
All the Bacon

BSides Delaware · 2018 · 52:52 · 56 views · Published 2018-11 · Watch on YouTube
Transcript (en)

Johnson. Now I feel trapped behind this.

Don't go all the way up here like this, okay. Very nice. So I'm Kevin Johnson. I'm not that excited about being Kevin Johnson. I've been coming in for 45 years, Kevin Johnson for 18, less than that. We're going to talk about bacon. I personally think bacon is awesome, and I know that everybody agrees. I actually have a consultant that works for me, and she's a vegan. Her excuse is that it leaves more bacon for everybody else. I told her she's wrong. I actually have another friend who is vegan, but they're like, "What? It's bacon," and I can't argue with that. So you kill the pig and only eat the delicious part: all the bacon. A little

bit about myself first. I'm supposed to do, like, bios and all that crud. Oh, by the way, this talk is totally PG-13. I may curse; I'll try not to. I'm looking around and it seems okay. I will try not to curse, but every once in a while it may pop out, like a light rain right now, and that's what tends to happen, so just as a heads-up. But I am Kevin. I'm the founder and CEO of Secure Ideas. We are a consulting firm out of Jacksonville, Florida. We also have an office in, when I refer to it, Charlotte, South Carolina. For the people who are not geographic idiots, you will know that Charlotte is in North Carolina. Yeah, Rock Hill, which is a

suburb of Charlotte, being in South Carolina, is where our office is. You would think I'd have known that, since it's our office. We've been around for years. We're a bunch of nerds, basically. That's sort of my life: I'm a nerd. I am so nerdy that the guy that used to steal my lunch money still does, but he makes a damn good Subway sandwich. I've been involved in IT since 1991. Professionally, I graduated high school and I got a job as a developer on a bulletin board system... yeah, it's been so long. I remember, we later pronounced it... running bulletin board systems for... yeah,

yes, that is how old I am. Okay. I moved on, got into security about '98, when the company I was the system administrator for got hacked and I got pissed and said, "That is never happening again." We got hacked again, like, three, six months later, so I was wrong. But I started to get involved in security dealing with that, and I became a consultant just over a decade ago. I have done everything from... I'm an IANS faculty member, not the pet food company. I wrote the web pen testing and mobile security courses for SANS Institute, one of which has been open-sourced. We open-sourced the entire six-day web pen testing course in January,

which I'm excited about, right: the Professional Evil Web App Pentesting 101. That's out there; we're still releasing it. I am an open source fanatic, so SamuraiWTF's 10-year anniversary is this year. As a matter of fact, tomorrow, when I have my suitcase with me, I have some challenge coins from the Samurai 10th anniversary. If anyone wants one, come talk to me and I'll hand them out. For people who don't know, SamuraiWTF, which is the Web Testing Framework, honestly, that's what it stands for, not that other WTF name. When I first released it, I released it because I missed DEF CON and I was bored, so I wrote an

operating system, because that's what you do. And when I released it, I set it up, built it, zipped up the VM and uploaded it to SourceForge at the time, and it was a good day later I got an email like, "Hey Kevin, what's the password?" I'm like, "It's 'samurai', how did you not know that? You're a hacker." So I realized I'd never released the password. So I created a text file and put it on the desktop and did a new release. Of course, you had to be able to log in to get that text file. So, a whole bunch of open source work. I speak. I like to say that

I'm an international speaker because I've been to Australia once and Canada a few times. It's kind of like the Jacksonville International Airport: we're an international airport because we have a flight to the Bahamas once a week. I said that joke in Jacksonville and somebody's like, "We are doing international air." Why? Where's customs? "In Atlanta" is not the right answer. So, the thing to keep in mind is that my main role is penetration tester. I attack organizations. I get together, right, I get to tell you you suck and go home. That's my job, right? It's a great job, but it affects my... "How's the test going?" and I'll be like, "Oh, it's great for me, I'm

having a blast." Right, everything about me is wrapped up in this idea of how cool it is to break stuff, right, and break stuff for good. So I get to do a lot of that. To be clear, these are the two sales pitches for today, okay. I try not to do sales pitches in my talks, but here's the two sales pitches for this talk. One: our training, the recorded training, is free for vets, active-duty military and first responders. So if you're a vet, active-duty military, first responder, our recorded training is free, our live training is significantly discounted. What we do is we basically just pass on the per-seat cost we're

