
So I'm Josh Corman. Ian asked me to come rant. I probably will fluctuate between righteous indignation and useful advice, I hope. But as some of you that know me, I say that every year at RSA I want to quit security, and funny enough we're going to have a rage quit with Boris and Javvad and Jack Daniel immediately following this. So on the one hand, you know, I get very frustrated with our digerati; on the other hand, they're family. So I've been feeling a little raw lately and I figured I won't have the courage to be this raw and this honest. I told people I was going to be more candid and they said, "Aren't you always candid?" But please don't take this as preaching, just take this as more of a confessional of why I find it frustrating to be in security and why I know we could be better.

So I do very strange research. I research a lot of topics; a lot of you scratch your head as to why I research the topics I do, and I don't matter at all, I'm just desperately trying to seek knowledge. I'm desperately trying to find a way to do this better because I think there's real consequences to what we do. There didn't used to be consequences to what we do; we would fight script kiddies, maybe a little organized crime. But it just really bothers me that we spend 95% of our time and money protecting credit cards instead of focusing on things that actually affect our personal lives. And every time I want to quit security I look at the fact that I have kids, and my kids have to live in the world, I have to live in the world, you have to live in the world, and the security concerns are well beyond credit cards now. It's not just about protecting your organization, it's about your safety, your critical infrastructure, your medical devices, and this isn't FUD. I mean, we make very bad decisions on an ongoing basis about putting software and unreliable systems in places where it is unwarranted and unwise. So I want to take this opportunity, right before the rage quit, to talk about the parts of security where we could improve.

So that's just my Twitter handle if you want to tweet profanities at me. I am not an expert, right? I'm so sick and tired of people calling themselves experts on something they've been doing for a year. It takes a lot of work to become an expert on something. We have pockets of expertise, we have pockets of experience, but I'm sick and tired of people calling themselves experts. But seriously, I do worry about where things are going. We tend to get very frustrated in how we define our jobs, but if you expand that scope a little bit it becomes pretty serious.

One more thing, because Conrad's going to accuse me of being self-righteous and sanctimonious or having some inflated sense of self-purpose: I'm not important. I think the things I'm concerned about are important, so it's really not about me. So let me try to defuse that. I've struggled with this a little bit, but one of the reasons I'm a little raw right now is, you know, my friends know this, but I had a very rough year last year. I overextended myself, I overcommitted, I did some very risky research on Anonymous. Some people really respected it, some people attacked me. Leave them alone. But you know, I was trying; I looked at it as an important phenomenon. I didn't mean to, but I worked with ... and Kim on it. I started the Rugged thing several years ago and I thought it was pretty much cruising along, and all of a sudden DevOps came up and we had a hard year with DevOps. But at the end of an already really tough year, my mom was 58 years old, she abruptly had a stroke. It kind of messed with my head a little bit. She started getting a little better, and just after the holiday she passed away. And you know, we talk about these things as, you know, maybe too personal for on stage, and maybe it is too personal, but what it's really done for me is: you know, we work really hard hoping that eventually we're going to enjoy ourselves, right? But it really kicks you in the gut and makes you wonder what your priorities are, why you're doing what you're doing, and if you're doing things that matter. And I definitely want to do things that have a purpose and matter, and I think part of the reason we're as burned out as a community as we are is because we're not finding purpose. We're doing activities, we're doing work, it's futile work at times, but we lack purpose. So, you know, I hope by the end of this to maybe give you some ways to insert a little purpose into what you're doing. I hope; maybe I'm wrong.

So I worked with a Navy SEAL who had PTSD and whatnot, and this is how he put it: he said that he wanted to be a passionate, purposeful, principled protector and provider. Now if you like alliteration that's cool, but the part that really resonated with me, you know, as a father, is, you know, every time I want to quit this stuff I realize, if I don't do this, if others like me aren't doing this, it's certainly not going to come from the government, they don't have a clue; it's not going to come from legislators, they don't have a clue; it's not going to come from the military, they're looking to us for leadership. So if this room, if this community isn't stepping up, then really no one is.

So when I gave my mom's eulogy I was talking about how she will be remembered, and I tried to ask myself how do I want to be remembered. And I'm not going to necessarily live up to these things, but at least in the topics I choose I want to be very honest about it, whether I like the facts or not. I want to tackle the hard things even if they're scary, and I want to have an impact. That's how I'm motivated; maybe you're motivated differently. Now unfortunately most of you know me to be kind of an ass, right? Just being honest. I told you I was going to be honest. But you know, there's this great quote: a reasonable man conforms himself to the world; it's the unreasonable man who expects the world to conform to him, and that's why all progress is dependent upon the unreasonable man. So I'm hoping that I can make a few of you a little bit more unreasonable.

So it wouldn't be an infosec talk without ranting about failures. So does anybody know what this number represents? "VT detection?" Oh, virus... so in the New York Times. So one of the things that frustrates me is, and I asked Javvad and others who were doing show floor interviews: interview the digerati, the people who actually work in the security community, and ask them what do you think the effective rate of signature antivirus is. I just want their off-the-cuff quick answer. "That's your answer." I'm willing to bet most people will say in the 90s, and 44 of 45 are the number of missed viruses in the New York Times compromise. That's not 90% detection. It's not, right? But most people, even in this inner circle, believe that AV is 90%, 98% effective eventually. But it's not.

