
BSides Seattle 2024 Closing - Beau Woods & Josh Michaels

BSides Seattle · 2024 · 36:38 · Published 2024-07

All right, in the effect of time we'll go ahead and get on started; people will be filtering in. We did try something new this year, which is keeping our villages open a little bit longer, keeping the bar open a little bit longer, so please don't make the bartenders carry that stuff back, okay? Apparently I have my notes on the interwebs. So for those who don't know me, I'm Josh Michaels, one of the founders and organizers for BSides Seattle. More importantly, with me I have a really excellent human being. For those who don't know Beau, this is Beau Woods, and Beau has run the DEF CON Policy Village,

founders of Hackers on the Hill, eater of delicious food and just all-around good human. So Beau, you know, I met through DEF CON Policy Village and through a CJ mutual friend, and one of the things that really just stood out for me was the passion you had for change, and I'm very curious: so what was the genesis for you for creating things like Hackers on the Hill or bringing the government into our space? Yeah, it's a good question. I like it because, like any good hero or villain, I get to tell my origin story a little bit. So I was working at a hospital securing medical devices and

other things for many, many years, and went out and did consulting and realized I was just fixing the same bugs over and over and over again, or maybe like slight variations on the same bug, and I was frustrated that, like, my big win at the end of the day was that I had done something that I had done a bunch of times before, but this time somebody had listened to me. And I was getting frustrated, I was getting, to your talk earlier today, really burned out in all of that. I said there's got to be a better way. I have a goal, that's to fix large quantities of security issues in the US and around the

world. I'm a hacker; I'm not going to bang my head against the firewall over and over and over again, I'm going to go around it. And so I started doing more things, like I Am The Cavalry, which was started by Josh Corman, Nick Percoco in 2013, so over a decade ago, at BSides Las Vegas and at DEF CON that got launched. I started working with them to kind of look for better ways to get these things fixed, and a lot of that tended to run through public policy, through Washington DC, because if you want to fix a single bug you go to the software that it's in; if you want to fix an

organization you go to the top of the organization; if you want to fix an industry you go to the industry association; if you want to fix the world you've got to go to the levers of power that can do that. And so, after five years of travel around the world and living my best life, I decided to move to Washington DC, where it gets extremely hot and swampy in the summer, and practice a new skill. Instead of being technical I was interpersonal, and had to quiet down a lot of the instincts that I had built over several years in the hacker community, like I've got to be right, or like technical

knowledge is the domain to getting things fixed, and do a lot of really uncomfortable things. But it turns out that there's a lot of good to be had. And so, you know, the name of this session is "Fuzzing the Chain of Influence", and one of the things that we realized early on in I Am The Cavalry is we don't know what's going to work, but we're going to try a bunch of things. We're going to fuzz the chain of influence, and whatever works we're just going to pursue it. So the tongue-in-cheek title of our autobiography is going to be "We have no idea what we're doing but it seems to be working", because

we started naively, and in many ways cynically, thinking the only way to get anything done in Washington DC or in public policy is you got to play politics, you got to be a lobbyist, that takes a ton of money, you've got to be somehow corrupt or corruptible. And what we found was that none of that was true. Yes, there are pathways through that, but in actuality, like, just by being a sincere, passionate human and connecting with other sincere, passionate humans you can do a lot of good, because especially in Washington DC and in public policy circles, like, they've got a tough job. They've got to go from, you know, 15 minutes here they're spending talking about issues of

military defense, and then they're going into farm subsidies, and then they're going into opioid epidemics, and then they're talking to you for 15 minutes about this weird computery thing that they don't really understand, but they know it's their job to get it right, so they want to listen really, really intently. And I realize that if we're not the ones in there talking to them, they're going to talk to somebody else, and those other people are probably going to be lobbyists, they're probably going to be people with lesser motives, with lesser knowledge, with these other things, and they won't have our perspectives, they won't have our independence, they'll be reading from talking points and they

