
Click, click. There we go, there we go. All right, it is 9 o'clock, so good morning, everyone. It is my pleasure to introduce our keynote speaker today. Uh, first time I saw Mr. Ed Skoudis was at a SANS event when he was teaching track four in Orlando, Florida, in a room probably three times the size of this, with a packed crowd with a thousand people listening to him, and I heard him talk about all of these magical superpowers that I wish I would acquire someday. And then I learned, um, my very first offensive, uh, activities from Mr. Skoudis. I took those back to the workplace, and when I got back to the workplace I found that if I
demonstrated actually how these attacks work, then it was so much more impactful to the people that were making the decisions about these risks, and as a chief information security officer I could really have an impact on the leadership team by demonstrating these things. And then I can remember, I don't know if you remember this, but I can remember coming out of a very frustrating meeting and, um, and, uh, having talked about all of the different things we need to information security and getting support for none of them. And I walked back to my desk and I just sat there and I thought about all the great things that Counter Hack was doing
with virtual, um, virtual machine escapes and all of these different attacks that, um, Ed Skoudis and his teams, um, were the pioneers of, and thinking, gosh, wouldn't that be great. And I sent you an email, um, back at the time, said, I just came out of a very frustrating email, uh, meeting, and I just want you to know that I'm fantasizing about working for, uh, for working for Ed Skoudis. Fast forward several years, he's become a very dear friend, and I am so, uh, it is my distinct pleasure to announce that Mr. Ed Skoudis, our keynote, here is to talk to, here to talk to us about how things have changed in the military landscape and cyber. So
join me and give me a warm round of applause and welcome to Mr. Ed Skoudis.

Thank you, brother. Thank you, much appreciate it. Uh, thank you, Mr. Baggett. It is an honor to be here. Can you hear me? Good morning. Morning. I give that about a 70%. You want to try again? Good morning. Good morning. Yes, welcome to BSides Augusta. I am super excited to do this talk. Really, I haven't been this excited to do a talk in years. I got some cool stuff I'd like to share with you, stuff that I've been thinking about for the last 11 months. It's a brand new talk. I finished writing it yesterday. I've been working on it while
thinking about it for 11 months, writing it for the last two months, and honestly working on the stuff behind it for about 20 years. The talk is called Dragons and Eagles and Bears (wherever that comes from), Oh My: Nation States and Cyber Power, Hacker Reflects 20 Years In.

Now I'd like to point out that for all of the artwork that I created for this presentation I used Midjourney. Anybody here use Midjourney? It's an AI, uh, image generation tool, and I'm providing to you the prompts that I use to create each of these things. Some of the prompts are very simple, some get more complex. For this one, it was actually rather complex to create, because I went to Midjourney
and I said simply, I want you to create a picture for me, so "imagine prompt," that's what you have to type in, um, of a dragon fighting an eagle fighting a bear, and it created these dragon-eagle-bear entities, three of them fighting each other, which is not what I wanted at all. They were like mutants or something. So I tried again. I said, there's three things fighting: one is an eagle, one is a bear, one is a dragon. And again it's got this dragon-eagle-bear thing where each being has aspects of all three of those. Try again, try. I spent probably three or four hours to get this thing done. The way
that I ended up doing it, those of you who use Midjourney, have you used the region modification tool in it yet? It came out about a month ago. Very helpful. So what I did is I said, draw me three dragons, and it drew an image of three dragons, an image of five dragons, an image of seven dragons. I just wanted the three, so I took the three and then I carved out the one on the right-hand side and I said, make that dragon an eagle, and it did. Fighting, of course, an eagle fighting. And then I kind of carved out the other one. I said, make that dragon a bear. And there you have it: now
we have dragons and eagles and bears, oh my. But I provide you the different prompts here so you can kind of see how I'm using AI in creating artwork for my presentations.

So, about me. Look at the prompt here. I kid you not, I just went to Midjourney and said image prompt "Skoudis style," and it drew that. Obviously it looks just like me. No, no, not even close, but I'm going with it, I'm going with it. So I'm the president of the SANS Technology Institute college. I know we have some folks here that have graduated from there. We have 1,700 students now, uh, about half at the graduate level, uh, earning their master's degrees or
certificates. We got a whole bunch of different certificates, uh, at that level, and also we have undergraduate degrees now, bachelor's degrees, as well as undergraduate certificates. There's two of those. Um, I'm a fellow, as Mark introduced me, and instructor with the SANS Institute. Uh, I direct cyber ranges at the SANS Institute. Maybe you know about NetWars or the Holiday Hack Challenge. We'll talk about that a little more later. I have a security consultancy that I founded and run. It's called Counter Hack. We do a lot of penetration testing. I speak at a bunch of conferences. Holiday Hack. Oh, of most importance, I think, for you, and kind of setting the tone here, I worked on a project from
2004 to 2009 called the Cyber Power Project. You're going to be hearing more about that in a little bit. Um, also I happen to collect antique encryption systems, steampunk artifacts, uh, and other pre-1940s gadgets that I like to bring back to life and connect to the internet, because why not.

So have you noticed that there's been a lot of cyber military stuff going on? Here's just a little bit of a sampling to kind of set the tone here. If you go way, way, way, way back to 2019, there was a big story about "US cyber attack hurts Iran's ability to target oil tankers." Um, this is kind of a big story at the time. Hey, these, you know,
the Iranians are attacking American oil tankers, so, according to the press, we hacked them and they stopped. Well, that's interesting. So now we're applying cyber offensive activity to maybe defuse kinetic offensive activity. Very intriguing. Oh, and then last year we had General Paul Nakasone, uh, quoted just in the press, I'm just telling you what the press has said: "US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command." That's quite a headline now, isn't it? Interesting, and you can read the details of the quote that he actually said. Um, and then, well, if you go way, way, way back to 3 days ago, here was an article in The Cyber Edge by
SIGNAL: "US 2023 cyber strategy." We're learning a lot of lessons from what's going on in the Ukraine regarding cyber that we're applying to our strategies for dealing with Russia and China. This is kind of an interesting and hot topic.