Now there's a small pocket of us that have figured this out. Maybe you had a state-sponsored EAS breach, maybe you had a kitten-killing three-letter-acronym breach. So you buy something really advanced, right? You want to augment your limited signature antivirus, because why would we rely on such an antiquated thing? So what does this number represent? So if you were one of those people who actually figured out the signature antivirus didn't work and you went with something on top of it such as Bit9, what happened to them recently? I'm not mocking them, I'm not shaming Bit9, everyone will have OpSec failures, but how do you stand a fighting chance if you're defending an organization when we spend the most money on antivirus when it's the least effective control in our toolkit? Again, the most money on the least effective control. I wasn't here for Dan's keynote but I heard one of the memorable quotes: we buy antivirus to avoid getting fired, right? So I'm fine with that. I'm not telling you to throw it away; some people will tell you that I'm saying that. Why do we spend the most money on the least effective control? Maybe we should value-price it a little differently. So I'm not going to mock Bit9, but it's really tough that even the people who could justify something that wasn't mandated by PCI on top of their traditional security investment are still having a hard time.

And then as I sat on my couch grieving, I saw all the tweets go by about... what's this number represent? APT1, right. So here's an interesting tidbit. We've been fighting for years to get the mainstream media and the mainstream to acknowledge the existence of very serious threats; whether they're talented or not is immaterial. And the second it comes out we go into full troll mode and we make fun of everyone perpetrating... I hate the term, but what I like is that we're actually acknowledging and talking about the fact that there's been a breach of intellectual property or trade secrets in most of the Fortune 100 companies, all right? But instead of talking about how do we rise to these challenges, you know what my Twitter stream was filled with? The rabbit wars. We have to be better, guys, everybody, right? So I feel that at times, most times, we are part of the problem.

All right, so I asked this very simple question in the fall at RSA Europe. I said, are we getting better? What's the crowd consensus, are we getting better? "Hell no." Right. Now that's not negative. We could always blame Anonymous, we always blame kitten-killing APT, we can blame Canada, X, right? We have a whole bevy of things to blame. But seriously, how would we know if we were getting better, staying the same, or getting worse? You know, what would the criteria be? So for a long time I've been working with the CISOs and I said, where do your sources of change come from? Right, and I'm not saying this is the comprehensive list, but most things fit into this category, right: either bad guys change, compliance... bad guys change (did I just say bad guys? Yeah, I think I did), technology changes, like we're all moaning about virtualization and cloud computing and bring your own device, so that makes our job harder; business priorities change, and economics; and now politics change. I mean, you guys bemoan my research about Anonymous, but Anonymous is the ones that pointed out to me that the ITU and the UN are trying to take over the free and open internet. Are you guys paying attention to civil liberties? We're talking about PCI. Who gives a ... about PCI? Who gives a ... about PCI? I know we have to. I mean, if you were put in charge to be the sheriff of your town, if you were the constable of your town and you had to solve crime, would you go first for pickpockets or for murder rate? Because what we do is we go for pickpockets. We go for our most replaceable asset, the one that every time you lose one is at most a $50 fine, it's waived, and what we're really doing is we're protecting the card brands. We're not protecting ourselves.

So anyhow, those sources of change lead to fatigue and burnout, right? And one of the things that we didn't really plan to do, and I'll talk about this in a little bit, is one year ago we did the first stress and burnout session, study rather. We used the Maslach stress index. It's an actual psychological framework for measuring the stress and fatigue of an industry, so EMTs, firemen, SWAT team, soldiers, whatever; they apply the same exact survey method to see how stressed out are you, are you in the red zone, are you at risk for alcoholism or substance abuse or depression or suicide. Guess what we scored. There's three measurements. Jack's in the room, right? Jack can get this right. There's three measurements, right: one of them is your level of fatigue, one of them is your level of cynicism (I didn't make it up, I swear; cynicism is our core competency), and one of them is, this one's a mouthful, perceived self-efficacy. So in layman's speak that is how well do you think you're doing at your job; not how well are you doing, how well do you perceive that you are doing. So we scored in the red zone, in the high risk, for both fatigue (because we love our 40-hour work weeks so much that we do two of them every week; I think that's Jack's joke, "by Wednesday", okay, value add) and we were off the charts for cynicism. I'm sure that's a shocker. So you know, we really need to put some more effort in this. We did this kind of as a one-time project, but you know, we had some suicides over the holidays. I'm not saying this was the sole cause, but it's not so much that we have a harder job than some of these other life-and-death jobs, it's that those other life-and-death, high-stress industries have support networks. They have their bosses looking out for early warning signs, they have ways to have a counselor on staff, they have methods for intervention if people are in the red zone. So because it's undiagnosed, and I'm no psychologist, but because it's undiagnosed it has a tighter grip on us than maybe it could if we rendered it more explicit. So look out for your fellow man and fellow woman here, because whether we deserve to be distressed and burned out or not, we are. I got to tell you, I'm feeling pretty burned out. I can't do this forever, not this way. We have to make some changes.

So I believe security matters. I watched a fairly life-changing TED talk. It was one of the very, very first TED talks. I hope you watch it in your free time, but it's Simon Sinek, and he has the Golden Circle, and the core of his argument is that, you know, the neocortex (he gets into like brain chemistry and everything) but the neocortex understands facts and language, so what you do, which is why most companies tell you what they do; some of them can actually tell you how they do what they do. If you walk the show floor at RSA it's just going to be a bunch of what; I don't know what, but it's going to be a bunch of what. But the really successful historical figures focus on why. Right, one of his case examples is Martin Luther King didn't say "I have a plan," he said "I have a dream," right? It wasn't that people cared what he said, it's that they valued what he valued. So seldom do we focus on why we're doing what we're doing, and therefore we don't necessarily have purpose or meaning to drive it. So I want to focus on why for this talk.