won't be able to articulate that. So started basically building up capabilities and connections in public policy, which led to joining a think tank called the Atlantic Council, based in Washington DC. Spent a year and a half there doing that, ended up taking a couple of members of Congress out to DEF CON, so I have done shots with members of Congress at a DEF CON talk; it was pretty amazing. Ended up, after I left, I went to work for the FDA working on medical device policy, given my background in health care. I helped start something called Hackers on the Hill, which is a bunch of hackers that get together

around ShmooCon time, because we're all in town, and go talk to congressional staffers. That started because a staffer I was talking to was like, "Hey, you said there's a bunch of hackers in town for this conference, do you think they'd want to take a Capitol tour?" Said, "I don't know," but I put out a tweet, and then like 8 in the morning on a Friday before ShmooCon like 30 people showed up at the Capitol wanting to get this Capitol tour from an actual, you know, staffer. And that evolved into what we do now, which is about a half-day session of, for an hour and a half, we talk about a day in the

life of a congressional staffer, what are hot topics, and then we break up into small groups, go around and basically do briefings. So this is like, if you've ever thought of a tabletop exercise in your organization of how to act when there's a crisis: what do you do if there's a policy crisis? You go and do a tabletop by talking to staffers when there's not a crisis, when you can war-game it, when you can dress rehearse, and kind of break down those walls that in many cases we've put up ourselves. And overall I just try to give more access to more people in this community to talk to people in

places of public policy power, so that we can make a difference, so we can bring our knowledge, our passion, our intelligence, our experience to bear on the problems that they're facing every day. And one of the ways to do that is through things like Policy at DEF CON, which, raise your hand if you've been to DEF CON. All right, a lot of people. Keep your hand up if you've been to Policy at DEF CON. A handful of people, awesome. So that was started in, I think, 2019 by a woman named Heather Blanchard, who was in the press department and basically was like, I'm just going to go and take a bunch of rooms that are empty

and we're going to have public policy conversations. So it was a very hackery thing to do. She started it, and eventually it grew and grew and grew to what it is now, which, we have thousands of people come through there, we have dozens of volunteers who spend hundreds and hundreds of hours prepping for this. I estimated last year that we probably had somewhere north of 2,000 hours of work throughout the year to just make this thing go off. And it's really a testament to the hard work of people like Heather, people like Alexander Romero, Katie Noble, Winnona DeSombre, Sarah Powazek, all of the people that, you know, in the spirit of gratitude, that

actually make those things happen, that have the connections, that have the knowledge, that have the insight and the foresight to be able to put something like that together and to build an environment that I think is uniquely positioned, whether it's at Hackers on the Hill, which they all help with that as well, whether it's Policy at DEF CON, whether it's the things they do in their day-to-day job, to ensure that the people from this community have the ability to have an outlet that will be effective rather than just shouting on Twitter. Because, like, it's fun and all, but it doesn't get anything done; we've proven that over the last 10 to 20 years of shouting on Twitter, shouting on IRC,

doing those types of things. So, like, I want to see more of this community engaging with the public policy community, whether it's in DC, whether it's at DEF CON, or whether it's locally here with state, local or even national elected and appointed officials who are in this area. I mean, it's amazing though, the evolution, you know, coming out from, you know, securing health care to taking that challenge and taking that challenge on. I will say, if you're still posting your Twitter that might be a problem, but no, one thing that I have a question on, though: so you've made these connections, you've built this environment where you're combining the

government officials and you're combining, you know, us hackers: what do we get out of it? What happens in the world? Really good question. I think it's important to ask what our impact actually is of the things that we do, because we only have a limited time here on Earth, and so we need to prioritize things that are effective. So who here has heard of the Digital Millennium Copyright Act? Okay, lots of hands. Who here knows that there are exceptions and exclusions carved out for good-faith security research where you will not be prosecuted for that? Awesome. You know who did that? A bunch of hackers, people like Jay Radcliffe, Andrea Matwyshyn, Jen Ellis. They

made sure that they went to the proper channels through the Library of Congress, that they wrote letters, they responded to calls for comment, to be able to get these good-faith exclusions, so now we can research things like medical devices, like mobile phones, like election systems, like anything that's tested in a safe environment, to be able to find and report vulnerabilities in good faith. That's one very tangible thing, and that's not something that I really had anything to do with, but it's a testament to the power of the people in this space already doing these things. There are laws that have been passed based on conversations that were started at