So this presentation was inspired by a series of things. It was inspired by the Cyber Power Project that I mentioned earlier. This was a project that I was fortunate enough to be a part of from 2004 to 2009, and it really informed me about cyber military implications, interactions, a lot of thoughts. It was sort of a big think piece, and I was involved in that project for 5 years, maybe almost six.
Also some talks that I did on this topic from, say, 2009 to 2015, and also a book that I read about six months ago that's very interesting. I'll give you a lot more information about this book. It's called Cyber Persistence Theory. I'm here to kind of get you up to speed with what some of the thoughts that are happening in the world regarding cyber military stuff. Now, many of you are current military members or previous military members. I hope this just inherently interests you, but even if you're not, if you're not associated with the military, this stuff is vitally important and is happening right now. So I'm going to define cyberspace very briefly, because that can get kind of nauseating if you
get into too much detail. I'm going to look at some of the predictions of the past that we made back in 2004 through 2009 and show where they really didn't work out, they didn't really apply the way we thought they would. I'm going to take a look at cyber persistence theory and predictions for now and into the future. I'm going to give you some thoughts on AI and cyber and military interactions. I'm going to give you some thoughts on satellite technology. I'm going to be dropping hints about Holiday Hack, which I've already been doing, actually, while I was playing music for you this morning. You did know that, right? And a whole bunch more. So look at this
prompt: "conquering cyber territory in an epic battle." Thank you, Midjourney.

So this just occurred to me two days ago. It's like, okay, I'm doing this presentation on cyber military interaction and stuff, and I've done presentations in the past on this, but I want this to be meaningfully different. So I started to look at what I've done in the past, just to kind of refresh myself and where we are, and I noticed this trend. It seems if you go back eight-plus years ago, every three years in September or October I did a keynote on militarization of cyberspace. Go all the way back to 2009, and again, this, two days ago, this occurred to me. It's like, hey,
how about that. Um, I went to Hack in the Box in Kuala Lumpur, Malaysia. Anybody go to Hack in the Box? Not Hack The Box, Hack in the Box. It's a great conference over in Kuala Lumpur, Malaysia. I actually was the keynote speech right after Julian Assange. Actually, no, he came after me. I went first. I was the opening act for Julian Assange. I went first, and man, he did not like what I had to say, because I said militarization of cyberspace is inevitable, get ready for it, here's what it'll look like. He came up to me afterwards, you know, Julian Assange, right, WikiLeaks, he's going to present on WikiLeaks. He shook my hand, because I'm
handing the microphone to him. He shook my hand, said, great presentation, but, he said, I can't believe how someone who knows what you know can possibly believe what you believe. They're all bastards, Ed, every last one of them. Like, thanks, glad you like the presentation, here's your mic. Right? What are you going to do with that? All right, so that was back in 2009.

Three years later I went to BruCON. Anybody here go to BruCON over in Belgium? Nobody's been to BruCON? All right, well, I was there September 26, 2012, and I did a talk on unleashing the dogs of cyber war, to say what would cyber war look like, how would, how do we engage, how
we do attribution, etc., etc. Then three years after that I went to a place called BSides Augusta in Augusta, Georgia. Anybody ever go to BSides Augusta? Okay, good. And I did a presentation called Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World. Okay, so every three years, every fall, I did one of these, and then eight years passed and I didn't do one. Why? Because of many things. I did a lot of private presentations for military customers and things like that. I also got really focused on Internet of Things stuff and hacking all of that, and did countless other presentations on other topics. But now I wanted to come back to this and think about what I got
wrong back in those days, how things have changed, how my own thinking has evolved, and that's what this talk is about.

Cyber Power Project. Back in 2004 I got a call from a guy named Frank Kramer. He was former Assistant Secretary of Defense under Bill Clinton. He said, I've received funding to do a project to analyze how nation states can wield power in cyberspace. Are you interested? Well, yeah, I am very interested. It's very cool. Um, so I got some funding to work on this stuff, and they give me, like, think pieces, like, hey, how does this work, or can you explain this to us, or hey, if you had to hack into this environment,
how would you do it? It was really interesting stuff. In fact, sometimes they'd send me scenarios of how I'd hack stuff. I would come up with a way to hack it, send it back to them, and then a month later they'd say, all that stuff that you just did, you have to package it all up and send it to us, because it's been classified and you're not even allowed to think about it anymore. Okay, great, how about that. So, um, we think through various models and paradigms of nation-state activity. To this day I don't really know who funded the project, but the checks didn't bounce, so I was happy about that. Um, and there was a lot of
focus, at least early on in the project, 2004, 2005, 2006, on defining cyber as a warfighting domain. Back in the day they opposed this. A lot of people said no, it's not, but we really pushed for this. You know, the four warfighting domains before this work were land, sea, air, and space, and we said cyber is another warfighting domain, and we have to be ready to engage in battle with enemies in that environment, because it's going to happen whether we like it or not. And cyber has very different rules of engagement, very different physical, if you want to call it that, properties from these other warfighting domains. So we set out to work
on that stuff. We had debates about whether cyber should be its own branch of the military, like, say, the Air Force, which used to be part of the Army, right? Should cyber be entirely different, or should it be included in the existing branches? We discussed military decision-making with cyber operations, weapon system reliability. This was... look, I'm a civilian guy. I've never served. Many of you have served. Thank you for your service. But my father served in Vietnam, my grandfather served in World War II over the Philippines, but not me. I'm a civilian guy. But to be part of this conversation and to hear these people who have studied and really,
really know military professionalism, and to learn from them, was mind-blowing. This was the most fun project I have ever worked on in my life, and I had the honor of working on it five and a half, almost six years. We talked about the history of warfare, so you'd be talking with somebody and they'd say, you know, William Tecumseh Sherman didn't believe that. I'm like, okay. Then, you know, how would Patton approach this? Gee whiz, that's pretty kind of cool, you know. So all these discussions and much, much, much more.