Now one of the posts I did a while back is we tend to talk in terms of frequency and impact. So screw impact. Nobody gets a good estimate of impact; we've had so many fights about what's the impact. So we know how many times a breach happens, or maybe how it happened, but we don't necessarily know what the impact is. So I'm going to put a sideways slant on it: how replaceable is an asset type, as a function of how much we should care about it. And what kills me is that we spend all of our time on the credit cards, the most replaceable asset. One of the reasons I fought the PCI Council for two years isn't that they're bad, or isn't that we shouldn't be responsible custodians of cardholder data; it's that while we're focused on that end of the continuum we're ignoring the really important stuff that affects my personal life, my safety, my medical devices, my rights. I mean, again, mock Anonymous all you want in this crowd; they have people who care about making sure there's no more censorship, there's no increased surveillance state, there's no more infringement on civil liberties. They might go about it in a way different than you would, and I'm not apologizing, but we have to focus on some of those things.

So initially security cared about the performance of the asset; that's what antivirus came from. Eventually we started seeing crime, so we saw fungible assets like credit cards stolen. But now you're seeing, with the kitten killers like APT1 out of China, there's increased awareness. You know, by my rough tally, 100 of the Fortune 100 have lost intellectual property in the last 18 months. It's a veritable vacuum cleaner sucking value out of our GDP. So whether you're patriotic or not, if you know someone who doesn't have a job, that's got to contribute somewhere in there, you know. So that's a serious one, and this year we'll have lots of bloviating about that one. But I actually really care about my civil liberties and my rights a lot, and you probably should too. You know, when you have something like SOPA come to the Senate floor or whatnot and almost pass, it's really to protect the MPAA and the RIAA, and if it protects them at the cost of looking at your private stuff, that's not a good trade, right? So how many of us have actually informed a senator or congressman on the tradeoffs? If you have, kudos to you, but what we need to do is stop thinking about just our day jobs and our credit cards and start thinking about how this impacts our lives, right? And then also safety and human life stuff, which I'll get to.

Now Dan Geer is my idol. I don't know if it's those sexy, sexy mutton chops or just because he's such a smart guy, but he talks about security in terms of dependence. I think the phrase he uses is "security is the absence of unmitigable surprise," something like that; that's how he talks. But I like to think about this simple measure. Why I know we're not getting better is that I see that if you look at where software and security and embedded OSes and whatnot are permeating everything, it's really simple: our dependence on IT and software is growing faster than our ability to secure it. We've known about SQL injection for 13 years and we still have headline after headline after headline. It's one thing when it's easy to pop a server; it's another thing when it's easy to pop an insulin pump. I mean, raise your hand if you've gone on Shodan recently. Right, it's not FUD; you can search for PLCs, programmable logic controllers, exposed directly to the internet with default passwords and creds right now. We have dependence where it is unwarranted and unwise and irresponsible. So the question when you have this situation is, do we make it more dependable or depend upon it less? And I'm suggesting that we have been asleep at the wheel and we should probably discourage some of the increased dependence. So there's power systems; there's a Microsoft OS in almost every rental car I take now; I don't like that. I was really pumped about the insulin pump talk because I thought this was a pretty serious issue. They're going to keep putting more connectivity into more devices because none of us sufficiently explained to them why that's a bad idea. You know, there's some use cases I just simply don't care if it's connected via Bluetooth, but what we didn't do is get critical mass to actually get them to do something about it. There's actually one company who has the lion's share of medical devices; I think it's called Medtronic. One talk done on insulin pumps didn't get them to change behavior and didn't get their competitors to change behavior.

So here's an experiment for the next 24 hours: every time you see the word "software" I want you to say "vulnerability," such that if you have a toaster with software on it, you have a vulnerable toaster. If you see the word "connected" I want you to substitute "exposed," such that if you have an internet-enabled toaster, you have a vulnerable, exposed toaster. You know, on the flight over here on JetBlue I got to see commercial after commercial on Cisco and the Internet of Things. I am not comforted by the Internet of Things. I am very discomforted by the Internet of Things, and I'm not a Luddite. I'm not saying smash stuff. I'm saying if we can't protect a simple system against simple blind SQL injection, why are we putting software everywhere? There's some use cases where it's fine and there's some use cases where it's not.

So I think one of our challenges, and I'm not sure I'm right about this, I'm happy to be wrong, but I think we continue to bring a technical solution to what is first and foremost a cultural problem. So I'm looking at Jim there; apologies in advance. OWASP: love OWASP and hate OWASP. OWASP has been around for long. We have an OWASP Top 10; it's largely the same as it was when we first issued it. We have a lot of volunteerism, we have a lot of technical controls. Screw the OWASP Top 10, let's just focus on one thing and do it right. Can we please eliminate SQL injection? Please, for the love of God. But the answer is no, because we sprinkle penicillin dust over all the sick patients instead of getting a sufficiently healthy dose to one. We haven't earned the credibility to show that we can effectively and consistently and pervasively solve simple problems, and until we do, we're not going to earn the permission to solve other problems. Let's actually put something in the win column.

