
Yes, okay, thanks Mike, appreciate that. I was joking around with Mike yesterday about this as well: if he's learned anything about running BSides Greenville, I'm hopeful at this point he's learned that if you want to ensure your conference either gets canceled or delayed, you invite me to be the keynote speaker. For those of you that don't really know what I'm talking about, in 2017 BSides Greenville, we had, like, a freak winter storm, I think it was in the spring or in the late winter, that caused BSides Greenville to get delayed about six months. And then of course he turns around and invites me again for 2020, and then all of this happens. So it's ironic, it's funny, it's an inside joke, but whatever.

Another inside joke is the fact that, well, I found it by y'all's comments up here, and we might get to that here in just a moment. But you're here to see a talk called Sucking at Capitalism. Okay, that's the name, and I realize this is the first time most of you are hearing this. I didn't really give it to Mike with enough time to get it out in any type of marketing or anything, but that's the name of the talk here, and it really kind of revolves around ethics in the business of InfoSec.

Once again, I'm Tim Tomes, also known as LaNMaSteR53. I've been around long enough to see things done a lot of different ways. I helped start a consultancy, I've helped resurrect a consultancy, I've worked as a senior principal and managing consultant, started my own training company (this company also does development consulting work), I've been a director of training for an organization, I've been a contract trainer, I've done quality assurance for several training companies, I was a senior leader for an NSA-certified Army red team, and I was the guy that built the curriculum for the Army's first cyber training program, which has since become the cyber branch of the Army. And so I say these things not to pat myself on the back, okay; I say them because I've seen a lot of different organizations do fee-for-service work. I mean, I've had a chance to learn a ton from my own experiences but also the experiences of others, because of the leaders I've gotten to receive mentorship from during that process, and formed some opinions about how we do ethics in InfoSec business, and I'm just here to basically share those opinions.

Now, another funny, probably the only funny, point about this is, well, I'm getting ready to, like, slam all over capitalism, at least the way that we're currently doing it in InfoSec, and then my good friend Adam Anderson, whom I love dearly and I know is listening right now, otherwise known as the Nancy Kerrigan, because he is the Upstate ISSA's second favorite speaker, he's probably gonna get up and tell you to do all of the things that I'm telling you not to do. Okay, so the irony there is real and it's funny, so feel free to see this as kind of a pre-emptive flame session for everything that I'm gonna talk about. I'm sorry Adam, I love you brother, I'm sure you'll have wonderful things to say.

So I usually start talks with a disclaimer, and you know when you see a slide like this that I could potentially be saying something that's gonna get me in trouble, all right, that's basically what it comes down to. Number one, I'm not going to name any names. I'm gonna talk about some real-world examples and some real-world experiences that I've had with organizations, both as an employee and as a consumer and as an individual. There's a good chance that you may be able to make assumptions and figure out who I'm talking about, but I'm not going to give it away. In fact, I'm not gonna give away links to materials, I'm not going to say any names, I'm going to try to be as anonymous or non-attributional as possible about these things, because I think some of this could help people form somewhat of a black eye about certain organizations, or put a black eye on some organizations, or form opinions, and I don't want to necessarily do that. I just want to point out some systemic issues here.

Also know that much of this is subjective. This is my opinion, and this is based on my experiences, based on my circumstances, based on my view of the world, so there's a really good chance that a lot of you are going to have different views, different opinions, and that is completely okay with me and it should be okay with you. I'm just up here sharing mine, and you are free to either take that or leave it. And the last thing is, because of that, I could potentially offend someone. Now, I don't ever seek to offend, but I realize that there are definitely people out there that do seek to be offended, and those individuals usually find what they're looking for. I ask you to be open-minded, open-hearted, listen, understand, engage in dialogue, and then we'll kind of move on from there. Once again, this is very subjective, very opinionated, and that typically leads down that road of possibly offending people.

So let's talk about a couple of very different companies in our industry. And while these two companies are hypothetical, both of them exhibit qualities of various companies that I have either worked for or have been a customer of within our industry, and these are all within our industry. So
number one: consultancy number one develops and distributes open-source tools. Okay, so they as an organization actively develop these tools and give them away for free. They also support other open-source tooling, so for the things that they use, right, or the things that help them in their daily job, they also support those, not just by using them but also by marketing them, telling people about them, including them in their training courses, and even in some cases financially; they donate to the cause. Even when open-source tool developers don't ask for any money, there are organizations out there that will say, you know what, they've helped me a lot, I'm gonna give money back to them through their, you know, buy-me-a-coffee link or whatever, maybe PayPal, whatever it is.