incurring to the vets, active-duty military, or first responders. So that's the first sales pitch. I'm not a great salesperson: I said two sales pitches, three things. Second sales pitch: if you work with a non-profit charity, please note the two parts to that, non-profit and charity (we had a non-profit with a billion-dollar budget ask us for this; we said no), so if you work with a non-profit charity, our services are free, and they're free for as long as we offer the service. Right, there is a rule, I'm gonna try to say it politely: you cannot be a jerk charity. A community example, like, what's a jerk charity? Westboro Baptist Church, those

jackholes that protest funerals. They are a non-profit charity according to the federal government. I'm not giving them free service. Makes sense? So as long as you're not a jerk charity, our services are free. Again, those are the only sales pitches for today. The last thing I want to tell you about, something I'm very proud of: my wife Denise says it's the nerdiest thing I've ever done. Of course I pointed out that she met me when I was 26. We're 16,000 members as of the last census, around the world. What we are is a costuming group: we build screen-accurate Star Wars costumes and then we raise money for charity. I think we've raised sixteen million dollars,

indirectly, last year, which is kind of cool. This is me in my Maker... that was actually a really cool event. They brought together 300 blind kids and they had them watch the movies, not as a joke. I think it's kind of cool they referred to it as "watching" the movie, right, and then they had us stand there for a few hours and let the kids feel what the characters felt like, right. So this is a little boy who is blind feeling Darth Vader's chest box. I am crying in this picture, plain and simple, tears streaming. And we've got lots of others, some of our first members in security, Scott being a recent

addition. But that's me. The last thing I'll tell you is I am full of tangents, well, lots of things, bro, and I have a sense of humor. I want to warn you, though, that you might have misheard me. I bet some of you heard "I have a good sense of humor," and it's not what I said. I said I have a sense of humor. For example, my current favorite joke, don't ruin it: does anybody know when Walmart was hacked? I actually got to introduce the CIO of Walmart at an event and I told that joke, and he would not shake my hand. The good side of the joke, I said, you weren't half

right. But I was at an IANS forum in Minneapolis and the CSO of Target was the keynote speaker. Not a good sense of humor. But let's talk about what you're here for, right? How many people here have seen the TV show Parks and Rec? Yeah, man, the show was stupid, right? I mean, it really was dumb, but I laughed every week. Right, the show is great. And as I started looking at it and started thinking about it, and this is something, and I'm gonna be mushy maybe, right, what I've realized is I am not that good. I'm not that good at what I do. I'm not that smart. I'm not that capable.

I, though, have had a series of giants that have allowed me to stand on their shoulders, right? And I hope that someday I can be, not a giant, but a kind of tall guy, right, that can help other people stand up. And this is one of the things I love about this field, this industry: it's also about this, right? And I think it's important, because, let's see, we're in 2018, almost 2019, blows my mind, and yet we're not much better at security than we were. My oldest daughter, she's 16 now, Brennan. When she was nine years old she was admitted to Wilson's Children's Hospital for a seizure disorder, and my daughter has

OCD, as do I, right, and not just like "oh, patterns," but neurologically diagnosed. Three months after Brennan was in Wilson's, they were breached. You can look it up. Her identity has been stolen, and I don't mean her credit card numbers; her identity. Although I was told, "Well, they got my credit card number." If that's your identity, your life sucks, right? You're probably one of those people that take selfies in the bathroom, because all that does is tell people your friends will hold the phone. But for the rest of her life, at nine years old, I got to have the conversation with her: for the rest of her life her data was exposed because of a security problem. Right? Now, it helps:

when she was 15 we had to fill out paperwork for her learner's permit. My wife could not find her social security number, so she Google-searched it, and it was there in writing, sometimes quite large, right? But that's a problem, and that was seven years ago, right? This morning, this morning, Jason Gillam, one of my people, is doing a test and figured out a way, unauthenticatedly (I'll take a minute for that word), to steal every customer's piece of information from this company we're testing, from the internet. Right? This is a customer that's been tested before, and I thought, this is not a little... we're so much better? What I'm saying is we're just not improving, and I think one of the reasons we're not

improving is that we don't approach community correctly. We don't approach education correctly. We do a lot of victim blaming, right? We do a lot of "you stupid developers," or "red teamers are the worst," right? Oh man, I won, ha ha ha, right? So when I was watching Parks and Rec,

okay, I mean, I'd love them to be real, but what hit me was this is a group of dysfunctional weirdos that had actually built a team, right? And Leslie Knope, right, and Leslie is cool. She's not cool, right? But she was government. She thinks the government is there to save us all, right? She is socialism or something, I don't know, and I'm not getting political, because the only political battle I will fight is vi versus Emacs, and that's because vi wins, right, every time. Well, I said that once in a class and a guy in the back of the room punched the desk, yelled, and stormed out of the room. When he came back in about an hour later