DEF CON, based on conversations that were started at Hackers on the Hill, based on conversations that were just had over beers with a congressional staffer one night, and they wrote it down, the next day went in, gave it to their boss, and their boss was like, "This is cool, let's go, like, get this done." So there are tangible outcomes like that. There are also laws that have not been written, because somebody intended to write one and then you sit down and talk with them and you're like, "Yeah, that'd be a really dumb idea, like these 12 things would break if you did that." "Oh really? Well, let's not do that then." They just

crumple it up and throw it away, right? There have been a ton of things that usually are fairly low-key that happen. There's an amazing program called TechCongress, where technical people get a fellowship to go and sit in a congressional office for a year, and so if you've noticed a marked increase in the tech literacy of some of the conversations that have happened on the Hill in the last 5 to 10 years, a lot of that's been because of things like TechCongress. A lot of people from our community have gone and spent a year sitting in Congress doing things. Now, there's lots of tech illiteracy still in Congress and in agencies and other

places, but that changes over time with our efforts. So those are the types of tangible outcomes that we see from our community going and engaging in productive, proactive ways. Well, just like in our conferences here, we set stage and create space; you've created space for us to have those conversations, for us as a hacker community, for us as the subject matter experts in a cutting-edge space, to, as you said, work through the proper channels to drive impact. I mean, I know I've been frustrated by some, what I would consider, you know, terrible laws for technology on the books, but I just get mad and I go drink a beer. You've created a pathway. So if you

had, you know, wanted or something that you want to make sure that our community leaves with, what do you want them to know? What do you want our community to leave here with today? Yeah, I mean, I think first and foremost, anybody can do a lot of the things that I've done and other people have done, right? When I kind of got started, like, if I had tried to find people and ask their permission, first of all there wouldn't have been too many people to ask, because there weren't too many people doing this. Now there's a lot more, which is awesome. But secondly, they would have told me, like, sorry,

you're nobody, like, we don't know who you are, you don't have permission to come and talk to my friends over here. Like, that's BS, right? We're hackers; we see gatekeepers and we just go pick the locks, right? Like, we work around those bottlenecks in the system. And so I want you to understand and realize that you too can go and do those things, can do similar things. There's stuff you could do I haven't even thought of, right? I'm just one person, and some of the other people are doing this; we've done it a certain way for a long time and we're set in our ways. You're going to come at it at a

whole new direction, find new ways to fuzz the chain of influence and to get through and to make things happen. Secondly, to realize that the people who are in public policy, the vast majority of them that I've met, do it because they really believe in serving the community, serving the citizens, in making the world a better place, which is a lot like us, right? They have similar motivations to us, and they want to get it right. They sit down and they'll listen, and not only will they listen, they're actually seeking us out. They want to hear from us; they just don't know how to get in touch with us. If you asked them,

they probably would know what a BSides is, let alone know when they're happening or where to go for them. And that's not their fault; they just don't travel in our circles. In many cases, like, I've run into people who got recommended to me or other people because they're like, "I've got this burning question, I'm sure somebody's got an answer, I just don't know who. I've called, you know, the CEO of these companies over there, but, like, they just send their government relations folks and all I get are the same four talking points. I want at least a fifth talking point, come on, like, we've got to do better." And they find this technical

community that's so honest, so giving, so caring, and so willing to talk about anything and everything, whether it's a talking point or not, that it's really refreshing. And so there's a lot of really good conversations that have come out of that as well. So, you know, you can do it, and they want to hear from you. And then the third is that there are people who can help and support, you know: I Am The Cavalry, Hackers on the Hill, TechCongress, Policy at DEF CON. There's folks out there in all of these areas that just want to help empower you, that don't want to put a wall in front of you, that don't want to

