
I Am The Cavalry Track Welcome and Overview — I Can Do This All Day?

BSides Las Vegas 2019 · 27:02 · 18 views · Published 2019-10 · Watch on YouTube ↗
About this talk
Joshua Corman and Beau Woods open the I Am The Cavalry track at BSides Las Vegas 2019, reflecting on six years of work in medical device security and safety-critical systems. They share stories of regulatory trust-building, real-world pacemaker incidents, and the challenges of securing life-critical technologies. The talk explores burnout in the security community and the role of diversity and inclusive culture in sustaining progress.
IATC - I Am The Cavalry Track Welcome and Overview - I Can Do This All Day? - Joshua Corman & Beau Woods I Am The Cavalry BSidesLV 2019 - Tuscany Hotel - Aug 06, 2019
Transcript [en]

So welcome to BSides. It's gonna be a lot of talks, you're gonna learn a lot of stuff. One of the most important things is meet people, so if you don't know the person next to your left or right, you want to reach out to somebody, go shake their hand. These are conversations that need to be made. The security industry, makes sense? Excellent. All right, here we go. Sponsors, we can't do it without them. So we've got Critical Stack and Bail Mail as our Inner Circle sponsors. Our Stellar sponsors are Amazon, BlackBerry, the National Security Agency, Cylance, Microsoft, Robin Booth, Secure Code Warrior, and Paranoid. If you want to become a sponsor, come and list, we need your help. This is how it all works. Okay, we're gonna be video recording this in the back, so I kindly ask that you turn your cell phones to vibrate mode, please. If you have to take a call, please step out. That gives the speakers exactly what they need to kind of explain what they're doing. Makes sense? Yeah. You guys know these two gentlemen, yes? They've done it many times, they need no introduction, so I'm gonna turn it over to them. Thank you.

Hi, Josh Corman, one of the founders of I Am The Cavalry. Beau Woods, how are you doing? This is our sixth birthday. We were born here. Anybody who's been a part since day one, or even today, give yourself a round of applause. Saving lives through security research.

So we have a little bit of a late start, so we'll probably go faster and mostly do story time, but I think each year we've tried to have a theme. You'll see some themes emerge through the schedule, some incredible speakers today and tomorrow. As we got closer and closer to this, I got a little frustrated with myself. When I was really approaching last year I'm like, where are we as a movement, right, five years in? And I've really been trying to make sure that not only do we have activity and we have milestones and we have progress on safety-critical, but that we actually are in a position that, were there to be a large attack on, say, medical devices, people would be safe. And I feel like we're most of the way there for medical, and we're sort of on the way there for cars. And in the last year we said, hey look, we have a blueprint, we know it works, I can't wait to see what you guys do with it. And Beau's gonna highlight some of the stories about the journey thus far for him that gave us courage or motivation through the hard times. I may share one too, if time permits. But I also just felt like, year over year, at least for the one I focus on, I decided to go really, really deep on medical. All right, we've done so many things on medical, it's way ahead. Can we get one of these things across the finish line so that we have a blueprint, start to finish, on this is how you make a safe, defensible, resilient, trustworthy safety-critical space? And that way everyone who's started this thing, like the Aviation Village that's at DEF CON this year, or the Maritime Village, or the Biohacking Village, all these adjacent ones, could then learn from our mistakes and follow that recipe start to finish. Now of course there's some beautiful unique snowflakes per industry, but I felt very frustrated how stuck we were, and what it really forced me to do is get back to first principles.

So I want to... I think the audio sucks, but I want to share a more personal bit just at the beginning here and then pivot into maybe how we can get through this stuck period. So there's plenty of good news, guys, I don't want to be a downer on it, it's just the struggle is real. The journey's been hard, and the room gets bigger and the participants get more vast and we are doing great things. It's just I always want to go faster or be in a much more defensible state. So has anybody in here not seen Marvel's Infinity War and Endgame? I'm gonna keep it spoiler-free, okay. A lot of you guys know that I want to be a protector. I think a lot of us in this room are. Which ones of you are protectors? We talk about the motivations: protectors, puzzlers, prestige, profit, protest. This crowd, this tribe within the tribes, has really been about protectors and puzzlers that want to do things that matter. And one of the things that are hard, I had a really freaking hard year. Without making this autobiographical, especially with a tiny compressed thing, I just felt like this theme of just getting your ass kicked over and over. And without sound, this is one of the scenes from Captain America's first movie: no superpowers, still standing up to bullies, doesn't know when to give up. He says, "I could do this all day," right?