I found out he was one of the Emacs developers. So, but, um, Leslie loves government and somebody there to take care of you and show you what to do and tell you what the rules are, right, and she believes that that will work because everybody is just good, and if we help each other it's gonna be awesome, right. Then you have Ron, and Ron is the opposite, which is kind of hypocritical because he's the head of a governmental agency in this town of Pawnee, right. Ron hates the government. He's very, like, he believes in anarchy, no, just the fact that the government should be tiny, like the government should be there when they need it, but

people should be left alone, right, and do their own thing. And it hit me that in our community we have Leslies and we have Rons, right? We have people that fall somewhere in the middle and everything else like that, but the really loud people, right, there we need places and sanity for security people, right? How many people have heard that we'd be playing, some things, scaring people? Yeah. And we hear things like, oh, they call us... I laugh at that title: ethical. Whose ethics? Right? Because some people make the mistake and they'll say that ethical hacking means you follow the law. I disagree with that statement, right, because there are things that I consider ethical that are absolutely illegal

in some countries, including the US, right? I believe if you mess with my kids I'd be allowed to beat you and then kill you, right? Kids probably disagree, but, right, this is what we see and what we find if we ignore the stupid arguments on Twitter, right?

It's the best Twitter account ever. People send them pictures of their dog and they rate it: "Oh, this is the best dog ever, 13 out of 10." It's awesome. Even the ugly dogs get rated well. WeRateDogs is just a nice Twitter account. But, total tangent. We see a lot of, what's up, pen test, let's do a

stupid Twitter, right? I actually follow Dan Kaminsky and Thomas Ptacek just so I can see the two of them fight on Twitter. They're both smart people, but without fail one of them will say something the other one doesn't like. The people on the two sides of the argument are these two, right? Wait, we see the... and I'll be honest, I'll be very clear, I fall on this side, right. You'll see the people like Chris Roberts who will say, "Well, it's okay, I hacked that airplane while it was in the air." I know I'm exaggerating. And then, you know, people like me, like, "Well, yeah, I showed up for a good reason," right? There's that type of barbecue, man,

in case, that it's following two sides, right, whether we should regulate, whether we should not regulate, whatever. And it's not a disagreement on what's good. It's not a disagreement about how useful or useless that person is, except when we talk about Kevin Mitnick, because he's just... as I come back. But when we look at it, it's very often because we've got people who just disagree on stuff, right? And we have to work on the community. And this is kind of funny to me because I am probably the most introverted, shy person you'll ever meet, people, right? Yes, this is an act. I hate traveling, I'm petrified of public speaking, and I don't like meeting

new people, period. So I became a traveling consultant that presents around the country. But I don't mean this as a joke, right, but you know people say, "Oh, that person's on the spectrum." I don't believe we're on the spectrum, because I think we've broken it, right. I love you; don't touch me. Nothing against you, just, I don't like being touched, right. I love you all, and, you know, this is the way to do this and this is what it is, but we are the weirdest group of people I've ever met. We have people of all types. I was at a conference once and people were talking about this weird thing. It was outside, your... sports. Sports, right? Either

it's an effort to say this is right, but so I drove up from Baltimore, and we drove up here. That was weird, right, like holes in the ground people drive through? That's not... I grew up in South Florida; that would be flooded, right, an indoor pool, and not a good one. But I hung around upstairs and I had about 4,000 people, I don't count well, come to me, and they just talked to me. Like, "Oh hey, you're speaking," right? Because, like, that's egotistical: I'm a speaker, you must come to me, right? No, they were talking about cool stuff they were doing, right? I've learned things standing in the hallway of BSides Delaware, right? I learned in the kids'

area, right, and I listened to some talks that I learned things from. A waste... dude, that talk was awesome. You all missed it. Not all of you, I saw some of you in there with me, but that was great. It's this thriving, vibrant community that we see, and I hate to tell you, it's not enough. It's not, because then you can go out to DEF CON. There is literally a hacker smell that

