Um but I'm an adversary emulation uh manager at PayPal. Um basically I do like a lot of bridge

building between the red and the blue teams. Um helping them emulate threats so they actually get like a red signal, right? I've been in offensive security for about eight years now. Uh I specialize in endpoint um security controls and emails. I know people are emails. What? Well, actually that's what those other two talks were about. So I recently did a talk in Troopers Germany about some email stuff. So if you want um shameless plug, go look that up. And Black Hat I did a talk with how Wong um he's also my manager in the crowd right there, and we did an email talk last year. So, yes, highly recommend it. You'll learn a ton. Um, and you'll meet

some pretty cool people. Uh, standard disclaimer, especially since we're here from PayPal. Um, we could say this all we want. Hey, we're saying this from uh, you know, us. We don't represent the company, but they say too bad you represent us anyways. However, there's a disclaimer up here anyways. Right. With that out of the way, let's quickly talk about agenda. Sweet. It worked this time. Okay. So, uh, we're just going to quickly go over and talk about what endpoint controls are, some typical bypasses that you'll see, uh, and exactly kind of why we are here and like what type of different approach we're taking. Then we'll talk about bypassing Zcaler, tampering with Defender, real attacks that actually work. Um, and then

we're going to have some more fun with some persistent admin. Um, and then once again, user stories. Uh, that'll be an interesting topic and we will go from there. So, what are endpoint controls? So, can anybody name an endpoint control? Just shout one out. >> It's not up there. I tried. Failed the magic trick. Uh, but yeah. So, like, so that's really split into two different types, right? So, we have like supportive and like direct sort of security controls. You have the things that are actually on the endpoint themselves, right? So, CrowdStrike, you have agents, um, you know, Defender, uh, and then, you know, there's other ones that are more supportive like Zscaler or, you know, like Jamf, um, Intune,

right? That's going to be pushing custom scripts, doing something to protect the endpoint that isn't just running code, right? People get super hyperfocused on stopping the shell, stopping running the code. There's so many other controls on that endpoint that you can break. And what are those typical bypasses, right? So, we're all familiar with living off the land stuff, you know, bringing your own vulnerable driver. I don't know if anybody's familiar with that one. Uh, building your own custom payloads, doing some um API hooking evasion, module stomping, DLL hollowing. I could just list all of them, right? These are all, you know, like more complex sort of things that you do need to know how

to code. You do need to, you know, understand something about Windows system internals, etc., right? Um well, the key um challenge to this is that we want to just uh evade that traditional, you know, like signature of doing these types of techniques, right? So, you know, we want to bypass an for example, but we don't want to um uh you know write like a custom script for it, and that's exactly what makes this talk different, right? Uh this actually started from a comprehensive evaluation of enterprise security controls that we were doing. We took a holistic approach where we're not just looking at, hey, this is Defender, CrowdStrike, whatever, all these different things uh by themselves, but

like as a complete stack: like how do they actually work and what can we do to like break them and then not have like a signal, like be able to bypass and not have our SOC, the blue team, be able to detect anything, right? And most importantly, we wanted to like challenge this like status quo type of term that's thrown around right now. Tamperproof, right? I don't know how many of you guys have advertised or have been advertised to that, hey, our product is completely tamperproof, right? Well, we saw that and we were like, what does that actually mean? And like what are you really claiming with this? So, we wanted to like challenge that uh why we were

doing this, and um with that, how can we make this uh easier, right? So I'll take a step back uh and then there will be like a little caveat with this, right? A lot of this stuff does require administrator access, right? So it does, you know, I think it even says, right, like yeah, it fundamentally changes the security balance, which is true. But you could do a lot of really really terrible things to an endpoint um you know with admin. We know that. Um but also as a low-level user, and here are going to be some of the things that a regular user, anybody, could do, right? You can uninstall. You can manipulate the file system. There are custom scripts that

are running: who can access those scripts, who can, you know, modify those, who can modify registry, etc. So um that is that, and we're going to start with Zscaler. Um I guess we're starting at the end of the alphabet. I don't know. Um we just decided that this is where we were starting. Um so when we started this uh we wanted to like have some sort of like pre kind of like requisite for this, right? So, a good way whenever you're doing research for things um especially like this uh I'm sure people are familiar with the idea of um memory like or not memory comparison um patch comparison, right? So you go and you look