gatekeep, that want to make sure that more of us can go have those conversations, because, like, I can't do it all. No one can do it all. In fact, the problem space is expanding much faster than any of us can actually rise to do it; it's going to take all of us in order to do that. You know, in 2013 the problem statement that we had with I Am The Cavalry is: our dependence on connected technology is growing much faster than our ability to secure it, in areas impacting human life, public safety, national and economic security. That hasn't changed, has it? Well, the public policy, cyber policy problem space, I can say cyber, by the way,

because I live inside the Beltway, I don't always have to drink for that, but the cyber policy problem space is also increasing much faster than our ability to deal with it with the people who are there now. Think about not just cyber security or infosec or, you know, data protection; think about artificial intelligence, right? We take a crummy technology stack that we can't trust, and then we add non-deterministic components to it, and we hope it's going to be more secure. Like, that sounds like a crazy thing to do, but, like, we're doing it, we're going forward with that. And so we can either go backwards or we can

just make these technologies more dependable, more trustworthy, and a lot of that goes through public policy. I mean, I guess I will say ChatGPT did tell me it was secure, so. Perfect, believe everything you read on the internet. No, I really love especially your statement on picking the lock. Why are we getting stopped by gatekeepers in policy? Are we getting stopped and letting gatekeepers keep us from impacting the world? We're hackers, we can do it, and you and the work that you've done upon policy and with Hackers on the Hill and I Am The Cavalry and all these groups is proof we can impact that greater change. We can stop fixing the bug and start fixing the issue. Yeah.

So folks wanted to find out some more information, where would they go? Yeah, like I mentioned, Hackers on the Hill, Policy at DEF CON, I Am The Cavalry, those are some great spaces to get started. But also don't just be limited to stuff that other people are doing and latch on to it. Go and start your own thing, go and engage. You know, a lot of national legislators have offices here in Washington, or if you're not from Washington, from wherever you are from, right? Because they represent the citizens. A lot of times all the focus and attention is on stuff that happens in DC, but for those people, they have

local offices, and the local offices get no love, or they get very little love. So if you just pick up the phone and say, "Hey, I'm a cyber security expert, I'm a constituent of yours, I care about these issues, do you want to sit down and talk about them?" they might say, like, "Oh my God, are you kidding me? Yes, where have you been all my life?" right? Or maybe you'll get in the roll and they will reach out and call you. You can work with smaller local policy folks, and here it's important to disambiguate between politics and policy: politics is the things that people do to divide us; policy are the things that govern our

lives. So a lot of local policymakers, a lot of policy gets made at the local and state level, a lot of really important things happen at the local and state level, and there's not much focus and attention there. So, like, go find your local policy apparatus and talk to them, have conversations, find five or 10 people, engage with them, see what makes them tick, find common interests, and then when they have an issue that pops up they'll call you, or if you have something that you see you can reach out to them. Even if you want to go to DC, just call your local

representative's office there and say, "Hey, I'm a constituent, I want to get on your calendar, can I come and talk to you about this thing that I care about?" They'll give you a half an hour. Call them up, write them; they actually do pay attention to that, because you are the people who put them in office, and they want to make sure, you know, the cynical way to look at it, lots of us are cynics, is that they want to make sure that they maintain their voter trust and confidence, but really they're also there because they recognize that they serve you as that population and they want to do all they can to help. So you

know, find some answers on your own, but also don't be afraid to go it alone and do something new and different, or just go out and discover. There's no harm in doing that, and you might find that there's a better way to do something than I've even thought of. Well, Beau, you know, from the community, thank you for the energies and leadership you've put into this space, and I know you've given lots of gratitude also to others who are acting in the space, but thank you for showing us the way and encouraging us to step a little beyond our comfort zone. Thank you for putting on this event. It's, I think,

awesome to see so many people here, and the room was packed too for Tarah Wheeler's talk, talking about testifying, which is something that most of us will never do, but I think that speaks to the curiosity that people have about this, about wanting to learn more, wanting to engage more. Excellent, thank you again. Yeah, thank you for your