So in 2006 and 2007 we took our project and we decided to have a series of workshops. There were five workshops over two years where we would invite
some of the smartest people we could find in the military, in academia, in commercial space, and say, hey, let's talk about cyber nation-state activity and how we expect it's going to evolve. Um, 40 to 50 people would attend each of these workshops. Uh, one meeting actually occurred on the day that the Russians decided to do their distributed denial-of-service flood against, uh, Estonia back in 2007. Do you remember that? We were meeting in real time, reading what was going on there in this meeting, trying to say, okay, if this happened against, say, American banks, what would we do? Right? Pretty cool. Now, I was kind of the resident techie of this project. Uh, at
the time I had written the SANS Security 504 course that Mark Baggett was going to take around that time, I think, right? And I was also, while these meetings were happening, I was writing the SANS Security 560 course, which was SANS's first course ever on penetration testing, network pen testing. Um, and I want to tell you a little story about something that happened at this time in the project. Most of the people working on this project were 60-plus years old. There were two of us that were in our late 30s or early 40s. It was me and a guy from the Air Force named Greg Rattray, and, uh, so we were the young guys, and all
the others on the project, six or seven or eight of them constantly on the project, they were the old guys. We dialed into a conference call. You remember, in the old days you'd have, like, voice conference calls and there was no video. Who knew? Anyway, so we dial in to this conference call, and it was just me and Greg, the two young guys were on the call, and I said to Greg, I said, the old guys hadn't shown up yet, I said, you know, these guys are amazing. He's like, what do you mean? I said, they'll ask us to describe the TCP three-way handshake and how that works, or tell me how virtual memory works, or, you know, tell me this
aspect of an operating system scheduling algorithm, and, you know, we tell them that, and suddenly they were devising geopolitical strategies for taking into account the TCP three-way handshake. It was un-freaking-believable. So I said this to Greg Rattray. I'm like, these guys are amazing, they're incredible. I just tell them SYN, SYN-ACK, ACK, next thing you know they've got a way to deal with these denial-of-service floods, and can you look at this and make this... wow. They weren't technical, but they were really brilliant at this stuff. And Greg said to me, he said, oh, you don't understand, do you? I'm like, what do you mean? He said, these are the people that won the Cold War without
destroying the world. They are amazing. They are the most brilliant people of their generation, and they succeeded, and most people don't even recognize what they did. I'm kind of tearing up even thinking about it. These people, unnamed, quiet, in the back scenes, tried to figure out how can we win the Cold War without a nuclear holocaust. Damn, that's pretty impressive, right? Cool. And I'm like, okay. And then all the old guys joined and we started talking about virtual memory management. Okay, so there you go.

The project culminated in our creating a book called Cyberpower and National Security. This is a book, uh, I'm going to show a little more detail about it. I
wrote three chapters in it and collaborated on a few other chapters. I'm not trying to sell you the book. I wouldn't, no offense to my co-authors, but I wouldn't buy it now, because it's back from 2009, right? So, um, anyway, we were really joyous when in 2010 Secretary of Defense William Lynn announced and acknowledged that cyberspace is a new warfighting domain. It was something that we had worked years on, trying to get the US military to say yes, this is true, and it was written up, and it's now a warfighting domain, and it has different properties than the other domains. It was a big deal for us. Then I went to a meeting at the Pentagon in
2012, actually about October of 2012, went to a meeting at the Pentagon, invited by the Office of the Secretary of Defense to meet with his staff to talk about just kind of how I see cyber military engagement evolving, and I told the story about, well, this being defined as a cyber warfighting domain, and there was a guy in the meeting who raised his hand and he said, I wrote that memo. And I'm like, dude, you wrote the memo that defined cyber as a warfighting... Yeah, that was me. Like, thank you, I really appreciate it. It was kind of a weird moment, you know, but that was kind of cool. I'm just a little hacker here, and just to be
invited to be even part of this amazing thing... And then I told the story that I just told you, the story with Greg Rattray and Greg saying these old guys won the Cold War without destroying humanity, and it was an amazing achievement. And as I was presenting this, there was an old guy at the meeting, sorry, I don't mean to point to you, but there was an old guy at the meeting, and I could see he was very, very moved. I mean, I'm not going to say he was tearing up, but he's almost tearing up. After the meeting was done, we walked out in the hallway and he came up to me and he thanked me. He said, no one knows what we
did. We worked so hard, we put in so much time, so much effort, that we weren't with our families, to try to figure out how to resolve this situation, the Cold War, without there being a nuclear exchange. Almost nobody has any idea of what we did, but we did it and we made it work. So I shook his hand and said, don't thank me, thank you. I mean, you're the one that saved humanity, not me, right? Wow, huh. So that's the Cyber Power Project and the associated workshops.