at one patch and then new patch and you're like cool, what's the difference, right? And then you go, you know, but that's way too complicated for us, so we just look at CVEs, right? So we go look at old CVEs, so did they fix this thing and is there a new way to bypass it, right? So there are different techniques you can do that besides um you know going and actually doing some patch diff, right? So in certain cases here it says Zscaler can be disabled by PowerShell commands, right? So we took this as the basis. All right, well, they claim to be tamperproof. Let's actually see um what they can do. So with

that I've talked about for eight minutes, so now it's Blake's turn. >> All right, so uninstalling Zscaler. So typically when you have Zscaler running on your system, an end user is only really going to go to, say, like the settings menu or control panel to try to uninstall it, and they'll get a pop-up window like this. You have to put in the password. Well, okay, that's that direction, but they don't anticipate a lot of users just going through programmatic access. Just very simple PowerShell commands. Okay, hey, use basically PowerShell wmic, get a uh whatever the application is based off of this name Zscaler and then append uninstall function. This

will wipe out Zscaler from this. It doesn't ask you for a password whatsoever. And at that point, wiped from your system. Here's another route. Uh, basically this one's in the cmd terminal, but again, wmic command. Find where it's like Zscaler. Go ahead and uninstall it. Here's one that's a little bit different, but you use wmic to get the GUID for Zscaler, and then you use msiexec to then uninstall it. And then just a pure PowerShell. Get the package name like Zscaler, force uninstall. All of these again do not require any sort of password to do this. However, uh by today this has been fixed, and now there is a separate password you have to set to

protect yourself from this way. So a lot of the stuff that we are going to talk about is fixed today. Uh it might just be a misconfiguration on your own end if you don't have these things uh readily available or set. So something that a lot of organizations do as well is they try to enforce, you know, there might be some sort of security policy enforcing that you have Zscaler on your systems. Well, usually that's kind of pushed out by something like SCCM. And this is just kind of like an example. Um, what you can do to try to stop that is just go hunting through your SCCM folder and just look for these installation files. Again, SCCM is going

to be trying to roll this out at whatever predefined uh time period, and you could just go in and wipe these out. It's never going to get reinstalled. It seems like SCCM tries about once a week, and then after that it gives up. So, just kind of an interesting little side tidbit with it. >> Um Oh, back to you. >> Uh back to me. Oh, yeah. So, this is super simple. Uh very, you know, poor man's way of uninstalling. Uh you can do this on Linux and Mac, right? You just rename the thing. Uh and after you rename the thing, um you just uh reboot and then you can just remove it, right?

And the reason you have to reboot is because it does put locks on a lot of these uh you know uh these files, and you know we don't want pesky locks. So we restart the system, and then, you know, hey, we're now Zscaler disabled, and then we just uh yeah, then we just get rid of it. And speaking of, um, we can also abuse built-in scripts. So this is kind of what we were talking about with the uh like the Intune and the Jamf, even SCCM to an extent, right? So things get pushed out and a script gets run, right? Um uh and sometimes you can modify and like get all screwy with them. Uh sweet, this

video actually looks great on this screen. I wasn't sure how it was going to look. So um it's a video, but I just want to kind of like walk you through what's going to happen and then I'll talk through the rest of everything, right? Okay. So, uh, we're going to uninstall Zscaler, but we're not going to like just use like, uh, you know, the method before. We're not just going to rename stuff, right? We're actually going to use the proper executable to uninstall this. Well, uh, if you've looked at some applications, they have like a bunch of like weird scripts sometimes in there, and you don't really know what they do. And that's

what we found here. So, we're just looking at our Mac and then we see within the Zscaler directory that we have a whole bunch of scripts, right? Like config, any, you know, um clear data, etc., right? Well, this clear data one was the one that I thought was really interesting, right? So I was like, what does clear data do? So, you know, hackerish, I'll look at it, and then I'm like, hey, this says this is deleting a generic password with like com.zscaler, Zscaler, everything, right? And I'm like, that sounds really bad. Like what happens if an administrator just ran this like out of order and, you know, you didn't know what happened. So, or you

know, so that's exactly what I did. Um, so we take this, or we look at the script, and then we're going to run this clear data, and then that's exactly what it does. It goes through and it deletes uh everything out of the keychain that says com.zscaler, right? Well, the way Zscaler works is it actually sets a password locally whenever you want to uninstall it, right? And whenever you run the uninstall script itself, um, it goes and it validates that password. It checks it, right? But if that password isn't there, anybody guess what happens to that >> uninstall. >> Yeah, it fails open, right? Cool. Yeah, we love when it fails open. So, that's