So I'd like to assert that we confuse activity, because we're doing stuff, with effect, because some of the things we do matter and some don't, right? Mostly we focus on symptoms, the heads of the Hydra, instead of the heart of the Hydra. We focus on the easy instead of the important, right, with the low-hanging fruit, we call it. But guess what happens when all you do is solve the low-hanging fruit: all you're left with is the hard, which sometimes equals the important. So I'm not looking to boil the ocean here; I've been in the industry long enough, I know we can't fix everything. So the Pareto principle says let's focus 80/20. Fine, it's not magic. Are you sure we're focused on the right 80/20 ratio? I'm pretty sure we're not, right? I think we could articulate where we're spending our money, our time, our effort, and it's on less important stuff. All right, so best practices. I'm going to program you to think every time you see this, you can know definitively that they aren't. Right, best practices aren't, not anymore. We crafted these in 2003. Everything's changed except for our practices, all right? And good enough isn't. All right, so let's not just complain, scream in the darkness. So what do you want to do about it?

Well, the problem I find when I show people this stuff is some of you don't actually want to do anything about it, right? So I'd like to think the people motivated to come to a BSides are more motivated to actually make things slightly better, but a lot of us just want excuses or plausible deniability when things go bad. So I'm going to assume there's at least two or three good people in the crowd that really want to get better, and the rest of the presentation's for you. So here's the thing: you can't look in the same well-worn places if you want to improve things. So if it's a mainstream accepted idea, it's pretty much already being done, right? I think we have lots of private-sector incentives to solve private-sector incented things. What we aren't doing... anybody know the tragedy of the commons? You know what that is? All right, tragedy of the commons basically says selfish greed will solve certain things; the private free market will solve those things, but there are some things that everybody needs but no one will pay for, no one will actually pay attention to. And I think increasingly, as I become more of an activist I guess, increasingly my heart's in the public good. It's the things that the private sector and the show floor at RSA can't possibly solve, and what I really hope to accomplish through this is, for the few of you this strikes a chord in your heart, that you help pick up a shovel and help do some of that good work, because again, we're going to inherit the consequences of what we do or don't do.

So you have to look off the edges of the map. Now unfortunately sometimes that involves pissing people off, and there be dragons on the edges of the map. So the very first time I pissed people off was my very first time I took a risk, and I'm not going to read all these, but these are my seven dirty secrets of the security industry. The one that matters is the one that's still true, which is that vendors do not need to be ahead of the threat, they only need to be ahead of you, and most of the vendors out there peddling their wares aren't really trying to make security better, they're just trying to be buzzword compliant. So after I pissed off the vendor community, I realized you can't just punish the charlatans out there; you also have to supply better ways to do things. So I looked at OWASP and I said okay, they're providing the what to do or the how to do it, but they're not providing the why to do it. So a few of us started this idea of Rugged software.

So in a nutshell: none of you look up at the ceiling. None of you sat in perpetual fear that this building was going to collapse upon you. None of you, right? You know, steel and concrete... oh, all right, so we have one. Okay, so yeah, it is San Francisco, good point. So the point is that steel and concrete are core infrastructure. We need to depend upon them; they're transparent because they're dependable. But the problem is that software has become as core to our infrastructure, but it's not nearly as reliable; in fact it's infinitely attackable. So we were trying to say, instead of trying to put aftermarket security and fight the heads of the Hydra downstream on indefensible IT infrastructure, is there some way, instead of calling developers lazy, to actually get people to select, procure, deploy more defensible IT? We're not looking to make perfect code. It was more the idea that when you build a skyscraper in San Francisco they have these pesky problems called earthquakes, so you have to factor that into your design, and what we were saying is factor into your design adversaries seeking to undermine your code.

But then I turned to the community itself. You know, I was a big fan of FUD sec and fighting FUD, and as an analyst I destroyed vendors who tried to use FUD. I made them cry sometimes. So we had to fight FUD, but the problem is, you know, we're the opposite of FUD sometimes. When we know that there's kitten-killing Chinese out there and someone uses the wrong word, instead of celebrating the fact that they're actually ready to engage us on a serious adversary we know about, we do the opposite: you know, blind faith and unthinking denying. We say no it's not, or that's fear-mongering, or that's war-mongering, or that's just trying to justify their budgets, which might also be true. But you know, when you add the noise of the echo chamber, when you have bloggers and experts on everything and someone wants to promote their idea, how do you find the signal in that sea of noise? So I was trying to say, you know, it's not enough to just add signal; we also need to fight noise, which is probably why there's certain rabbit wars sometimes.

Next, I said, you know what, screw legacy stuff. So Chris Hoff and I (he ended up putting all this stuff in the Cloud Security Alliance), but through ions we put together stuff that said, well, we screwed up traditional IT; maybe we can get cloud stuff better. But unfortunately we blew that opportunity. So then I took on the mafia, I mean the PCI Council, and I said, is PCI the No Child Left Behind Act? And I got in a two-year fight with not only the PCI Council but with one of the founders of BSides, Mike Dahn, and we've hugged it out. But essentially my motivation was, while we're spending all this time and energy on the card data and the card data environment, we're neglecting much more important things, the things that keep your business in business. So it wasn't that I hated PCI; it's not that I thought you shouldn't care about your custodial responsibilities; it's that it was all-consuming, and as an analyst who had data on publicly traded companies and private companies, I watched all the money shift from good security stuff to older security stuff. The PCI digital dozen required 11 controls, our oldest and least effective controls, and despite people knowing that they had to solve other problems, all the money shifted to the required stuff. So what I said is, in our attempts to make the dumb kids smarter, we made the semi-smart kids dumber. We defined a minimum and we got it. But you know, I put that hatchet to rest.