So, a tale of two books that inspired this talk. I already mentioned this book, where I wrote three chapters. I did one on evolutionary trends in cyberspace in 2008, 2009. I did,
uh, information security issues in cyberspace. They also asked me to look at biotech revolution and how we could, like, wire human brains into computers and stuff. Of course, now Neuralink is doing a lot of that stuff. But anyway, I've got three chapters in this book on that. I also work with a guy named Dick Kugler. He wrote a chapter on deterrence in the cyber world, uh, you know, how could we deter our adversaries, such as, say, the dragon and the bear. Uh, that's in here. And I work with Elihu Zimet on a graphical introduction to cyberspace for people who aren't technical. So that was that book.

Another thing that I do every year: I have the fortune, the good fortune,
of being invited to Princeton University. It's about 45 minutes from where I live, and I do a guest lecture there in a class on modern warfare. It's not a technical class. The people who are in this class are usually juniors, seniors, or graduate students at Princeton, and they're studying to become, like, public policy makers, you know, making decisions, maybe, maybe support staff or, say, the military, the president, or something like that. And, uh, this class is really cool. I think it's 14 or 16 weeks long. They do a week on nuclear weapons, they do a week on chemical weapons, they do a week or two on biological weapons, they do a week or two
on cyber attacks, cyber war. I'm there for that week. They have a new week they've added on AI warfare, which is pretty cool. So I go there, and I was there in April of this year, and I was doing my presentation. Somebody said, have you read the Cyber Persistence book? And I said, no, what's the Cyber Persistence? Oh, you got to check it out. So I got this book in April and I read through it. You could see that, you can vouch for me, it's pretty heavily dog-eared. I found it fascinating. There's a lot of really interesting ideas. If you're interested in this topic, I recommend you read this book. Okay, I was not involved in its
creation whatsoever. I didn't know it existed until about eight months after it came out. Okay, um, it's written by Michael Fischerkeller, Emily Goldman, and Richard Harknett. These are all PhDs in military affairs, and this book reads like it was written by a bunch of PhDs in military affairs, you know what I mean? I don't mean to be disrespectful, but chapter is one of the most boring things you'll ever read. However, I got super excited. Chapter 5 is about legal issues in nation-state warfare and stuff, that's just not my gig, but I did read it all. Um, it is a fascinating book. If you're interested in this stuff, read it. My whole team at Counter Hack, uh, we're
18 people, I had suggested it to them and about half of them read it, and we did a little book club on it just to compare ideas and notes and thoughts and such. It's pretty fun. Cool.

Some additional noteworthy books on this topic. They go back quite a ways, but if you want to kind of see how the thinking evolved, uh, there's a guy named Martin Libicki who wrote a book, um, Cyberdeterrence and Cyberwar. Martin was part of the Cyber Power Project, and he and I debated at length about how cyber war might look and how it might not look back in the day. The guy's a genius. He's absolutely brilliant. Um, and then also a guy named Thomas Rid,
who was not on the Cyber Power Project but a really smart guy out of the UK, wrote a book called Cyber War Will Not Take Place. Actually, the BBC called me and interviewed me about my thoughts on cyber war, and they called him and interviewed him about his thoughts on cyber war, and they spliced the two together as though they were a debate. They were not. But if you listen to it, I looked for it, I couldn't find the audio, but if you listen to it, because the person who cut the thing together was on my side, they made it look like I won the debate. I'm not sure if I actually talked to Thomas Rid I'd win a debate with him,
but the way they cut that thing together... and it shows you the way you cut audio or video can have a huge implication on it. So these are some interesting books with some thoughts that kind of fueled this talk and others.

One of the things I liked least about the Cyber Power Project was the endless debates we'd have on how you define cyberspace. I mean, honestly, I almost didn't care, but you'd have to sit there, because these were professors at National Defense University at Fort McNair in Washington, DC, just going on and on and on about cyberspace. The debate settled on: should it be a global IP network? Is that cyberspace? Yeah, but
what about cable television? What about terrestrial radio? A lot of information gets pumped out on that. What about satellites? I like the way the Cyber Persistence book deals with this. It defines cyberspace by talking more about its characteristics rather than particular physical plant. And I'm sorry about the details I have on these slides. I tried to write this presentation as I do most of mine, such that if you're not here you could still pick up what this is, or you don't really have to take notes. I'm happy to get these slides out to you. Maybe I can work with BSides to make sure you can download them or something. In cyberspace, one can be anywhere at any
time, says this book, in which "be" means sufficient presence to take meaningful actions. Constant contact must be understood as an essential element of cyberspace, and you can't meaningfully pull yourself out of cyberspace and still be considered a modern nation state. It's just necessary for your economy, for your people's expectations. They have to be part of this global cyber community. In the past, a lot of things were done with just, well, hey, let's just not connect to the internet, or let's firewall the crap out of it. Now, I do think there's an angle where you can firewall certain things, like maybe certain social services or certain, uh, other things, um, but you can't just completely disconnect. It's just part of
being a modern nation state, and I think that's true.