exactly what happens. Woohoo. Right. So, we run um the script. The password's no longer there. It compares against nothing. And whoa, where'd Zscaler go? Yeah, that was my thought, too. It's gone. So, uh, yeah. So, you just use the regular uninstall um command or executable, but you run a prerequisite script. So, this actually tells you some information about like some other security products, right? They're probably storing a local password. If there's a password to tamperproof it, um, it's probably on the system itself somewhere. So, if you delete that password and it goes to do something, it just may fail open for you as well. So, that was a pretty cool trick. Uh, no, I won't

bore you guys again. Um, all right, more bypassing Zscaler. And back to Blake. Yeah. Um, and that's kind of like a common theme with a lot of this stuff, too, is the same tactics work across multiple different products and even things that we're not talking about here today. The same ideas kind of applied to a lot of different stuff across the board. But, uh, so bypassing Zscaler. Yeah. So, one of the things that we kind of tested, and we use this great tool called EDRSilencer out there. I wish I knew who actually created that because I'd give them a shout out, but essentially it is putting in WFP filters, basically kind of like firewall filters,

and you point it at the specific binary. So, when the processes start up, it will just basically block cloud access out to the internet for these specific things. And you can see here in the image, the Zcaler is having a AV error and it can't reach out to the internet. What does it do by default? Fails open. So you now can access whatever you want out on the internet and then basically remove all of these firewall filters and you're right back on basically kind of no one knows that you did anything to circumvent it. Another really really simple one is just keep killing the tunnel the process. I created a really simple bat file. Every

second, it's going through taskkill. Just kill that ZSATunnel process over and over and over again. It keeps failing, fails open, you get access to the full internet at that point. And again, both of these have actually been fixed, and they have process protection on these things now. So you can't do these. But the same idea, again, is across the board. You could try this with a ton of different endpoint security tools out there. VPNs. I'm sure everybody here, or at least some people, have. You can go out to AWS, stand up an OpenVPN server very, very quickly, you know, just a couple minutes, install the client locally on your system, force all the traffic through that VPN, and you bypass Zscaler completely as well. Get whatever you need, whatever malware from the internet, install it on your system, turn this off, and hey, Zscaler doesn't have any idea what you just did.

Oh, this is a fun one. So this is actually, as a low-level user, in the registry there's something called the PAC file, and I don't remember what that stands for.
>> Proxies
>> proxy thing. Yeah.
>> Yeah, that thing. Yeah. So this PAC file, this is actually the rules, essentially, that Zscaler is going to be following for allowing or blocking specific things. Well, a low-level user could go right into the registry and then set this to whatever they would like this to be. So you could put another local file up there. You could put it on a remote cloud server, something else on your internal network. And basically on Windows, you could tell it allow everything. And this would fully bypass everything for Zscaler as well, and then point it right back to the original thing, and you're back in action. No one in, you know, your SOC would even notice. I think it was a little bit different on Mac.
>> Yeah, I was about to say, Blake one-upped me on that one. He got it to work on Windows, and I tried my darndest. I cannot get it to work on Mac, because the way

Mac actually handles the entire proxying, it defaults to Zscaler, not the PAC file itself. No.
>> Oh, yeah. So this is actually kind of like where everything started, right? This entire, yeah, everything, right? So I was looking at Zscaler and I was like, well, how can I mess with this, right? So I started looking at a plist file. Any Mac gurus out here know what... yeah, there you go, what the plist file is, right? It's basically like a properties list. It says, hey, this is the application, and these are the things, when it runs, it needs to know about these things. First of all, one is an environment variable, for this one set as opt, and it actually just passed in the string zscaler, right? So what happens if you just remove zscaler? That's exactly what I did, right? So I just went in and I edited the plist file. I took the word zscaler out of there, because if it doesn't know what this variable is, then it just fails, right? And this goes back to the same thing. It's failing, and then it has some sort of error. Zscaler is actually pretty good about giving some sort of error within the little GUI that's kind of like pointing you in the right direction. Later on we do have some configuration fixes. So, you know, it's not all doom and gloom. There are ways to fix this, to not make it fail open, but these were configured in a way that, hey, if you broke this, the traffic would just go out wherever, right? And then you just... Yep. So that was pretty cool.