So then I moved to metrics, because people think metrics would save us. So I said, the zombie apocalypse, Moneyball, and security metrics. Alex Hutton and I worked on this, and basically, in our desire to go from faith-based security, just listening to Bruce Schneier and our high priests, we wanted to go to evidence-based security, right? But the problem is our evidence base is so bad that it's equivalent to numerology, which is still faith-based security; it's just faith in random numbers. But the one I think is the most close to the bone is the stress and burnout study. So I already defined that for you, but I really think our ability to rise to some of these challenges is going to be throttled and limited by our ability to make sure that we're not burning out ourselves, right? We're choosing the right battles, we're choosing winnable battles, we're actually getting cooperation to win a few battles. So that's why the sec burnout stuff's becoming important.

Now the controversial one is when I tried to understand and engage Anonymous. But Jericho of attrition.org said, you know, everyone's afraid to talk about it, so how about we try to talk about it: not judge them, not dismiss them, not apologize for them, but this seems to be significant. You have large groups of people who are fed up enough with the system that they're opting out of social contracts. Some of their grievances are legitimate; some of them you might not agree are legitimate; that's up to you. And while we dismiss them as script kiddies, their motivational structure is pretty clear. It might be diverse, but it's pretty clear. So we spent about a year and a half, two years writing, on our free time, a dialectic to get talking and get understanding, because at the time there were all sorts of bad media coverage about them, and when you don't talk about something you let the FUD take over. So we talked about it. So we did our "Building a Better Anonymous" blog series; basically we accidentally wrote a small book. I didn't mean to, but that's what happened.

Then comes HD Moore's Law. So you saw that earlier if you saw Ed Bellis's talk, but in my attempt to talk about are we getting better, what I realized is the only adversary that we're strong enough to fend off is the self-imposed auditor, right? So the idea was that these compliance regimes... this is my better way of talking about the PCI problem. If you look at Metasploit as how strong a script kiddie is, because they can have no skill whatsoever, they can do anything that that open source distribution can do, and every day smart people put more capability into it, our friends put more capability into it. So without debating the morals of all that, because it's immaterial, every single day a script kiddie gets stronger but our defenses don't. And when I've given the Pepsi challenge and I've said, can your defensive hypothesis handle HD Moore's Law, invariably people go home from a conference, they try, and they say nope. I haven't found one yet who in their current default configuration could actually stop the bevy of Metasploit. So here's the problem: if you can't stop Metasploit, you can't stop organized crime, and this idea of hack-back when you can't even stop Metasploit is preposterous, right? We have a very large gap between what we're trying to stop and the strength of the attacker that you're trying to stop. So this becomes a feedback loop. This isn't academic, this is actionable. You can go back to your company next week and run Metasploit and see how well you fare, and then it's almost like hitting rock bottom as an alcoholic, right? People who do this, they're like, wow, and then the sobering point is, I have no idea how I'm going to actually close that gap. Now you can make fun of Metasploit if you want; pick a different free attack tool. But if you can't handle the free attack tools, then what makes you think you can stop any attack? So if all you're doing is PCI and you're not going to rise to meet HD Moore's Law, you might as well just do PCI. Don't waste a penny on some half measure. Of course not, but you know, there's certain step functions and echelons where enough security for a particular adversary tells you when you've done enough to actually move the needle. It doesn't mean you're going to be safe; I'm not even asserting that.

Then I focused on adversary stuff, and all these alleged thought leaders told me that you shouldn't have to care who's attacking you, and yet all the banks and institutions and victims of espionage certainly seem to care. So I'm promoting adversary stuff.