Now here's some arguments that we talked about at the Cyber Power Project that haven't held up terribly well. Not everyone agreed with what I'm about to say. These were the things we were debating back in 2004 through 2009. We thought cyber war would be a distinct thing. A lot of people did. Hey, there will be a time when a couple of nation states go at each other with cyber weapons in an entirely cyber way, and you'll see a little bit later, with physical impact, kinetic impact. Um, we thought, uh, cyber war would involve direct cyber engagement, say, our forces against their forces, directly battling
in some engagement, facing off against each other. A lot of people thought this, and I didn't, this one wasn't one of my thoughts: a cyber war would be short in duration. I remember arguing with Martin Libicki. He's like, if there is a cyber war as you describe it, it's going to be really, really short, because it'll move at network speeds, and once we shoot off all our zero days, they'll catch some of them and shoot them back at us, and then they're going to shoot off all their zero days. The whole thing, he said, maybe lasts a half hour. But the duration of a war doesn't make it not a war. I said, a nuclear war might only last a
half hour, but that's still a war. So we would argue. This is the kind of stuff we would debate. Okay, happily I was funded to do this debate, right? So, um, we also thought cyber weapons would be cheap. I mean, back in those days, 2004, 2005, zero days, like, you shake a tree and they just start falling out. So we thought, you know, for five or 10 or 50,000, half a million bucks... you give me 5 million bucks, I'll give you zero days until the cows come home. We were wrong on that. Turns out it's not just finding the zero days, although that costs more money than we thought at the time nowadays because cybersecurity is improved,
but also all of the infrastructure needed for it, all of the training, all of the efforts cost a lot more money. We thought cyber war would likely have a kinetic impact, and we thought deterrence would be a major element of it. We thought, hey, the Russians and the Chinese will be afraid of us hacking them, so therefore they won't hack us. It's deterrence, and we have to show that we're capable of hacking them without actually hacking them. Now, you notice the slide says this didn't hold up very well. By the way, my imagine prompt: "a civil defense poster warning people about cyber war," and you could see even then it's pulling in these concepts just sort
of automatically. But that's not what cyber persistence theory said, almost everything you see on the previous slide. Cyber persistence theory, this book that came out last year, it was, uh, April or May of 2022, says this. This is what cyber persistence theory is. Listen to this carefully. I'm going to just read it and then I'll unpack it for you. Cyber persistence theory is a structural theory, posits that the combination of core structural features, interconnectedness; core condition, constant contact; and reinforcing structural features, macro-resilience and micro-vulnerability, forms the basis of a distinct logic, exploitation, that carves out a form of strategic behavior, initiative persistence, among states in the pursuit of security that is distinguishable from the conventional
and nuclear strategic... Let's unpack. Interconnectedness, I mentioned, that's just the nature of cyberspace. You're interconnected, so you have constant contact with potential adversaries. That's just the way it is. This also I thought was interesting: macro-resilience. It is stunning to me, as I look back over the last 20 years, that the internet at large hasn't come down a few times. Yeah, there's been some interruptions here and there, but it's been a remarkably resilient environment. For those who know the details of how this thing works, it's really incredible the ISPs are able to make this thing just work and route packets. But with micro-vulnerabilities everywhere: hack this machine, zero days, while more expensive, they still come out
all the time, with massive numbers of systems vulnerable, so that they're ripe for exploitation. And instead of it being sort of very periodic force-on-force interaction, there's so many pawns on the chessboard, nation states can just reach out and start gathering them in through exploitation with initiative persistence, and this is very different from conventional and nuclear approaches to warfare in profound ways.