Once again, just like Blake did, you just take down the tunnel, right? So if anybody's done any sort of Wi-Fi work, that's exactly what you're doing right here. You just take down the tunnel, or the interface, and then use a packet filter: hey, anything that comes through this tunnel, drop it, right? And then you actually get a different error in here. Basically kind of the same thing. Another one: restarting from the UI, right? So we give users access to the UI in a lot of things, right? And a lot of it is, you know, locked down, but in this case you can actually really just spam that button. You can just spam it, and then for about 10 seconds Zscaler was none the wiser to whatever you were doing, right? This also doesn't require admin or root. Once again, this is another configuration that you can change. But as you see, does anybody know what this is that I'm running over here? What we downloaded from that

code? Anybody look at it? No? That's secretsdump, right? So, yeah, we downloaded secretsdump. Zscaler doesn't care, but generally it does block that. It does not like it. Another way: by default we could actually just download and install Tor, and all of the Tor traffic would go through Zscaler like it didn't care. And I was like, that's kind of weird, right? Like, Zscaler, you would think, network proxy, block the bad network stuff, right? Well, it didn't. What could possibly go wrong?
>> Well...
>> Right. Yeah, exactly. Onion? Never heard of the guy, you know, sort of thing. So, yeah. So this also doesn't require admin or root. And of course, somebody from policy out there is screaming right now, well, you shouldn't allow applications that you don't know what they are installed, etc., etc. Well, there's actually another bypass for that. That's this top one up here, right? It says, like, Safari Light. Cool. We allow, or you allow, Safari Light in your environment. And that's what we did. Well, that's not actually Safari Light up in the top. We just, once again, told a plist file that, hey, this is actually Safari Light, but that's really Tor. So we just renamed Tor to Safari Light, and we're like, cool, we're in business again, right? So don't come at me with your policies, you know. And then this is pretty simple too. If you work with Python or anything in your environment, this is a common thing, right? You know, if from the terminal you want to run something over some sort of proxy, that's what you do here. And there, yep, there's our secretsdump right there. This, once again, is no big secret. You can kind of do this anywhere, but this does by default bypass Zscaler. Once again, we're not just beating up on them. They just exemplified a lot of the things that we were coming across, and we found ways to bypass that. And then kudos to them. We'll talk about it a little bit more later, but they did fix a good amount of these issues. And then, all right, we're done with that one. So we also did this to Defender.
>> Yeah, good stuff here. So, bypassing Defender. Well, obviously, with the same thing, EDRSilencer; it's kind of built into the tool name, right? Putting in these WFP filters, you can just point it at Defender Advanced Threat Protection, so the EDR portion of it, and it will block all the cloud access. And you can do this manually as well. This is just an easy, convenient tool to do it. But this will basically silence it, so all of the telemetry doesn't go out to your SOC anymore. And the one

thing you still have to worry about, obviously, is the Defender AV is still working. So that will still send data out. But at least from the SOC's perspective, if they're only paying attention to Advanced Threat Protection, they're not going to see anything that you're doing at this point. And then, very, very simply, you can just turn off or remove all of these filtering blocks. That's a pretty standard one. And then this kind of goes out there. I'm sure a lot of people already know this, but if you give people local admin on their Windows systems, you can just download something like Mimikatz. Obviously Defender is going to catch it. It's going to quarantine it and then delete it. Well, maybe a lot of people don't know this: you can just open up the Defender console locally and restore it back to disk, and then there's another popup that says, do you want to allow it? Yes. Mimikatz is whitelisted on your system now. And you can see you run it perfectly fine. So that's something, you know, we're also sharing a lot of this too so that you can take this back to your own organization, run these same things, make sure you have detections, because all this stuff, no one should be doing in your environment whatsoever. And after we did a lot of this stuff, we were finding people in our network doing these things. So, yes, pay attention to that.