Later in the same movie he's got superpowers, he's a super soldier, you know, he's the ultimate paladin fighting a super villain, but now more defiantly, kind of owning his own skills, he says, "I could do this all day," right? But then I was thinking about the full arc of the hero's journey here, and if you get to Civil War, you know, there's an ideological schism between the heroes and they start fighting each other, and it takes on a very different tone. Now he's fighting Tony Stark, right? They both want to do right, they disagree on how. Sometimes the hardest fight isn't against Red Skull, it's against your friends. He stands up one more time. Anybody know what the line is gonna be? Almost hard to notice if you don't put them back to back: "I could do this all day," right? And without spoilers, this is in the movie trailer for Endgame. Everybody knows Chris Evans' contract's up. This scene is in the trailer, so unless you haven't seen the trailer, it's not a spoiler. And you know he's probably not gonna do any more movies, so I'm figuring one last time, maybe he makes his last stand. He's beaten, his shield's broken, his arms all cut up, exhausted, so everybody's waiting for him to say, "I could do this all day," right?

But at least for me, this year is really hard, and I felt pretty beat up, and I'm not sure we're in the endgame right now, but I feel like we're close. And I know there's a lot of fight in me and there's a lot of fight in you. At some point we're gonna fight our last fight, and I was questioning if that was where I was, and I'm still fighting with that. It's been a struggle, and there's a lot of setbacks, there's a lot of advances which give us hope. So one thing we're hopefully gonna do with story time here is speak to some of our most hopeful moments. But what follows next, if you've seen the movie, you know, I kind of will come back to that, maybe without a spoiler, but it's, you know, little old Cap versus a lot of bad people. So as we head into this, just one more idea to tee up. Instead of bringing you a polished idea, you know, we talked about one of the reasons we did so well at first is we did a workshop, you know, we did this DerbyCon Constitutional Congress: so what do we want to do, how do we want to do it, what are our first principles? And I've been struggling with this idea of something that's the polar opposite.

You know, we did these things like the Five Star Automotive Cyber Safety Framework for cars. It was a huge milestone. We just said, if you want to, you have to be this tall to ride the Internet of Cars. And then Beau beautifully translated those principles into the FDA, right, medical language, using a Hippocratic Oath, things they already care about. Don't make them care about our stuff, make them understand how what they already care about maps to our stuff. Really beautiful. And please don't groan when I show this. I kept thinking, what's the doppelganger of the cyber kill chain? Like, what's the polar opposite? And I kind of hate this "cyber" kill chain, and a lot of people outside our industry hate the cyber idea and the kill chain idea. It's very aggressive, it's very militaristic. But like, in general, offense is easy, defense is hard, and we're getting our asses kicked, mostly, right? And we always talk about that, and we kind of resign ourselves to think that's how it's gonna be. But the one hope people derive from this cyber kill chain is if you can disrupt just one link of that chain, the breach doesn't happen, right? So how could you flip that, and like, is there a life chain, a safe chain, a protection chain? And I still couldn't get it prepared enough for here, so I don't want to solve it on my own, I kind of want to workshop it with you guys.

So where I flipped to is this notion of a lifeline. So what are all the steps we have to take to make sure that there's no mass casualty event in hospitals? Is it enough to write a Hippocratic Oath? No. Is it enough to build trust with the regulator like the FDA? Well, that helps. Is it enough to change regulatory guidance? Yeah, but we won't see the fruits of that for six years. Is it enough to get the FDA to do a recall? That's really helpful, right, but we're not really done until doctors and physicians and hospitals act on those recalls. And that's where I've been stuck for about a year. I just keep trying harder and harder and I'm not really making a dent on that. And when you keep trying the same thing over and over expecting different results, I think there's a phrase for that. But if there's this notion of a lifeline, what are all the necessary steps? And on this long one here, this is the medical one. We've done this incredible amount of work on medical, but we just can't seem to get through to hospitals and physicians yet. So I both want to invite you guys this week, all week, here, by the pool, or at Biohacking Village, or somewhere around DEF CON, let's start workshopping how we might define this lifeline as a model to map different safety-critical industries and a roadmap for how to have the most impact. How long that lifeline is matters, how many links in that rope. Now maybe, just like we said when we launched here six years ago, maybe people have to die first, and during that crisis we're gonna throw a lifeline to somebody. They still got to catch it, they still have to accept the help, but we can do everything we can to make sure it's as ready as possible for that flashpoint, in that moment. So instead of giving that answer, maybe, Beau, we can pivot to the story time.