Some other aspects of cyber persistence theory. Some of this is going to underscore what I just said, others is going to bring in new ideas. Uh, first of all, you can't just disconnect. You can't just firewall everything, because then you're not a modern nation state. It just doesn't work that way. You're not just
playing defense. This is a big thing this book talks about. It says the United States, if you go back 10 or 12 years ago, said we're going to do this on defense, and most of our actions are going to be associated with law enforcement, not military. And the book, in the very boring chapter 5, talks about how that approach didn't really work that well, and it was changed in, say, 2012, '13, '14, to say, no, we're going to have more initiative and to take some of the pawns off the chessboard and not have direct confrontation, right? It talks, the book... oh, so constant activity rather than episodic interactions. It talks a lot in
this book about something they call a cyber fait accompli. The idea there is, if your nation state wants to take those pieces off the chessboard, you could do it, and the other side very likely won't contest you, or if they do, it'll be minor. Now, you got to be careful. You want to stay under the threshold of direct kinetic military engagement. You don't want to blow their stuff up. But taking command and control of it, depositing your C2 channels, that seems to be acceptable by modern nation states at a certain level. Honestly, it seems as long as the civilians don't know and don't get too worked up about it, it's okay. All right, uh, the relative scarcity of direct
cyber engagement they talk about um um because of the extraordinary abundance of opportunities for exploitation so in other words they just said in the normal course of business nation states are going to be compromising each other just constantly and any nation state that doesn't do this is actually going to fall behind and not be a great power over long periods of time it's pretty powerful stuff now you got to keep below the level of armed conflict and it's not war in the traditional sense it's just baked in it's the way cyberspace Works given the macro resiliency and the micro vulnerability and it's a fundamental component of being a modern nation state posits this book now that's jarring
isn't it and it's different than what we thought about 20 years ago and one of the big areas it talks about is conventional versus nuclear versus cyber activity when we were working on this in 2004 to 2009 we tried to analogize everything to Conventional Weapons or nuclear weapons this whole concept of deterrence this whole concept of Engagement etc etc analogies abounded some people said cyber war is inevitable others said it will not happen I mean you saw the the title of Thomas Rid's book um that of course depends on how you define War cyber persistence Theory says this cyberspace must be thought of from a nation state perspective as an environment ripe for exploitation
achieving strategic gains in the Cyber strategic environment does not require concession of the opponent in conventional War you beat on them until they concede they try to do the same back to you in cyber engagement you hack them as long as they don't get too pissed off everything seems to work out okay weird huh very different and look at that I did not like this last sentence but it's in the book a couple times conventional security rests in the presence of war that ability for nation states to just fight it out I don't like that okay but security depends on that nuclear security rests in the absence of War yeah that works for me let's not
have a nuclear war right okay and cyber security rests in an alternative to war of nation states wielding their power through exploitation on a constant contact perspective all right so that that's cyber power and how it's cyber persistence Theory and how it's very different than the stuff we were talking about back in 2004 to 2009 but there are some areas in this book that kind of jive with my thoughts I actually wrote a paper back in 2013 I was thinking about this talking with my friends about how you know at sufficiently Advanced levels of of cyber security offense and defense kind of merge you know you might be training people in defensive things well let me
give you just a real simple example have you ever thought about an endpoint Security Suite you know what does that do it hooks a whole bunch of API calls into the operating system some of it runs kernel level and it tries to hide things from malware and stuff like that and stop the malware from getting in in the first place you know what that is it's a rootkit right I so endpoint you know EDR stuff that's that's all rootkits at various levels now rootkits can be used offensively EDR tools can be used defensively the point is once you get really deep into this stuff offense and defense become interchangeable so the Cyber power Theory Book says this
tactically a state may exploit to protect or exploit to advance at what point am I playing defense and at what point am I playing offense and they point out they just kind of come together at very Advanced levels I'm not look they're still defense and they're still offense but when you get deep enough into this you got to defend your C2 stuff if you're doing offensive things or else you'll lose command and control right you've got to be able to hook your operating systems at a pretty deep level and understand them to the level you could exploit them this is more than just offense informs defense or defense informs offense this is offense and defense become one notice my
prompt here imagine prompt sword and shield I could not get it to draw an actual sword it just wouldn't do it but I said sword and shield merging together in the style of Pixar with both characters happy that's pretty good in the style of Pixar is like magic with Midjourney it just looks so good right I don't know why the shield is missing a leg maybe maybe the sword cut it off I don't know I could have gone in with a region and said add a leg but I decided not not to cuz I thought it was kind of cute um also notice that it sorted out red and blue I didn't say anything about
red and blue in my prompt but it just knew that blue would be the defense and red would be the offense I'm going to come back to that in a little bit but I do like what they say here some of us a decade ago were arguing that cyberspace is offense dominant or offense Advantage but today we realize that's less less meaningful and it actually might be analytically too limiting all right another thing in cyber persistence theory that they say uh many times in the book is that one of the things that define cyberspace is the terrain is made of systems and code so the terrain over which we battle and the weapons are also
made of systems and code this is a very unusual thing that the terrain over which we fight is the same things that our weapons are made of and nation states and even users can create new terrain extending it at any time and wielding control over that or using it to manipulate in an exploitive way an adversary huh so I'm reading all this stuff and I'm thinking do you know what the most effective cyber weapon currently in widespread use is this kept coming back to me it's not in the book but I thought of it again and again are you ready watch this with that definition and the definition of cyber persistence Theory I think the most
effective cyber weapon in current widespread use is TikTok really powerful stuff amazing now some people on the other side of that divide might say no dudes we learned from you on YouTube and Snapchat and Instagram and Facebook now you're getting your own back at you now of course China does block its own people from using TikTok but they're really happy for us to use it huh yeah so anyway that just kept coming to my mind as I read through this book now let's talk about information dominance and cyber persistence theory's thought on that um cyber persistence theory because the book came out you know last spring Well Spring of 2022 it doesn't talk a lot about AI there's a little bit
in there maybe four or five pages a little bit about AI but not a whole lot here's what it says AI does not clearly portend moving to dominance of the offense or the defense it says I get asked this all the time given the rise of AI and and large language models and developing code and creating malware using AI is it going to benefit offense or defense my belief is in the short-term offense all the way perhaps if we're lucky over the longer term defense will be able to keep up and I really think that holds I I strongly believe that but their point is hey we'll see that's down the road it does suggest though listen to this the book
suggests that widespread adoption of AI by nation states in their military structures could change this sort of fait accompli thing and its sort of free-for-all of exploitation and make for more channeled direct confrontation in cyberspace between offensive AI and defensive AI between nation states it hints at that it's a light teasing of the concept but I find it fascinating but independent of AI the book says this there is at a base level too much information available in cyberspace oh yeah there's just too much information for us to process you hear all these talks today about disinformation and misinformation good information and bad information here's my thoughts AI large language model AI also generative AI for