Okay, what about fully disabling EDR? So here is a video. I'll kind of walk through it real quick. We're just going to show here that MsSense, or the Advanced Threat Protection, is running. And then we're just going to go through and show the permissions on it. You can see that TrustedInstaller is basically the owner. And then we're going to go through, and there's a really, really critical DLL, MsSense.dll. Well, you can tamper with that and then completely wipe out and disable the EDR portion of Microsoft Defender very, very easily. And okay, so yep, we're just showing that it's running. We can see the MsSense DLL. Yep. And it is owned by TrustedInstaller. What we're going to do first here is take ownership of it. And then we're going to give Administrators full access to that specific file. Once we do that, we're just going to go ahead and rename it. You can delete it at this point. You have full ownership of this specific DLL. Go ahead, reboot. And when this comes back online, you'll see MsSense keep trying to start up the service, but it fails because it doesn't know where this really important DLL is now. And at this point, the EDR will be completely killed. Your SOC has no visibility into what your system is

doing. They can't quarantine you. They can't isolate your system. They can't jump in and take any sort of preventive actions. And you can see the service has stopped now. And we have a pretty good response from Microsoft about that.
>> And then, so yeah, so we disabled the EDR portion. For those who aren't familiar, Defender has, like, two different... well, depends on who you ask. But it has two main parts, right? It has like an antivirus, and it has like the EDR portion, right? The actual protection piece, and it does all the telemetry and everything, right? Well, Blake, he disabled the EDR, right? And I couldn't be one-upped, so I had to, you know, disable the AV itself. And I'll go ahead and pause this, and I'll kind of talk through it a little bit first as well. So I'm running mdatp health on the Mac, which basically says, hey, what is the status, and tell me everything about Defender, what is going on with the system itself. And then, as you see, it's like, hey, it's healthy, it's true, it's running. We're going to make it very unhealthy here in a second, though. And we're going to do that, once again, by permissions. So with Defender, what you need is, it needs definitions, right? It needs a library of definitions to be able to say, hey, this is bad, this is bad, right? Sort of thing. So what we're going to do is we're going to go into Defender, and we're going to change the permissions to the entire directory, and make it where nobody could touch it, right? Like, not even root, right? So we're going to give it no permissions, and whenever it does that, we're going to restart the system, and whenever the AV goes to check back in to the libraries to see if it can do the thing, it's not going to be able to do the thing. So anticipate seeing that.

All right. Back at the beginning, we run this. This is, I'm downloading the EICAR file. I don't know if anybody's familiar with what that is, but basically it's a file, if you ever want to test AV like ClamAV or whatever and say, "Hey, is this seeing the bad thing?" You can download it, and it'll see the bad thing. And as you see, Defender actually deleted it. It was like, "Yep, that's terrible." We'll actually pause the video right here. Yeah, it's like, "Hey, that's a bad thing. We're going to delete the file." So it says zero files. Whatever. Zero files are there because it already deleted it. Then we're going to go through and we're going to change the chmod to all zeros on that directory. And then we'll try to look at it, and we look at it, and then we see that, hey, this is actually now false for the mdatp health. We'll go ahead and restart, time travel a little bit, and then we are actually just trying to update the AV, right? Just, hey, check the definitions, making sure they are all working. And once again, we'll check mdatp health. It is very unhealthy now, right? It's like, yeah, I'm not working at all. And just to demonstrate that it actually works, I'll download the EICAR file, and it's on the system. Before, you saw how it automatically got deleted. Now it's like, one file scanned, and it's still there.

So, yeah, just with simple file property manipulation, as far as permissions go, you can entirely disable your EDR and your AV, right? So I imagine you're like, "Cool, did you guys tell Microsoft?" You hear at BSides, talking about it. Well, of course we told Microsoft about it. So then you're like, "Well, what did Microsoft say about it? Surely they gave you like a $30,000 bounty or something, right?" They were like, "Hey, you can do a lot more damage with administrator access than that." I'm like, "Yeah, but what else besides disable your AV and EDR? What is more important than that?" I don't know. But yeah, so they closed out both of our tickets saying, "Hey, you can do more damage with that." So...
>> Very expensive products that you can just disable that easily, and it's kind of like...
>> Yeah.
>> All right. And into safe mode.
>> Oh, yeah. Before we get to that, but it's kind of looped in with this. So we did test another EDR product that we got our hands on to do some additional stuff, and we found out even with that one you could basically do the exact same thing. A lot of file manipulation to just take ownership, deny access to everything throughout Windows, so that none of the specific services could even be executed or run. What you could also do, though, is if you are local admin on your systems, you can get the BitLocker recovery key. Nope, I'm skipping forward.
>> Really? Okay.
>> The...
>> You don't need to be local admin to get the BitLocker recovery key from PowerShell. That's true.
>> Okay. I think I only tried it as admin.
>> Yeah.
>> Okay. Interesting. So, yeah, you don't even need to be admin for that. Well, obviously once you get into safe mode, then as a regular user, you can then just start uninstalling a lot of the really, really important stuff, like the kernel drivers, taking ownership of those and then deleting all of that stuff. And that's kind of the point of safe mode. My understanding is that it's to boot Windows into a mode where almost all third-party applications aren't really running, so that you can debug and troubleshoot things. So, BitLocker. Yeah. Here it is. This real simple command, you can get the BitLocker recovery key, which, as people have stated, you can do as a low-level user, so even worse than what we anticipated. Once you have that, obviously you can go in and start disabling a bunch of stuff. Obviously, in here too, in our experience, you could create new users, you can download