Yeah, sure. So anybody recognize this photo? I have four people. So this is a mannequin that they use in clinical

simulations. You ever took like CPR in your high school, no, school, whatever? So, like, a really primitive version of this that you're working on. This thing costs like $100,000. It gives out like realistic heartbeat, vital signs, and it responds. It has a speaker and a microphone in it, so it like actually makes noise. And this is the result of a clinical hacking simulation that we did in Arizona in, what, 2017 I think, where we brought physicians into a room where they didn't know what was going to happen. We had a script that all the nurses and the clinical staff knew, and we had a patient who was a, they call it a standardized patient, it's an actor who comes in, not that guy but somebody else, who comes in presenting with conditions, and the doctor has to figure out what's going on and treat the symptoms, right? It's kind of like you're red-teaming doctors a little bit. So this particular situation was where a patient was getting shocked by their pacemaker. Every 60 seconds or so they had a high-voltage shock, and it was obviously hurting them. Patient came in, doctors started treating him. I was like, okay, well, we know how to deal with this, we just put a magnet over it and it goes back, resets defaults. Except in this case the pacemaker was hacked, and so it didn't reset to defaults, because those are all software driven. So what ended up happening is, after the patient died a couple of times and the doctor brought them back, the doctor actually had to cut the patient open, just a little snip, and cut the leads to the pacemaker to stop it shocking him. But because it's a pacemaker, it's keeping them alive, so now you have to have some kind of a manual backup process to keep the patient alive while you figure out how to, you know, fix the underlying problems here. So this was a real eye-opener for, I think, a lot of physicians that watched this happen. It was an eye-opener for a lot of the other people in the room who watched it happen in real time and talked to the doctor. He said, "I would never have suspected that the device was hacked. I just would have, like, swapped it out with another one, thrown this one away, and gone on my way."

This actually got filmed, we filmed it for Nightline. If you haven't already seen the Nightline episode, go watch it. It was actually really well done for a TV outlet. It's massively mainstream, you wouldn't think that they would have the ability to do nuance, but Joshua and several other folks worked with them for months so that they understood the context, understood what was gonna happen, understood why it matters, and they put together a really well-done story. Now, they did a lead-in that was like hyperbole, really scary, but the actual pieces that they filmed with us were, I think, pretty tastefully done for, like I said, a mass media outlet. And I think this changed, at least in my mind, it changed kind of a public consciousness, a public awareness moment. Now I can point to a mainstream media outlet that has filmed realistic hacking of a medical device to show what would happen. So we don't actually have to see people die, we can see the mannequin supposedly die, and I think that was a really, really powerful thing that now all of us can use to get more traction, to get more engagement with people who, you know, as geeks and hackers, we sometimes have a hard time explaining what we care about to people. But for a mass... this is, you know, consumable by my mother or my cousins, then it's consumable by pretty much anybody we talk to. It's only like seven minutes. So I think this changed a lot for me, anyways, in a way that I'm able to explain why what we do matters.

Yeah, very related to medical. And sometimes I get accused of the Cavalry's just the medical thing, just because I talk about medical so much, but remember, it's wherever bits and bytes meet flesh and blood. So there's plenty of you in the room doing projects that are aviation or

high-speed rail or cars or industrial control systems, building automation, any safety-related thing. For me the big surprise that gave me a bunch of... in fact, Suzanne's gonna get here shortly. But when we launched, Jay Radcliffe was in the room, we had talked to Billy Rios earlier, Barnaby Jack had just lost his life, and you know, a lot of the talk track in our prep was the FDA is not gonna listen, no one's gonna do anything until people die. So I just acknowledged that in the room. I said, hey look, it's possible that even if we do all this stuff, no one's really gonna listen until there's dead bodies, that the intermission latches on to the Internet of Bodies concept, which includes this and some other relationships between humanity and technology. So we just took that as a given, and somehow by building trust, with, you know, part of the founding principles of the Cavalry, where empathy, being a helping hand instead of a pointing finger, we focus on future success instead of past failures, you know, meet them at their level, use their language, bridge their language and belief to ours. And in doing that, we didn't know if it would work, but it did, and we very quickly built trust with Suzanne at FDA, Suzanne Schwartz, to the point where she's now here in Vegas every year and she's gonna do the Do No Harm panel again at DEF CON, and she'll be here talking to all you guys today and tomorrow. But she's been one of the pioneers that's really advanced that lifeline as far as we have on any of the safety-critical things. We had teammates in Congress, we have teammates in the White House in the last couple administrations, but in general a lot of it's Suzanne's courage.