Now the one I really want to talk about is, again, I learned this from an Anon. I didn't learn this from my congressman, I didn't learn it from an RSA security conference, I didn't learn it from a BSides, but basically the UN's trying to take over the internet. This isn't FUD. Through the ITU they're trying to take a free and open internet, kind of loosely governed by what's called a multi-stakeholder model, and they're trying to make it the sole province of sovereign nation-states. Now the problem with this is some nation-states want to censor their people, they want to surveil their people, they want to block VPN and Tor, they want to tax and tariff traffic that traverses through there, and this is not exactly what the digital natives of the internet believe in. It's not exactly what I believe in, right? We kind of like this free meritocracy of ideas, this free open internet, this democratization of things. So in the World War 3.0 article, Kaminsky, Jeff Moss, myself and Vint Cerf were profiled on how the relationship between the response to too much surveillance is chaotic actors, and the counter-response is more surveillance, which makes people more pissed off, which encourages more surveillance. So you have this finger trap for fast escalation, and what the ITU and the UN don't realize is they're creating an insurgency/counterinsurgency escalation. Now I'm not trying to get all political on you, but yes you are, we are. We're the technically informed folks that should be explaining how you can't actually do this. Does anybody remember how the cDc poked a hole in the Great Firewall of China? Remember Peekabooty? The attempts to control the internet are futile; they will not work. There is no upside. What the downside is, it's fueling
more chaotic activity it's destabilizing and it's encouraging more bad laws so it's not going to actually ever lead to control of the internet but anyhow I digress and then we picked the douchiest topic we could possibly think of jro and I said you know Anan wasn't controversial enough let's talk about cyber War we only did the talk once I'm trying to convince him to do it again for Thon but essentially what we said is most of the Cyber War stuff is nonsense but let me pose a question to you knowing our friends knowing the people in this room if the American Revolution was fought right now by you because people in this room have started Citizen
Soldier miles I've talked to them last night if we were to do gorilla Warfare asymmetric warfare using metas using showan using social engineering using propaganda using an open source intelligence you know how much you could do so while we grown and dismiss stupid phrases like cyber War because it is a stupid stupid phrase we're not actually talking about the realities of the situation so let's get past the groaning and what can be done about it so I'm a big fan of experimentation and unfortunately we've done very little experimentation okay so Jean Kim and I worked on um Jean Kim is one of my heroes Jean here Jean Jean just wrote The Phoenix project lifechanging book okay so I like zombies I know
zombies are becoming cliché now that we have The Walking Dead; I was a Shaun of the Dead fan myself. But essentially I look at the zombie apocalypse. Now some of you have seen this model before, but I'm going to take it a little bit further. So what's going to save you during the zombie apocalypse is: do you go in that dilapidated wooden barn with your survivors, or do you go to the actual defensible structure? And what actually fixes... what has the biggest impact on whether or not you're going to survive the zombie apocalypse is if you have defensible choices, right? Is your IT even defensible? And in many cases it's not,
and we kind of just give up, we've surrendered this. The second most important thing isn't what you secure with an RSA blinky light box, it's how well do you run your environment, right? So someone tweeted to me, I asked for people to say what should we say to the crowd, they said the best security... you can debate this, but they said the best security people were sysadmins, right? Anybody agree with that? All right. Or used to be sysadmins, and now the security people have an audit background and a CISSP. But one of the reasons that's an important thing is being able to run things well matters as well. So if
defensible infrastructure is about reducing your attack surface, this is about reducing your chaos and entropy in the network, right? How well do you run it? Know what you have, know when it changes, zero unplanned changes. This is why I love Gene Kim, right, the Visible Ops mantra. Now what I'm seeing lately is some of us are starting to figure out this third layer. Now as we go up the stack we're getting towards the empty calories, the things that have very little impact on defending and surviving the zombie apocalypse. So if step one was choosing defensible infrastructure, step two is making sure people keep their [expletive] together, right, they don't panic, they act as a unit. The
third one is, as we fight in the dark, do we have flood lights and video cameras and door sensors to know how many zombies are attacking and from which direction? Because we're very, very poorly instrumented. This is why you're seeing things like network analysis and network forensics and more instrumentation and better security logging, and as you saw in Andrew Hay's presentation, more forensics, you know, anticipating the forensics requirements in advance. So this is about having more eyes and ears to notice more whispers and echoes. And then comes the stuff PCI makes us do. I'm sorry to pick on PCI today, I'm in a bad mood, but these are the specific blinky lights and pieces of software. Okay, these are the
empty calories. Now most of our efforts focus on the tippity top of the pyramid. Some people are actually talking about actually doing situational awareness better, but the real gains are going to come when we pick defensible infrastructure and we manage it well, and we don't typically do those. So let me map out... I wish I had SECore data. Have you guys seen SECore? Who hasn't gone to SECore yet? There were over a thousand security cons last year, because clearly the measure of how well we're doing in security is how many cons we have. Now what I'm trying to denote here is most of our cons, most of our
conversations are focused on specific countermeasures, and they're typically narrowed towards the mandatory security spending of regulatory compliance. So things like credit card numbers or personally identifiable information, that's what the acronyms stand for. So all that red cluster, if you were to heat map those, think of every talk at every single conference, how many of them mattered? Right now, because of the kitten killers and the recent report and all the stuff on CNN and MSNBC and Fox and everything, everyone talking about the APT1 stuff, whether it's fantastic or real or both, we're starting to see certain vendors try to rise beyond compliance into actually defending intellectual property, but it's a vast minority compared to the thousands
of talks at RSA on basic compliance stuff. And then if you look at critical infrastructure, there's a couple talks. You sometimes see the Basecamp type stuff, you saw people do a couple SCADA things, it's fashionable once in a while to do, but there really isn't a lot of stuff focused on critical infrastructure vulnerabilities. And then you have the one, or you could count it two, talks on medical devices like insulin pumps. Aside from our DEF CON 20 talk I haven't seen very many talks at all about infringement on civil liberties or the ITU takeover. What's that? HOPE? Yeah, there are exceptions, no doubt. In fact, you know, I want to commend ShmooCon: they got rid of