things. Well, you can't download things, but if you already have Mimikatz on the system, you're going to be able to run all of these things, and then once you get it back onto your corporate network, it didn't seem like all of these logs then just got dumped and a whole bunch of alerts were generated. You were able to do all of this stuff kind of blind, get back on the network, and no one would be any the wiser that you did these things. Creating new local admins, you know, running Mimikatz, things like that.

CrashPlan. Anybody here familiar with that service? Yeah. So, pretty popular in the backup space to help with, you know, obviously, ransomware. They don't make any claims that they have tamper protection by any means, but just to show, you know, this is another really important one for ransomware. You can just very quickly and very easily run the exact same things to uninstall this specific service as well. Now, that's not that big of a deal. It still has tons and tons of backups, right? Well, no.
>> Okay.
>> That doesn't really matter. If you go through the actual console that's on your system, you can navigate around, and it will bring you to this admin page for your systems, all of the systems that CrashPlan has for you. And very simply, you can just click on the system you want and then set it to deactivate. Everything is wiped. Every single backup that they had on your system for the past 90 days is gone now. Free to do ransomware, unless there's other protections, but for the most part, that's kind of like the big glaring hole there. Other controls.
>> Yeah. So there are other controls on your system, right? Besides just, you know, the EDR, all this fun stuff. So simple ones are just like Gatekeeper, right? If anybody's not familiar with what Gatekeeper is, that's essentially Mark of the Web on Mac, right? Up here in the top right, you'll see that, hey, I'm downloading something just from a local server. But since it's coming from a browser, it puts the Mark of the Web on it, right? When you go to execute that thing, in this case it's like an app inside of a DMG file, right? Nothing malicious. And it says, "No, I'm not going to let you run that because you downloaded it from the web." And I'm like, "Well, I'm the administrator, so I'm just going to turn this off." So people in your organization, if they have local admin access, they can just disable Mark of the Web. And if they're doing that, then bad things could happen, because then it actually asks you, it's like, "Hey, you

sure you want to open this?" It actually gives you the option. And yeah, we've actually run successful campaigns with this. So you hit open, and then it'll just pretty easily run the code over there. We talked about sudo, and, you know, run-as-administrator access, quite a bit. So there's a way, you know, you can detect, right, if somebody is running sudo that shouldn't; they're going to get, you know, reported to the administrator, right? Well, we know a way: if you just run it through osascript and just say, "Hey, with administrator privileges," it doesn't actually... if you're looking for sudo in your command line, any sort of telemetry, it's not going to show that. It'll show this, and then you get to type in your password and everything. So this is a pretty neat little trick to bypass anybody trying, you know, trying to bypass any sort of detection around that. Once again, yeah, you can erase a lot of things, right? Just, hey, if you're, you know, inside your syslog, if you are looking at everything, or if that's where all your logs are going, you could just delete it, right? And then this is also another thing that we kind of touched on, right? You can change... well, does anybody know what immutable is? Somebody shout it out. What's immutable? Somebody say it.
>> You can't cover something up. There's always a record of what happened in the past.
>> That's right. There's always a record, and then you can't change it, right? Like, so if you set something to immutable, it means it can't be changed anymore, right? So, like, even if you're the root user, you have to unset an immutable flag on something to be able to touch it again, right? So, as a bad guy, if you want to go in and then backdoor or mess with any of these different, you know, sensitive files right here, you change it and you set the immutable flag on it. Even if there's something that's supposed to come up and clean afterwards, it won't actually work, because you set the immutable flag on it. So that's another neat trick. And what would a talk be without AI?
>> Oh, yeah. Everything has to have AI, right? Including this talk. So AI gets looped into everything these days, right? And one of the things that we have seen out in the industry is that they're starting to hook AI for role permissions, or granting roles, into something like Teams. And maybe you guys have an internal, you know, AI bot that handles a lot of that kind of stuff. Well, very simply, you might be able to