pictures and videos and music they're going to greatly compound the information confusion problem in a way you can't even imagine but give it six months or a year and you're going to say oh my gosh what a disaster of garbage information because you see using AI in the 2024 US election available at no cost essentially to everybody it's going to be a watershed event of garbage information because AI allows so much content to be so quickly generated at such a low cost and deployed so widely we're going to be swimming in garbage it'll be everywhere and this made me think of an interesting analogy have you heard of low background steel just a fascinating thing so um humans starting
in 1945 started detonating Atomic weapons and then later nuclear weapons hydrogen bombs and things like that which contaminated the atmosphere when you make steel you get iron and you blow huge amounts of air into it to make it into Steel right turns out that starting in 1945 and later if you did this your steel was mildly radioactive it just is all the steel that you have around you at least almost all of it is slightly radioactive this doesn't bother us too much except for if you're making very high Precision sensors especially for radioactivity or things that go on satellites you're making high Precision sensors you can't use steel created since 1945 so what do you do you pull it out of sunken ships
that sank before 1945 this is called Low background radiation Steel okay so thinking about that as an analogy humans contaminate the environments we go into it's just what we do sorry it's bad I remember as a kid hearing about light pollution and I thought why would we have light you just turn the lights off but no light pollution is a big deal right you can't see the Milky Way galaxy from inhabited places in the United States largely inhabited or noise pollution just shut the noise off I thought as a child but no it's a big problem we're going to have information pollution we're going to pollute the infosphere like you've never seen in the next year running up to the 2024
election and it's going to be a mess so full of garbage and there's some really interesting papers that came out about oh gosh it was about maybe two months ago about how if you train an AI in a corpus of information that has been in part created by an AI the models diverge from reality and usefulness really fast over the space of two generations generations of AI which are happening every six months or a year now right so really fast train AI with too much AI generated data will result in severe and Rapid degradation of the models and it'll all be crap which means just like low background radiation steel is highly valuable right if you got sunken ships
that's really valuable stuff you could sell that metal for all kinds of money if you happen to have a corpus of information from prior to when ChatGPT was released that you know was generated by humans that is incredibly valuable information it might even be worth paying $44 billion for all of those tweets because that is pure H well largely pure human generated information and if you had a source that could continually generate human generated information and if you could assure buyers of that information that it was human generated it will be massively valuable so Twitter and other large sources of information created before 2022 will be extra valuable because the pollution we're about to spew into the information space
H some additional thoughts on this AI stuff one of the big issues that people talk about with generative AI is the hallucination problem have you heard of it the idea is the way is generative AI for a large language model works is you give it a prompt and you're kind of tickling a neural network and the neural network is making associations with its Corpus of training data based on your prompt to create output and that output is just essentially a statistical language model spewing words together it's amazing that this actually works but in doing so it will create things that aren't true it will say things that you and I would consider a lie but it's
not like it's trying to be deceptive it's just pulling together from its neural network and training Corpus of information and your prompt stuff and displaying that and if you trust it shame on you there was a lawyer this was about a month ago maybe six weeks ago who submitted a legal briefing uh associated with a case that the lawyer was trying and uh it cited other legal cases as its proof he used the AI to generate this this legal uh briefing and it cited cases that didn't exist but man it was emphatic about the importance of these cases in arguing his point that's bad and a lot of people will say Hallucination is is the Achilles heel of
LLM AIs but let me have you think about something else for some uses they are a concern have you heard the old joke about the talking dog the talking dog problem there's a great paper if you haven't read it I urge you to read it it's only about 28 pages long it's by Terrence Sejnowski it's called large language models and the reverse Turing test July of 2022 please read it it's really good I was talking to Marcus Ranum who's sort of the inventor of the modern firewall about this paper he says it's like a master's degree in large language model issues and it's worth your time to read anyway Sejnowski says in this paper it's
like the talking dog problem and the talking dog joke goes like this there's a business person driving down the street in rural Kansas and he sees a sign hand painted on the side of the road that says talking dog $10 next stop he's like 10 bucks look for talking dog really so he pulls over why not and as he pulls over Rover starts running up to him this little dog runs up to him he says hey Mr how are you please take me away from here and the guy is startled this dog can talk just like the sign said so so so the the business person says well how is it that you came to
talk and the dog said oh my gosh you should hear this turns out the US government wanted to fund this talking dog problem and they spent over a billion dollars it was the NSA I'm telling you was the NSA spent over a billion dollars doing all this IC engineering and training and finally they produced me Rover the talking dog and then and then the business guy he's like well how is it that you came to be in this Farm in Kansas oh my gosh I got to tell you about that story they kept me under lock and keys because they were afraid people would freak out if they knew a dog could talk so I was in this
lock and key I managed to wait until my Keepers were distracted and then I kind of got my way out and then did you ever see the movie Shawshank Redemption so the dog says it was like Shawshank Redemption and I had to dig down out of my prison and get out and then I ran and I got on a bus and they took me to Kansas and here I am and the business guy's like I can't believe this $10 for this and then the farmer walks out and the farmer said sir are you interested in the dog he's like I can't believe this dog this is so amazing for $10 this dog could talk the NSA spent a billion
dollars on he escaped and the farmer says oh he told you that story didn't he the dog's a liar he just makes stuff up that's not true at all there you go now if you think about it it's because talking dog has no value to someone who is a farmer wanting to plant Fields but if you use it for a different thing that talking dog could be really interesting maybe the talking dog could be a screenwriter right there was a strike you could put the dog in place right right or maybe maybe the dog could be a storyteller maybe the dog can be an you know an exhibit that you you feature a TV show reality TV show talking dog it
depends on your use case as to whether this thing that yes technically speaking lies or just makes stuff up is actually useful so I posit to you that generative AI could actually be really useful with hallucinations you can force it into hallucinations to think of ideas that have never been thought of before really powerful so imagine you've got some maybe you're using ChatGPT and you type in what your prompt is but then you append to your prompt some nonsense words jalapeno butterscotch Chipotle what does that have to do with anything that I'm interest nothing but it will force certain neurons to fire in the the neural network of that AI making it perhaps generate things that no one's
ever thought of before now 99% of what it's going to generate is crap but we could have a human go through and try to sort through the crap and say hey these are really good ideas new ideas that nobody's ever thought of anymore that's pretty cool and there's a project called DreamGPT DreamGPT tries to force the LLM AI to hallucinate and then it uses AI to sort through all of its output to say this is the 99% that is garbage here's the 1% that is new ideas that might be interesting that no one's ever thought of before so we can use AI to sort through the garbage created by hallucinogenic other AIs really