their Break It track and they added what they call a Build It track. I watched the track, you know, there were some good talks, but in general it's really, really easy to attack something and it's really, really, really hard to defend something, and I'm disappointed by how much time we spend on pen testing and breaking and how little time we spend on actually making it better. I don't need more 0days; we can't handle the 0days we have. So I want to see how do we migrate, how do you differentiate yourself as a researcher by tapping into some of these undernourished and under-addressed issues. You know, instead of one insulin
pump, why don't you have a month? Just like the Month of Apple Bugs or the Month of Browser Bugs, why don't we have a Month of Medical Device Bugs? That would get mainstream attention, that might actually tip things, you might actually put pressure on those organizations. Actually, someone just said full disclosure. I reread one of the original anti-sec manifestos, not the new anti-sec, the original anti-sec, and go back and read that: they talked about how the disclosure debates were going to lead to scen... I don't think we have any of those... and war profiteers selling snake oil, I don't think we have any of those. They were kind of right. Go back and read. You know, they were basically
keeping their vulns and their 0days for the inevitable conflict, which may or may not come but is looking more likely to come. See, one of the problems is we always focus on the quick win, the tactical stuff, and this is the wonky part, but there's this thing called Horizon 1, 2, 3, right? Horizon 1 is right now, and we tend to do lots of right now, we react. Horizon 2 is supposed to be 12 to 18 months or 12 to 24 months, and Horizon 3 is supposed to be things that won't really provide value for three to five years. So how do you actually rise to fill the gap? Well, part of it is using that pyramid in an
intelligent way, right, it's looking for the asymmetric wins: a dollar spent on a countermeasure is worth 10 cents, a dollar spent on defensible infrastructure is worth a thousand. So we don't really look at the return on activity. So yes, it's going to take a while to make more defensible infrastructure; we have to start now. So what I realized is no one's going to be altruistic, right? We're primarily motivated by ego, like how many cons do you speak at and how elite are you and how many keynotes did you give or how many blog posts or how many retweets or how many followers. Like the whole thing makes me sick. Or you go to the show floor at
RSA and it's all about, you know, how much money you're making. I mean, someone just said today on camera that we measure the success of the industry based on the revenue growth of the security vendors. How is that even close to the right measurement of success? It's not. So I'm not stupid enough to think we're all going to be all of a sudden altruistic, or AltruistSec, but that is where my heart is, right? I try to focus on the things that affect our personal lives, and there's no one that's going to pay me to do that. That's why Jericho does his work about plagiarism on his nights and his weekends; no one pays him
to research plagiarists, no one pays him to research charlatans and people who think he's mean. He does a ton of that work on his free time. OSVDB is the Open Source Vulnerability Database. I mean, there are people who do this stuff on their free time, so there is a gene, a streak of altruism in the industry, even if you don't understand it or agree with how it's done. So I don't think that everyone in this room is going to all of a sudden be altruistic, I mean you clearly call me nuts, right? So I don't care what your motivation is; find a different motivation. It can be rational selfish greed, it could be your ego, so be the
most badass medical device vulnerability discovery researcher there is. No one's doing it; there was one and a half talks about it. So let me talk about social contract theory for hopefully 60 seconds. This is the idea that everyone's selfish, and out of rational enlightened self-interest we make contracts with each other. So if we're on a deserted island, I'm with Javvad and there's a limited number of coconuts, I should kill him in his sleep and steal his coconuts, but he should kill me in my sleep and steal my coconuts. But the problem with that model is neither one of us will ever get sleep and we'll be grouchy, cranky bastards. Oh wait, that's exactly what we
are. Bad, bad analogy. But what we basically agree to out of rational self-interest is I won't steal his coconuts and he won't steal my coconuts. That's what social contract theory is, right? So let's just be selfish, but more strategically selfish. The problem is every time we get overwhelmed by how hard this is we have this thought-terminating cliché of, eh, at least it's job security. You're going to have job security regardless. This is the thing that stops us from being uncomfortable. You should be uncomfortable, because when you're uncomfortable... what's that quote, the fortune cookie thing? Necessity is the mother of invention; discontent is the first step for any man or nation. There
are things to be pissed about, and your question is, do you just say it's job security or do you actually try to make yourself better? So I couldn't do it alone. I'm still not doing it successfully, but what I figured out is some problems are bigger than just one person. So most of the most substantial research I've done has been with Gene Kim, with Jericho, with Kaminsky, with Alex Hutton, with Jack Daniel. When we combine our strengths we do better work: it's not 2 plus 2 equals 4, it's 2 plus 2 equals 20. So some of the really interesting things came from someone who I respected but disagreed with, and we tried to hash it out and hug
it out and we came up with better ideas. So let's juxtapose some of those ideas. Wendy Nather, who's the research director at 451, she's come up with a brilliant concept called the security poverty line, and what she basically said is while we try to give all this advice on fighting state sponsored adversaries, most organizations have barely enough budget to pass an audit, so they live at the poverty line, and she's right. Now just juxtapose that with HD Moore's Law. So if you have to be this tall to get to the poverty line and I'm saying you need to be this tall to stop the weakest adversary we have, how do we resolve the two of
those? You can't; it's too hard to even stop script kiddies. Now it doesn't mean you give up, it just means that working harder won't get you there, you have to work smarter, which is where that pyramid comes in. Let's talk about metrics and numerology. I had lots of fights over the DBIR, I've had lots of fights over the Mandiant M-Trends report, I've had lots of fights over different data sources, information collection. We desperately want evidence; the problem is it's not reliable. There's selection bias, there's capricious use of it. We don't use metrics to inform our decisions, we use metrics to justify our decisions, and even though there's Metricon going on Thursday or Friday, we don't yet have the
right kind of data, so don't put too much hope in it. We have to push to get better data, but right now it's not really working. So I promised a few people I would bring up terms that they asked me to bring up; these are the ones where we're going to fight, all right? So professionalization. I'm not talking about CISSPs, I'm not talking about SANS certification. This community resists professionalization. I'm not taking a stand on it, I'm simply posing: when we have bloggers or bloviators or false prophets that we hate, when we have fighting about who knows what and who has the credibility to speak about what, one of the problems is if you're a lawyer and someone breaks
the code of lawyers they're disbarred, they can't practice anymore. When you have an architect who designs unsafe and irresponsible bridges they can't be an architect anymore. We have no correction methods that are robust and sanctioned to make sure that our signal is always signal. We have lots of false prophets, not a few, we have a lot of false prophets. We have people spreading their thought leadership with zero research behind it. So we lack any sort of professionalization, and more importantly our culture is allergic to the idea of professionalization. I don't know what form it should take, but I know we're not going to grow until we talk about something that we could live with for