just ask it to give you local admin permissions on your system. And this might bypass all of the... you know, there might be an approval process for you to normally get that. This might just give it to you, and it might just give it to you at the longest length of time that you're approved for, a specific admin. Going into some persistent local admin stuff. This is probably going to be stuff you guys all know, but say you are granted, you know, you have that real brief window of local admin. Well, how do you get that to be a little bit more persistent, tampering, continuing to tamper with the system? Well, there is always that built-in local Administrator account. Just go ahead and change the password for that specifically. And obviously this might be controlled by something like LAPS, or Local Administrator Policy Password Solution. Yeah, Password Solution. And by default, this actually sets that password for that user for 30 days. So you could set this for yourself, and you might be able to have a semi-persistent local admin for 30 days. And these are things that you need to be aware of in your environment, because there might be people doing this to try to circumvent some of these approval processes. Now, what you can do to make it permanent is just go ahead and uninstall LAPS. But you have to do this after you've set the password. Otherwise, no one's going to be able to get into it whatsoever, unless they have much, much higher permissions. So, yeah, once you did this, now you control this account. Any sort of help desk or desktop support that tries to get into your system to do something administratively, they're not going to be able to use that account whatsoever, and they'll be locked out. Yeah, obviously you can create your own local admin as well, but in our experience, just throughout all of the years, it seems like there's always some sort of script that will strip that away at some point.
>> Yeah, exactly. And the reason that we're talking about this is because, you know, we do need to allow people to do some sort of administrative actions on their systems, right? And there's a lot of just-in-time access that you do give users temporarily. Well, this is more of like, hey, if you give them temporary access so help desk doesn't need to help them install Adobe, then they could do it themselves, kind of thing, right? Well, what can they do to bypass that, right? And then actually maintain that access, even if you put a banner up there that says thou shalt not, you know, circumvent security controls, you know, they don't really have to listen. So you can enable the root account, right? That's a pretty easy one. Neat trick. I don't know if anybody knows about it, but the root account on Mac isn't enabled by default, but if you're root or you have sudo access, you could just enable the root account and then use that. And if you don't have anything checking to make sure the root account isn't enabled, it could persist. And here's a list of different things that you could do, right, to create like a stealth admin on a system. This is a script that I ran. And the neat parts about this are

I guess, like, on the third, fourth line, where it says UniqueID 509, primary group of 80, etc., right? You see that it's not actually setting anything to the administrators group itself. So, you know, in the Linux/Mac world, you can assign different IDs, like the group IDs, directly to the user itself without putting it in those groups. So if you're doing something like, hey, check for all admins in the group, you're not checking for everybody in group 80, or group 10, the wheel group, right, that do have admin access. You're just checking for, you know, admins, right? So, yeah, this goes through, creates a shell, you know, does eventually add it. And then this script right here is just exemplifying exactly what I was talking about, right? So, not the cleanest-looking script, but at the top you'll see, hey, this is going through and, you know, doing a loop, and it's looking through all of the users, and then it's getting the primary group ID, right? Well, we see that, hey, our stealth admin user is assigned to group 80. But next, if we look at all of the administrators in there, we'll see that our administrator is not in there, right? So just be careful what you're checking. You need to actually be checking the group ID membership itself, not just relying on, hey, who's in the domain admin group, sort of thing, right?