interesting ideas here and some further thoughts on this why do large language model AIs even work this idea of tickling a neural network and then predictively just saying which word should come next turns into like really meaningful and useful output how is this possible I was actually listening to a podcast a while ago it was by an archaeologist you know a professor at some University I forget where and he was saying he took ChatGPT and he said hey I want you to do an analysis and comparison of some ancient Mesopotamian text it's very very rare it's been translated into English and the Noah story from the book of Genesis and I would like you to produce for me a
10-page paper analyzing human interactions with animals from each of those stories and he said the result that came out of this was actually mid-level work for a PhD candidate and nobody it's not like there was some other source comparing these two works that had never been done before this was brand new they say how is this even possible and it comes down to fundamentally words words are the building blocks of ideas right so because there were similar words in this ancient Mesopotamian text translated into English and similar words in the story of Noah those words the AI was able to create associations between those ideas that no human had ever thought of before and we can do that now
at scale really cool oh and it also generate a lot of garbage but we can filter out the garbage using AI so now here's a here's a little thought here occurred to me when an llm generates the text to express a new idea has that idea actually been thought until a human mind comprehends it I don't think it has it's just a string of words but there were thoughts that went into the original Works which created the building blocks of ideas as long as they were created by actual humans that pull that together it's it's a a new variation on this if a tree falls in the woods and nobody hears it doesn't make a
sound is an idea an idea until a human mind perceives it okay I promise you some stuff on holiday hack have you guys played holiday hack anybody here ever play holiday hack thank you I appreciate that um so it comes the second week of December every year and what my team does we work over a year on this I've been working on holiday hack 2023 since October of last year 14 months to create this thing so I'm working on the next one before the current one comes out um it's our gift to the cyber security Community it's a free if you want to call it a CTF you can it's more than that it's a virtual world where you have
an avatar you interact with other users we usually get 17,500 to 19,000 people playing I'm here to tell you this year you're going to see AI throughout the whole thing a lot of it's going to be generated by AI you're going to have to use AI to solve stuff lots of lessons of AI and hallucination and using them for creativity and all kinds of stuff there and we think AI is so important to cybersecurity professionals if you want to win holiday hack 2023 you're going to have to submit your entry and you're going to have to use AI to create it and show us your prompts because we want to see how you're cleverly and creatively
using AI to solve holiday hack so we can learn from you too right just like I'm putting those AI prompts here in all my pictures we're going to have you do that in your entries for Holiday hack challenge all right last topic for you thinking about military stuff and so forth have you seen what's going on with satellites lately holy crap satellites have proven to be the high ground in nation state engagement in cyberspace I mean Russia and Ukraine there's been countless stories of that SpaceX Starlink I'm currently about three quarters of the way through the Elon Musk biography and I just got to the part on Ukraine which is really fascinating um and and as I was
putting this presentation together check this out so did you hear like you know Ukrainians are using Starlink right now and the US military says gee we'd like to have one of those we don't quite have one quite that flexible so um maybe we'll put out to bid for somebody to create us one it was just four days five days ago six days whatever it is October 2nd um it was announced that uh Space Force gave a $70 million contract to SpaceX to create what they call Starshield Starshield will be the US DOD equivalent of Starlink which is their civilian service being used militarily by the Ukrainians right now so isn't that interesting just a few days ago the
first contract was awarded also as I was updating my presentation yesterday evening I saw this story from yesterday you know Jeff Bezos man he'd like to have himself some Starlink too so yesterday it was announced that Blue Origin under the guise of Amazon had launched its first two prototype satellites for their own constellation so this is competition for The High Ground with civilian companies and Military organizations engaging and there's a lot more to come this is huge so I urge you to learn a lot more about cyber in space not cyber space but cyber in space especially with satellite technology now I'm sure you're sitting there wishing sitting there how could I learn more about that right well there
is Hack-A-Sat Hack-A-Sat is a CTF that is used satellites actual satellite last this year at Defcon so the Hack-A-Sat stuff is up there all their code is up on GitHub it's worth taking a look at or wouldn't it be cool if there was like a really fun maybe annual competition every year with a fun storyline maybe a little virtual world so you can have an avatar you can hop around and there were like satellites in there that you could hack and you could learn things like the control flight system or the nanosat mission operations framework I mean have you anybody here ever dissect the space packet protocol did you know there was a
space packet protocol oh there is and if you play holiday hack 2023 you will learn all about it and you'll be hacking not actual satellites but we're going to simulate them our budgets aren't that high but we're going to simulate them and you're going to learn a whole lot about this technology and how important it is in your life right now so that's what I wanted to share with you AI and satellites holiday hack it launches in two months launch you see what I did there so in conclusion my goodness we live in interesting times don't we and I also you know kind of as I was putting this presentation together I was thinking okay the last time I did
this event 2015 were there any ideas in here that that I would have thought then well yeah the Cyber power project stuff but once we branched off the Cyber project project into the Cyber persistence Theory and then the AI and then the satellite stuff this is all brand new stuff that I've been thinking about over the last 11 months we do live in fascinating times nation state engagement in cyberspace is different from what many people including me predicted it would be 15 years ago cyber persistence theory has a lot to offer but another thing I thought as I read through this book which I encourage you to read it's not that long it's 157 Pages um just watch out for chapter 5 U
it's snoozefest but 157 pages with like I don't know 40 50 pages of endnotes so it's very well cited but I do Wonder as I'm reading this this seems to me to be the way nation states are engaging in cyberspace now I get it and that seems like it will be true until it's not true right it's the kind of thing that once we get past that maybe through AI maybe through some large scale War due to you know events this whole idea of hey we're going to take targets off of the the playing field grab those pawns um that could change very rapidly with direct cyber confrontation of nation states we're not there right now thankfully but
uh we could get there so stay tuned and that's what I wanted to share with you I think I think we have a few minutes for Q&A right Mark yes sure do I think about how activists fit into the whole scheme I mean if you go back to when I started teaching for SANS quite a while ago started teaching in 1999 in SANS and activism was the thing people would hack into stuff deface their website maybe decry their politics back and forth back forth 2003 2004 2005 activism was a driving force back in the day Cult of the Dead Cow was a big thing a lot of discussions of of you know where they were going the L0pht
was trying to improve the security today that seems to be less there I mean even the creation the origin of the EFF Electronic Frontier Foundation um but I see well activists are still there and they're trying to represent they don't seem to be driving it as much as commercial companies and nation states these
days oh yeah the gentleman's point is when uh the Russian Ukraine thing heated up there was a lot of non-military folks that that came in and generate a lot of noise and a lot of activity so diversionary tactics it's also interesting when you're dealing with Russia as a