I've been a few years, but I love it. But then we leave here tomorrow, because I believe the total, spirit of, calendar, tomorrow's the last day, if I said that right, okay. Right, we leave here tomorrow, and my question for you is: what are you doing Monday? What are you doing online and around the area and everything else? We have to keep building up to it, and, oh, by the way, we have to step up right now. How many people here... but not a single one of you goes to the local chapter, right? Now, I don't know why you don't. I'm not judging. I am judging you. But that's important. How many people here have complained

about the latest OWASP Top 10? Right? I have. I've ranted about it multiple times. Now ask me if I submit data to the OWASP Top 10 project, and the answer's no. I'm a hypocrite. They saw I didn't help, right? How many people here use open source tools every single day? How many people here have ever done a pull request? How many people here opened up, gladly, to say thank you? How many people here have opened up an issue with a bug they found? Right? So I got four hands that time. That's good. Did you give them enough detail they can fix it, right? Did you submit a code sample they may use? And I know some

of you are sitting here going, "Kevin, I can't code." Okay, but President Obama was able to code; you can too. And I use that as a bad example because I hate the Hour of Code thing. He was one of the examples. I think it was awesome; it was an example of it. But it's this idea that you just do an hour of code to be an amazing programmer, and that's a lie, all right? But, like, how many of you have submitted code? And then you'll say, "I'm not a developer." How many of you have submitted documentation? How many of you have sat down and done a video explaining how

to build something? And I know you're gonna say, like, "Kevin, I'm an idiot, this is so simple, everybody knows it." Okay, to you. I run a security company that has 21 of the smartest... 20 of the smartest people out there, and me. Do you know what one of our most popular blogs is, on our blog? How to install... it's a description of how to install a piece of software. That's one of our most popular blogs. Another one is explaining what CORS is, and I'm not saying there's anything wrong with having to explain CORS, but a lot of people don't know what it is. This is a simple, introductory

thing, and when Mike came to me and said, "I have this idea, what do you think?" My god, it's also... I know, no wonder people don't know that. And he wrote it. It was simple documentation. We have to build stuff, because we've got three major problems that I see: standards, ethics, and cliques. I feel like we're in high school, right? So, standards. One of the biggest problems I see is we don't have any, right? And I can rant about something close to my heart, right? How many people here do pen testing? Right, okay, about three of us. I'm good, right? Thanks. Okay, do you know how often I go and do a proposal for a

pen test, and my company's not that expensive, right? Really, we bill... $50, and I know that doesn't sound low to me, okay, but even in consulting that's a lower rate, okay. And we're competing against people who do $500 pen tests. I'm going to be rude, but if you're paying $500 for a pen test, I'm not gonna fight you on that price. I know you'll come back to me in three months when you realize how crappy it was. But, right, I'm competing against people who run Nessus reports and change the logo and call it a pen test. Those people should be set on fire, right off the bat. Standards: how do you know if somebody is

ready to be a pen tester? How do you know somebody's good at forensics? How do you know somebody's good at this job? What are you comparing them against? "I'm gonna go with certification." Well, that's a great plan. How many people here can afford to go... pick a random company, SANS, I know, but how many people... the price is up to $7,000 with certification right now. Now, I'm not saying that... personally, I was a SANS instructor. They are an awesome organization. I'm not bad-mouthing them, but I am pointing out that their price currently is higher than 1904. That doesn't mean it's bad; it's up to you to decide, right? We compare that to who, the CEH, right?