Now, through that process, Billy had previously found a flaw in a bedside infusion pump, a Hospira. He gave the vendor a calendar year before he'd go public, and about 300 days into that somebody else found a similar flaw and just went public directly. And that really got the FDA to say, wait a second, if we make it hard for someone to do the safe thing, we're buying time for someone else to do an unsafe thing. And from that point on we started bringing hackers into the FDA with the help of MITRE and others, and we started harmonizing our language. And we had some shouting matches. It was, what's wrong with you people, why would you hack a perfectly good medical device? People get... lives get saved by this stuff, why do you do it? And that's where we came up with these little things like the five P's of profit, you know, politics, prestige, protest, and whatnot. And fast-forward, and just about a month and a half into that, you know, true ambassador, translator work, they found their regulatory footing and used regulatory power, and right before DEF CON called me up and said, can you talk to Reuters today? I said, sure, why am I talking to Reuters? Is it because we're gonna do the first safety communication for cyber reasons? I'm like, did somebody die? Because the primary, you know, standard of care historically was proof of harm: someone has to get hurt, it has to be directly linked to this, probably several people. And I had to do a double take and I'm like, wait, nobody got hurt. And initially I was just feeling like a shot of adrenaline, like, everybody said this wouldn't work, maybe it's working. I kind of felt like an intellectual victory. But when my daughters got home from school and saw me, like, actually happy for a minute, I tried to translate a bunch of cyber policy stuff into eleven-year-old, and as I started, midway I'm like, well, we said people have to die, and then I started sobbing. Now, some of you have heard this story a couple of times, but like, it really hit me, like, nobody died. So the, you know, the brave altruistic idiots, this group that wanted to try something and no idea if it would work, in fact we said if we ever write a, you know, a story of how this happened, we're gonna call it "We Have No Idea What We're Doing, But It Seems To Be Working." But just bravely going in with the right heart, the right attitude, and focused on translator, ambassador, looking for something right in our teammates, looking for how to foster that, and nobody died. So like, to me, other than the birth of my two children, that was like the proudest moment in my life. And then we were just addicted, I want to keep doing it.

Now, we're a little short on time, it's a late start, I'm gonna cut some of that story short, but one of the reasons I have heartache is during WannaCry, when Beau and I hadn't slept for weeks. The whole week started on Friday, Mother's Day weekend, and he did his stuff, I did my stuff, we converged around

DHS and HHS. I was in Europe, it was a horrible week. I come back from The Hague and I take my dog, have to take my dog to the emergency room. I just wanted a nap, I just wanted to take a little nap. And after like eight or nine hours in the emergency room, because none of the computers worked, because it was freaking WannaCry, I went home for ten minutes to get her pajamas, because we were clearly gonna be there all night, and I came back and she's hooked up to the one device on earth I know can kill her, two years after the recall. And do I think she's gonna die from an overdose of saline? No. But I just felt like, wait, this is one of our top accomplishments and our hospital hasn't replaced it. So we started poking around, and basically no hospitals had replaced it. And I, you know, I met with the CIO of my hospital. I said, I know you guys got a lot of budget, but maybe when you replace these, or maybe you can just shut off the wireless for these. And they said, oh yeah, yeah, we'll take care of it. Well, fast forward another year and a half later, I'm getting surgery in the same hospital, they're trying to hook me up to that same unpatched, unpatchable pump. And I don't think I'm in imminent mortal danger, but we're one sloppy Internet noise attack away from a mass casualty event, and it's totally preventable. We've actually done the work, right? That goes back to the lifeline, and that's why it's really inspiring: moments, these huge victories that we can pivot into others, and then it's a real sobering shot right back down to reality that we still have a lot more work to do.

And instead of us trying to present throughout the rest of the week, I really just want to ask for help. Because when I go back to that lifeline stuff, I started thinking, what were the major milestones? I would have labeled these with, is it a, you know, a Five Star or a Hippocratic Oath? Well, yeah, that's one. Is it getting a high-trust relationship with a regulator? That's another one, sure. Is it having the first recall from that industry? That's a huge one, right? That was the one I thought, you know, was a major victory, shattered our expectations. But I was gonna do a sight gag if we hadn't had a late start. But I've reflected more on it. It's not really what we accomplished, it's who we earned trust with. Every time we added a new teammate with a different background and a different perspective, a different undergraduate degree, with a different worldview, with different relationships, we solved the next step of the puzzle. So maybe it's not what do we do next, it's who do we bring into the fold next? Who's currently watching that could be leading, or who needs to be encouraged to get to the table, or who knows what to do but doesn't have the experience trying something new and might just need a little nudge?