Another thing. So, hey, users, they could just add themselves, right? If they have admin access, what's stopping them from, you know, four or five different ways, especially, you know, with AI assistants out there to tell them how to bypass the security controls, right? How can they just add themselves? They could just add themselves to these, and then, yeah, just set the immutable flags. So that brings me kind of to our users, right? I wanted to quickly talk about user stories, you know, like, don't have any Jira flashbacks or anything. Not those types of user

stories. I'm talking about the user stories that you hear from the trenches, right? So, as security professionals, we look at a lot of this stuff, right? And if I asked you, I was like, "Hey, you know, go to the MITRE framework and show me what you're talking about," right? Most of you would probably come up here: Impair Defenses. That's what almost everything that we're doing is, right? If you go to TTPs, or, you know, MITRE, this is what most of you would come up with, from a technical point of view, right? Well, what do the users actually see, or what do they hear, right? They hear no, right? Like, that's what they hear from you. They hear no, you can't do this. No, you can't do this. This isn't a preachy thing about, hey, allow users to do whatever, because obviously we don't want to allow the users to do whatever, but we need to give them a reason why you can't do that thing, or at least prevent them from being able to do it in general, right? And I'll just quickly run through some stories here. This is, I don't know if any whippersnappers... this is Stack Overflow. We used to use this before AI assistants, you know. And this is actually what would, you know, give us all the code for us to copy, right? This is what started a lot of this. Basically, a contract worker went in there and was like, hey, how can I disable Zscaler? It's just out there for everyone to see, right? So, yes, so you can just disable it. What about talking to the users themselves, right? Well, you know, we've had this instance of people saying, hey, I'm not in the sudo file anymore, even though I put myself there. Wait a minute, why did you put yourself in there, right? So users will do crazy and weird things, right? Like, hey, you know, hey, I wanted to... I forgot what this one is for, but yeah, like, oh, this is the email saying, hey, why did you do this, right? Hey, I'm just vibing, you know, and then I just want to disable some UAC, because, hey, that's a security control. I don't really care for that. It makes my job hard. So let's disable UAC, right? Actual things that have happened. We've seen these things.

But yeah, so enough about user stories. More about the disclosure. So we did actually report all of this to Zscaler. But it took a little bit of relationship management to actually be able to get some of this stuff to go through, because last November is whenever we reported some of this stuff, and it was kind of like crickets. But, you know, relationship management, we actually got some stuff moving. And they released patches, or have fixes, for 14 of the 17 issues. So I guess if you want to go hunt and see which three still work, have at it. So these are the configurations. If you ask them and say, hey, I'm having this issue, these are the things they were going to tell you to do. So I made it easy for you if you want to take a picture and run with that. Oh, no, I'm sorry. No pictures, what she said. Yeah, what she said. Mental picture, right. And Microsoft. Yeah. Hey, we reported it. No impact there. And then, with that, Blake, you want to do the recap?
>> Not prepared for that. Let's see. Recap. Probably not, because I haven't read it.
>> Oh, okay. It says, "Can you uninstall the thing?" Yes. So, yeah, this is just another sheet, or another slide, that, if anybody... basically this explains all of the ideas, a lot of the bypasses and how to take advantage of them. And yeah, that's pretty much it. It's usually a picture slide, but no pictures. And with that, any questions?

>> Thank you. Yeah.

>> What was it?
>> If we had tamper...
>> Yeah. Supposedly we had everything set to the maximum protections according to all of their standards. But yeah.
>> Yeah.
>> Yeah. So can you talk a little bit more about the illusion, like what kind of... And then also, with this, possible true or false?
>> Yes, to an extent, right? So, like, yeah, the illusion part, like I spoke about in the beginning, it's that, hey, we wanted to challenge the tamper-proof, right? A lot... we have tamper-proof enabled on all of this stuff, right? But even with admin or low-level user access, there is still some way to get around it, right? So really wanting to challenge that, since that's kind of a buzzwordy thing right now. And then, yeah, we had tamper-proof, you know, everything installed.

>> Any other questions over here?
>> Did you get any bounty money for the disclosures?
>> Any bounty money? No. We're actually trying to get CVEs for some of the stuff as well. Since there is a precedent for them actually issuing, but they haven't. So, yeah, we're here talking about it.
>> Yeah.
>> Okay. Oh, yes.
>> What Microsoft suggested privileges to dose?
>> That's a good question.
>> Yeah.
>> Yeah, at some point, I would say, yeah, we need to dig into that a little bit more. Let's see what
>> they think is actually as bad.
>> Yeah. Slides. Yeah. I mean, I guess we can put them up, right?
>> Yeah.
>> Yeah, we should be able to. Yeah.
>> Yeah.
>> Okay. Well, awesome. Thank you very much, everyone.
>> If you look at my GitHub, I'll post them up there. Caleb Sergeant GitHub, and I'll put them up there.
>> Thank you very much. Yeah.
>> All right. Thank you, everyone. Please watch.