time. Thank you. Awesome. All right, we're going to go right into closing goodness, which means I have to pull up notes. So, you know, BSides is not possible to happen without every one of you, our volunteers, our staff, and our sponsors and partners. So the food we eat, the space we rent, all the gear we need, you know, they're providing for us. So I really thank all of you for, you know, engaging them in the sponsor room today and, you know, connecting with them. We do have, one of our sponsors was doing a giveaway for a switch light, and I have the name

here, Andrew Scon. You? Yes. So they will be emailing you and sending you the gear, so, we didn't know if you would still be. In the same vein, who here went to the villages? If you did not, feel bad. No, so our village lead and village team did an amazing job this year of bringing in a new Caff group, so thank you to the Red Team Alliance here in Seattle, huge thank you to our Locksport, Seattle Locksport team, and a huge thank you to our cryptographer and crypto team and Sam and crew for that awesome newspaper crypto challenge. Who finished it? I

see hands, yeah. And Michael Hedges and the 3D printing crew. So, you know, this variety of technology and a variety of interesting spaces we get to play in. The other side, want to thank our partners for coming out as well: ISSA, WiCyS and Blacks in Cyber. You all are a huge part of our community and it was amazing to have you

here. All right, Locksport, it looks like we have some prizes? Yes. Is it the team that entered? No, it's individual. Oh, you've got the names? Yeah, I got. Oh great, our assistant, pull names. Oh, I get to be. Is this pseudo-random? Yeah. All right, let's start. We're going to go with the time challenge, which many entered in. Yeah, so the time challenge, folks who haven't seen it, you actually had an electronic setup lock, so physical lock with a counter on it, so how long it took you to make it through. Was it one or multiple? It's just one. Okay. And this

year, in years past it's been whoever got it the fastest, but that ended up being always the best lock picker in the group, but we want to be able to give stuff to maybe not the best lock picker of the group, so we used, everybody who won basically got entered into a raffle. Okay. And so I suppose I should look away, just find a card somewhere within. I have a card. snea, maet, it's in the room? Oh, this is why you come to closing. do TR two, three, number three. Well, let me look, because somebody's handwriting sucked. Three is a three here. I don't know what would you call it, Dimple. Dimple, is there

a Dimple in the room? Dimple, Dimple, yeah, woo, come on down. And a lovely prize of, I believe, a newly published locksport book, yes, a lock pick and some stickers. Yeah, excellent work. Yep. And I believe the book is signed, right? Correct, by our very own Matt. Yeah, Matt, and I was also the technical editor, so I also put my name in there. So, all right. All right, RG version two, so these are the lock boxes that were on the table. And a lock box, yes. That's a good one. This is it, this is the one: Ryan Tan. Ryan Tan, Ryan Tan. All right, Ryan gets a book,

a tape, hang on, tape is attacked everything, we got a Sparrows lock pick set, a lock and some more stickers, of course, and also a book. Enjoy. Hey, and box number A, which was a difficult box, because we only actually had two people open it, so we got a 50/50 thing going here. So, oops, I dropped one of them, so now it's 100%, never mind. Josh Michaels? No, I'm sorry. Evan Johnson. Evan

Johnson, excellent. All right, and Evan got, of course, a book, some more stickers, a bigger lock pick set and a pretty cool lock from PACLOCK. Ooh, shiny. It fell out somewhere. All right, another stick ofus. All right, there you go, enjoy. All right, is that it? I think that's it. Thank you so much. So who attended the Lockpick Village? All right, did you have fun? Did you get locks open? Yes. Did you learn something new? Yes. Awesome. Who picked their first lock ever here? Hell yeah, welcome to the addiction. Yeah, it gets worse after a while, you have a 20 lb bag you're carrying around everywhere. It's our fitness program. If anybody's

interested, Seattle Locksport does meetups. We do it twice a month: we do one at North Lake Union, currently at Fremont Brewery, on the first Tuesday of every month, and we also do one in Redmond, third Tuesday, and that's going to be at Redmond Pon pie or Northwest Brey, that kind, names are interchangeable. Feel free to come visit, hang out. It doesn't matter if you know how to pick or not pick, we'll get you picking at the end of the night, and you can find us, seattlelocksport.com, Meetup, whatever, and go. So seattlelocksport.com for meetups and continuing your lockpick journeys. Yes, thank you. Yep, you're