I heard earlier today a person said they were a Certified Ethical Hacker. Their slide was missing a viewer, but that's okay. Oh, and they said that just meant they knew a lot of flashcards, and I thought, dude, that sucks. It's a great quote. I think it's accurate, right? Not from the person; I'm not making fun of the person. I'm just saying the fact that we have two different standards for certification, one of which is seen as worth $7,000 and effort and everything else, and one that's seen as, "Well, you can memorize flashcards, you can pass this." And I'm not telling you you're right or wrong on either one of those, but that's a problem

for standards. And then we look at what you do, right? How do you handle it? What's your career path? How many people here believe that they can go take a course at a technical college (and I'm not lobbying against technical colleges) and come out and be a senior pen tester? Right? I had a guy I interviewed, and I was interviewing him for a non-senior position. He had just graduated college, and one of the questions I asked is, "What do you need to make? What's your salary requirement?" And please note that I'm not trying to have you negotiate against yourself; I hate that idea. But I literally am saying, what do you need, what would you like,

to do this job? And the guy said to me with a straight face, "I would like $300,000." I ended the interview. My wife told me I wasn't allowed to; she owns the company as well, and I won't interview these guys. His resume, trust me, was absolutely not qualified. But he was a sonar tech in the military, as the security person, to be running Checkmarx against your applications. How many people think, yes? Their product sucks, in my opinion, but do you have a web app firewall? Are you required to? Should you review? No, that's too much work, right? We have to build these standards, and we as a community have to build, we as a

community have to get together and say this is what we do, because I'll be honest, if we don't, and including the next one, if we don't, the government will, and I don't care about your politics. I don't care if you're a MAGA-hat-wearing guy or a "resist forever, not my president" guy, okay, I don't care. The government is not who we want the standards for what we do to come from. We have to do that. If we built the standards, we could help drive those, right, because if we know the standards we can drive that. And the example of that is the movie industry, back in, I think, the '50s. Yeah, I know, you set me up. I

appreciate it, any five bucks, right? But the movie industry, people were bitching and complaining, excuse me, about the inappropriateness in movies, and the government was about to step in and regulate them and give them ratings and censor them. "Whoa, we got this": our G, PG, R, right? And then in the '80s, Gremlins. I don't know why. I saw it, I don't know what was wrong with it, but people were going, "I brought my five-year-old, that's evil." All right, and then, "Don't worry, we got it": PG-13. They drove the regulation. We could do the same thing. Okay, once in my life, standards. Everybody wants to be... "We have these standards, you know, at least go through a

hundred different people who have researched and everything, and the value of this one, but ours is different because we have X, Y." Everybody always wants to be the lead dog. How do we get one? "Okay, here's the one that attaches to the others that will then make sure that now we're going to use this one as opposed to this one." Ever hear that? It's a great question your manager heard: "We should follow this," and we all know... The way we do it is that we start discussing it openly. We at least open ourselves up to be willing to listen, okay, because I'm thinking right now, do you know what the best standard out there is

right now? "This is the only wireless card you can use," that's in, but they fixed that, right. The best is PCI DSS. Is it the best standard? No, it's not, because it's the most prescriptive (that's a nice word), to the point where the FCC now uses it as the industry standard for what they compare organizations to after a breach: did you meet this requirement? Right. It's also kind of cool because it's "you must be this tall to ride the internet," right? It doesn't intend to be good, right? Now, I'm not saying PCI is awesome. What I'm saying is, if we're going to build something, we should build something similar. We can build off of it, right? It doesn't try to answer every

single question. It shows you a set of things you should aspire to, and then, once you figure out how to do that, it lets the industry figure out how to assess. Now, there are negatives: becoming a QSA is as ridiculous and asinine as... right, but that's why I say it's not the right standard, but it's a good model to base it on. And the way we do this is we work with a group of people who are not in it just to make money, okay. Notice I didn't say "not to make money," because we're greedy capitalists, right? My business goals, we were protested by the Occupy movement. And I think to build the

standards we have to focus on the second thing, and that is ethics, right? Because, what are your ethics? What do you think is okay? Do you believe it's okay that weev iterated through all of the data from AT&T and downloaded it? I'm not asking; I'm just throwing that out as an example. Or do you believe that Wesley McGrew's settings are better, when he's talking about going after people for scanning his systems? Right? I don't know, I'm asking you. We need to come up with what we think is ethical, because, I'll be honest, I hate the term "ethical hacker," right, because I'll tell you right now, the guy that stole a million dollars from that bank, he usually followed

his ethics, because that million dollars was insured and "this is okay," blah blah, whatever, right? Ethics. Well, we don't say that ethics are flexible. They are, to a certain extent, but what your ethics are may not match mine, right? What I think we need to do is say what we are allowed to do and what the process is, and what we think is a bare minimum of ethics. Like, for example, I have customers: "Can you do a pen test and hold onto that hat for you, like the real hackers do?" Or is it okay for me to tell you who I hacked? Right? What are the right standards? And I think, I believe, I'm not

