So, I am not a morning person. You have to, I mean, the only time I'm a morning person is when I'm in China. It works out really well that way, but we're not there. So I forgot what I was supposed to say on the slide, but it's a little cat, so we'll go from there. The title of the talk is Around the World in 80 Cons.
Basically what I do is I started this talk to give a talk on how hacking culture is different around the world and then halfway through it takes a darker turn which I didn't expect and we'll talk about that and then I said well I can't just say how bad it is I gotta come up with some kind of solution or some kind of call to arms to do something so then it ended that way so we're gonna go for this ride and see how it works but I do give people warning I alternate every other year. It's like one year I'll do an offensive talk and then the next year I'll do a rant. And last year my talk was on spearfishing, so we know what kind of talk
this is gonna be today, right? So I do get ranty. It's like I'm very opinionated. It's like sometimes those opinions are actually somewhat correct, but not very often. And I really need to wake up. I love the fact that this one's all livestream and stuff. It's like, ugh. So, exactly. So, the only thing that you need to know about me that you don't find on, well, actually you find on Google anyway because all my stuff's on Google, is I love to travel. And I don't just travel to a conference, go to the conference, and then just like, okay, I'm out, bye-bye. It's like, I like to stay for the whole conference, and then I stay two or three days before or after the conference to actually see what the
city's like, to see where it's at. I've walked from the Coptic area in Cairo to the south part of the city to all the way up to the Cairo Tower in the north, which is like a seven hour walk through the streets. The non-tourist areas, there's actually a really cool Pizza Hut on the Nile River, which is really cool. That one's actually the Pizza Hut that's right across the street from the pyramids, the Sphinx. The Transformers 2 movie, where it showed it was all abandoned and everything, just out in the desert. Nope, not really. And I've gone through, I did an 11 hour walk through the Zidan District in Beijing, which was really fun, I'm not saying I was being followed, but it was like, you
know, I'm sure I was a person of interest. And all I did, if you look at it on a map, was just do this huge circle that ended me right back up at my hotel. That's all I did. I just did this huge loop. It's like, just to see what was out there. So I like to explore. I like to see what the culture's like. I like to see exactly how the people are living that are in the places that I'm at and stuff, you know, not just the touristy sections. So that's what got me talking about the hacking cultures. Like the hacking cultures, I thought, were going to be different and varied and stuff.
And I wanted to give the talk on how the Malaysian hackers have so much hacker space and stuff, you know, versus the Brazilian hackers that do a lot of carding and stuff versus the German hackers that are all the privacy and activists and stuff. So I wanted to do a talk like that, but it didn't happen. And one thing that I wanted to start off at the very beginning, Russ Rogers put the best part in the survey was, I like tacos, that means all hackers like tacos, right? I'm only speaking from my perspective. I'm only speaking for me. This is my perceptions and my perspectives and how I feel the way it is. Everybody is
going to be varied. It's like everybody's going to have varied opinions and stuff, but that's just the key to it. It's like this is not to say this is a solution, this is the way to go. It's basically just ranting out to everybody going saying, if you agree with me, yay, if not, help me change it and let's do something different with it. But the first thing is I realized when I was going to start talking about different countries and stuff around the world, it was gonna come up with nation state hacking. So I wanted to nip that in the bud right at the very beginning because I'm not talking about nation state hacking. And
as you can tell by this thing, one of the biggest problems that we have when we talk about nation state hacking and other countries hacking and what they do, we get stuff like this. This is the Verizon data breach report and stuff, and I'm not knocking it, no matter what flame wars I get on Twitter about stuff, I'm not actually knocking it, it's a good report. But the problem is, is that all of what's going on on the internet right now? Are we missing maybe a couple pieces, maybe a couple continents or something that may be not represented properly on that? Possibly? I mean, that's all I'm saying. It's like it's good graphic department stuff, you
know? It's really nice, the colors and stuff, shaded very well. That's cool. And Trustwave, I mean, let's face it, they did an awesome marketing department. They've got pie charts. We all love pie, right? I mean, that's great. But once again, is that the whole story? Is that the whole what we're all about? This is all that's going on on the internet right now is based right here. No, there's a couple little jabs. And there's one of the reasons why I like this one slide here, because I like this website, hackmageddon.com, not because of the fact that he had pie charts, which, you know, once again, pie, but... They actually, he put the flags of the countries they represented, because let's face it, we're America, so we don't
usually know other countries' flags until we invade them. So I thought that was really awesome that he actually provided that for us, so great. But what I loved the most about the whole site and his charts was his disclaimer. Let's blow that up. Again, don't need to repeat, the data must be taken very carefully since they do refer only to discovered attacks, the so-called tip of the iceberg, and hence do not pretend to be exhaustive but only aimed to provide a high level overview of the global cyber landscape. That is such a great truthful statement that I'm overlooking the word cyber in that. Okay, it's like because that is a great representation of what he's
saying. This is never going to be everything. No matter what we see, we see a skewed perspective. Now there are some reports that will have a little bit more, let's say, focal point of what they're talking about. You know, this is a good report that says that possibly on May 9th of 2014 there could have been some possible activity coming from, let's say, China to, I believe that's not Idaho, so we'll just say America. So I mean it just shows that there are some focus and this is data. This was data. This was like one little snapshot. This is like, and I'm okay with these kind of reports. And so you're not giving attribution saying that they're all coming from China because there's proxies
and no proper attribution, but that's still data that you can't refute. And I love that. What I don't love is the reports that are out there that are saying a little bit more suggestive and opinionated. I mean, I don't know, and I mean, quite honestly, no disrespect to Richard Bejtlich, but I really do feel like sometime in elementary, China came over and stole his lunch money or something. And I really feel bad about that, but it's like, you see, and it's not just me thinking the Mandiant report may be a little bit one-sided, a little bit skewed, a little bit, well, it's early in the morning so I can say hypocritical and not care. But
yeah, because of the fact that when I did a Google image search for Mandiant APT1, I kid you not, the first image that popped up was this one. So it's not just me. It's not just me thinking that. And it's like, by the way, if you're not seeing The Russians Are Coming, The Russians Are Coming, which is what this is based off, that was a great movie back in the day. But it's like, so it wasn't just me thinking about that. And I've seen the report and I've seen some of these talks and see some of this press and stuff, you know, and I keep hearing about, oh my gosh, the Chinese are doing
this. And I'm thinking, what, when you come down to it, what are they doing? What are the bad things? Why is it so the evil, scary Chinese coming after us? And basically from what I get from sources like Richard and stuff, the Chinese are bad because they spy on their citizens. They spy on other countries. They infect other nations computers with malware. They try to censor their press and they try to suppress protesters. Well, that's effing horrible. But let's break this down because I want to break this down as like why they're doing this kind of stuff. So let's talk about what they're doing about they spy on their citizens. Oh, wait, hold on. Oh. Maybe that's the wrong slide. Maybe not.
But I do love this one. NSA admits employees spied on husbands, boyfriends, and girlfriends. So they're now having to institute a policy where the spies are spying on the spies that spy on the other people that are spying, so they don't spy on the proper people that they're not supposed to be spying on, but the people that they're supposed to be spying on that aren't related to them. So, yay. Because it's like, when you've got a surveillance program like that, you're going to end up spying on an ex-girlfriend at some point, right? It's like, because you're spying on everybody. So... They spy on their citizens, which is a bad thing. They spy on other countries,
which again, oh, and this is what really makes you, look how sad Merkel is. Look how sad we made Merkel. I mean, come on, she's German. It's like she should not be that sad. And she was groped by George W. and still survived better than this, okay? It's like, so I mean, it's like to make her that sad is a really bad thing, people. And the one thing that gets me the most is right here at the bottom right here, an Italian magazine says, US spies listen to the Pope. But actually doesn't work. I don't care if you're atheist, Buddhist, Christian, Muslim, whatever. You've got to admit, this is a pretty good pope. I like
this pope. He is a cool pope, OK? We can all agree this is a cool pope. I mean, that last pope with the red sheets was sort of sketchy, OK? I totally understand a little bit of surveillance on that guy, OK? But this is a good pope. We like this pope. And you're spying on him? I mean, that's just not cool. Okay, so I'm saying, I don't really like that. But I also like the fact that we're doing all this spying and stuff. You know, it's still the U.S. security is to shore up spying on Russia because they had no clue what was going on with Crimea. So yay, I'm glad that all that stuff
is going on and being effective, right? Well, if they infect other nations computers with malware, too, that can't be good. Sometimes, I guess it can be, right? Because we did it. And I love the fact of how we did it. We didn't even go and say, you know, it's like, we possibly denied stuff, you know. We were basically saying, we may have done it. Possibly. It's like, it could have been us. Pretty good work though, wasn't it? It was a pretty sophisticated attack. I'm not saying we did it, but it was definitely done by a very advanced, powerful nation state attack there on that one. So, I love how they did that one. And then
if you go after someone else's network, it's like, you know, on us, it's like, oh my God, they were hacking us! It's like, they try to censor the press, but luckily we got the First Amendment, maybe, possibly a little bit, sort of. And a lady just yesterday got a judgment and stuff, you know, for $57,000 because she was arrested for wiretapping because she was trying to record a police officer doing a stop, a traffic stop. Her camera didn't even work. It was malfunctioning. She couldn't get the camera to work. They arrested her anyway because she had the intent to record it. So it's like, so there you go, that was a good one. But you know, we do have, they're trying to suppress protesters, we don't,
I love this one right here. This is my favorite because this is the free speech zone. You can tell it's right, the zone that's right there by the machine guns and the steel barriers. That's the free speech, that's the more Orwellian stuff right there. You know, it's like, I mean George W., he's got some, and I'm not trying to bash, I'm not trying to be political, but that's the more Orwellian stuff right there, your free speech zone. It's like, that's what I'm gonna do. And this one right here, New Evans, the US Army hired spies to go undercover among the local anti-war protesters. That sounds like, you know, sketchy. That could be like some terrorist
group. They were the Quakers. The Quakers, people. That's like one step above Amish. I mean, seriously, you think a little coffee klatch and stuff, you know, is going to be overthrowing a government? That we need spies going in there to see what's going on? And how do you radicalize those guys? You know, I'm thinking, I'm thinking we get some... Bigger signs. I think that'll do it. I mean, how do you radicalize those guys, you know? I mean, so, yeah, so they do that. So basically what I try to do comically is express this. These are command and control centers for actual botnets and malware and stuff, you know. That's what I'm trying to get to. Everybody is doing it. It is not
one country doing one thing bad. It's everybody has got some bad actor in there somewhere. Even in Canada. They do it in Canada. I mean, I can just imagine how the bot controllers are like, excuse me, I'm going to have to compromise your system. I'm sorry. You know, it's like, I don't know. I mean, that's how I imagine Canadian hackers are. It's like, I'm sorry, but I have to pwn you. It's like, you know, so it's like, so even the Canadians and stuff, they do have command and control units in their country. All the countries are doing it. Stop saying this country's bad because of X when your country is bad. If you have a
government that's worth its weight in taxes, which probably not because there's a lot of taxes, but still, regardless, they're doing spying, and they better be, and you want them to do it because that's part of their job. That's what governments do. Otherwise, they'll actually start doing something like passing laws or something and being dangerous. So it's like, that sounds really seditious and stuff on the live stream. I'm on somebody's list anyway. It doesn't matter. But we're all doing it. So this is not a talk about nation states. I don't care about your politics. It's like I'm not an American hacker. It's like I'm not an Oklahoma hacker or a Texas hacker. I'm a hacker. If
you are working, no matter what country you're in, if you're working to help better protect your networks and better protect yourself, I'm all for you and I'm supporting that. Okay? It's like we're all supposed to be, as hackers, it's supposed not to be about the boundaries. So let's start the tour around. This is how I do this: I do one picture, one slide, that is going to be me telling an anecdote from one of my trips, and then I sent out a survey to other hackers around the world to say, hey, will you please fill out this survey and give me the answers back, so I can have a wider view of what the
culture's like. So we're gonna start off in Asia. It's like, these are my awkward hugs from Beijing, from XCon. I love the, Thomas, Thomas Lim, for the record, he loves my awkward hugs. He tries to hide it. He tries to like act like it's not a big deal. It's like it's not a good thing. He secretly loves it and I'm going to keep saying that until it's actually true. But my first trip that I'd like to talk about on going to, what's a good country? It's something I'm going to talk about on one of my first experiences. Well, first of all, Singapore. It's like, let's just, I'm talking about Thomas Lim. Thomas Lim throws a conference in Singapore called SyScan. And one of the things that got me is like when I went to SyScan was there is so much curiosity. I think it's the best way to do it. It's like there's a lot of curiosity. First of all, Singapore is like the Canada of Southeast Asia. It's like if you've never gone to Asia and you want to go to a place, start off in Singapore because everybody speaks English. It's like everything's very clean, very well tidy and stuff, you know, because they'll fine you for everything. But it's like it's a very nice... Low crime rate, very, very safe, very nice, very beautiful country to go see. And I love the fact that they all speak English because I'm American. And I tell people when I'm traveling, I say, look, I'm American, I'm sorry, so that means I only speak one language. And I'm from Texas, so that
means I don't speak it very well. You know, it's like I can't help it. So it's like, but Singapore, it's like, so when I first went to SyScan and stuff, you know, it's like, especially this last one, they are so welcoming, so open. It's like you don't understand that. When you're traveling, when we have visitors come over and you go to these conferences over here, you don't understand, you can't get the grasp of being totally foreign and not knowing anybody or knowing just a small select of people and stuff, you know, but they actually try to make you welcome, try to welcome. When I first went to SyScan in Shanghai, actually, I was like, I
was worse of a nobody than I am now. This was like four or five years ago. I just started traveling. It's like I hadn't had my passport for a year yet. And I went over to Shanghai for SyScan. And Thomas didn't know who I was. Dave Aitel didn't know. No one knew who I was. But they invited me to the speaker dinner when I got to the hotel. It's like they were there talking to me and stuff when I was going through lunch. They invited me to the speaker dinner afterwards. I wasn't a speaker. It's like I was an attendee and stuff, you know, but they knew that I was a guy that was a
fish out of water, so they're like, hey, we'll take you, we'll let you hang out and stuff, you know, and chill with us, and I thought that was a very cool thing. Let's talk about the talk systems guide. These are the four questions that I asked, a lot of other questions, but these are the ones that sort of resonated that I'm sticking with. And so one of the countries you're more familiar with is from India. It's like, how did you find out about hacking? It's like the Matrix movie. Cool people hacked into the Matrix and did cool kung fu. It's one of the only words that I censored on my slides. In your region, how is hacking seen by the general public? Negative. Is hacking in your region seen as more for crime, hacktivism, nation state or other? Crime. Well, that's sort of depressing, right? It's like, so let's go on and see what else we can talk about. Let's go to Europe. It's like, one of the things I like to talk about in Europe is my first trip to Europe was 2008, December. It's like, I got my passport in September of 2008. November I went to Beijing for XCon and then December I went, I don't, I like to just leap head first into things. And I went into Berlin to CCC, 25C3 was my first trip to Europe. And what got me was the politics involved. It's like, you know, we think that they were political hackers. These guys create, they did
a march halfway through the conference, a peace march where they just basically marched around the building. It's like they have a member in their parliament as part of the pirate party. It's like the reason why Germany has some of the strictest privacy control laws, the reason why, because they fight for the users. The hackers are political. They don't just go and say, well, I liked it on Facebook. Oh, I'm going to retweet that. I'm an activist. You know, they actually get involved in their politics, they get involved in their government, they try to wake up the people, they get involved in the media, they try to wake up the masses and go, hey, maybe you
should have some kind of controls like SSL on your email. That could be a good thing. So I was very surprised seeing that kind of activity and stuff going on there. And then, so what country are you more familiar with? The UK. How did you find out about hacking? Progression through technology. Tips, tricks, etc. Other ways to do things. Ways around problems. That is one of the truest hacker answers you will ever come across. Because that should be the very definition. It's like I'm hacking because I'm trying to see if I can do something or do it another way that's not been done before. In your region, how is hacking seen by the general public? Negative.
The bad guy who spreads malware, takes financial details, etc. Is hacking in your region seen as more for crime, hacktivism, nation state, or other? Don't understand question, my fault, sorry. In my region, it's seen as gangs who use crimeware kits, spreading spam on Facebook, et cetera. Which, I don't know how you differentiate between the spam and the other stuff on Facebook, but okay, whatever. So there's that, okay? And once again, I'm not really, I'm starting to get a little discouraged, but we're gonna keep going. And this is a... The culture is like, I've only been to one country. I went to Brazil, which is the far left. And I remember, so I only got really one good story there. And that was at the speaker's dinner
for that conference. And one of the hackers was talking to me, one of the local hackers from Brazil. And he's like, yeah, man, there's like, it's not cool being a hacker here and stuff, you know? It's like, there's no laws against it and stuff, you know? No one's going after you and stuff, you know? We don't got no edge and stuff, you know? No one thinks we're doing anything, just we're nerds on the computer. And I'm like, I really was going like, I'm sorry, you'll get arrested at some point, don't worry. How do you respond to that, right? How do you respond to that guy? So I'm like, and the good news for him, I
guess, is that Brazilian laws are now catching up and now it's against the law to do computer crime, so maybe he'll have his dream realized one day, I don't know. So it's like he's getting that. So that was my brush with Brazilian hackers. And so... What country are you more familiar with? Brazil. How did you find out about hacking? Once again, a true answer, trying to get things done. In your region, how's hacking seen by the general public? Nowadays, it's a mix of good and bad. People sort of understand it. Back in the day, early 90s, internet wasn't quite widespread. BBSs or stolen credentials to universities were the way to go. At that point in time, unless you were doing something, you wouldn't really be aware of hacking. With online
banking being implemented in 96, 97, bankers' activities started increasing quickly in Brazil. Bankers' activities means the actual credit card theft, the credit card fraud, breaking into the banks and stuff. Is hacking in your region seen as more for crime, hacktivism, nation state or other? Considering that those that don't know anything about it just see the stuff in the news, mostly tied to crime. And sometimes hacktivism in the corporate world, a better understanding to ethical hacking. So are we seeing a trend here? Because I'm already starting to get a little riled right now. Because you see these answers and you start off and you see these answers, oh that's cool, that's a great way to get into it. And you learn how, oh that's how you want to become
a hacker and then oh, that's what you're dealing with. That totally sucks. So let's go to another one. I did a technicality on this one but I got speaker's privileges so it's like I'm gonna do it anyway. Because my only trip to Africa was, Cairo was to Egypt, right? Egypt is Africa. But they also say, no, it's Middle East. It's in Africa. It's on the continent, okay? So geographically, we're going to use that as my excursion to Africa. And one of the things that I got about that was the formality. First of all, they made me get into a suit, okay, which I sort of regretted. But everybody there was so businesslike. They were so conservative. They were like so,
it was not, hacking was not like, like me, you know, like I'm gonna go hack. They're like, this is very educational. So I can't wait to learn more and stuff about this. Educate me and lecture me on the topics of hacking. And it's like, and then there's these college teams there. I mean, they didn't understand because especially like when I was doing the rabbit ears on the guy. It's like, but my favorite, one of my most favorite is photobombs of the world was this guy right here with the scarf thingy or sweater jacket, whatever those things are called, preppy thing. It's like he was taking a picture for himself and said, behind the banner of
the conference, and he was like, you know, because he is at this hacking conference and stuff, you know, and he was very proud of it. He didn't realize, you know, 20 feet behind him, in between him and the banner, was me in a suit going. So that was great. It's like, that was a great photo bomb. But yeah, so it's like, I saw that it's like, it's very, you like to think of, you know, Egypt and some of the areas like being very Wild West, but it's like it was just they want as an education, this was a part of formal education was to learn hacking. Here's one from a friend in South Africa. He says like, how did you find out about hacking when
trying to call UK long distance numbers from South Africa during apartheid? There was a need, he found a way around it. It's like, you know, that's hacking. In your region, how is hacking seen by the general public? There is still stigma attached to hacking, as in hacking into network apps, overbuilding. It's seen as more criminals than anything. Is hacking in your region seen as more for crime, hacktivism, nation state or other? The media have dictated the view of hackers in most countries, so it's hard to put a positive slant on it. Also, criminals or genuine hackers are put into the same category. Okay, that was actually my statement on it. I didn't want you all to get confusing. I was just very, very fine. Let's
go to the, talk about the Middle East. It's like one of my first trips to Beirut and stuff, you know, and I'm not going to talk about the bomb that actually happened two days after I got there. But the thing that I've noticed about Beirut and Sybil was I was having, sitting down with a guy and stuff, you know, over like little coffee things and stuff, you know, me with Diet Pepsi. And he wanted to show me something on his laptop. He's like, oh, look over here. And he shows it to me. And he's got access to their national telecom system. And I'm like, what are you doing with this? Well, I've had it for years. It's like, it's really cool. And I'm like, but
what are you doing with this? It's like, he's not, he pays for his phone bill. It's like he pays for his cell bill. It's like he doesn't do it for that. He doesn't use anybody else's identities or try to mess with their bills or anything like that. He doesn't change the configuration files or anything. He could. It's, why not? You know, it's like, I mean, it's like, and that is the true nature. It's like, when you get over there, it is the wild, wild west. It's like people don't even know what's going on when it comes from the internet side of it. It's such a physical world. It's like one person explained it to me was in the security mindset there is, I'm trying to get it right because
I haven't thought about it in a while and it just occurred to me, but it was a good explanation. is that there, in America, we think about securing a building. We secure the whole structure. And so we think of it as a long-term, a wide aspect, wide ratio kind of protection. And in the Middle East, it's not like that. It is you hire bodyguards to protect yourself. You secure your area. And so there's no this why turn gap and stuff, you know, it is more personalized, it's more compartmentalized, it's more of a one-off approach to security. So you could have like secure areas and stuff, you know, but none of them connecting to each other. So I've mangled that analogy, but you know, you won't
care because you probably won't see this. So, but that's the way the Middle East culture and stuff, you know, to me and my perception was. So let's talk about the culture in the Middle East. And here's why I did my technicality because it's like, Jayson, you said Egypt was Africa. But right now we're saying logically, instead of going on the logical standpoint, not geographically, we're going to say it's in the Middle East. So, because I love this answer. He says, how did you find out about hacking? Caught a virus in 2005 because a certain person downloaded pirated games and it was backdoored, wondered how those virus worms worked, learned some programming first by viewing sample viruses, sources, and walked that road and never went back. Freaking awesome.
I mean seriously, it's like, oh, I saw this. It's like, how did this happen? Let me try to figure it out and stuff. In your region, how is hacking seen by the general public? Hacking is generally viewed as hacking people's Facebook and Yahoo accounts. And to me, that's really sad because they're still using Yahoo. But yeah, so it's like, but so we'll keep going, okay? And then it's like, is hacking in your region seen as more for crime, hacktivist, nation state, or other? Most viewed as a crime, few know about hacktivism.
Okay, let's go to the next one. Let's talk about North America. Especially when we're in the East Coast, we've got to talk about ShmooCon. That's Bruce Potter. I do not typically give non-consensual awkward hugs. It's like, and there are a couple exceptions, Bruce Potter being the main one, because I will chase his butt down. Okay? I mean, I have run through conference halls and stuff, you know, trying to get him. So whenever I catch him, it's like catching a wild butterfly. Woo! And that's him showing his appreciation for it because he really loved it. So ShmooCon, my first ShmooCon was at Shmoopocalypse. It was when everything was snowed in. And just think about that. You've got 1,500 hackers trapped in a building. That is totally going to end
well, right? It did. It was an awesome time. It's like people were having conversations, people were getting to know people, people were like just, it was a community like we're all in this stuff, you know, it was like we're all in this together. And it wasn't like the Donner Party, we're all in this together, you know. It was actually, you know, like we're all in this together, let's learn this and let's try to work off and make the best of it and stuff. So I really liked that experience. I really liked the coming together and how they handled that. So that was a fun time. So let's talk about North America, what country are you more familiar with? How did you find out about hacking? First, movies, then properly
through an instruction in a vocational program in high school, which I thought was pretty awesome. In your region, how is hacking seen by the general public? Negative. Is hacking in your region seen as more for crime, hacktivist, nation state, or other? Crime. People seem to feel that anyone who makes something behave outside of how it was designed is automatically committing a crime. These same people during the 40s and 60s spent a good amount of their time working and building hot rods and modifying cars. Exactly.
But now I'm pissed. Now I'm upset. Because I spent all my time in trying to do my research on talking about the diversity of our culture. And talking about what we have that shows us that, and all I found was one common thread. That we're criminals. That we're bad people. I don't like that. It's like, because I've got some news for you. Here are our forefathers. Okay, right here. We are inventors. We are creators. We are artists. We are hackers. Alan Turing, hacker, father of cryptography. Saved thousands upon thousands upon thousands, let's say it again, thousands of lives in World War II by helping break the Enigma machine. A fabulous cryptographer, an artist in his own right with numbers, he was a hacker.
He was socially diverse and stuff in the country, so therefore he was arrested and castrated until he forced himself to commit suicide. That's how his reward was for saving that many people in World War II, saving his country. That was his reward. Nikola Tesla. He was the father of open source ideology. We've lost so many inventions, so many wonderful works of our time because of the fact he didn't want to make money on it. So no one wanted to invest in it. And Thomas Edison had a good game going. You say, because I hate Thomas Edison, but you know, that's beside the point. So it's like, but that's what happened to him. He, his reward. They found
his body two days later, the maid did, in his hotel room where he was basically almost destitute. His only major love in his life that he admitted was a pigeon that he saved in New York City. That was it. That was his reward for being a hacker. Ada Lovelace. You know there's always these debates and stuff you know every three hours or something on Twitter about women in tech? Let me explain my position on it and I'm not debating it, I'm stating a fact. Ada Lovelace was the first computer programmer. Women weren't led into the tech industry. They effing created it. They let men into the tech industry. That's how that went down. So she started out computer programming. She started
how to do that. She was socially awkward and stuff, you know, with her family, which she was disowned. It's like, and she died because the treatment for cancer was what killed her, not the cancer itself. So that's what happened. That was her reward for being a hacker. I would talk about Leonardo da Vinci because he, I consider to be the Uber hacker. I mean, he was like the ultimate artist, creator, hacker. He created a flying machine, an armored car, scuba gear, all back in the day. But I can't talk about him because he died really well. People loved him. The prince gave him a house to retire into. And he was surrounded by friends when
he went. And that doesn't fit my narrative of outrage, okay? So we're going to ignore him. So I see all these people and stuff, you know, and I see... If we came from hackers, if we came from hackers who were inventors and artists and stuff and maybe didn't have liberals, but they had the same goal that we do, why did it change? Why did we become this?
Why is it this? Why is it cartoonish or diabolical? And this is not my perspective I'm talking about now. This is fact. Jeremy Hammond, 10 years for hacking. Andrew "weev" got 10 years, it was overturned, but for directory browsing. When you're in the 90s and you're going to certain sites and stuff, you know, and you're going through the image thing and you like, you enumerated the folder so you wouldn't have to like keep going on the clicks. Breaking the law. Illegal. Not really, but that's what they got them on. We've all done it. It's like Max Ray Butler, 13 years for hacking. Roman Vega, 18 years for hacking. Albert Gonzalez, I'll totally agree with, 20 years for hacking. Okay?
It's like, but you get these sentences, and you think about it like, what justified this kind of sentence? When this occurs, Malik Richmond, one year for rape. Gerhard Becker, one year for involuntary manslaughter of a firefighter doing his duty, doing his job. Trent Mays, two years for rape. Seth Hornberger, three to six years voluntary manslaughter. Means he got pleaded down from actual murder. They could get him on the manslaughter. Jessica Ferreixo, five years for murder of a 23 month old toddler in her charge, bashed his head in. Five years. Half the time for directory traversal. You know why? Because we're hackers. We're the scary guys and stuff, you know, and we think it's so cool to
be all mystic and mystified. Well, guess what, people? When normal citizens don't understand what you do, they fear. What people don't understand, they fear. What they fear, they try to destroy. They don't know how to deal with it. They don't know what it is, so they go after it. And that is not all our fault, but we perpetuate that. But once again, what happened? What happened from this to this? Because 1970s, it wasn't like that. Just 40 years ago, it wasn't like that. Bill Gates and Paul had hacked into a company's accounting file to try and get free computing time. The charges mounted up that they borrowed the computer out of the high school. Gates and Allen began looking for a way to access
one of the free accounts at CQ. They somehow got access to administrator password and used it to steal the company's internal accounting file. Exactly. They broke into the system. Man, they were like, what's that, 30 years at least, right? They got their computer time revoked. They got muted off the computer time. And he founded a multi-billion dollar company. So, you know, that taught him a lesson. And I tell you, I don't do that. I trash all OSs equally and stuff. So what about these two delinquents? It's like Steve Jobs and Wozniak. Wozniak was interviewing saying, offering a guarantee on an illegal product in such a quirky way appealed to Wozniak's sense of humor. It's kind of strange in itself, it's kind of unusual, but I
felt it was worth the joke. Because he actually had a warranty for the blue boxes they sold. Which he admits is an illegal product. The FBI was trying to catch them and stuff, you know, and look in the laboratory to find out and analyze them, because they were illegal products. They sold
devices to circumvent the paying systems and utilities of the phone systems. How many years is that worth? Well, I don't know, but it's like my iPhone 6 is coming out in a couple months. I can't wait, right? That's what they got. That's what happened to them. 40 years ago, that was what was going on. That was what hackers were like. That was what was going on. What happened in 2010? Another young man who had already founded a multi-million dollar company, he already had one, broke into a utility closet at MIT. He hooked up a laptop to the campus network and downloaded four million academic journal articles, most of them in the public domain, from a paid archive to which he
had a subscription. He was arrested and indicted twice on multiple counts of fraud and at a trial that was begun in April could have faced 50 years in federal prison and a million dollar fine. Aaron Swartz was hounded unto his death because he wanted to download subscription files through an archaic system and stuff you know and then release them to the public domain that most of those were in anyway. How does that happen? It happens because we don't know what hacking is. The general public isn't aware. They see this. Look at this.
It's like the freaking Nazgûl, I want to throw a ring on it. It's like, here, go! We have this representation of ours. I've got a computer room and it's pretty cold. I have never needed my hoodie all the way up, or ski mask to do my job. I do not have big frozen coats and gloves and stuff outside my door saying, okay honey, gotta go to work, let me put this stuff on and get going. But this is what they like to represent us. And where do they get this from? Where does the media get this represented? Well, sometimes from us. Israeli hacking school trained cyber lawyers. It's like, look at those guys. I wouldn't make more fun of those,
but I think those guys are the Mossad, so I'm not going to lay off a little bit. So it's like, but yeah, let's just go to the next one. And then we've got this representation. Judging like the hackers are the bad and scary people, we've got Welcome to Cyber U. Raytheon joins with colleges to train the next generation of net ninjas. I'm a ninja, okay? I take offense to this, okay? It's like, but you look at these, these guys are doing defensive work for the government and for corporations, so therefore, they're ninjas. They're okay. They're the cool guys. They're not just scary hacker dudes. Does that not look like every single hacker you see at every single freaking conference everywhere around the ever freaking world? Yes. It's like, look,
I can take a picture of you guys right now and put that in there and it would be interchangeable. It's like, that's what happens. But that's how they're represented. That's how the media changes the storyline. They change the narrative. Because then you've got this guy, Glenn Beck, criticizes watchdogs for promoting hacking. What the heck is wrong with us? First of all, watchdog promoting hacking and stuff, you know, and teaching you how to hack is like Gordon Ramsay's television show is teaching you how to cook, okay? Don't think that's going to happen. Another thing is, the main reason why I put this in here is just for the comedy relief because, you know, Glenn Beck is trying
to talk about computers, which is hilarious and adorable. But yeah, but this is what they want to start off. These are the rally cries that they like to start off with. And so it's all fun and stuff, you know, when you get these representations, but what happens when people get to comment on it? What are the public thinking about it? Well, here we have Sterling Riggs' jerk-off. It's like, and that's the nicest form I can... I use worse language, but there's a child here, there's women, you know, gentle folk. So it's like, I can't say what he is, but he's a jerk off, he's a horrible person. And that's my personal opinion, so if you ever see the Sterling Riggs. He wrote about DerbyCon, and I'm gonna use the
voice that I think that he talks in. I don't know how I feel about this DerbyCon happening at the Hyatt downtown. It's a convention for computer hackers. Sessions include password cracking, Hacker War Games and a lock picking pavilion. Thoughts? And there were some thoughts. Oh yeah, you've got Greg in here going, the LPD and FBI should break the convention and arrest the people who are doing the training. They were in attendance, you idiot. Michelle Perry Richardson, it's scary. Poor Darcy was so scary she could only do an emoticon. Connie goes, I bet no rep. More like employment opportunities. Yeah, there were. Jenny Smith, wow, that's insane. I think this thread is, Sean, what about classes on mugging and car theft? I'm the witty one in the
group. It's like, oh, that's really good. Brandon's like, Sean, that's next week, LOL. Oh, she's cute. Amber, I think it's stupid. You didn't capitalize I. I think you're stupid, Amber. Arrest them all. I kid you not, the targeting ads for the Facebook, you know how Facebook's got those ads on the side? Were for pitchforks and fire.
This is ridiculous. So Iron Geek, Adrian Crenshaw saw this, and then he tweeted out to the Twittersphere, saying, hey, there's this post, maybe some hackers that actually attended DerbyCon should respond to it. And we did.
We like to think that, oh, we flamed them, we schooled them, and we told them, like, yeah. Logical, reasonable debate, thought-out responses to educate the public about what was going on. I mean, we're hackers, so some of them were like, yeah, they were that flame worthy trolling. But you know, the majority of it was an educational opportunity. Mostly every hacker that responded was, here's an opportunity to speak and educate someone who doesn't know what I do and give them the proper facts. So Sterling Riggs Jerkoff did the only thing he possibly could when faced with that kind of reason. Sterling Riggs Jerkoff deleted the whole thread. This is the only evidence that you have of it because I took the
screenshots. because I knew I was going to use it for this slide deck. This is the only record that this thread actually existed. Because it didn't fit his narrative. It didn't fit the narrative of what we wanted hackers to be. The media doesn't want hackers to be that. We're too busy making them scary. And you're thinking, well, that's a horrible thing. And I was thinking that too. But then I found out one important thing. I'm a hypocrite. I mean, I've always been a hypocrite on a lot of different things. And I'm honest about my hypocrisy and stuff, which doesn't make it less of a hypocrite, but I guess points for honesty, right? So I realized that I had been a hypocrite on something. The McDonald's coffee cup lady.
And guess what? You're probably a hypocrite too. Because we see the McDonald's coffee cup lady who gets $10.9 million for her coffee. We're too hot. And we think, what a scam. What do you think? I can't believe she hosed McDonald's and stuff. Now I've got to have, please roll your toothbrush, toothpaste up and stuff properly or cause choking or something. It's all because of her. Right? Is that the story? Is that what happened? Not really. It's like, even though we like to make a, no, let's go that way. Let's go that way. There we go. And we've actually made jokes of it. Which is all fun and games until we meet the hot coffee lady.
She received third degree burns over 15% of her body that required skin grafts. Till we find out that McDonald's served their coffee at 180 to 190 degrees Fahrenheit to make sure it was hot all the way through the ride. Till we find out that all these people highlighted in pink were admitted to the emergency room for scalding from their coffee. Till we find out the fact that she only wanted her bills repaid for the hospital; McDonald's offered her $800 and not even some McNuggets. It's like... That's what happened. And then we find out that that $2.9 million was a calculated settlement of two days of coffee sales for McDonald's. Not even the Happy Meals, just the coffee. And once that was negotiated, she received less than $500,000
for that. For skin grafts, over 15% of her body. She was in a stationary car with her nephew at the time. She wasn't driving. She wasn't in motion. They let that happen. But we like to make jokes about the coffee lady because the media told us it was funny. The media told us this was our story. The media gave us the narrative and we didn't question it. And we wonder why they think hackers are scary and they don't question that. We need to change the narrative. We're intelligent. We know the narrative is wrong. We know
that that's not the story for us. But unlike the coffee lady, we've got a voice. We don't just let things go. We try to change things. And we're doing it. It's like, and I really appreciate that. There are voices out there. There are voices out there coming out there. Thanks for wearing the same shirt, by the way. That's awesome. There are people out there trying to change it. I mean, I like to, I'll pick on Dave Kennedy, because I like picking on Dave Kennedy, because it's like you may have seen him on Fox News, and MSNBC and Fox News and Bloomberg and Fox News and CNN between plane coverage. And you also may have seen
him on Fox News and stuff, you know, and the Katie Couric show, which was a really good episode. Then he was on Fox News doing some stuff on testifying. And then did I mention Fox News? When I see Dave in real life now, I usually try to see a tyrant just like Fox News going right below him every time I see him now in real life. He's just like a hole in the chicken. But he's a great guy. One of the best things about Dave is he admits he's a hacker. He says I'm a hacker. Once his article talked about hacking. It's like we're saying we're hackers, we're here to help. We're hackers, we're here to help secure you. We're hackers, we're here to help educate
you on these issues. That is what is needed. We can let them paint the narrative, we can let them color the stories, or we can start participating in that. And it's not these guys. They're the vanguard of it. But why not you? I say in my bio that I was Time's Person of the Year for 2006. I am 100% correct on that. The other part of that was so were you. Why not be that voice? Why not contact your local news station, your local newspaper? If you've got valid information and you've got the actual information that can help educate people on a topic that's being discussed, why don't you take part in it? It's not like you're just trying to pimp
yourself out and stuff you know and get a name for yourself. You're educating your community. You're helping and be proud of the fact that I'm a hacker, this is what I do. Even if you have to put the ethical hacking in front of it so they're not too afraid, do it. But let them know that you're there to help protect, that you're there to help educate. Because if you don't do that, if we don't have that vanguard, if we don't have those people out there trying to change the narrative, we're stuck with people like this doing it. It's like so many people may not know Brady Evans is the world's number one hacker, or I like to refer to it as the world's number one hacker full
of number two. But he'll be spreading that out for his own game, for his own purposes, and for his own ego. We have to be the voice we want to be or we can't complain about the narrative that's being taught. Because we're not like the local steel union, okay? We're not like a whole bunch of other fields and industries of optometrists or whatever. We are different because we see problems and we try to make them better. We do not let the status quo rest. We actually, for some strange reason, are mostly idealists and stuff, who want to see things better, to see things work different, to figure out how things work and see if we can improve on it.
There's a whole industry of us doing that and we are making changes. Here's blood code. Blood code was a barcode is the name of the nice ginger there. And it's like, and the cool thing about him, well not the cool thing about him, but the cool thing about how it started was he needed blood transfusions cause he was dying. So he received seven blood transfusions like within, I mean full blood transfusions within like weeks of him being diagnosed. So what did the hacking community do? He's like, sorry, dude. He's like, let me like that status on Facebook. Started a blood drive at DEF CON. The very first year it happened was for one day from 9 a.m. to 5 p.m. By noon, the lady who was organizing it
was in tears. The reason being is because she had to spend the whole rest of the day after 9.30, she had to spend the rest of the day telling people there was no room for them. They were already booked up by 9.30. They were booked up through 5. She had never seen that kind of outpouring. She had never seen that kind of response from any conference, any convention she's ever done in Vegas. The second year we did blood code,
the state's largest blood drive in history, the state's history, was at DEF CON. She was really touched by that as well. Also, I mean, just for full disclosure, the Ninja Party was giving out invites to people that donated. So that might have been a contributing factor. Okay, possibly. But then what happened on the third year, last year? Zero giveaways. Zero gimmicks. Zero Ninja Party invites. The second largest blood drive in Nevada State history. That's what hackers do. I mean, of course, there's a lot more people now that are buzzing around and after getting blood transmissions, but it's like, but that's what hackers do. Okay? We see a problem, we try to fix it. You've got Johnny
Long here and stuff, you know, not only doing a mission in Uganda and stuff, you know, and trying to help that surrounding area, but he also does logistic support and computer support for other people, for other charity organizations, for other aid organizations in that country. It's like he's being that support guy. He's that tech support people. I love the fact that his shirt is actually, you know, says I hacked charities on the front because then people look at you and go like, how dare you? How dare you do that? And I'm like, no, no, no, no, that's a good thing. It's like, it's like, you need to explain that and stuff, you know? So, and also just to show you that I don't want to be, believe
this or not, being contributing and being a charity and being someone that wants to do good and being a hacker and student that has that ability to want to change the world and make it a better place isn't actually reserved for Christian Americans. It's like, this is China Eagle here, this guy in the middle. It's like, you may know the name China Eagle from Titan Rain from 2003. Yes, that actually is the same China Eagle. And it's like, but you know what else he is? He's the Johnny Long of China. He has created a whole program of actually putting computers in schools in Western China, in the desert rural areas and stuff, you know, the non-city areas. He's been putting computers into those school systems.
He hates cyber criminals. He helps consultants stuff, you know, with law enforcement and stuff, you know, to help put the cyber criminals in China in jail because he's a patriot. He believes in, you know, his country and he believes in being a... And that's another thing that gets funny, especially talking about in America because it's like, we love patriotism until we realize that other countries can have that too. And then it's like, wait, that's not so cool. It's like, but he is a honest, upright, charitable human being and stuff, you know. He's just a patriot for... the country that he actually was born and raised in for some reason. So that's how that works. It's like our world is complicated, our world is confusing, but as hackers, we have
something that does unite us. The ability to try to do something and make things better. And we have to pretty fast, because believe it or not, we're having offspring and stuff, you know? It's like, I mean, it surprises me well sometimes, and two of those are mine. But it's like we're doing that. We're actually having, there's a young gentleman in the audience today. It's like, what do you want to leave your children? What legacy do you want to leave on that word hacker? 40 years ago, it was destroyed. How long is it going to take to bring it back to where it's something that your children can say with pride that they're a hacker? One of the proudest moments of my life was going to my daughter's elementary
school, holding her hand through the hallway, and a child comes up, and my daughter looks up at me, and she says, this is my daddy. He's a hacker. That was one of the best moments of my life. Because she said it with pride because she meant it and that's what she thinks a hacker is. She thinks a hacker is someone that does something different and helps protect people. When are we going to let the rest of the public realize that? Because one other key thing, oh we're mystic, let me put on my hoodie and my wizard robe and hat. No, that's not it. Hacking is who we are. It is human nature. Stop thinking that this is a skill set that you acquired, that this
is something that you've learned and you've earned. I got news for you. It's not. It is in our DNA. A group of boxes were set out in front of a village in Ethiopia, unopened, with Android Xoom tablets in them. Within five months, the children had opened the boxes, figured out how to work the operating system without ever seeing English, and they were able to circumvent the controls, get the cameras re-enabled and the parental controls unlocked from the devices. They hacked the Android system, operating system, to get what they wanted. That's hacking. That wasn't taught. That was ingrained in who they are. That is who we are. Five-year-old kid wanted to get into his dad's Xbox account, couldn't do it. So what
did he do? Oh, he was able to bypass security using a Microsoft flaw that needs to be patched. That was not something. He did not take the CEH course, which is on the right level for a five-year-old. He didn't do that. Okay? Okay? He did it because he wanted to get something done and he needed a way to circumvent something and do something that wasn't supposed to be done. It is in our DNA. Every human has the ability to be a hacker. Why don't we let them know that? Why don't we show them that? Why don't we stop trying to be the villain they want us to be and start showing them why they are like us and
why we are the same and how we can help them be more like us? Because we are not an industry. We are a community and we are all connected. And if you don't believe that, by the transitive power of Kevin Bacon, we are only two awkward hugs away from him, thanks to Oliver Stone. Okay? So we are a community, people. This is not a union. This is not an industry. I will still always think of this as a community. I do not have a job. I have a passion that I get paid for. And that's what we should all have. So this is the wonderful time where I get to actually get some more doctors.
That's my solo head thing. It's over. I'm done.
Any questions? Let the Randy man get off stage now. Okay, cool. I'm good.
Real quick before I get rolling, give a shout out to the B-Sides Asheville organizers and volunteers. So let's give them a hand.
I gotta give a shout out for the local group I belong to, MISEC. It's the Michigan Local Security Group. And of course my boys in Hi-Hack Society, there's a couple of us here. So a little bit about me. I'm Jimmy Vo and two of my coworkers. I am not related to Wang Dong.
What's with this handle though? Ugly Gorilla. That's a terrible one. It's still better than Wang Dong. It is. It's like, I don't want to even go there. Ugly Wang Dong. So anyway, a little bit about me. I am Brazilian Jiu Jitsu Blue Belt. So I will triangle choke anyone. In addition to that, I am a Muay Thai practitioner. So if you do know me, I talk about round housing stuff a lot. I can throw a roundhouse kick. So I've been training MMA for about seven years. I fought in the cage once. And I typically talk about it a lot, especially when I'm on a date, but I leave out the fact that I lost. To
be fair, the guy who beat me is, I think he's the champion for my weight class. So I do work when I'm not punching faces and choking people out. I focus on SIEM and security monitoring, and I do assist on some of the pen tests. So, my talk today is called How to Win Friends and Influence Hackers. It's sort of cheesy, a lot of people were trolling me about it, but it's an obvious title-jacking of Dale Carnegie's book, How to Win Friends and Influence People. If you have not read that book, I would definitely read it. Has anyone read that book here? Okay, so definitely read it if you have not. So today I'm going to talk about basically a
combination of psychology of personalities in information security and sort of my approach for winning friends and influencing people in the information security community. And I do want to put a disclaimer out there, I do not have a psychology background. So this is some collective research that I've done. And it's adapted from my B-Sides Chicago talk. I refined it down a little bit and now I'm here. So why do we care? This guy obviously does not care. So there's two reasons why I wanted to give this talk and why I thought it was important from my perspective. The first reason, and this talk is sort of geared to, it's applicable for anyone, it's more targeted to people trying to get into information
security, but hopefully everyone can get something out of it. So the first reason why I think this stuff is important is because of networking opportunities. It goes both ways though. We think networking opportunities is how can someone help me, but really it's about how can we help other people in the community. So let me share a story. So I was a little bit tired of my previous job. I was in sort of IT ops. I wanted to get into security. So I saw someone posted on Twitter about a job opportunity. And I hit the person up and said, hey, I'm interested. And this individual said, shoot me your resume. By the next day, I had a recruiter call me, and it
was pretty interesting. It kind of blew my mind that I was able to kind of circumvent the traditional HR process, applicant process. I'm actually at my current job right now because it's kind of funny, but it's from Twitter. So that's the power of networking and why influencing is important. The second reason, the more important reason is we face big challenges today as a community. We joke about it, security's hard, right? Just a little bit. And the best way to face huge challenges is working together as a community. So the second reason why I created this talk was to build a strong community. And this is from understanding each other and working together. we have a very strong
community today, I would say. And with anything, there's always room for improvement. So let's talk about the foundation of my talk. So I mentioned personality type stuff. And I had a talk with Dave last night, so he's going to be talking about some Myers-Briggs personality type stuff. And that's sort of the foundation of my talk. He has this awesome sheet. Did everyone get one of these? Yeah, I should have got them at the registration desk. So this is awesome because I'm going to talk a little bit about the Myers-Briggs personality types. And again, it's the foundation of my talk because if you want to influence people, you have to understand them. Not everyone's going to have the same personality as you. So let's get rolling on
the personality types content. So I use Myers-Briggs, like I mentioned. There's a lot of familiarity with it, a lot of research. A lot of people tend to know their Myers-Briggs personality type. I totally understand that there are some criticisms. To me, it's kind of a challenge to identify personality types because there's 16 of them. I talked to a buddy of mine who uses insights. Is anyone familiar with insights? There's four colors. It's a little simpler, but I'm definitely gonna look into that. So I created a survey. I was interested to see what personality types were in information security. The survey was four short questions. Do you know your Myers-Briggs personality type? What is it? Your job title. And
any additional comments were, I got trolled to hell. So there are 81 people who responded with their personality types. A bit of a small data set, so I can't really say that represents the whole community, or the whole information security industry. So I'll share some of the results from that. And again, the reason for this is understanding people helps frame your communication. And that's key to influence and winning friends. So today I only have time to talk about the top four personality types, Myers-Briggs personality types. There's 16 of them. And I just am encouraging everyone to read up on it. And again, this sheet is awesome for that. So definitely read this.
So I have a lot of puppies in my slides. I love dogs. So if you don't like dogs, I've never met a person who doesn't like dogs. You need a dog person versus cat person personality type. Yeah, I should do that. So let's talk about introverts and extroverts. And before I did this research, I had a big misconception of what an introvert is and what an extrovert is. I thought introverts didn't like talking to people, extroverts did. And that's not totally true. And it's interesting, it's about where you get your energy. So let's talk about introvert a little bit. They tend to think before they act, they create solid ideas, they feel comfortable being alone and doing things on their own. And they need time to recharge after,
typically after a social interaction. It's funny, my boss will actually block half an hour chunks in his calendar after any type of meeting. That's how much of an introvert he is. So on the flip side, the extroverts. I guess the extrovert is this puppy. So they tend to get energy externally. They get energy from being active at events like conferences or just talking to people. Excited to be around people. They'd rather talk a problem out loud and hear what others have to say. They tend to have a wide range of friends and they're very comfortable in groups. So what do you think the split is in my data set from introverts to extroverts? Any guesses? More introverts. More introverts. So
according to the Myers-Briggs personality type, the first letter in the Myers-Briggs personality type is I or E. So that's how I came up with the introversion to extroversion data. As you can see, 66.6% of my data set are introverts and 33.3% are extroverts. That's not too surprising. Does anyone have any theories why? My theory is security people tend to be very analytical. They look within for answers. I saw this interesting...
So I'm not going to read them all off, but some of them respect their independence for an extrovert, offer them options, make physical and verbal gestures of affection, give us hugs. And introverts, so they're a little bit different. Respect their need for privacy, let them observe first in new situations, reprimand them privately. And this one is big. Respect their introversion. So don't try to make an introvert an extrovert. And that's key.
So let's talk about some of the Myers-Briggs personality type stuff. I'm going to talk about the four that are highlighted. And you can see there's some grouping. And then there's the outlier. So.
These are the top four personality types in my data set. So we have INTJ, ENFP, ENTJ, and INTP. What's interesting, the interesting thing about these top four personality types is these four make up 54 of 81 personality types in my data set. So if you do the math really quick, it's 66%. So, these personalities represent my data set of 81 people. My theory on that is security attracts a certain personality. I'm a big believer that not everyone can become a security person. It requires a certain way of thinking and passion. Now, I'm not trying to be mean. It's sort of like not everyone can be an accountant. I don't know if anyone wants to be an accountant, but that's the
point I'm trying to make. So when I gave this talk the second time, people wanted context for this data. So I found an awesome research paper that analyzed personalities in software engineers. So let's take a look at that data. So the puppies again, the introvert and extrovert puppies. In the red are software engineer numbers for introversion and extroversion. So the gap is a little bit smaller but it's still prominently introverted, so 57% to 43%.
These are the top four personality types within software engineers. So we have ISTJ, ESTJ, ISTP, TP, ESTP. It's interesting that they're all STs, but I won't go too much into the software engineer personality stuff. I just wanted to lay out some context of a different group of professionals. So let's talk about NTs. The NTs, there's three NTs, three or four NTs, so we'll talk about them a little bit. So what the NTs represent, or what that middle, what the middle of the Myers-Briggs personality type is, is the temperament. So they're known as the rationals. They're called the problem solving temperament. This makes total sense of why they dominate sort of the data set. Some of the
core characteristics for the NTs are pragmatic, skeptical, self-contained, and focused on problem solving. However, I never met a skeptical information security professional. Some other characteristics, they're ingenious, they're independent, and they're strong-willed. Take a look at a pen tester: they get dropped in on a client site and do what it takes to accomplish the goal. And some more characteristics about the NTs, they trust logic, they yearn for achieving, they seek knowledge. And I mean, seek knowledge is big, that's why we're all here. So let's talk about the top four personality types in the data set that dominated the results. So INTJs.
There are 30 INTJs, so there's 37% of the data set. It's interesting because they only make 1% of the general population. They tend to be very highly analytical, creative, logical. They're aggressive for new concepts and knowledge. So, I mean, all of us, constant hacking, learning, reading, attending conferences, trying to be better every day. And they're stimulated by difficult problems. And again, security's hard, right? So breaking into hardened environments, it's difficult. That's the challenges that sort of drive the INTJs. The ENFPs, I'm actually an ENFP. I'm also a Flyers fan. And this is ironic because they're known as the champions. And the Flyers have not won a Stanley Cup in like 40 years. So they're known, again they're known as the champion, they make
about 11% of my data set and they tend to have strong people skills. They relate well to others, they're empathetic and caring. Tend to be disorganized, I'm extremely disorganized. They're capable of doing anything they're interested in and that's sort of why I think I'm in security. I am not an ENTJ but I was very interested in security so that's where I kind of fell in. Some of the job titles were interesting. ENFPs. There were some directors, CSOs and other leadership job titles in the data. So we have ENTJs. They made 9.8% of my data set. There's more puppies. Their style is known as commandant. They're known as strategy leaders and they're motivated to organize change.
They're pushing for change in their organizations or if they're consultants, their clients. ENTJs excel in logical reasoning. They enjoy the process of discovering and implementing a better way. And I mean, that's what we do every day. We try to improve security either with our companies or with our clients or within our community. And the last personality type is the INTP. So they're known as the architect and they make up 8.6% of the respondents. And they see how things can be improved or what they can be turned into. There's security architect, even job titles.
So how things can be improved. So we look at a pen test report or something. We show recommendations on how things can be improved. They tend to primarily live within their minds. They focus their energy internally. That's sort of the introversion piece of them. They use analysis, identifying patterns. And they come up with logical explanations from within. And they tend to value knowledge above everything else. And they tend not to lead or control people. So this stuff is key, the personality stuff, because if you talk to an INTJ, they value knowledge, above everything else or logic. So if you try to pull their heart strings, it may not be effective if they're looking for logic. And again,
the sheet that Surfer Dave came up with talks about all this stuff. So definitely read it. It'll definitely help you frame communications to different personality types. So let's segue into... sort of my approach of how I win friends and try to influence people. So personality type stuff was the foundation and the house is my approach. So again, I am an ENFP, so most of this stuff will most likely not work for you. So you're probably thinking, well why is he up here talking? This is sort of a call to action. Find your own way for sort of influencing people within the community and outside the community because it's important. And that's how we create change. That's what Jason was talking about. That's how we create change. So I'm
going to focus some stuff that I do. I use Twitter very heavy for networking. And why Twitter? This thing just freaked out on me. It's cool. people disconnecting from the live stream.
So why do I talk about Twitter? I found it really effective for me. I want to genuinely connect with people and I want to learn from people. My colleague Scott Thomas gives an excellent talk about learning from others. So this is why it's important to connect with other professionals within security. We can't just do our own thing and not talk to anyone. So the first piece of my approach is building my brand. Yes, Brown House as a Service. So that's important. So I do not have two Twitter accounts. I see a lot of people with two different accounts. I don't roll like that. What you see is what you get if you follow me on Twitter. I focus on keeping it real. I have four LinkedIn endorsements for
keeping it real. So if you are connected with me, feel free to endorse me in keeping it real, roundhouse kicks, and various other things. The thing is there cannot be a discontinuity on your online brand and your actual brand. This isn't a problem if you're keeping it real. The only caveat to that is your reputation management goes up if you only have one account. And
your brand is important, so ability is definitely important for people who are looking for security jobs. Your ability is definitely important, but how you are as a person, how you fit the company's culture is even more important in my mind. And the only problem with Twitter and social media is it's a great way to broadcast negativity. I try to avoid it at all costs.
The second approach I do is I turn into a dog and I put my hand on another dog. So it's being personable.
So Dale Carnegie talks about a principle that's in his book, How to Win Friends and Influence People. It's be interested. Get to know people. Get to know their interests beyond security. I mean, we're all here because we're very interested in security. But don't stop at "what do you do in security?" Get to know that. Like I know Bill loves moonshine. Yeah, the more legal the better is my philosophy.
Yeah so and it's funny because people talk about their cloud scores, I'm like, why do you care about that stuff? What I care about is how well I know people. And that's sort of how I measure that stuff. So next approach is situational awareness in guys with guns. I break this out in two parts. It's emotional intelligence. So how do you define emotional intelligence? It's the ability to empathize and to hope. How I define it is knowing how someone will feel in response to what I do. And the second part is knowing what's going on with everyone at all times. So that's situational awareness. So what do I mean about that? And it's kind of strange that
I even have to say it, but I tend to focus heavy on it. If one of my security buddies has a new job or just married or got a new puppy or something, ask about it. That's what's important in influencing and building better friendships. The last thing that I really focus on is avoiding the battles. And I mean, we never see drama in security, right? Not at all. Not once. Dale Carnegie says, don't criticize, condemn, or complain. And that's key. Drama may be entertaining. Whenever there's drama, we post pictures of popcorn, and we're like, yes, drama. But is it constructive? I don't see much constructive feedback when people are going off on each other. I think feedback is
important, but criticism without feedback is not effective. So what I'll leave it at is avoid the battle, win the war. So our war is facing security challenges, building a strong community, and working together and teaching each other. So that's all I have today. So we have a little bit about personality type stuff and a little bit of data. I'm going to continuously build that data set. I need to release it. I keep saying that I'll release that data, but I get lazy and don't do it. So I'll do that. And then sort of my approach. So my call of action is build your approach for influencing and making friends within the community. Give someone a hug today. We'll be lining up to get awkward hugs.
So my contact information, I'm Jimmy Vell on Twitter. Shoot me an email if you have any questions or feedback, jimmy at roundhouse.in. I'm Votek on Freenode. I hang out in the MySec room in the Hi-Hack Society. Thank you.
Good home.
Okay. Give y'all guys a chance to crawl over couches and get all settled.
I handed out, just before I started, I handed out a couple of keypads. If anybody wants any more of these, give that a try. Just raise your hand and I'll throw some back there. And that way,
you would just pass these.
That way you got one of the blue sheets. What you're actually looking at on the little sheets that were passed around was an actual one-time pad. And a one-time pad has been around since about 1917. And it's just a very simple cipher, very, very easy to use, but was actually used in the Cold War and even later on. And it turns out it's got some pretty cool characteristics to it because, mathematically, when you look at this, every character is not related to any other character. So from a cryptography standpoint, it was a great thing to have because there was no relation. They would actually build small little one-time pads of these keys, hide them in all types of things, microfilm, microfiche, all types of places, hand those out,
give it, you know, one spy would give to another, and then they could use one sheet at a time and actually brought, this one's actually huge. It's really big. But if you look at it, you know, it's got the numbers on here. They would use one sheet at a time and they would pull it off, eat it, burn it, do something with it to destroy it because the only thing that makes this not safe is to actually use the pad more than once. And so the cool part about this is, you know, I got to looking at that and it's a great thing if you're just getting into cryptography, just looking at cryptography. One time pads, great thing to look at because it includes all of the
important things about cryptography. It includes key distribution, how important randomness is, cipher. It includes also everything about the actual algorithm and everything else in there. Plus you do cool stuff like this. Because what I actually did was, I actually kind of took my Raspberry Pi at home. It actually has a hardware random number generator built into the arm. Unlike most random number generators that are all mathematical in nature, this actually uses quantum tunneling. That sounds really cool, doesn't it? But actually it's just some electrons jumping around, kind of acting a certain way. They're both random and not random at the same time. And so with my Raspberry Pi, I actually generated a couple million bits. I wrote some quick,
oh, I gotta tell you right now. If there are any Pythonistas out in the crowd, if we got anybody who's really, really sickers on this, don't be looking at my Python code. Just assume it's good, okay? If I see someone pass out, I'll know exactly what to pass out from. So I took my million bits, broke them out five bits at a time, made up my own alphabet, generated a bunch of these pages, slapped it in a book, and that's what you were actually looking at. So if you're looking for a project, that's a pretty neat little thing to play with and talk about. And there's also, if you really want to geek around with this, there's actually a movie out called The Numbers Station. It's actually
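The pad book the speaker describes, as an added example that is not the speaker's own code: random bits cut into 5-bit groups over a 32-symbol alphabet, paged into sheets, with a sheet removed from the book the moment it is used so it can never be used twice. The standard library's secrets module stands in for the Raspberry Pi hardware RNG, and the alphabet, sheet length and sample message are constructed assumptions.

```python
# Added example, not the talk's code: a one-time-pad book in the style the
# speaker describes (5-bit groups, a home-made 32-symbol alphabet, one sheet per
# message, sheet destroyed after use).
import secrets  # stdlib CSPRNG; stands in for the Raspberry Pi hardware RNG

# Constructed alphabet: 32 symbols, so every 5-bit group maps to exactly one symbol.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ .,?!-"
assert len(ALPHABET) == 32
SHEET_LEN = 50  # symbols per sheet (constructed value)


def bits_to_symbols(data: bytes) -> str:
    """Cut a byte string into 5-bit groups and map each group onto ALPHABET."""
    bitstring = "".join(f"{b:08b}" for b in data)
    usable = len(bitstring) - len(bitstring) % 5  # drop the leftover bits
    groups = (bitstring[i:i + 5] for i in range(0, usable, 5))
    return "".join(ALPHABET[int(g, 2)] for g in groups)


def make_pad(sheets: int, sheet_len: int = SHEET_LEN) -> list:
    """Generate a pad book: `sheets` sheets of `sheet_len` random symbols each."""
    needed_bytes = (sheets * sheet_len * 5 + 7) // 8
    symbols = bits_to_symbols(secrets.token_bytes(needed_bytes))
    return [symbols[i * sheet_len:(i + 1) * sheet_len] for i in range(sheets)]


class PadBook:
    """Holds the sheets; taking a sheet 'burns' it, so reuse is impossible."""

    def __init__(self, sheets):
        self._sheets = list(sheets)

    def sheets_left(self) -> int:
        return len(self._sheets)

    def take_sheet(self) -> str:
        if not self._sheets:
            raise RuntimeError("pad exhausted: issue a new pad, never reuse a sheet")
        return self._sheets.pop(0)


def _index(symbol: str) -> int:
    if symbol not in ALPHABET:
        raise ValueError(f"symbol {symbol!r} is not in the pad alphabet")
    return ALPHABET.index(symbol)


def encrypt(plaintext: str, sheet: str) -> str:
    """Add key symbols to message symbols modulo 32, one key symbol per character."""
    if len(plaintext) > len(sheet):
        raise ValueError("message longer than the sheet: it needs another sheet")
    return "".join(ALPHABET[(_index(p) + _index(k)) % 32]
                   for p, k in zip(plaintext.upper(), sheet))


def decrypt(ciphertext: str, sheet: str) -> str:
    """Subtract the same key symbols modulo 32 to recover the message."""
    if len(ciphertext) > len(sheet):
        raise ValueError("ciphertext longer than the sheet")
    return "".join(ALPHABET[(_index(c) - _index(k)) % 32]
                   for c, k in zip(ciphertext, sheet))


if __name__ == "__main__":
    book = PadBook(make_pad(sheets=3))
    sheet = book.take_sheet()              # one sheet, used once, then gone
    ct = encrypt("MEET AT NOON.", sheet)   # constructed sample message
    print("sheet     :", sheet)
    print("ciphertext:", ct)
    print("recovered :", decrypt(ct, sheet))
    print("sheets left in the book:", book.sheets_left())
```

Both parties need identical books and must agree on which sheet a message used, which is why real pads numbered their sheets; the book here simply consumes them in order. Everything the talk lists as the important parts of cryptography shows up in these few lines: the randomness source, the key distribution problem (getting the same book to both ends), and the single rule that keeps the scheme safe, one sheet per message.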
got something to do with one-time pads, but it's not that great of a movie, but hey, you need to see it. Actually, my name is Ron Parker. I'm here to talk about when to use and really how to use cryptography. If you came in as a cryptographic expert, you'll leave as a cryptographic expert. Otherwise, don't expect much, honestly. You know, just this is what it is. I'm actually in insurance business. I've been in insurance business for about 20 years. I'm security architect for a Fortune 250-something company. I've got 12, 15 years experience of security and risk management experience. And so that's kind of my background, a lot of programming, a lot of that kind of stuff
in there. And I do have to reach down for my water bottle there. And so this short talk, we're gonna actually talk about cryptography. It is foundational. When we look at our jobs and what we do every day, a lot of times we worry about physical locks. We got guys back in here breaking locks. We've got guys working on blinky boxes. We got other people doing all kind of stuff. So at the end of the day, really, the only way that you could really protect your data is to add some of this at that data level. Because eventually, they're going to get past the blinky boxes. They're going to get past the lock doors. They're going to get past all those things. So eventually, cryptography comes into
play in what you're doing. So obviously, the next thing that we need to talk about and look at is cooking. Because years ago, I figured out I like to eat. And I figured, you know, along with that eating, I also figured out that, hey, if I cook, that goes with eating. So I really do enjoy cooking. And so one of the things that I really, you know, one of my favorite dishes, and this is kind of what we're going to go through, you know, one of my favorite dishes actually just has three simple ingredients. Three. It actually has milk, it has flour, and actually has lard, of course. And so those are my three simple ingredients for my very
favorite dish. And if you look, you know, what all can you do with those types of things? So we could look at those three ingredients and go, hey, Ron would really like... No, no, that ain't happening. You know, that's no good. That's not what we want out of those three simple ingredients. You know, I'm talking about the sky opens up, rainbows appear,
Yes, you guessed it. Gravy and biscuits. Look at this. What we've got is gravy. You actually make gravy. Now think about this. You put grease, flour, milk in a pan, and you stir, stir, stir, you have gravy. To make biscuits, I turn around and take flour, grease, milk, I put in a bowl, I stir, put in an oven, and I end up with biscuits. Then I take and put those two things together and I come up with this spectacularly amazing dish. It's that good. So what we've got to look at is these were simple ingredients. These were three simple ingredients and I used them a certain way, put them together a certain way, came up with a certain result. And that brings us to our problem.
when we really look at our problem, when we're starting to talk about cryptography, is that I've got no easy guaranteed results by looking at the ingredients. If you were to look at cryptography, I've got all these simple primitives, I've got many simple ingredients, many simple tools. You know, I could go through there and point out all these tools, all these simple things, but the problem is result that I get may not be what I want. It may not be what I expected. So when we're talking then, do we know what we want from cryptography? You know, can you go and describe to the person next to you about what your desire is or your end result or your expected result
is? Are you using the same terminology? Do you have the correct tool? Now the tool conversation has totally changed in the last couple of years. You know that the whole, you know, just in the last couple weeks, we can go backwards and talk about what happened to TrueCrypt, the NSA, RSA. You know, we can kind of back our way through all this, and we're not even too sure about the tools we're using. So there's a lot of things we need to look at with tools. But even if we assume that all that's okay, do you know the proper steps, the proper order to put those in? Just like the gravy and biscuits dish. you have
the simple ingredients, do you know how to do that? So we're going to look at a really quick, really quick demo here to actually take a very simple case of, you hear this all the time, how do we look at passwords really quick, store those passwords or the hashes of those passwords, and then figure out and verify those. And I'm just going to look at a small piece of this because that comes up all the time. How do you safely store a password and check it later on? So, a quick 17 screens later. I'm going too fast. It's danger, danger. There we go. So what we're going to look at is, we're going to look at a piece
of code here. And once again, don't... Don't look too much. I want to make sure that's there. So you go out to your local crypto closet and I apologize. It is a demo. What's the next word in the dictionary past demo? Disaster. You're right. They come really close. They come really close in the... There we go. I was kind of nervous and typing ahead of myself. So I go to my crypto closet and I go grab a hash that I'm looking for and that particular hash happens to be SHA256. What is that? That's a really, really good hash. Returns a 256-bit hash that I can, so I can basically feed it information and it's going to give me that hash back. It's approved, it's a good one to use,
and it just seemed like the right thing to do. So I'm going to go pass it my password, I'm going to create that hash, show you what it is just to give you an idea. Then I'm going to go do that a thousand times. Is that pretty straightforward? I think so. So let's start again. There it is. There's your actual hash that came back from the password. And there's a thousand of them. So what we did is I also didn't mention, I did solve that in a very poor way by adding the number to the end of it just so they'd be different. But that was a thousand. You look at that and you go, well, it worked. I have hashes of all my
passwords. Everything looks good now. I'm great. No. Actually, this is bad. This is really bad. The reason it's bad is, look how quickly I just ran through a thousand of these in this very slow language displaying them on the screen. This isn't a good algorithm to use if you're trying to prevent people from going through your database and trying to determine and guess your hashes. Because it's so quick, It allows me to use a graphics processor. It allows me to use other pieces to fly through these at billions of them a second. So, great primitive really works, not the one I should have used. So, let's go look at another one. This happens to be bcrypt. I just picked bcrypt. There's a
couple more out there. You know, you could use different ones. Same thing. I'm going to take bcrypt and... generate a salt, generate a hash because that's the way bcrypt works. I'm going to show you what that is. Then I'm going to generate 10 of them. 10. Just 10. Not thousands. So there's the first, you see me again.
So there it is. And if you'll notice, the first line is the salt up there. The way it looks is the first two letters, the 2a is actually bcrypt's algorithm. The 13, the next past that, is actually the cost of this. So I can actually adjust how slow I want bcrypt to run. I can say how computationally intensive I want it to be. The next 22 characters or so is the salt, then the rest of it's the hash. So now let's generate 10 of those. Are we ready? There we go. Now looking at this, this is 10. Very slow, glacially slow. And if I was a hacker trying to come into a database trying to look at whatever it is, I
can't fly through millions and billions of these a minute. So knowing the right algorithm to pick, even though both of these were primitives, both of these were simple to use, very important. You may have both of these at your disposal. Which one you use makes all the difference in the world. Which one's the first one? It was just a SHA-256, just the normal everyday government approved. And how do we win the argument with our developers about performance on web servers? There is a trade-off. So that's why we have to do performance testing. And you have to have a discussion with whoever's gonna be your security SME, right? You gotta look at your subject matter expert
and there has to be a trade off. Because what you'll do is you'll adjust that 13 and maybe it needs to be eight, maybe it needs to be 14. It's actually an exponential number so you have to be careful. If you go to 14, it may take, depending on the hardware, it could be minutes. So that's a discussion. And we're back up.
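The two-step demo just described, as an added example that is not the speaker's demo code: the fast unsalted SHA-256 version beside a salted, tunable-cost version, plus a rough hashes-per-second measurement of each. It uses hashlib.pbkdf2_hmac in place of bcrypt so it runs on the Python standard library alone; the stored-string format, the cost parameter being a log2 work factor (iterations = 2**cost, so +1 doubles the work, as the talk says of bcrypt's cost), and the sample passwords are assumptions.

```python
# Added example, not the speaker's demo code. PBKDF2-HMAC-SHA256 stands in for
# bcrypt; the 'cost' is a log2 work factor so it behaves like bcrypt's.
import hashlib
import hmac
import os
import time
from typing import Optional


def sha256_hash(password: str) -> str:
    """The 'grab SHA-256 from the crypto closet' version: fast and unsalted."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, cost: int = 12, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as 'pbkdf2$<cost>$<salt hex>$<digest hex>'
    (constructed format, modelled on bcrypt's '$2a$13$...' string)."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return f"pbkdf2${cost}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    scheme, cost, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown hash scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 2 ** int(cost))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def rate(fn, seconds: float = 0.2) -> float:
    """Rough hashes per second of fn(): the figure the talk eyeballed on screen."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # The thousand-hash loop from the demo: same input, same output every time,
    # so two users with the same password share a hash and there is no cost knob.
    print("sha256 :", sha256_hash(pw))
    stored = slow_hash(pw, cost=12)
    print("slow   :", stored)
    print("verify ok / wrong:", verify(pw, stored), verify("wrong", stored))
    print(f"sha256 rate ~ {rate(lambda: sha256_hash(pw)):,.0f} /s")
    for c in (10, 12, 14):  # each step doubles the work, as the talk warns
        print(f"cost {c} rate ~ {rate(lambda: slow_hash(pw, cost=c)):,.1f} /s")
```

The loop at the end is the performance test the speaker says you owe your developers: run it on the hardware the web server will actually use, pick the largest cost the login path can tolerate, and record that number in your standards so the next person does not have to guess.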
and it's even changing, that's amazing. So the recap here, really looking at this is, cryptography primitives are easy to use. That's the big deal. The problem is, implementing cryptography, as everyone tells you, is actually hard. And that's what we can't take casually. So we actually need an approach to this. We need a way to come at this that will help ensure where we're going. So what we want to look at then, is how do I get to explicit results? When I was talking about the biscuits and gravy earlier, I had explicit results in mind. I was not looking for a cracker. I was looking for biscuits and gravy. So when I'm looking at that particular approach, we have to think, what does it matter about the
explicit results? How do I get there? So going back to cooking, when you hear someone say cut, well, you normally say, cut what? And of course, you come back and say, well, cut carrots. Makes perfectly good sense until, you know, if you happen to have some cooking skills, you may step back and look at that and think, what did you mean just there? Did you mean to dice, slice? What would you mean, am I supposed to do it in those dice, you know, small chop? Well, how was I supposed to do that? We can't really ship a naughty carrot, but you can do the room laws down there, but what, what did you mean when
you said that? The problem, we need, we need to be more explicit. Being more explicit with cryptography is actually a good thing. So we need to look at the vocabulary, the context, and information gathering. We need to, as a group, if you're dealing with cryptography, you need to sit down and think about where's this coming from? What's sending it? What's the target of my cryptography? Is it a message? Is it something else? What are the mechanics of the algorithm? What are the different mediums or states that it's at? Is it going to be transported? Is it going to be at rest? Is it going to work? And then finally, the recipient. And we have to think about the specifics of things like, do I need to
authenticate the recipient? Do I need to authenticate the sender? Does the integrity of the message matter? You know, all those things matter. And we need to have a vocabulary amongst ourselves and amongst our group. Otherwise, if we miss one of these important attributes, we could be just, you know, you could be totally off. You could get a cracker instead of your biscuit. So when we hear this, we hear things like, from our business, I work in a corporate environment, so I hear things like, I need to protect my data. That needs to be private. You hear that all the time. The service provider must encrypt all non-public data in transit to the, I'd never hear
that. That's the state of Delaware. That has nothing to do, you'll never hear our people say that. So what do we do? We actually need to take, vocabulary that we talked about a minute ago, those attributes, and we need to put what the business or what our customer or what our project is saying, we need to put it in context and really map it to these things. And that's not a casual thing. It's actually kind of hard. And we don't spend enough time thinking about that. We may just take the word secure it. Well, that's no good. That doesn't actually tell me what to do. It doesn't tell me what tool to use. So you
think about it. How many times have you seen one of these? Every time that you sit down at a restaurant, what happens? Not every time, because sometimes you're driving through and you're like, yes, I want fries with that. But I mean, sometimes when you actually go in and you sit down at a diner, you've got someone who comes out and they give you a menu, you look at a menu, then you start rattling off all this crazy stuff you want, eggs over easy, not this, not that, and they're writing. But what they're writing is probably not what you're saying. They have their own notation. And everyone in that kitchen knows that notation. And so the
important thing is when they walk away, that they know their requirements, but those requirements have to be in context and have to be ready to be used. So for us, we need to be gathering this. It doesn't matter whether you are an Agile shop or a whatever shop. If you're using story cards or napkins or use cases, whatever you're using, you need to have some method gather those requirements and make it consistent from time to time. So when we do look at it, at the end of the day, we can say, I have explicit requirements. I can say, I want you to julienne those carrots. No question about what I meant. So explicit requirements as part of an approach to explicit
results. Sounds very simple, hopefully. So
Moving forward, now that you actually have those requirements, what does that mean? You may have tools. The tool may be bad, may be good, we don't know. Your industry, I happen to work in a regulated industry, that means everyone is my boss. Every state government, every federal, whatever is my boss and I have to listen to everything they say. I have to look at what does the industry require. If you're in the federal government, you've got NIST and FIPS and FedRAMP and all these other pieces to look at. You know, key handling can be complicated and most people don't think about the full life cycle. So we've got all this stuff to think about. So what do you need to do in order to get ready? Well, what you
actually need to do is much like what they do in restaurants. If I go out to my favorite Chinese restaurant and I order house special orange beef, I expect it to taste like it did the last time I came and it should look the same. If it comes out and looks like it plopped out of a TV dinner one time and looks the next time like it's a five star dinner, something's wrong. The consistency's not there. What does the kitchen, what does the cook, what does that restaurant do? Because they have culinary knowledge, you know, they have equipment, they have the menu knowledge, they have the recipe knowledge. All of that is there. What they have done is, they have
set things in place, they have tidied up their work environment, and that's, you know, the whole mise en place thing here is really just French for set in place. And that's what we need to do if we're working with cryptography: we need to get our stuff in order, and that's really what it means. So that's the second part of this approach is a consistent implementation. And the two pieces of that consistent implementation is really around standards, and right now we're just gonna call it recipes. And that will push us down the road. And standards, that's an overloaded word, but I'm gonna use it anyway. There are ISO standards, there are measuring cut standards, there are standards out there like standard measures and weights.
But really what we're looking for is, we're looking for a document or a place of documentation that actually tells us who in the company is my security contact for crypto, or is it external? Because if you work in a big team, you need to know who you need to talk to when it comes to this type of stuff. You also need to define your vocabulary. You need to spend some time on that so everyone can be consistent. Also put out how not to approach it and so forth. Know what you have to do and not do for certain, you know, certainly if it's data at rest or data in transit, you can describe what needs to happen there. And also algorithms to avoid, and that list is growing
every day. It seems to be growing faster than our other list. So what should we do? How do we handle keys? And so we could take all this, and really what it does is it sucks the creativity and guesswork out of all of your cryptography. And I know all you creative, you know, you think about this, all these creative people, they see that and they go, oh. You know, but that's actually what you want. You don't want creativity here. You want consistency. You want the ability to, if all 12 of you, just think about Heartbleed. I hate to say Heartbleed. It's been oversaid. But, you know, when you think about that, do you know what types of cryptography used
and encryption used and where? So if you do find a problem with it, know exactly what to fix. If all 12 of you did 12 different things, now you've got 12 different vulnerability things, 12 patches, 12, 12, you know, that's just not, you know, not the way to go about it. So really what we're looking for is a way to bring all that together in one place. And once we do that, then we can come about to, okay, I've got these tools, I've got a place to work, I know my boundary, What am I actually doing? Well, that's really where a recipe comes in. Because you think about what is a recipe. I pull up
a recipe and it says what I actually want to make on it. It includes ingredients. It includes directions. It includes kitchen configuration. Because that's what setting a temperature on an oven is. That's kitchen configuration. We just don't think of it that way. But the problem is, this is most of our recipes that we have right now. If we were to go look in our current businesses, this is kind of what we do today. It's all in your head. Every bit of it's in your head. If you went to your granny or your great aunt, she might could have cooked 100 different things, but she probably didn't write down any of the recipes. The problem with that was, she was the only one who could cook
it. And we don't need to be in that situation. We need to be in a situation where we're not doing this, that we're not just getting there any way we can. So what we can do then is, let's find those patterns. Let's find the topics. And for example, when we looked at earlier, how do I verify a saved password? That should be written down. That should be a recipe for your area, for your group, for your business. When you look at how do I send a confidential message to an authenticated recipient and be able to verify the integrity of that message, that needs to be written down for your company on how you do that.
So if you're a person coming in if you just never have worked with cryptography it's all there for you you can look at it and it's there so that's why we would build these recipes we could then take that expected result what the inputs would be which is the same the same as the ingredients algorithms needed what specific tools you need so forth to actually build out information then we could take that information and I would build equivalent of a cookbook. And actually, I wouldn't even do that. I'd put this on a wiki. I would take everything that I've just got through saying from the very beginning and build me a crypto wiki. And in that, I could actually build my standards, build my direction,
build what, you know, what tools can I use? I'd put it all in there. I'd put it all right there to where you could have a set of people go in and vet that out. And if there were any changes, it'd be one place to change. And it's not some big lumbering document that you've got to carry around. So I would honestly suggest doing that. And finally, that really does bring our approach to the explicit results. Because if you think about it, if you start off not knowing what you want, you'll never get what you expect because it doesn't make sense. But with knowing what you want and a consistent implementation, it's going to be much easier for you as a security professional make sure the
level of assurance is higher because that's really what we're talking about when my bosses come to me and my business comes to me they're asking me for a level of assurance: how safe is this how good is this are we at you know what is the level and hopefully with this approach you can raise that level of assurance and really that's what I wanted to give you today was really that approach, not individual pieces, because we could talk all day on that. The more important piece is for you to actually have a way to approach it and a way to raise that level of assurance. And so you didn't know, the final thing, the secret sauce to cryptography is? Milk
gravy, yes, that's right. You got it, okay. I was just seeing if you were paying attention. Any questions, comments? Throw anything?
E-pass. There's a couple of password savers out there. I use a password saver because honestly, my theory is I cannot keep up. I use a YubiKey. Have you seen a YubiKey? Get a YubiKey. YubiKeys are cool things. You can get a YubiKey from Yubico and basically it's just a keyboard stuffer. You know, it's a very small fob. You can go look that up and shoot me a note. I'd say... You can find me, I'm SecretChipMonk on Twitter, SCMonk, or you go to SecretChipMonk.com, shoot me a note about YubiKey and I can send that out. But as far as the password savers, you really just about have to do something because the number of passwords that we need and the complexity that they really need to
be at, you can't keep in your head. So you're going to have to trust something because it's just a complicated world.
Yeah. I don't know. You know, what do you do? Here's my problem with that, and I'm going to use TrueCrypt as an example. When we look at TrueCrypt for all those years, it really wasn't open source. We really didn't pay for it, and it really wasn't commercial. And so now when TrueCrypt bellied up, everyone kind of had the, oh my goodness, but yet at the same time, we weren't really paying for it. It wasn't really open source to where I could control it. It was source-focused. It was, yeah. You could see what it was, but you really couldn't. Right, it was not a community effort as the same as the rest. Anonymously built. Anonymously built, which you had to, you know. Licensing issues. And the
licensing issues. So when we look at Gmail, what I worry about Gmail is,
am I paying for that? You know, how do they make their money? What do they do with the data? And so no matter what I'm doing, you know, I do have, I have issues with that period. I have bigger issues than what you do with the actual, you know, the actual email. So, any other?
Absolutely, yeah. Which with the other privacy concerns, especially if you do any international travel, that was, I think, the bigger thing. And that's also one of the things that is, the first things that stripped out when they started stripping pieces out. And I think that there isn't anything else that competes with that sort of thing. No. BitLocker is not in. You know, that's just a, you know, I will say that.
on our own cryptography or whatever, and something gets released and immediately blows big holes in it or whatever. But at the same time, the last couple weeks, I've heard somebody's announced like there's possibly a chink in the arm or a 50-dollman and all that stuff. But the difference is, the big difference there is when I take and I invent, you know, secret chipmunk cipher, the problem with secret chipmunk cipher is I have two eyes and I may have a couple of buddies who look at it. When we at least go through NIST, now you can say what you want about NIST, when they go through that process, they at least get a lot of smart people to look at that. The algorithm needs to be opened. The algorithm needs
to be on the table and everyone needs to understand the algorithm. Because you're not protecting the algorithm, you're protecting the key. And so when you create your own, you don't have the same level of assurance and vetting. And that's like one of the first rules of cryptography is don't... Don't do your own. You know, that's like number one. Don't do it. Go find something else to do. And definitely, this talk was not for cryptographers. This talk was just for us general people out there trying to use what was already there. So back on the serious topic of biscuits and gravy, what's your take on the sausage? You know, I'm very, I'm more of a no sausage person because I think there is a, I know.
You just lost credibility. No, no, no, no. I have no problem. I have no problem. No problem using sausage grease to make my gravy, okay? That is just a different type of gravy. I see it as two different types of gravy. Both of them equally have their place, but honestly, I mean, when I'm really talking about biscuits and gravy, I think there's something to that.
to actually go through that effort? Yeah, to put things out in the open so that your process is transparent. Well, if you don't have, and when I say open, it could be a closed wiki to your team. So that's okay. But still, it's a degree of openness. It is, but the problem is, to me, it's worse if I have tribal knowledge. Does that mean I'm operating off tribal knowledge at that point? Everyone is holding something in their head but I'm not too sure what it is. To me that's a much more dangerous thing when it comes to think about what's happened lately. Patching, vulnerability management, just knowing what algorithms and procedures I have where. You know, that to me, you ought to
be able to sit down and draw a case out for that especially, you know, to say this is much more dangerous and costly if I do have to patch or fix or do anything like that. So I think there's an argument. If you don't have a longer conversation, be sure and shoot me a note. Seriously. If you want a real world example to offer to management, point out the case of a security guy that goes and designs, maybe he uses the right methodology, but he's the only one that knows how the cryptography works. And if he leaves the agency, he knows everything about that crypto system. He knows how to backdoor it, and nobody else
knows how to stop it. There's lots of ways. If the entire team knows, then at least the entire team does have a protection. Right. There's a transparency. Level of assurance and transparency is really what you're looking for. I like that. As a learning one to work, levels of assurance. Level of assurance. I'd say the easiest way is to make it part of your disaster recovery plan. And that's the crazy thing that I guarantee probably 90% of the people in this room have not done. That's a great idea. That is. That's a good idea. What happens if one of these guys dies in the car wreck? What happens if this guy gets stuck and he can't come or he gets sick? It's amazing how many people have shops put together
and they realize, I haven't thought about security, I haven't thought about development, because you realize everybody has the whole ADC developers that they rely on heavy, but if you don't carve out those roles in a contingency plan, you can really experience security. We actually have key resource dependencies. They actually tag people in our company who are key resources because you actually don't want key resources. And so you try to minimize those. And that's a DR thing's a great point. Do we have time for any more questions? Did anybody work through it? I have another question. Did you start out in the military doing signal analysis and crypto? No, no, not at all. I just did secret chipmunk and I just did it. No, no, no,
not at all. I am ground up just... security and just everywhere all the time. Homegrown. Homegrown. That's scary, isn't it? That's why I saw it. You heard me say a hundred times, get someone who's smart, vet this out.
Back in the corner there. Do you see any chance for something like P2P encryption for email with private keys and stuff to actually ever work? If you could make that work where I can explain that to my mother and father and it's built into the OS and built into the system, then I think it's gonna work. Otherwise, if they have to actually maintain keys or have a notion of what a key is or life cycles or disposal, I don't see how. I think people in this room could get it, but extend that out to the rest of the world and I don't know how. I tinkered with it in college and the only people I could get to actually
the other people using our security experts he works for it needs to be done on and really is a matter of making it all right services It's like a smart card. If my company issues me a smart card and puts a certificate on it, I don't actually have to know that that certificate's there. I need someone or something to manage that certificate, manage that life cycle to make it to where I don't know that it's there but usable. Got a thing. So the government classifies strong cryptography as munitions. And industry classifies strong cryptography as requires for business. Yes. So, you know, where do you see that smack down going? That's a great, I'll tell you
what's happened in the last couple of years. If you look at NIST 800-53 Revision 4, if you actually look at that, what they finally got around to doing was, is they figured out privacy was important. So this is like the first, you know, the first inkling that we're seeing coming out of the government about privacy mattering. And that's really what, what, commercial people care about is the privacy. So I think you're going to see that. I don't know where they're going to go with it, cybersecurity framework, all that other stuff. I think it's going to get to where they have to accommodate those other, more than confidentiality, integrity, and availability. There's more to it than that. So I think you're going to see that merge over
the years. You see them slowly, slowly starting to accommodate that. Do you think industry is pushing it over? I think, I know our industry, we're heavily regulated.
Before that, I have a quick announcement. The conversations that we just had talking about PGP keys and how hard is it to get people to use them and all that stuff made me think we have a nice big collection of people from around the country and maybe the world here. You are a much more likely population to have PGP keys and know what they mean than most people. So why aren't we doing a key signing party? What I want to do is, later on today, anybody who has a PGP key fingerprint and a photo ID that can come up at base blue and do a key signing party. If you can get your PGP key
fingerprint, if you don't have it with you now and you don't trust the wireless here, try to walk down the block and turn on Wi-Fi and get it, and a photo ID, then whoever wants to participate, we can exchange, hand out our key fingerprints, verify with our ID, and then I'll take that, and whoever else takes that and goes home, we'll verify it later and sign it and send it back to you with our signatures attached. Let's get this party started. Like I said, we'll do this several hours from now, so go ahead and figure out how you can get your key fingerprint between now and then in a way that you trust. And let's
increase our own web of trust. That's a great idea. Thank you, Dan. Thank you. First, a big thanks to Daniel and company for having me out. Really impressed that we're doing this here in my adopted hometown, originally from Charlotte. But I love it here, and I'm glad you all came out. So thank you for that. Big thanks to Jason Streep for the awkward hug. It's the first of my career. It could be a career interest, but I'm curious. I'm anxious to see where it's going to take me. So if you haven't seen it, check it. It's a pretty classic picture. So my name is Justin Troutman from here in Asheville. I've done a lot of work over the past years with Vincent Rijmen,
who you'll probably know is the guy who co-developed the Advanced Encryption Standard. So he's a pretty hard hitter as far as crypto goes. So basically over the years, we've been looking at how cryptography fails to work in practice. When I first got started, I was really into the math, building algorithms, learning the algebra behind it. But then I realized that that's pretty much a solved problem. really in the business of breaking cryptography at the mathematical level anymore. And that's evidenced by recent leaks about random number generation being tainted by the NSA. What that tells me is that the NSA, they're trying to break the part that's universal. We can taint the keys and weaken the cryptography. That works better than trying to break individual algorithms. So over the past
few decades, we've migrated from breaking math to breaking implementations. So that's what got me obsessed about implementations. But then I got to thinking about that too. Even if we harden cryptographic implementations, nobody's using cryptography. And PGP's a prime example of that, and how it's been around for 20 plus years, but very few people actively use it. And why is that? We have strong cryptography available. People obviously care about security and privacy. So why are we not using this tool? So that's really one of the foundations behind this research, moving from the math being solved the implementation still being kind of shoddy, but even if we solve that part, we have to really focus on the interface of cryptography. And that's the one part that we
can't solve in the cryptographic community because we're not user experience designers, we're not usability experts. Our community has lots of really good developers, lots of good mathematicians, but even if we get that part right, and even if we could build something remotely NSA proof, if it looks like PGP, nobody's gonna use it. So that's sort of the launching pad for this work. Hope nobody has motion sickness because they got a little crazy with Prezi. All right, so it's hard to tell from here, but that's the tip of an iceberg. So after 20 years of cryptographic software, this is sort of where we are as far as the user experience goes. You almost have to have
a PhD in cryptography to really benefit from that practice. That may be a stretch, but at the same time, usability studies going back 10, 15 years have shown that even college-educated computer science students that have no background in security and privacy have a tough time understanding a lot of the concepts that take place, largely because there's no physical analog to the language we use in cryptography.
So I like to start off with a quote, something slightly beautiful, more beautiful than most people find math. I love math, my wife hates it, so this was probably the easiest way to get her in tune with a lot of the work we're doing. I think this quote sums up where we need to go and how we need to approach cryptography in the real world. Basically what he's saying, instead of asking people to build a ship and work with tools, let's teach them to love the ocean, to long for the sea. And that's really what the consumer industry is built on. You know, when I get in my car and I'm driving on a mountain
road, I'm not thinking about internal combustion. If it depended on me to understand how that worked, I would probably have to take a bus. Because I'm not a mechanic, I don't work in, you know, of engineering. I really want to get in the car and drive. I have things to do, places to go. And that's the disconnect we have in real world crypto. We're asking people to care about the cryptography when at the end of the day that has nothing to do with what they're trying to accomplish. So this has got me in a little trouble. Some people find this to be heresy. A lot of the purists in crypto when I say that real world crypto has nothing to do with cryptography
at all. Solving this problem is really gonna be a matter of product design because we already have the math. We have decent implementations that we're hardening all the time. So that stuff's been solved for the past 10, 20, 30 years in many regards. But we've never really looked at security and privacy, especially in the context of cryptography, as a matter of product design. And for two good examples, well the first one, Tylenol. If I get a headache, I go to CVS, for the Tylenol label, it's a brand I know and trust, take it off the shelf, open it, read the instructions, take it, my headache's gone. That's a consumer success story. Somewhere in some lab,
there was a compound of chemicals sitting there that they knew would relieve headaches. But if they didn't have people that could turn it into a product and give it a brand, it wouldn't have turned into a billion dollar pharmaceutical industry. So that's that gap we face now. We're still in the lab. We're still giving users the raw materials to put together. I probably would deal with a headache if I had to compound Tylenol myself. That would probably give me even more of a headache. But yes, that's really where we're at. But I think we're in denial. So if real world crypto is about products, which I firmly believe that's where we'll find a lot
of the answers, then that means it's about people, understanding the roles of people when it comes to security and privacy. You really have three groups of people represented by real world crypto. You've got cryptographers like me who obsess about the math, obsess about the algorithms. You have developers who may or may not know a lot about cryptography, but they're asked to implement it and they have to work with it. Quick show of hands, anybody implemented cryptography sometime in their career? Depends on what you mean by implement. Something as simple as a call and an API saying I want to use to encrypt that. Okay, so most of you have dealt with it in some way,
but at a very high level. It shouldn't be required that you understand what's taking place so much as having a safe, benign surface to work with. So we have to respect that too, but I don't think we do. We still give developers a lot of raw pieces to try to put together and build ad hoc protocols, which tend to fall apart, but that's not the fault of the development community. And of course, we have consumers. And when you think about What we ask consumers to do, we ask consumers to encrypt, authenticate, decrypt, verify. These are the same terms that I use as a cryptographer. So what we're doing now is looking at the language we use for developers. There are really terse ways to describe
what happens in a car as far as internal combustion. But for the consumer, we just tell them to start the car. That's a very high level abstraction, but it works. So why are we asking developers and consumers to work with language that really doesn't fit where they are in the process? So the golden rule going forward, if you're building crypto products or working with crypto or have any sort of influence of how crypto shapes up in your organization, make sure you're respecting the individual roles of the people involved. Make sure the language and the decisions you're asking them to make lines up with their job descriptions, basically.
Cryptographers expose way too much to developers. A prime example, another quick show of hands, who knows what ECB mode, CBC mode is? Okay, so you've probably heard by now and you've probably seen the images of the Tux penguin that's encrypted with ECB versus CBC. So we know not to use ECB, it's a really bad mode. It's not even semantically secure. It leaks a lot of data regarding the plaintext. So we don't want to use that. CBC is probably the most commonly recommended block cipher mode of operation. So you would think that if you're using CBC, you're automatically okay. But CBC takes what they call an initialization vector. That's what sort of starts the chain sequence. But there are some conditions imposed upon the initialization
vector. It has to be unpredictable. If you use a fixed IV, you end up with something that's no better than ECB. So it really depends on this implementation detail that as a developer, you may or may not know because it's not really crucial to you programming. It's crucial to us as cryptographers when we're building systems. But this is something we shouldn't be asking developers to do. If I look at 10 implementations, sometimes close to half will use fixed IVs. They'll do things because it makes more sense from a programming standpoint. It's more efficient, it's easier to do. But since you're using CBC, you should be okay. That's sort of a fallacy we're trying to get
around. I guess it's timely to mention TrueCrypt. I'm sure a lot of you have heard about the fate of TrueCrypt, so this is not a problem anymore, unfortunately. TrueCrypt's not asking users much of anything, unfortunately. But the good news, I think some folks in Switzerland are trying to keep it alive, so it may come back. But anyway.
Long live TrueCrypt. Yes, long live TrueCrypt. can tell me, let's say, the mathematical difference between the advanced encryption standard and Twofish. I'll be really impressed. Anybody want to take a stab? Big numbers. Big numbers. So we're at an information security conference, and you may or may not know the difference. And that's OK, because this is not a problem for developers to really understand. It's not part of that job description. But this is what we're asking end users to decide between. And I used to participate in the TrueCrypt forums. I was very critical, but only because I loved it and I wanted it to succeed. But then one day I couldn't log in, I couldn't get a response from the admin, so I'm sure my criticalness may
or may not have been appreciated. But I always said, why are you asking users to stress about which block cipher and which hash function to choose? Thread after thread on the forum was about which one's more secure. So we had lots of people saying things like, well, I really like snakes, so that's why I use Serpent. AES was approved by NIST, so it must be backdoored, so I'm not gonna use that. But Twofish is by Bruce Schneier. And who else are you gonna trust than the Chuck Norris of cryptography? That's a pretty safe bet. So in reality, it doesn't matter which one you use. If you're using one or using three together, this is not how people are gonna break into TrueCrypt. They're going to
snatch your key out of hibernation files. some cache on the system, they're gonna find an easy way and those ways exist and there's relatively cheap software out there that can siphon out key material while people are stressing about which algorithm they're gonna use. So we need to stop showing cryptography to users. Stop asking them to choose algorithms. My car doesn't ask me to choose anything that's under the hood. I just get in, stick in a key, start it and I'm gone. That's how we reach consumers, not by asking them to make decisions that they really don't understand.
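The initialization vector point made a few paragraphs above (a fixed IV turns CBC into something no better than ECB) can be seen directly in code. This is an added example, not code from the talk or from the speaker; it uses Go's standard library AES, a constructed 16-byte demo key, and constructed messages, and it shows ECB leaking repeated blocks, fixed-IV CBC leaking equal prefixes across messages, and random-IV CBC doing neither.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// mustCipher builds an AES block cipher from a 16/24/32-byte key.
func mustCipher(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// pkcs7Pad pads b to a whole number of blocks (PKCS#7).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt encrypts each block independently: the mode the talk says never to use.
func ecbEncrypt(key, pt []byte) []byte {
	blk := mustCipher(key)
	bs := blk.BlockSize()
	padded := pkcs7Pad(pt, bs)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		blk.Encrypt(ct[i:i+bs], padded[i:i+bs])
	}
	return ct
}

// cbcEncryptFixedIV is the weak pattern from the talk: CBC with a constant
// (here all-zero) IV, so equal plaintext prefixes give equal ciphertext prefixes.
func cbcEncryptFixedIV(key, pt []byte) []byte {
	blk := mustCipher(key)
	iv := make([]byte, blk.BlockSize()) // constant IV: this is the bug
	padded := pkcs7Pad(pt, blk.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return ct
}

// cbcEncryptRandomIV draws a fresh unpredictable IV per message and prepends
// it to the ciphertext so a receiver holding the key can decrypt.
func cbcEncryptRandomIV(key, pt []byte) ([]byte, error) {
	blk := mustCipher(key)
	bs := blk.BlockSize()
	padded := pkcs7Pad(pt, bs)
	out := make([]byte, bs+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(blk, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

// hasRepeatedBlocks reports whether two ciphertext blocks are identical:
// the "ECB penguin" leak in miniature.
func hasRepeatedBlocks(ct []byte, bs int) bool {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			return true
		}
		seen[k] = true
	}
	return false
}

// sharedPrefixBlocks counts the leading blocks two ciphertexts have in common.
func sharedPrefixBlocks(a, b []byte, bs int) int {
	n := 0
	for i := 0; i+bs <= len(a) && i+bs <= len(b); i += bs {
		if !bytes.Equal(a[i:i+bs], b[i:i+bs]) {
			break
		}
		n++
	}
	return n
}

func main() {
	key := []byte("0123456789abcdef")                  // constructed demo key, AES-128
	msg := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4) // four identical 16-byte blocks
	fmt.Println("ECB repeats blocks:", hasRepeatedBlocks(ecbEncrypt(key, msg), 16))
	fmt.Println("fixed-IV CBC, same msg twice, equal:", bytes.Equal(cbcEncryptFixedIV(key, msg), cbcEncryptFixedIV(key, msg)))
	r1, _ := cbcEncryptRandomIV(key, msg)
	r2, _ := cbcEncryptRandomIV(key, msg)
	fmt.Println("random-IV CBC, same msg twice, shared blocks:", sharedPrefixBlocks(r1, r2, 16))
}
```

The block demonstrates only the IV requirement; it omits the decryption path and any integrity check, and a real design would also authenticate the ciphertext (or use an authenticated mode) rather than ship bare CBC.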
All right, so PGP is a great example. I'm also critical of PGP, but only, it's not really PGP's fault in there. It's more or less that when we adopted PGP, we kind of stopped there. We didn't really try to improve the user experience. Instead, we tried to get people to just learn PGP the way it was, and that this is how it is, you have to learn it. And if you don't learn it, then maybe you don't care, or maybe you're incompetent. So a lot of arguments have been started about why people don't use PGP, but I think it's a user experience problem. You know, PGP was wonderful in the sense that it made strong
cryptography available. You know, that was a revolution at the time. We didn't have access to crypto software, let alone secure crypto software. But at that point going forward, we should have said, okay, now we have it, but now we have to improve it because there are lots of high risk situations that still call for PGP. You know, journalists working in oppressive environments, activists, You know, you can go on and on about the situations where PGP is critical, but at the same time, it's often used improperly. I know a study, I think it was probably 10, 12, 15 years ago, at Carnegie Mellon, where they had computer science students, quite a few different groups represented, people were accidentally uploading private keys to the server. You give them an hour and
they're still doing things like sharing their private key. And that's not because they're incompetent, they're very bright people, A lot of what's taking place isn't clear. And that's simply because PGP was the first incarnation of strong cryptography. There are gonna be rough edges, but that's where we have to sort of adapt and learn to speak to the user experience community to try to solve this in a way that can reach the masses. So a timeline here. 1991, PGP, the source code, hits Usenet. That's a long time ago. Eight years later, first paper comes out referencing that study I mentioned, Why Johnny Can't Encrypt. So basically they conclude that five versions in, really nobody can use cryptography, or use PGP, which
in this case was really all of cryptography at the time. 2006, Why Johnny Still Can't Encrypt. So we're almost 10 versions in, and the user base hasn't grown. People are still having trouble with it. So there are lots of conclusions you can draw from this. You could say that, okay, well, Everyone's stupid, they just can't use PGP. That's not reasonable. But at very few points along the way that people stop and think, well, maybe the whole model of PGP is wrong. Maybe it works for a very small set of people who are willing to put up with it or work in environments where they have to set it up, they have no choice, like activism,
journalism, where this is the best we have, so we have to make it work. But the campaign, the cypherpunk dream of crypto for the masses, is just not going to be realized with tools like PGP staying the way they are. You can tell me that your product gets 10,000 downloads a month. At that rate, I mean compare it to WhatsApp that's been around, what, maybe a fourth of the time PGP's been around. And they have half a billion users. To me, half a billion is reaching the masses. 10,000 a month is not reaching the masses. That's impressive. I'm proud of projects that get user bases like that. At a certain point, we're going to reach
stagnation where we think 10,000 is a lot of people, but at the end of the day, it's such a minute fraction of what Facebook users, Twitter users, the apps that people really want to use, that's where we need to target the adoption of cryptography. So here we are in 2014, and I'm going to tell you that Johnny doesn't want to encrypt. So we should stop asking him to try to learn it. I mean, we've had a long time to try to get Johnny in shape. And Johnny's not stupid. He cares about security and privacy. But maybe we need to look at it from his standpoint of, OK, why can't I use this? How do we fix it? So again, these are just numbers. I mean, we can look at
1991 and say, OK, that's quite a bit of time. But I like to look at pop culture to see what else we were doing, whether right or wrong in 1991, to really capture how long ago that was.
Zima. So I hear it's still alive in Japan. I've never been, so I don't know, but I figured I'd put that there. But Zima was a long time ago. People have lots of memories with Zima. Good old man. But this is, yeah. So this is part of 1990, early, 1993. So Zima wasn't even out yet when PGP came back, if that tells you anything.
This is what we were also doing around the same time PGP came out. I don't know that we've improved with dancing or music since then.
And Friends debuted, and we taped it on VHS. So again, these are a few early things that were taking place that we've migrated from. But
if you're not convinced that that's a long time ago, World Wide Web, first description, came about two months after PGP launched. Okay, so how far has the web come since then? It used to be something back in the day where you had to have some moderate understanding of computers to make things work. People were still building tools because they didn't exist. But nowadays, if it takes more than one click, people aren't going to pay attention. They're going to move to something else. So it's really changed from the consumer's perspective. So it's been a long time, but PGP is still pretty much the PGP we knew in 1991.
So this is sort of what we're giving users now. We're giving them diagrams of engines and asking them to click this and choose this link of key and choose this algorithm. So this is what they really wanted to, they want experiences. And that's evidenced by the fact that people get annoyed when it takes more than two seconds to download and start using an app. That's sort of where we come. Back in the day, we might wait 20 minutes for the Flash-based Joe cartoon, Frog in a Blender, to download because it took 20 minutes to watch a Flash animation back in the day. But people aren't going to do that now. They want experiences. And cryptography
really gets in the way of experiences. Cryptography, in many ways, is more of a barrier than it is a boon to people. And that's because we haven't found a way to turn it into something that's really useful. Henry Ford was even looking back in the days of the Model T at the user experience. Cars were pretty primitive back then. There wasn't really a lot of safety. There was a lot of hands-on that you had to do to maintain the car and keep it up. And that was expected because cars were new. But even he understood that he wanted people to enjoy open spaces. He was all about the experience as much as he was about
the engineering. So for 100 years, we've understood user experience. But in cryptography, we're really far off. So I think there's no such thing as usable cryptography. And I say that because usability happens at the product and service layer, but cryptography doesn't happen there. Cryptography is very low level. So usability, if I want to send a tweet, I get on Twitter, I type it, I click send. That's sort of the usable product level. Cryptography should be happening behind the scenes. I shouldn't have to select anything or choose anything. So the idea that we're going to get people to use cryptography is sort of a mismatch of levels of where things happen. One thing that we're just now starting to realize
is that we're at a point where real world cryptography, it's no longer like it was back in the day when you had an academic paper you were implementing cryptography and things played out sort of the way they play out in the paper because there wasn't a huge surface to work with. There wasn't a lot in the sense of attack surfaces. But now, once you take cryptography from theory and put it into practice, it becomes a really small part of a really large ecosystem. It's almost nonexistent compared to other things. And the effectiveness of crypto depends on so many other things working. And we can't solve this with cryptography alone. This is not really a cryptography problem. It's a much larger problem. It's a composite of different types of problems.
But cryptographers can't do this alone. We need the UX community. It's really the only way going forward that we're going to solve it. So I implore you, if you're building any sort of cryptographic apps or software, if you have the funds to hire UX people, consult with them, bring them to your company, sort of get a good idea of where you're going wrong and different key points you need to work on to improve, definitely hire UX people. Those are the ones that understand the masses that we're trying to reach, not cryptographers. It's not in the security community's job description to build usable products. Now we need to get what we do into usable products, but again,
that's not our job. It's very much a cross-discipline thing.
So going back to Mackerel, Mackerel we chose the name because all throughout history of cryptography, people have used fish to name things. So it seemed appropriate to honor the field in that way. One of my favorite functions to analyze in crypto are MACs, or message authentication codes. So I figured the first three letters corresponded to something I really like. So aside from that, Mackerel has no meaning other than it's sort of a way to honor the crypto community. So what we need is a design and development framework, something brand new for building cryptography. But we don't need the traditional software lifecycle where we're looking at it in terms of very terse security concepts and jargon that way. We need something that's driven by user experience. In other
words, Microsoft, for example, I got a chance to go to the Blue Hat conference last year. Met a lot of really bright people, a lot of really smart people in the security community. I also got to talk to some people that work on the Xbox. And I thought, okay, what would happen if I got into a room with people that designed the Xbox, a very successful consumer product, and said, okay, this is what I'm trying to do. This is the security concepts I'm working with. As a console developer, as someone very successful at building your consumer product, how would you, as an Xbox designer, rebuild cryptography? I think we need to have those kind of
talks. Mainly because they're not going to understand all of what I'm saying. So that's really the gap between these communities. And they're gonna be able to solve some problems that we think are really hard, like possibly key management or the way that we ask people to work with certificates or PGP as a whole. They may have a really easy way to look at that and say, oh, this is what you do. This is how you use language to fix this problem. So I think we're gonna find that the language we use could be 90% of the solution to this problem. But until we have those conversations, it's not gonna work. I think we need to drop crypto for the masses as a
campaign. I think its time has come and gone. We've had plenty of time to try to reach the masses with what we're doing now. So we need to drop it and we need to move into a campaign that really emphasizes crypto that's context for user experience. Crypto is not the focal point by any means. Any questions thus far? I'll take a drink.
So, you know, I really believe in the Cypherpunk dream. I think it can be realized, but I don't think it's going to happen so long as we tell users about cryptography or ask them to make cryptographic decisions. I think at the end of the day, people are moving into the expectation where they want all-in-one experiences. They want stuff that doesn't require them to step out. They want an all-in-one experience. And companies like Google are already providing that work. You've got email, you've got messaging, you've got search, you've got Google office applications. You're able to do more and more without leaving this ecosystem. So if we ask them to step out and install cryptography, they're going to tolerate this less and less as we move along.
So we need to move into that mentality that crypto is not the focal point. As much as we love security and privacy, this doesn't represent the end goals of the users. They want to accomplish things, they want to experience things. So we need to find a way to abstract the cryptography into products and services that are usable. So they benefit from it, and we can engage them, we can give them feedback, so they understand what's taking place. But at the same time, they're not required to actively make decisions that affect security. They're not asked to choose which block ciphers and key loads, because at the end of the day, doesn't really matter. We can choose
safe defaults. We can use language to let them know what's happening without asking them to be a part of it in that technical sense. So we started looking at the Mackerel framework and we got a little ahead of ourselves because we don't even have this cross-discipline field yet, but we want to build a framework in it. So how do we do that? So I'll get to it in a minute, but we're sort of establishing this idea of Crux, or cryptographic user experience, where that was a part of the user experience, it's context for it. It's just a basis for designing a product and a service. But working with journalists and activists, we started to look at what three main things would you want as a journalist
working in some oppressive environment where you have to communicate with a source and you may not have a really good connection or a lot of time to deal with it. So, and this is good for any app, but three things we're really focusing on with this framework: zero learning curve. As soon as I click the icon and the app fires up, how quickly do I know what's taking place or what's expected of me as a user? That's really important for the source more so than the journalist because we can train journalists. We can go to journalism schools. We can go to newsrooms. We can teach them how to use these things, but a source may
be anonymous. A source may be somewhere else and we can't reach them safely. So for them especially, the app has to fire right up and be intuitive. Rapid accessibility, there's no sense in reinventing anything. We have, like I said, consumer success stories that already work very successfully. So we need to build on top of that. Whatever apps that we're going to give over the next decade for people to use to encrypt, authenticate with, they need to look and feel like the apps people are already used to. We need to try to mold what we're doing to the style and language of apps that are already successful, that already employ user experience that we know works. And
minimal code footprints. This is especially important for developers and analysts who are looking at the code. It's really easy to build something like TrueCrypt. TrueCrypt, I think it passed the first audit with flying colors, but at the same time now they pulled the plug, so it's hard to say what's going on with TrueCrypt, but the likelihood that you make a mistake by implementing a dozen block ciphers and hash functions is magnitudes greater than any one of those things being broken. So having that in the code, you have to look at it from that way. If I'm implementing this, what does it cost me in code complexity and what does it gain me in practical security? All you really need is the advanced encryption standard or
if you prefer something else, a single block cipher, a single hash function. You don't need dozens to choose from. This is the strongest link of any system. So yeah, these are the top three things we're really focusing on. And these are good, generally speaking, but we didn't have access to the threat model we originally looked at, and that was militaries and governments, what sort of threat models they deal with. And we felt that journalism, activism was as close as we could get, and pretty right on the money as far as threat modeling and what's at stake. So this came up in a paper about six or seven years ago, some researchers in Canada outlined utility,
usability, and usefulness as sort of, and I call them the three U's of getting it right. When looking at an app, the utility of it is what does it do? Like PGP, what does it do? It's supposed to protect my confidentiality and integrity. That's what I use it for. You know, usability, how easily can I do it? Well, PGP, not so easily. It requires a basic understanding of the concepts of public and private keys. You have to understand the web of trust. Very few key signing parties take place. And even when they do, people will randomly sign someone else's key without really knowing them, even if you meet them at a security conference. The web of trust doesn't always work the way it's intended. Usefulness, what am
I getting out of it? I think PGP hits really strongly on utility, but it's not very usable. And even if you have something that's really strong, but you can't use it, then it's not very useful. And that's the one part that crypto can't solve. So usefulness is sort of a combination of utility plus usability. So as a cryptographic community, we're really good with the utility part, usability, that's the other half that we've completely failed at, honestly. So key ways to gauge if you're doing it right, if you're building a real world crypto product, and this isn't always possible to do, I understand that, you get funding, if you're building a security and privacy product, I urge you to set aside some
funding to have UX help come in and guide the process. Because, you know, since the NSA revelations, it seems like every night someone's coming out with a crypto product, a secure messaging app, something to try to be the next greatest thing. But what's going to set you apart? What's going to allow these products to compete is how usable, how good of a user experience they are. You can't just rehash PGP and expect that to catch on. So we really need the guidance of UX people. So the first fruits of your funding, if you can in any way, try to get some UX people in. And also to understand the mentality that even if you eat, drink, and sleep cryptography, this is never going to be a focal point
of any consumer. This is something that people may care about at an abstract level as far as security and privacy. They may want those things, but that's as close as you're going to get to the consumer. They're not going, nobody really wants to encrypt. That's the main thing I'm saying. So when we're designing something, if at any point along the way it asks the user to encrypt, you need to backtrack, you need to redo it. You need to rethink what you're asking the user to do. Again, nobody wants to use cryptography. The really bad thing about good tools like PGP is that's what we have and people are going to use it. And the worst thing that can happen aside from having no tools at all, is for people
to lose discretion when using the tools that we have. And you can actually end up being less secure by having something that is pretty good than you can if you have nothing at all. Because if you have nothing, you're more likely to be cautious. But if you have something, you might loosen up. You might feel comfortable using it with whatever you're trying to secure. And that sort of speaks to user experience as being the key part, because without that, many people are going to continue uploading private keys to servers or sharing the wrong pieces or posting it to their website for people to download. And they're going to be compromised all because we failed
to make something that made sense to the consumer. So yeah, moving forward with Mackerel, sometime late next year at the University of Leuven in Belgium, we're going to put together a conference. And we're also going to call it Crux, where we're bringing together people who specialize in user experience design. We're gonna bring cryptographers, developers. My idea is to have people that design console gaming systems right across the table from someone who designs mathematical algorithms. To try to find a common ground as far as the language that we give users. And again, this is something that just came to me last night, but I think that user language is going to be 90% of the solution to the problems we have in security and privacy,
getting people to benefit from it. I think a lot of it's just finding physical analogs to draw from, looking at other consumer success stories to build from. So, sort of a summary of what we're doing. Any thoughts or questions or heckling? One thing is that when you're talking about the usability, the feature that gets you the most using PGP like Valpo, read that out, the add-on, it's like it's so hard to configure, it's so hard to get it going. What are they gonna start learning to streamline it, make it easier to use PGP or cryptography in email communication, which is one of the main reasons why you want to use it in the first place? Right. So, I'm sorry, what's the
question, exactly? When is that gonna be easier? When do you think they're gonna be coming out with more add-ons for browsers or for email communication for like Gmail or Yahoo or whatever email sources out there? I sort of think we're gonna see two things. We're gonna see add-ons that try to take away some options, try to select secure defaults. And one thing I also see happening with that is, let's say you download a plugin, and by default, it's the simplified interface. And just to appease to developers or power users, as they call them, you might have some fairly hard to get to alternate menu that allows you to fine tune things. And
that could be the trade-off that we have to make. We try to simplify the interface, go secure by default for as much as we can. So I think we're going to see a lot more of that. I'm not sure if you've heard of MailPile, but there are a couple of other like Mailvelope and alternate apps where stuff's baked into it, integrated into it. It's a lot less painful than I would. Sure. You know, I think it works better. I'm sort of on the fence as far as integration goes. I like modularity, I like when things fail locally as opposed to globally, but with email encryption I think it helps in a sense to have that
crypto framework built in in all aspects of the program. Because email as it is, it still leaks metadata. There's still problems with those protocols. So I think the more integrated we can make it, the better. So that could be a more secure route than plug-ins for Outlook, having standalone apps that replace it. But again, the problem with that is people are used to the interface of Gmail. So what's going to make them want to download a standalone program that happens to be secure? They're only gonna do that if they're more amazed by the interface than they are with Gmail, or if it's easier. At the end of the day, it's gonna come down to
would I leave this really beautiful, usable product to migrate to that? So I think better plugins is probably a stop gap to where we need to be going forward. I think just this week, Gmail launched that beta for a PGP plugin. They did. I'm still looking into this, so don't quote me, but I think they use elliptic curves only, rather than RSA key generation. And if I'm not mistaken, what that means is there are two branches of GPG. There's the 1.x branch that supports RSA keys, but not elliptic curves. And then there's the experimental enhanced 2.x branch that does. So what this could mean is that if you're trying to communicate with somebody using GPG, using what they're doing at Google, may have some interoperability
issues, may have some compatibility concerns there because of the ECC support. What I've heard, rumor has it that they're going to really move forward with making a stable 2.0 version of GPG, try to get that possibly to take over as the main branch. I'm not sure exactly how they're working that out, but it's a lot of work. So I'm really excited about what Google's doing with that plugin, but I also worry about it. So if you're a journalist, you may not be able to communicate with your source using this easy to use Gmail encryption thing. You may not want to anyway. But it's going to be interesting going forward. So there's this tension between open source, which is easily
inspected, easily forked, all that good stuff, and user experience. And open source is generally not great user experience. Proprietary is generally great user experience but very low inspectability and trust. Is there a new or do you foresee a new business model where people can create products that are both trusted with user experience? How is that problem going to be solved? It's really tough because the industry is not driven by security and privacy. People want to have a business model. So that tends to be what drives that. And they want to protect their interests if they have something that's very novel. They don't want to open the source. At the same time, the community doesn't want to trust anybody that doesn't open the source because they are driven
by security and privacy. They're not concerned about the business model. So it's going to be hard to get around that. And especially, you know, people love and trust brands. So as long as the brands that people trust remain closed, I think they hold a firm grip, even if open source gains traction. I sort of like to play a faux closed source apologist in a way, because if you compare BitLocker, for example, which is relatively easy to use, to TrueCrypt, which is not the hardest thing, it's not as difficult as PGP, but at the same time it exposes a lot more than BitLocker does. We don't know anything about the developers of TrueCrypt, anonymous guys that we trust because they're open source and they're all about security and privacy.
Whereas BitLocker hired, among others, Niels Ferguson who co-developed Twofish with Bruce Schneier. So I have more reason as a cryptographer to trust BitLocker because I trust the people who designed it than I do TrueCrypt. At the same time, even though the guys that designed BitLocker said that they would not develop a product if they knew a backdoor was being inserted, they're small fish in a really big pond in Microsoft. So they have no way of knowing if it's tainted somewhere else in the product development. Exactly. And it's so tightly integrated into the product that it's hard to say, even if as a cryptographer you would have no part of a back door, you can't really put your life on that promise. I mean, that's commendable. I love them for
it. But again, the business model, I don't know how we're going to fix that.
One thing we're seeing now is a lot of funding from companies that build proprietary products. They're funding things like OpenSSL, which is open. Now, I'm not convinced they're doing that because it's open, but I am convinced that they're doing that because it is critical infrastructure. It just happens to be one of these open things that is used everywhere. And if it falls apart, people suffer. So, you know, I'm not convinced that's an open source type of thing so much as, okay, we need to fix this and we have some money, let's try to fix it. I think you're dead on that the way to really get widespread adoption, like the way to get my parents and my aunt to use crypto in their
daily lives is for them to not even really be aware that they're using crypto in their daily lives. That should be the way things work. One big concern I have with that is the snake oil problem gets worse and worse when you start saying we're going to move away from things that we've studied for a long time and implement something new and it won't even be a top line list of here's how we implement all the privacy stuff. We'll take crypto, we'll take privacy, whatever. But Snapchat claims to be private. It's nowhere near. We all know that. But if somebody comes up with private chat, whatever. And there are, you know, people could be drawn to that because it is,
like you said, a topic high in the concern of the average person. But the average person is so unprepared to vet whatever's out there that we need to make sure that we're doing a good job of throwing, you know, of testing things out and complaining when snake oil gets the market. I think Twitter might be one of the single greatest things to happen to the security community because a lot of dialogue is taking place very quickly. Like, you know, the TrueCrypt audits probably might not have happened or at least not as quickly had a few people not talked about it on Twitter. So I think we're in a position where we can catch these products and call them out fairly quickly. That's good. That's not ideal. I
don't know if anybody ever followed Bruce Schneier's old mailing list, where he set up his blog, but he used to have the doghouse column. And if you looked at snake oil back in the day, it was really easy to tell it was snake oil because it was something like polymorphic chaos theory where beams of light from the heavens coincide with these bits and you have, it was really easy to see. But now, ever since the NSA revelations, the Snowden debacle, since that, we're seeing products that are snake oil in the sense that they're not very good, it's not like it's as noticeable as it used to be because they claim to be using AES. They all look the same from that security standpoint. So I think the snake oil
problem gets worse and it's not so much because people don't have good intentions, but you have people that are trying to capitalize off of all of it overnight. And then you have those who really want to do something great, but they don't really know how, but they put out a product that looks nice and people buy it and use it. So that part's gonna get hard. And crypto is still Wild West frontier. It's not regulated. So anybody can build a crypto app and make it look nice and sell. So that's going to be an issue. I think we're in a position to maybe fight it better, but it's always going to be there. Just a
suggestion. If you don't have lots of funds for user experience audits, one of the things you can do is take it to a university. Even if you're close to a university, just have communications. in it. You can buy a bunch of pizza, you can get a $30 award for the best suggestion for whatever price you choose. I appreciate you bringing that up. That's really important. I just had the opportunity here recently to work with the university, pretty much doing the same thing on an almost non-existent budget. It's just basically printing material. Right, and as long as you're listening, you can learn a lot, but if you go in with the concept of my stuff is perfect, then you're not going to learn anything. You just wasted your time.
Yeah, and that's, I think we're in a community and industry where a lot of us, a lot of folks are in denial, and there's a lot of back and forth about what's the right way to do things. There's still a lot of flack that we need to read through, especially when it comes to user experience, because it's hard for some people to say that we're doing a really bad job at this. But I think, again, it takes an open mind.
There's plenty of people out there that will say this sucks because it's closed source, because it's this, this, this, and this. Until you try to put up a background where I see you contributing to someone else, you're just as unimportant to me in the long run. Because it's very easy for us to look and throw stones at this product. Until you've actually contributed code back and you've helped change that, you know, you're doing better than that product that's closed. And so I think that's part of the problem, too, is there's a lot of socials. I'm kissing here with open source is the best. And obviously if we can collectively build it, it is great. And
it does surpass things. But you run into an issue where unfortunately sometimes people don't contribute. And I'll give you a big case example. So before I came back to the East Coast, I helped design and implement a tool called OSSIM. It's a SIEM technology that's out there, right? We have an open source product. In the two and a half years when we had the source code open, product, which is using open source tools, we had four major commits that actually did any enhancements or bugs. The majority of stuff we got were complaints about how things didn't work and how they would do it better, but they never want to elaborate on how to fix it. So then we would get complaints of why do you have a paid version
that you're doing private development on? So there's two sides to it, right? So if you want to change that business, show that interest. And actually, we pay out people for doing stuff like that, too. But you've got to contribute back. I mean, don't just point out a problem to be honest with you. Absolutely, I agree. And the fallacy of open source versus closed source is people mistake open source as being inherently more secure because it's open versus potentially more secure. And that's the many eyes principle, which I completely disagree with. I don't care how many eyes are looking at source code. I care whose eyes are looking at the source code. You don't want to have me look at your source code in order. That's not what I
excel at. I may catch a few things here and there, but even working in cryptography, I don't consider myself an expert at auditing code. So just opening the source, because are you paying the people to look at the code? That takes time. People have to put food on the table to have day jobs. And if you look at a lot of really successful open source projects, they became successful, but they only have like a few developers. And at a certain point, you have this huge user base that overwhelms the developers saying like, this is not our day job, can't fix all these things, but nobody's helping you, complaining. So you end up with products that people really depend on, like TrueCrypt, but you have two anonymous developers
who probably don't do that for a living or get much of anything for it. So yeah, you have to commit code. And I think that's a downfall of the industry, too. There's a lot of, this sucks, but okay, well, it sucks. Help me fix it. I hope that OpenSSL is a really good example of a product that was developed by everyone, used by everyone, depended on, so hardly anyone wanted to pay for it. Now they're ponying up money. Exactly. But at least they did have bug submitters who reported bugs as far back as two and four years ago, including suggested patches, and those patches sat in their bug tracker until the LibreSSL people resurrected them and cultivated them themselves. They
at least had two meeting reporters.
Ready to go? Ladies and
gentlemen, this is Dan Deaton. Hey guys. Thanks for having me. That was an awesome talk and discussion that we had. So I wasn't really in any way upset that it went into my time. So I realize I'm up against pizza, so we'll kind of do this quick here. I want to thank Daniel and Josh and everyone who's here at B-Sides Asheville for inviting me to the first B-Sides Asheville. This is really exciting. I'm from Charlotte. I grew up, I was born in North Carolina. Asheville, really considered a second home. I'm a craft beer lover. So your 18 breweries to me is like a Mecca. I will be at Wicked Mead, Twin Eve, all those tonight.
So anyway, thanks for having me. I live in Charlotte. I work for a company called Gotham Digital Science. I'll tell you a little bit about my company and my background before I get into my talk. But the talk that I put together is basically focused on some recent security breaches and the trends that we're seeing in our company over the years and also some common pitfalls of network penetration testing. That's a lot of what we do. And so we've kind of identified, you know, when we all came into the company, we all had our different methodologies and approaches and so we've kind of put our heads together and come up with some you know what
we think of is a pretty good methodology and we know where we started and so we basically just wanted to kind of share some and nothing's groundbreaking by any means but just some techniques that we do that really I think closes some gaps and helps you know ends up with more comprehensive results when it comes to doing some network penetration testing so before I get in I just kind of want to know like what type of people are in the crowd are people test penetration testers
Okay, what's that? Former lives. Former lives. People working in, people are from Asheville? How many people are from Asheville? I'm just curious. Oh, so good crowd. Okay. So this is kind of, that part of the segment is kind of designed for testers and also organizations who want to protect themselves. So here goes. So my company is Gotham Digital Science. We've been around since 2005. We have a team in Charlotte. We're headquartered out of New York City. We also have an office in London that started in 2007. The majority of the clients that we work with are like financial, banking clients, technology, also healthcare. A lot of the services that we offer you're gonna be very familiar with. Web,
thick client, mobile application testing, also network pen testing, which I'm gonna talk a little bit about today. Source code review, threat modeling, social engineering, and phishing.
A little bit about me, I started off as a web developer in 1998 and then around 2003, 2004, I got into security and started consulting. I worked for Bank of America for a while and then I worked for a number of consulting firms. I've been with GDS for about four years and I'm a manager here in Charlotte or here in North Carolina. Also, I mentioned craft beer lover. I've been home brewing for about 13 years, so if there's any home brewers in the crowd, I'd love to talk to you after this. That's the story about me. So we're gonna cover some recent breaches, some that you're probably already very familiar with. There was a recent report that came out from Verizon that kind
of blew my mind, had a lot of great data and I wanted to share some of that. It was really hard to kind of pick and choose what to share but I think there's some kind of interesting graphs and bits and pieces to it that I want to share. And I'm also going to share some trends that we've seen at our company since starting in 2005. I'm going to share a case study of a recent that we did, talk about some common methodologies, some common pitfalls, and then also some new techniques or not new but just some techniques that we used to kind of close some of those gaps. So first of all by a show of hands, did anyone else see the Verizon 2014 data
breach investigation report? It's awesome for several reasons. First of all, it's very well written. It's like a 60 page document. You would expect it to be really dry and you'd only make it to like page five. Really, there's a lot of creative writing. It's a lot of fun to read. It's really pretty graphs and colors and pastels and all those fun things that people like to look at too. So I think this came out in like April, and I've given this talk once before, and this came out like two days before the talk, and it was exactly what I needed to kind of segue into talking about network penetration testing and some gaps and trends that we've seen, because it really just strengthened everything that I was thinking about
at the time. So, to kind of give a little bit of background, if you haven't seen this report I highly recommend it. I got a link here at the bottom, but basically it's based on ten years of data aggregated across 50 different companies that just volunteered it. A lot of it, you know, then they had to normalize it and put it into different categories and groupings, and they did a fantastic job with it. I was in no way part of it at all, so you know I'm not like tooting my own horn. I just thought it was a great thing, so I wanted to share some of the data. In 2013 alone, Verizon reported
that 1,367 confirmed security breaches happened and that 63,000 some-odd security incidents. A lot of the well-known breaches that you're probably already familiar with, just wanted to list a couple here, Evernote, Harbor Freight, Vodafone, Adobe, BIPS, which is the Bitcoin, Washington Post, Target, just to name a few. There are many, many more, and a lot of them are included in the report. And those are in sequential order over the course of 2013. One data point that I found really, really interesting is like what were these attackers after? And no surprise here, it all came down to money or user credentials. And I'm gonna get into some graphs later that kinda show you some hard facts around that. So I won't spend a lot of time
on these, but I do have about five to six graphs that really jumped out at me. There is so much more in the report. This first one here is the number of breaches per threat actor. looking at like the partner, the internal or the external threat actor and you see a huge spike here in 2010-11
for external. So you're talking about external perimeters of organizations and that's where the attackers are really, really focusing. The next one here, I love how they categorize this into, you know, different types of patterns. So the four that I really wanted to point out here are point of sale intrusions, attacks, card skimmers, and cyber espionage. Those are the ones that really jump out as far as the 2013 breaches. So the number of breaches per threat action and the actions break down to hacking, social, physical, misuse, error. You can't see in yellow that's malware there. But basically this is 10 years of data here. And you start to see an upward climb for hacking and malware. And I think that sort of tells the same story that
we're seeing a lot more automation and the tools are getting better and the different kits that people are using. It's a lot less manual, a lot more automated these days. So it's a lot easier to load up a scan and start running against different organizations. So I think that's why we're starting to see that upward trend there.
The next one here is the number of breaches per asset category. And one that jumps out at me, obviously here, is servers. Servers, usually you think about, that's where the data's stored. A lot of people think, well, why is it network included? The way I look at it is network is what carries the data and transmits it, but server's really where it lives. So if you're an attacker, that's really what you want to go after. That's the assets you care about. User devices is also seeing a spike here. And in the report, they sort of allude to the fact that that's because so many people are using user devices that are connected to those legacy databases and those back-end flagship apps that have been around for
years. But these user devices are now just another vector on top of that. They're getting more mature, but a lot of the software is new. A lot of the devices are new. So that means they're very rapid, agile development platforms.
how it is, vulnerabilities get exposed when you're developing quickly and you're timing to market. So those are being utilized as well as a vector to get kind of back to that same data. So this is one I touched on earlier, breaches count by data variety, like what are the attackers after? And the two that jump out here in green, which is the payment, which is money, and then yellow there is user credentials. So that's mainly it for the report. If you haven't seen the Verizon report, I highly recommend checking it out. So sort of correlates some of the trends that we've seen over the years is when I got into consulting in 2004, I was doing a lot of network pen testing, and then that moved into
more app testing. and maybe some people in the room have seen a general trend like that. We're starting to do a lot more network penetration testing over the last couple years. And I think this is kind of why, like in the past, since app testing kind of took an uptick, companies still care very much about external network security, but a lot of that has really shifted to a commoditized approach. So a lot less manual pen testing versus on scanners which are great but you're thinking about vulnerability scanners such as Qualys and OpenVAS and Nessus and things of that nature. Those are all great and they serve their purpose and we use them but at the same time they can't find every single nook and cranny. So some things are
kind of left on the table or maybe some open gaps. So now with the rise of external focus attacks and the reliance of commoditized automation, many gaps are left open and we're starting to see companies come back to us because they're seeing all these security breaches and they're like, we really want to make sure that our tools are doing the right job, and if they're not, where are those gaps and how do we close those in? That's what we've been helping a lot of people with. So I wanted to share a case study that we had. This is fairly recent. Just to give a little background on the project and why I think it's interesting to this talk is, first of all, they are a very large
global healthcare provider. They came to us and they said, basically, we want you to do an external penetration test. Their network is massive, but they had a very specific range, set of ranges, they wanted us to look at. It came out to about, just over five, about five and a half thousand potential external live hosts. After we did the initial discovery on it, we noticed, we realized that there were about 500 active IPs. So the interesting thing about it, they didn't tell us this until after we did our assessment, they had another vendor that did an assessment similar to this and they came back to them with a zero findings report. Familiar with that? It is a report that has absolutely no findings, informational or risk or anything like that, and
this scared them. Just given the size of the network, they knew that there must be something out there. So we had already been doing some other application testing for them. They said, hey, we know you guys do network penetration testing, would you be, you know, we'd like to bring you on to do a similar scope test. So they shared the results with us afterwards and it turned out, we didn't know about the zero findings report until later on, but we came up with 20 critical findings. I'll give some details of some of the things that we found, and then also numerous mediums and lows as well. And the reason I'm sharing this is because
we sort of took a step back and said, well, I mean, there's a lot of other really talented testers out there and vendors like what could we be doing that they're not doing? How did we find these things and they didn't find them? So we kind of came up with a list of things that we do and I wanted to share them in a little while and it may help people in the room who do network pentesting. Maybe you can add this into your methodology.
So first of all, we did a comprehensive network discovery. We discovered numerous IPs, many that were running virtual host, administrative interfaces, customer portals, single sign-on portals, and also legacy applications were found. We also found some metadata, a lot of documents containing sensitive information. And this is not our tool, but we found it and we loved it. It's called Informatica 64 FOCA, and it's great for finding like PDFs, Word documents, Excel documents. They actually call it FOCA. FOCA? I didn't want to say FACA. Do you know what that stands for? No, but it's a bunch of Spanish guys that write it. Yeah, it's a fantastic tool. What we found with this is a lot of like architecture diagrams, a lot of information about
servers, some logins. Actually, I used this one time against the government and I actually found an employee on a network that was stealing Joint Strike Fighter documents because they were leaving the path in the documents and they were putting on their iPod to take them out of the network. Interesting. It's a great tool. So if you haven't used it, definitely check it out. A lot of the things we found in these documents kind of helped us and led us to discoveries. So here's kind of the results. There's a lot on this page but I'm just going to kind of summarize it. First of all we were able to compromise the external web presence. We gained access to 13 million personal and business customer accounts.
We were also able to basically, you know, we could have defaced, we could basically just change all the content on the web properties. Our customer asked us like can you quantify what this data breach would be, and actually have a way to calculate it at the time, but we found in 2013 Ponemon Institute and Symantec did a fairly extensive study on US data breaches and they came out to $188 per record. So basically just did the math and that's how we came up with $2.5 billion would be the estimated cost if this had been breached or was breached. We also compromised an externally facing secure email system. This company being a healthcare company, they had a secure messaging system that basically
patients and doctors could use to communicate. And everything was stored in clear text in the database. We got access to the database, some really, really confidential stuff about different medical conditions and things you would not want exposed. So we found, got two million records, estimated cost of the breach there would be $500 million. We gained unrestricted access to the internal corporate network. We were basically, had the security cameras, took screenshots, got on their internal corporate wiki, internal corporate workstations and so forth, gained complete control of the corporate domain. And then finally we gained access to the customer portal, which being a healthcare company and they have millions of customers and we gained access to the portal, which actually had connections back to
a lot of other application servers as well so we had the credentials for those as well. Yeah, go ahead. This is what we call a pants down spanking. It was a pants down spanking, yeah. It was. I mean, this is probably one of the most interesting ones that we've had, that's why I'm sharing it, but it really brought things to light for this company and now we're doing a lot of looking at all the other areas of it as well. So this brought us to kind of do our own internal analysis, like why do Pentest and here's kind of some of the things that we came up with. So as pen testers we observed that there's numerous approaches and methodologies for penetration testing. There's
significant inconsistencies across testers and test teams and that could be in a consulting firm like mine or in an organization like I've worked for. I know that like you know what I the way I approach it next to the next guy is going to be very very different so that can you know lead to gaps in an assessment. If you put this test here and this is just to do the same app or the same network are you going to come up with different results are they going to be the same? Engagements are largely automated in a lot of cases for a number of reasons. Clients you know obviously they want to save money so you know they only give you like a week's time or a short amount
of time we've all been there it's challenging so you kind of have to come up with a an approach that gives you a good balance of coverage but also you know you're not going you know You're not just spending a lot of time just scanning. So there's a lot of times that leads to no manual validation of discovered. And that can lead to reports that contain false positives or false negatives.
So we kind of came up with what we think of as a common methodology. I've actually practiced this methodology in my past as well. So if anyone, I'm not here to in any way hurt anyone's feelings, but if you feel like this is you, I'm going to maybe give you some tips on how to improve this. So common methodology, first of all you get the assessment, either it's an intern or you work for a company and they're like we want you to assess this range or your client comes to you, and so first thing you do, you start up Nmap. You're going to do a discovery, you're going to see what's out there, what's running, what services are running, what's listening. A common Nmap
configuration kind of out of the box is right here, -sS -sV. You're basically looking for a common, like just a TCP SYN scan here. You're also looking at like top 1000 ports, but it's not looking at timing or running some of the advanced scripts or anything like that that comes with Nmap. So then you would run a vulnerability scanner such as Nessus, Qualys, OpenVAS on those same systems, you know, the ones that you found to be running some port or a service from the Nmap scan. You're going to see what that comes back with. A lot of times these can take a while depending on how to read, right? Not usually. So you've got 100 plus pages of Nmap results to go through. And Nmap
is a wonderful, wonderful tool, but it can't tell you every single thing and validate every single thing. So you've got a lot of false positives to go through. So that's going to take some time. Hopefully you have some time left over to actually manually go and see if any of those are exploitable, because that's what your customer or your internal or your boss really cares about. Great, you found this open JBoss vulnerability out there, what could you do with it? And it's really unfortunate sometimes to say, well, we ran out of time, we couldn't exploit it. So you want to make sure you have enough time at the end to try to exploit some of
those vulnerabilities. Are you using like Canvas or Core Impact or... A little bit. We are playing around with Metasploit for sure. Not so much with Canvas. I mean, I'm interested in it for sure. Our core toolset, we have some proprietary stuff that we've written that really helps us analyze a lot of the Nmap data and the Nessus data, gets it into a humanly consumable format. But mainly we're starting with Nmap. We've really just tuned our configurations to try to maximize it, also using Nessus, some Qualys, and some Metasploit when it gets actually to the exploitation. I also had a question. You also run this Nmap scan first. You don't do any passive reconnaissance first? Yeah, we do. We'll do sort of zero-knowledge type of
reconnaissance, looking to see what's out there, absolutely. But this is more like they give you the range. Let's see what's out there and what's listening, what ports are running for sure. You're saying this is what you're seeing as common ones. We build on top of this, but yeah, I'm not saying this is bad by any means. I'm just saying this is a more common approach. I'm going to share some things that we've learned over the years. If this is your entire methodology, then it's bad. Yeah, if you stop here and copy and paste the results into the report and deliver it to the client, I think you're leaving some things on the table. Right. What's that? You've got to put a cloud in there. You've got to put a
cloud in there, right. Pretty graphics. Yeah. So some of the common pitfalls, you know, an inadequate methodology, like I just mentioned, um, insufficient reconnaissance and discovery. So, you know, these two things, in my opinion, are like really like this, the second bullet here is this is where you're starting. So if you don't start and have a comprehensive plan and approach and coverage up front, then, you know, this really propagates down the line to your results. Yeah. Inside the,
There. Exactly. That brings another good point. I mean, a lot of the things, some of the things that we found for this assessment were not like really groundbreaking, like cutting edge. We weren't like writing custom scripts or anything like that. It was right there under our nose. And that's, I'd say 95% of the stuff that we find is not really that hard to find. It's in source code. It's in HTML source code coming back and rendering the browser. Sometimes it's just how you look, knowing what to look for. So as I mentioned, this can lead to massive gaps in your coverage. Some examples include virtual host discovery, authentication methods, extraneous web components. I'm going to get into some of these
in a little while. From my perspective, these are things that are typically not looked for. And so you've got virtual host, for example. host is basically multiple applications running on the same server, the same IP address, so they're sharing that IP address. But a scanner is typically just going to pick up that one, the one that's actually tied to that IP address, not all the others. So there's some techniques of how to find those, but you may be leaving 20, 30, 40 apps out of scope and not even know about them because you didn't know to look for the other virtual host, other apps running on that server. So
I think also we have become as a, you know, just sort of an industry excessively reliant on automated vulnerability scanners hoping that it's going to find everything and it's not going to find the admin admin in the source code for sure.
So as far as the methodology goes, you know, some of the things that we found were like, you know, a lot of times the activities are not scalable. So running that Nmap scan for five weeks before you actually open up Metasploit or something like that and start looking at things, how is that gonna work? Because most people aren't willing to pay for that or they're not gonna, you don't have as much time to do the actual manual testing and validation that you want. So that's the difficult part. Also, the data coming out of Nmap is not really consumable. So you're pouring through all these reports and that takes a lot, a lot of time. So you also have an incomplete view of exposed networks and hosts.
going back to the virtual host discovery, if you don't know that those other virtual hosts are running on that system, then they're completely going to be out of scope for anything else that you do during this assessment. And then it also leads to overall inefficiencies that could lead to false positives and negatives in your reports and in your final product. So there's two core things here, you know, for two different audiences. First of all, as an organization, you can't secure what you don't know about. So if you get a pen test done or if you run your own discovery scanning and you're only looking for top 1000 ports and you've got some odd port that's outside of that range, then you may not know that that host is out
there. So that's not even gonna end up on your asset list. So really having a good understanding of what you own is really key to how you can secure it and knowing how to secure it. And then similarly for a tester, you can't test what you don't know about. So going back to like really having a good core discovery and reconnaissance phase to help build on top of is really key. It's got a lot of great advanced scripts and there's like a really great community of people writing a lot of these scripts and we've been leveraging them and we've also been writing a lot of our own to do a lot of the things I'm going to talk about and we've been trying to give those back to the
community as well. That's one that we like. But whichever one you use, just become intimately familiar with it so you can really maximize it and know how to use it. Another key thing is determine the depth of the port scan. So if you, for example, know that you're going to have 5,600 hosts to scan, and you only have a week to do it, you're probably going to have much more of a breadth than depth perspective on your scope and your approach. So whatever the depth is, you know, that on the amount of time that you have and the range of hosts that you're going to be looking at. Leverage the scripting component of the scanning tool. And then also don't forget about UDP ports. A lot of
people forget about these or they don't include them. And there's a lot of interesting stuff running on UDP as well to take a look at. A lot of people don't run the UDP because it's really time consuming. would be to split those off and do a TCP scan, have your UDP scan running. It's going to take longer, but at least you'll get your TCP results back and you can start going through those and then UDP shows up later and you might find something really interesting on those as well. So there's three things I want to kind of cover here quickly as to how to go about identifying virtual hosts as the first one. I want to cover some discovery methods that we've kind
of over the years and helps us find some virtual hosts that we wouldn't have found in the past. And then also you want, when you find those hosts, you want to validate with your client or internally with your IT group, make sure they're in scope for the assessment. So the first one here, actually back up. So there's really four ways with virtual hosts to discover them. First is very simple through DNS. Look at the host that comes back, the IP address, plug it into a browser, see if it matches up. See what that host is. Add that to your list that's in scope. The next is an SSL certificate. The SSL certificate's going to have the actual domain in there as well. You can look at
this manually. You can also look at this. Here's an example here of the one for Yahoo. You can look at this manually. You can also automate this as well. Another interesting one is that you can look at the subject alt name. So for a lot of hosts, it's going to list out, here's an example for Yahoo, it's going to list out a number of domains and subdomains that are also running on that same host. And so you would consider all these, assuming that you confirm this with your client, you would assume all these would be in your list in scope going forward for the testing. So just kind of imagine if you didn't, these and you would only have
yahoo.com so you might miss all these assuming they weren't linked from somewhere else in your scope. And then the final is we actually use Bing. You can go out to Bing and plug in the IP address and Bing basically gives you back all the information about that server. It's really valuable. If you want to automate this, there's a Bing API that include and automate this in a script and it'll pull back all that data as well. Just make sure, there's some quirks to it, so just make sure that you go out and validate that everything that you have is in scope. I can't say that enough. So the next is authentication methods. So a lot of different systems out there run a lot of different
authentication methods. NTLM over HTTP, over Telnet, you've got FTP servers. There's a lot of different ways to authenticate to a system and a lot of people don't know that you can actually make brute force attempts to log into a system and it actually is going to give a lot of information back about that system that you can use for further attacks. So here's an example here for this. Here's one and this is not Redbox. This is just a name of an internal system that we have. So I just want to make clear that we weren't hacking Redbox here. So this here is a... It basically comes back with the 23, port 23, telnet, and it comes back with all this
information based on an NTLM authentication. So we know what the target name is at the box, we know what the NetBIOS domain name is, the computer name, the DNS domain name and computer name, a lot of information about the underlying software that it's running as well. So this can be, you know, leveraged during a penetration test to running on that system and maybe use it, you know, finding out what the version is. So a lot of this can be used sort of as a stepping stone for further analysis of this system here. Here's another example here, very similar HTTP, and this is all based on a script that we wrote that we've actually submitted to Nmap, and it's going through revisions now and I
think very close to acceptance. So this will be out in the script library very shortly. You can utilize it. The third one is identifying extraneous application components that may be running on that same system. So we're looking at web services, web protocols. An interesting one that we see a lot is WordPress and it actually doesn't get picked up by any vulnerability scanners because WordPress has its own admin login for administration, but that's not a vulnerability. something that gets installed. For us, we see it as a vulnerability. You're exposing administrative functionality to the public on the internet, so that's not something you would typically want to do, but something like Nessus wouldn't pick that up. So we want to make sure
we point that out to our client. We also want to make sure that it's not something that can be used and is exploitable. Another example is JBoss consoles. The one foothold for the assessment that I shared earlier was a JBoss console. We found a lot of interesting things on the perimeter in this in that range but we found an exploitable JBoss console. It was not picked up by Nessus because it was running on a non-standard port and so it completely missed it but we have some scripts that we've written that go out and look for different extraneous web components and it actually picked it up on a non-standard port. We found it and that actually got us into the DMZ, the secure email system further into
the corporate network and that's something that didn't actually get picked up by the scanner.
So another technique here that we've really used and we're starting to work with our customers on this is front loading. So how did we go about doing the five weeks of scanning before we had four weeks of manual testing? We basically front loaded all that. We said, look, this is not man hours, this is machine hours, we're not gonna charge you for this. very little time to get everything crafted and scripted up and ready to go and start our scanners and then we say okay we'll talk to you in a couple weeks when it's ready to go. So we recommend this for anything other than a small network. It's going to allow you as a
tester to really gain efficiencies because you're going to put all the time that they're paying for into the manual testing and validation versus the actual time of waiting on a scanner. If you're a tester, you've got an internal kickoff call. If you're working with a customer, if you're a consultant, request this as part of the kickoff call. Let them know that we're not gonna charge you extra for this. This is gonna give us more time in the long run to actually look at this from a manual perspective and have a person working on it. Organizations, your internal test team, ask them if they're doing this, and if not, why not? And maybe recommend it as a way for their team to become more efficient. In
the end, you want to pay for man hours, not machine hours. To recap on the case study and the lessons learned, I've mentioned some of the things along the way. Root causes for finding differential and insufficient discovery methodology and excessive reliance on automated scanners can a lot of times lead to gaps and missed things. Virtual hosts, Public sites and numerous admin sites were found during this assessment and the admin sites would have obviously been undiscovered previously just because those virtual hosts wouldn't have been picked up by a normal scanner. Authentication method discovery. Discovered numerous authentication methods on multiple virtual hosts. They were form-based, NTLM, FTP, so on and so forth. We were able to also use weak
admin credentials to authenticate, so we do some very light force testing we're not in any way slamming these authentication methods but we're going to look for common things like admin admin or you know if it's a database connection you know we're looking for SA and blank password and things of that nature those things are still you wouldn't think so this thing they're still out there people are not hardening these things and configuring them when they're setting them up and they may even just be a test server that someone stood up to test out a product and then it never actually went to production but that test server sitting in the same network segment as all
the production boxes exposed to the internet and it's used as a foothold to get in to the network. And then the extraneous web components, the one I mentioned was that non-standard JBoss configuration. We didn't pick it up in a scanner, with a scanner. It was running on non-standard port, non-standard sub-path, and it was a critical foothold for the assessment. Well, we, based on the Nmap results, we basically take all the information that we know about each of those servers and then we go out and we're looking for non-standard ports and see if anything's running on those. We'll also really tune our Nmap scans in the beginning to go outside of the top 1000 ports. I'd be happy to send someone if anyone's interested. I
mean our Nmap configuration script is like a page long and we tweak it for every assessment just based on what we're looking for. picked it up on one of those and then we had another script that was running after that that goes and follows up and looks for virtual host, NTLM authentication, also just web components that are running out there and you found it through that. So I know everyone's hungry so I just want a quick summary here. You can't test or secure what you don't know about this approach. Hopefully for you, a lot of you will, you know, or your company would give you more time for manual testing. And good methodology promotes consistency and repeatability across your test team. And a comprehensive
discovery and end is going to lead to increased security visibility for your assets so that you actually know where the gaps are so that you can secure them. And that's it for me. I know that was quick, but thank you so much for having me.
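The NTLM challenge disclosure described in the talk above (target name, NetBIOS and DNS names, OS version handed out before any login), as an added example that is not the speaker's Nmap script or any code from the talk: a stdlib Python decoder for an NTLM CHALLENGE message, exercised against a challenge constructed inline with placeholder names (REDBOX, redbox.example). A defender can feed it the `WWW-Authenticate: NTLM ...` value from one of their own HTTP endpoints to see exactly what that host reveals.

```python
"""Decode an NTLM CHALLENGE (Type 2) message and list what it discloses.

Layout follows MS-NLMP 2.2.1.2 (CHALLENGE_MESSAGE) and 2.2.2.1 (AV_PAIR).
The sample at the bottom is constructed here with placeholder names; it is
not a capture from any real host.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

NTLMSSP = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2

# NegotiateFlags bits used below
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_DOMAIN = 0x00010000
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids carried in the TargetInfo payload
AV_EOL = 0
AV_TIMESTAMP = 7
AV_NAMES = {
    1: "netbios_computer_name",
    2: "netbios_domain_name",
    3: "dns_computer_name",
    4: "dns_domain_name",
    5: "dns_tree_name",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_challenge(data: bytes) -> dict:
    """Return the fields a server discloses in its NTLM challenge."""
    if len(data) < 48 or data[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE (2), got type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", data, 12)
    (flags,) = struct.unpack_from("<I", data, 20)
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", data, 40)
    if tn_off + tn_len > len(data) or ti_off + ti_len > len(data):
        raise ValueError("field offsets point outside the message")

    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM text
    info = {
        "flags": flags,
        "target_name": data[tn_off:tn_off + tn_len].decode(encoding),
        "target_is_domain": bool(flags & TARGET_TYPE_DOMAIN),
        "server_challenge": data[24:32].hex(),
    }
    if flags & NEGOTIATE_VERSION and len(data) >= 56:
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        info["version"] = f"{major}.{minor} (build {build})"

    # Walk the AV_PAIR list: AvId (2), AvLen (2), value; terminated by MsvAvEOL.
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP and av_len == 8:
            (ft,) = struct.unpack("<Q", value)  # FILETIME: 100 ns ticks since 1601
            info["timestamp"] = (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()
    return info


def parse_www_authenticate(header_value: str) -> dict:
    """Decode a 'WWW-Authenticate: NTLM <base64>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    return parse_challenge(base64.b64decode(token))


def build_challenge(target: str, av_pairs: dict, stamp: datetime) -> bytes:
    """Construct a CHALLENGE message for offline testing (placeholder values)."""
    u16 = lambda s: s.encode("utf-16-le")
    target_b = u16(target)
    delta = stamp - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    ti = b"".join(struct.pack("<HH", k, len(u16(v))) + u16(v) for k, v in av_pairs.items())
    ti += struct.pack("<HHQ", AV_TIMESTAMP, 8, filetime) + struct.pack("<HH", AV_EOL, 0)
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN
             | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    header_len = 56  # fixed header including Version; payload follows
    msg = NTLMSSP + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(target_b), len(target_b), header_len)
    msg += struct.pack("<I", flags)
    msg += bytes(range(8))  # constructed server challenge, deliberately not random
    msg += b"\x00" * 8      # Reserved
    msg += struct.pack("<HHI", len(ti), len(ti), header_len + len(target_b))
    msg += struct.pack("<BBH", 6, 1, 7601) + b"\x00\x00\x00\x0f"  # Version field
    return msg + target_b + ti


# Constructed sample resembling a domain-joined server's reply (placeholder names).
SAMPLE = build_challenge(
    "REDBOX",
    {2: "REDBOX", 1: "REDBOX-DC01", 4: "redbox.example", 3: "redbox-dc01.redbox.example"},
    datetime(2014, 7, 1, 12, 0, tzinfo=timezone.utc),
)
SAMPLE_HEADER = "NTLM " + base64.b64encode(SAMPLE).decode("ascii")

if __name__ == "__main__":
    for key, val in parse_www_authenticate(SAMPLE_HEADER).items():
        print(f"{key:>22}: {val}")
```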
He just pronounces my name. Jason.
What? Nothing? Nothing. Did you take attendance? I'm sorry. Thanks for inviting me down to Asheville to speak at B-Sides. This is a great event. It reminds me a lot of my first information security conference. We were so kind of out in the boonies. We organized our own. That's how we got together one because our employers wasn't all that excited about sending us to one so we started HackerCon. Who's been to HackerCon? A couple of you. Awesome. My name is Will Gardner and I'm assistant professor at Marshall University where I teach in the digital forensics and information insurance program. You may know me as Onsi online. It's my Twitter handle.
This is my CCDC team. The purpose of this slide is public shaming. They participated for the first time last year, we were in the Mid-Atlantic region, and they quit halfway through because they got frustrated. So, the public shaming will continue until their productivity and their standing improve. So, the first year the goal was to fill the team. Next year is to go to Regionals. As I said the last time, this is our current team. Some of these people may not be on it next semester. I'm co-founder of HackerCon, which I already talked about. Past president of AIDE, the Appalachian Institute of Digital Evidence at Marshall University. Who's been to AIDE? A couple of you have, maybe? No one's been to AIDE? You've been
to AIDE? You've spoken at AIDE, that's right. I'm a volunteer for Hackers for Charity. Go buy something from that man back there. You want to be trained?
So what we're going to talk about today is security. Surprise. Marcus Ranum is real. I'm sorry for the streaming people, but I'm a pacer, so I'll be pacing a little bit. Marcus Ranum is my hero because basically he thinks everything's bullshit. Basically, that's because a lot of the things that we do in security are BS. But we're doing it wrong. We spend millions of dollars a year on products which don't protect us. We buy IDSs, firewalls, next generation firewalls, but yet we're still getting pwned.
I read this slide last night. Sorry, I'm still looking at this. This is something Frank Hacken and I did a couple of years ago, which is basically the security barrier. So you start out with policies and procedures. Tell your users what they can and can't do. After policies and procedures, the next thing up is user awareness. You don't really start talking about buying products until you've done the groundwork. So everyone says, have an information security awareness program, but no one tells you how to build one. No one tells you what needs to be in that information security awareness program. So that's what we're gonna talk about today. I got really bored with this paragraph last night, so I have a little treatment on it. It's gonna
keep me awake during the presentation. So this is my, this is Bill Gardner's definition of what a security awareness program is: a program with the goal of training users about potential threats to an organization's information and how to avoid those situations that might put the organization's data at risk. It's a barn burner, isn't it? Anyway, you have to come up with definitions. So that's basically what a definition is. So basically, the only patch for social engineering is awareness training. And the first thing you have to do is get management buy-in.
You need to develop policies. You need to have some sort of framework. Has anyone ever been through an incident without policies? I have; it sucks. Flying by the seat of your pants is not fun. And sometimes it takes an incident in order for people to do the right thing. At an organization I was in at the time, that was our wake-up call. So they started building policies after something bad happened. You should build policies first. Policy enforcement: information security awareness programs help you enforce the policies you've already built. And of course, money. You're gonna save money if you're not having problems or incidents. If you keep people from clicking on links or downloading attachments, and that's not all security awareness is, but it's part
of it, you're going to save big bags of cash. And that makes management happy. Production increases. I'll talk a little bit about metrics near the end of this, but basically, based upon our internal metrics at the organizations where we develop security awareness programs, we've seen production go up and we've seen cost savings. Not all users face the same risk. If you're a road lawyer, you're on the road with a laptop and a phone, you have a different set of risks than the guy in the mailroom who never ever takes his computer home, who never ever takes his computer on the road. So you gotta target security awareness training; each user is gonna be different. Don't
forget the IT department. Their job is to keep things running. And sometimes they have
a lot to think about, so they're not the most organized people. I spent 20 years in information security, I mean, information technology, before I got into information security. So I've worked in places like this. It's not mine, but it could easily be one of my former offices. The job of IT is to keep things running. So you have to remember to tell them, hey, do you have risks? And this is how you address those risks through security awareness training. Don't forget about them. You target it. Different users encounter different risks, different education levels. So you're going to have to make training different for a lawyer than you are for a secretary. And yes, that takes some time and energy, but you're going to
get better rewards if you target people based upon an educational level, based upon their skill set. The problem with most educated professionals is they think they know everything. Lawyers and doctors are the hardest. You have to remember that when you're tailoring an information security awareness program. How often? So, do you just talk to people when they come through the door? We chew people's ears off when they come through the door. You need, here's your keys, sign these forms. Here's how you get insurance for your kids. And here's, oh by the way, some security awareness stuff. Don't click on stuff. Not effective. Some people do it quarterly. But generally what I've found is you have to build
a culture of security. You have to build a continuous message. You have to always be selling it. You have to run an internal public relations campaign to make people more secure. Because you say it one day does not mean they're going to remember it the next day. So try to always be doing something continually. It's hard. Part of management buy-in is to show them how they can save money, increase production based upon people being safer online. Because a lot of people will say, well, I don't have time for that. Lawyers, I used to work with lawyers, just don't have time for it. So what we did is we told them, hey, we're having a golf alley. An hour before your tee time, we're
going to have this little session where we talk about dangers on the internet. That worked, fine, because they got to play golf. So sometimes you have to trick people. You have to social engineer the organization's employees into being safe. You see social engineers on the outside of your network making it unsafe. Use some of those same sorts of ideas to make your network safe. The other thing about security awarene