welcome. Let me thank, I forgot the crew, I didn't do it myself, everybody else helped me. So Matt Burrough was also part of the team that helped, and our list, my list got lost. LockPickingDev was also there and helped out quite a bit, Nick Max Taylor, and there was also a whole bunch of other experienced lock pickers that were part of the con that just helped out teaching everybody else just because they like to teach, and I like to thank every single one of those people that helped out, because it's fun just spreading the education. So anyway, there we go. Oh yeah, thanks man. All right, also in our villages,

so these prizes have already been given out, but Sam from our crypto village wanted to make sure that we mentioned Shakura, who won the Code Breakers book, and there was a team that entered the crypto challenge, which is exactly, it embodies the crypto community: you don't go sit in a corner and, you know, break the codes all on your own, but as you gather and create that space to work on it together. So they wanted to call out Yara, Oz, Troy, Joey, Katie, who's on her fourth year back solving crypto, their first time was a high schooler, so this community is growing up, Patrick and Leaf. So great work for

those folks, and continue on your ausc crypto journey. So, look at my list here: feedback. We are always looking for feedback. This kind, you know, conference this year, we had 840 people here. Wow, that is two or 300 more than we did last year. And, you know, we sold out our tickets, which means we are probably capping out our space. One of the worst things that I have to do is deny people the ability to come, so we will be considering our space options. If anyone has any, you know, recommendations, there's going to be a feedback survey coming out, so please

take that opportunity; it's critical for us to continue to advance and grow. On that as well, who here attended a talk today? I hear there were some great. The speakers love feedback, right? Our speakers are everyone from their first time speaking to Tarah, who's been a speaker for many years and an amazing talent and skill. Feedback is critical as they take and grow in their skills. You heard them; let them know what you thought. Next year: we don't have the date for next year yet. We are working with our crew and Microsoft to go ahead and get the date set. We'll probably be still in

that April time frame. We have to work to land so that we're not on RSA week, for all of you poor folks who are going to be in San Francisco next week, and we also try to make sure that we don't land on other BSides days, right? This is a community, we want to support each other. Speaking of that, if you haven't heard, BSides Portland this fall, so make sure to check them out, especially if you're in the Oregon area. They're a hop, skip and a jump away, another great opportunity to connect. For here in Seattle, the one thing I want to leave on with: this is impossible to do without

volunteers and staff, and one, just again, the gratitude towards each and every one of those people who gave their time and effort to make this happen. And now a call to action: would you like to potentially be on staff? We will have some roles and opportunities coming out, so when we send feedback we'll be sending those out. You'd be amazed at, you know, the work that it takes to put on the conference, everything from running the registration to our CFP and how we select content, as well as, you know, to kind of quote back to something Beau said, the things we haven't thought about yet, you know, the new and the diversity of thinking that

we bring, and we grow the staff, we grow the diversity of what we have at this conference. So if you are interested, when the feedback form comes out please let us know if you're interested in potentially a staff role. Does have some off-conference-day work. And then the other side with feedback, and we'll ask again, if you have something that you're like, "Ah, this is great, wham, this was the best thing ever, except," and you have an idea for what we need to do next year. Yes, I've heard the question, are we going two days next year? We will consider, but again, back to that staff component. The other side is

there's an additional cost. So one of the things that we do try to do here, if you noticed, we want our ticket prices to stay very low. Huge thank you to the super awesome donor participants who donated above and beyond; you actually made it possible for us to donate 150 of our tickets to scholarship, to folks who are having hardship, to folks who just didn't have it.

So money should never be the reason you can't come to DEF, or DEF CON, sorry, wrong conference, let me turn, no, that's a different con. But money should never be the reason you can't come to BSides Seattle, all right? And if that ever stops you in the future, email me, we'll fix it. All right y'all, the bars are still open. Don't make those bartenders take that stuff home, it's heavy. And I appreciate each and every one of you. You guys make this what it is. Thank you.