that smart, a lot of it is already a basic level of what we consider required for what we do, right? I don't know, you don't have a history of stealing stuff and selling it, right? But we build that level of ethics up, and then we have to realize the third problem we have, and that's cliques, right? We got the goths, we've got the nerds, we got the sports, you know what you see. And I see a lot of this because over the last few years Secure Ideas has stopped going to as many security conferences as we used to, and it's not against security conferences; it's because I'm trying to succeed at paying payroll every two weeks. That, to me, is a

level of success: that every two weeks everybody in the company got their paycheck, yes, right. To do that, I can't talk to the same 50 people every week, right? And nothing against it, right, but so what we've started to do is go to security cons, hacker cons (there's a difference, right), and non-security cons. I go to HIMSS events. I go to the RSA, defense, whatever, right? And what I see is that there are people who are like you, right? Like, I'm at this one event and I'm talking to people, and I'm... right, because everybody knows, except they don't. I was at a professional InfoSec con, and when I mentioned HD

Moore, nobody reacted. Not a single hand in the audience. Well, they didn't know who he is. Now, I would like to believe that everybody in this room knows the guy who created Metasploit, right, the guy who has created a tool set and a huge team of people helping out, right, awesome stuff, but did something that moved penetration testing and exploit development light years ahead of where it was, right. And nobody in that room knew who he was. And I realized it's because even inside the nerdom that is InfoSec, and I say that proudly, we have cliques of people who don't cross, right? How many people here go to non-security conferences? Yeah, you learn stuff.

Yeah, of course you say that. And after there's a developer conference: "Good boy, why would you do that?"

I have to learn what they're looking for so I can hide that [bleep]. And where I'm seeing it really bad is this last one: the public and users. We would be... "If we didn't have users..." I don't know, man, you wouldn't get a paycheck, nothing. Users aren't useless. Our entire job is to support them. We are, as penetration testers, as security people, glorified QA and helpdesk. We are. I don't even like that. I don't like it. I want to think of myself as a wizard, right? I'm a genius, okay. I poke until it breaks; when it breaks, then I giggle. Fun, but that's it. Everything that's different, we'd be in QA,

right. But we have to engage the users. We have to engage the public. We have to engage developers. How many people here make fun of developers? Right? Yeah. But have you used Ruby? But just yesterday... I am so sorry. Or are you one... crack. But I'm opinionated, by the way; all of my opinions are my employer's. That's my boss, right there. What I want us all to do is, I want us to start going out and helping people learn. I want us to start educating. I want us to start sharing better, because, I'll be honest, that's one of the things I loved about this, and I'll tell you right now, this is the only industry I know that

you can walk up to the geniuses and giants of what we do and talk to them, and they'll talk back. They will answer questions. I know I'm not special, but I know that I can reach out to Mubix, I can reach out to Matt Carpenter, I can reach out to Josh More, Pat, and Scott Lyons, and I've asked them questions, and these geniuses, other than Scott, these people, they'll take time to answer my question. And then I say that to people, and somebody was showing an example: "Well, I talked to this guy Chris Roberts and he wasn't willing to help me." And I'm not sure... I didn't use him as an example because he was

mentioned earlier, right. If the person you reach out to isn't willing to help, they're not actually good at what they do. That's what I've found, time and time again: every single time I reach out to somebody who's supposedly a genius, who is supposedly an expert, and they never answer, or "figure it out yourself," right, they don't actually know what they're talking about. And I hate the OSCP mantra. And I want to be very clear: I'm not making fun of OffSec here. I think that certification is awesome; what they do there is cool. But I think that a lot of the idiots in the industry have taken that "try harder" answer and they think it's a way to make themselves seem

smarter. That's not why it happens with Offensive Security and the OSCP. But we see people on Twitter, so let me say, "Hey, you were talking about this, how do you do that?" "Try harder, man. Do it yourself." It's a shitty answer. Go out and help, share, talk, communicate and educate. We

have to, because there's way too many things broken today and it's just getting worse, okay? And I will tell you right now, if you have any questions, if you're ever in a situation that I know how to fix and help you with, ask.