our own rational self-interest. How do we regulate ourselves besides fail blogs? You know, Chris Soghoian, some people love him, some people hate him, he basically said to me once on the phone, he's like, vendors don't respond to research, vendors don't respond to disclosure, they respond to class action lawsuits. I don't know if he's right, but we haven't really looked at litigation much. We haven't really looked at how do you use the legal system to possibly cause better activity and put the onus for defensibility of infrastructure on the supply chain instead of on you as an operator. Legislation. I'm good friends with Krypt3ia; he helped me on the Anonymous project. He is completely allergic to
Lieberman's cyber legislation language, he hates Lieberman with a passion, he's written blog post after blog post after blog post on how bad the legislation is. So I have a simple counterpoint: how about instead of complaining that they use the wrong words, that they don't get it, why don't we have a few of us bringing them ready-made, articulate, actionable, correct proposals that they can then put their name on and be famous for? Now I don't actually want to start a lobby, but right now you have charlatans on CNN. How many times did we tolerate lagot on CNN, and how many of us stepped up to replace him? So we like to complain about people doing it wrong, but we
haven't actually figured out what are the top three issues that this industry wants to promote. Does anybody agree on that? And who are the best spokespeople to take that to mainstream media to promote those three ideas? I think it's a douchy idea, and yet we've got to try something. And then media hacking. We have some of the best social engineers on the planet in this community, some of them in this room, and yet we haven't really applied that benevolent social engineering to actually controlling the narrative. We let vendors control the narrative instead of us deciding what we should expose and when we should expose it, and to which critical mass. So the irony is when we wrote the Building a Better
Anonymous series, I didn't realize it at the time, but I might as well have been writing a Building a Better Infosec series. I asserted there were three things that people could do. Number one, the first and most important step, is why do we do what we do? So how do you state your beliefs, right? What are your values, what are your first principles, why do we do what we do, what's important to us? And I don't think we've actually as a community thought about the community-level concerns, not for the community but for ourselves. Be selfish; I can't expect human nature to change. So as a selfish individual thinking three to five years out, what do you really
want to see done differently? Second thing is how are we going to prosecute the pursuit of those first principles and values. So what's our code of conduct? You know, what are our operational parameters on how we're going to do that? And then we had a whole section on unlocking your inner badass, right? Measure twice, cut once type stuff. Choosing fewer battles, right? Do fewer things better. You know, a new swordsman will flail wildly with little impact; a master swordsman will seldom draw their blade, but when they do it's a death stroke. So how do we actually seek impact with the things that we choose to do? And this is the one that might make
you laugh, a couple of them are in the room, but because some problems are bigger than me or bigger than any one of you, or pick your favorite three security researchers, they can't really get much done on their own. So, you know, maybe we need to assemble a stronger
team. So if you can't tell who that is, I like Scarlett Johansson. Well, so Scarlett Johansson, yeah, was actually part of my secret squirrel team. I didn't have to put a face on hers because she was actually part of it, but because I didn't have a Scarlett Johansson I did have a really angry squirrel. But seriously, these are people I shared a stage with last year, these are people I did joint research with, some of them privately, some of them publicly, and it's really powerful when we don't just do a solo act. So as fast-talking and brilliant as Gene Kim is, guess how much more of a badass he is if you
combine him with an Alex Hutton who looks at the data. And, you know, one of our keynotes yesterday was Dan Kaminsky, that's the Hulk. You know, Dan is mocked sometimes, which is funny and perplexing to me, but he's one of the only people who's testified in front of Congress, he actually got DNSSEC pushed through, whether you like DNSSEC or not, he's also curing color blindness, that's right. So the one in the back that you can't really see is Alex Hutton, but these are people that I tried to team up with on one-on-one team-ups, but imagine what could happen if a few of us got our [expletive]
together and brought bigger ideas and bigger talent to bear. And I think we're at that stage. You know, the days of just trying to get a talk accepted, it's not challenging anymore, it's not interesting anymore, it's not impacting much anymore. So I'd really like to see what happens when really talented individuals team up, and if you think this is douchy, honey badger don't care, because honey badger does care, and I've teamed up with some of those guys individually and collectively and we made magic happen, and I'd like to see going forward we actually try some of that, and I want to see more people brought into the fold. So I'm not the kind of person that needs to talk to you
for two hours or an hour and a half, so I'm going to try to end a little bit early, but essentially I'm pretty certain we need to be better. It's not saying that we suck, it's saying that we've been at this level of play for long enough, and I don't want to focus on the things that don't matter and don't affect my personal life or my future. I want to focus on things that do matter and do affect your personal life. Who cares about me, care about yourself, focus on the things that affect your personal life, your rights, your safety, because there is no cavalry, right? There are no grown-ups. When I did
that Vanity Fair thing, I expected... he talked to me first, I expected he was going to go to Congress and go into the Beltway and go into the intelligence community. He said, I'm going to go talk to the grown-ups now, that's what he said to me, he goes, I'm going to go talk to the grown-ups now. And then about a month and a half later he came back, he goes, Josh, there's no grown-ups, they don't understand. And he was right, they don't. We are the grown-ups, and that should terrify you. [Applause] But we are the grown-ups, so we need to be better. Where's Conrad? Because he better get his [expletive] together, right? We need to be better, right? So make it
better. If you're sick of the [expletive], if you're sick of the futility, if you're sick of just doing PCI rocks and you know that other things matter more, it's up to you whether you want to do things that have purpose or impact or if you want to keep doing the same mundane stuff. You have to make a living; you don't have to do stupid stuff. I'm not denigrating your day jobs, but if you feel a lack of purpose there are other ways to contribute. I'd be thrilled if I got one or two more collaborators after today, just one or two, it doesn't take everybody. So we're going to have this rage quit thing, it's going to be Jack and Javvad and Boris, so
let me try to frame this for you using a social engineering term: if you're going to quit, if you're going to get up here on the mic and rage quit, don't quit the important [expletive], quit wasting your time on the [expletive] that doesn't matter, right? Or add to what you're doing for the [expletive] that doesn't matter. Thank you. [Applause]