And to that end, I'm going to pivot pretty hard, pretty quick. Some of you guys know that Jack Daniel and I, like nine years ago, did a stress and burnout study. Well, RSA finally said, oh wait, stress and burnout, it's a thing, so they had me interview the woman who invented the stress and burnout study, Dr. Christina Maslach. And as we're talking about this, which she's done for most of her career, so she's really bored with some of it, but she's still pretty brilliant. Those three contributors are fatigue, cynicism, and efficacy: do you feel like you can do a good job? And there's a lot of burnout in our stuff. She talks about all these things I'm gonna skip, but one of the things that really struck a chord in me is one particular industry seems to resemble us a lot, which is nursing. Which is, when nurses get burned out, they turn vicious on each other. It's a very toxic culture. So you have the initial stress, and instead of looking for camaraderie you have an additional stress, so there's a feedback loop of toxic behavior.

So as I started talking about this with her, I said, so we got a burnout thing, and one of the top contributors is exhaustion, right? Where does the exhaustion come from? We have a really bad workforce shortage, and I'm gonna be too terse here, so I'll explain it more in the hallways and at the pool. But one of the reasons we have a severe workforce problem, of not a million shortfall jobs like two years ago, but four million now, we've kind of tapped out the computer science privilege, like, guys, I mean, I'm not trying to over-trivialize it, but we really do struggle with diversity. And it's not just getting diversity in, it's also our churn rate, we're driving them out. You know, with two daughters, I'm trying to get them into tech and everything, and then I watch some of the really terrible behavior, like we saw with ill mob, or the gatekeeping, or the rockstar stuff where people own a topic. And then I said, you know what drives a lot of our diversity challenges? It's the way we treat each other, and we kind of celebrate our culture in the hacker community. Now BSides has always been one of the friendlier cultures, but this kind of loop means that toxicity perpetuates our diversity challenge, which perpetuates our exhaustion because we're doing three jobs at a time, which perpetuates our burnout.

And when I put that in context, this was the simplest way I could do it. I wish FDA was here to watch so I could watch their faces. So can anybody in the room, I mean, it's really fast so you got to answer fast, can anybody name a really badass world-class car hacker? Quick, anybody? Chris Valasek, Charlie Miller, okay. Can anybody name ten? Right. Can anybody name a world-class badass coordinated vulnerability disclosure expert? Katie. Can anybody name ten? Right. Can anybody name a world-class badass threat modeling expert? Adam Shostack, right. Can anybody name ten? Well, guess what, we need ten thousand. This year the FDA listened to us and they said you can't bring any medical device to market unless you have a threat model. There are ten thousand medical device makers trying to bring new devices to market. They're gonna save lives, improve treatment, reduce cost of care. We have failed, and I'm not trying to be mean to us, we have not developed a field. Now maybe it's not Chris Valasek's job or Charlie Miller's job or Katie's job or Adam's job to field-develop, maybe it's not their responsibility, but objectively we have not developed a field of practice. And I don't think it's just that we didn't try, I think we actively prevent it.

And one thing I want to suggest to us is that if we get back to our first principles of empathy, of being a helping hand, being a translator, ambassador... I'm also concerned about the overall cultural climate outside hackers, where we're looking for hyper-polarization, or we're looking for what's wrong with something somebody said, or we clutch to our truth instead of being open to somebody else's. Every single advance we made on that lifeline, every single [ __ ] one, came from us looking for one piece of common ground with a new teammate and then fully integrating our worldviews and needs with their worldviews, needs, and means. And the only crime I can think of is, the BSides tribe, and more specifically the people in this room, can we at least lead by example that it's not about what next step on our roadmap we do to advance cyber safety, it's who else can we bring into the fold, and which attitudes and heart we have to bring to the problem, because that's gonna be the difference between, you know, the culture of love and hugs and admiration, or everything else. So I want to promote transparency, I want to promote finding what's right with something, where it's just too easy to find everything wrong with stuff. Let's flip ourselves here: the empathy, the respect, encouragement, that we're civil to even people who disagree with us, so we can get to a point where we're driving 10,000. Now, would they be 10,000 really good threat modelers in year one? No. But can we start them on a journey from crayon drawings of threat models to maybe something better later, instead of being curious about it? In the context of this, you know, some of you will not get the spoilers, but if you know what follows this, this is kind of the fork in the road: are we aware that we're fighting in the endgame, or are we still fighting the Civil War and fighting each other? And I'm really looking for this crew to choose wisely. That's all I got to say, thanks. [Applause]