This organization understands that satisfied employees make satisfied customers. An example that really stands out to me, an example of this hypothetical consultancy here, is I had an opportunity to go back and be a part of an annual party for a company that I once worked for, and at one point the owner of the company brought all the people together, and the families were there and everything, so it was a really, really good, wholesome family environment, and the owner pulled everybody together and said, hey look, we did really well this year, we made a whole bunch of money, you know, and was very transparent in literally giving numbers, right: we made X number of dollars more than we expected to this year, and yes, everybody gets bonuses and yada yada yada, but I've decided that instead of trying to take this money and try to do something to bolster technology at the company, or add a new thing, or do this or that, or find ways to spend it so that we can reduce our tax overhead or whatever it is, I'm just giving it away. Said, look, I'm giving it to you guys, I'm giving it back to the employees that make our customers happy, because our customers are the ones that are paying us to do this work and you're the ones that are making them happy. I'm cutting everybody a check. And these checks were not small; we're talking four, five digits to these individuals, and this was in addition to bonuses that were already going to be paid based on performance and so on and so forth. And so that kind of thing just speaks to me and says, hey, this company understands satisfied employees make satisfied customers, and they went the extra mile to ensure that their employees were well taken care of.

Uses rates to throttle work. There's a lot of different reasons you'll see rates change, but in this particular case I've seen organizations that will, well, not just raise rates because they can, but they'll raise rates because in a lot of cases they can't, and by can't I mean they can't satisfy the amount of work that's coming in. They've got a good reputation, they get a lot of folks coming in, but they don't feel like they can find enough skilled labor to do the things that they're being asked to do, so sometimes they'll raise the rate in an effort to reduce the backlog. Sounds crazy, sounds counterintuitive, but I've seen that happen before as well.

Transparent use of qualified subcontractors. So this is kind of important to me because I do a lot of subcontracting work, and I've also been on the other side where I've hired subcontractors. It gives people an opportunity to start and grow similar businesses, and someone's going to say, well, why on earth would I foster competition? The reality is there's more work to be done than there are good people that can do it, so the more small companies, the more organizations that can get started and get up and running, the better off our industry is going to end up being in the long run. And also this transparent use of it is just being transparent about business practices, right? Like, I do not have subject matter expertise here, so I am bringing in somebody that does, and I'm being transparent about that, and it helps lead into trust and things of that sort.

Believes in quality over quantity, and this goes in a lot of different directions, both in the things that they do and the things that they purchase. And the end result of all these things is no one in this particular company is necessarily filthy rich. Okay, so what's the common thread of all these particular bullets here? Well, I would say that they're focused on a culture of giving versus a culture of receiving, and this is something that a lot of companies, I think, talk about, and while they talk about it for a while, rarely does it stick, right? Rarely does this stick, but when it does, it shows. There are people, you can see it through your interactions with that particular organization. But the problem with this particular consultancy right here is we look at it and we say, wow, they really suck at capitalism.

So let's look at consultancy number two here. Consultancy number two bids on any contract with cyber in the title. I've been the victim of this myself, personally. Before PBAT, my Practical Burp Suite Pro Advanced Tactics class, ever went live, I taught it for an organization privately
first, as almost kind of a beta run through the course, and it was the result of an RFP. They reached out and said, hey, you know, we would love to be the first ones to do this, however we have to go through an RFP process, yada yada yada, we're going to literally copy and paste your description of the course into the RFP so that there's no way anybody else can do this; it's proprietary information, right? And so they put out the proposal and I bid on it, and I was really surprised to get the email that said I lost the bid. And so I reached out to the organization and I said, hey look, you know, obviously you know at this point in time that I've lost the bid, just want to let you know that I'm a little concerned, because I know what you were asking for, you cared about it, and I'm not sure how an organization can come in and bid on something that is proprietary and coming from one of the individuals that's known as being an expert with that particular thing, a subject matter expert in that field, by a company that I couldn't even find a website for on the internet. And they went back, did some investigating, and of course that's exactly what it was: somebody was literally just bidding on every contract opportunity they saw come across their desk. They had the worst library. This is a real thing, and this is happening, and of course I think we can all agree that's not good for the state of security. It's good for the state of those businesses, perhaps, but not for security overall.

Bullet number two: sells any service with security in the name, and regularly takes on work outside its core competency. And I would say that one and two often lead into three, right? Because when you're bidding on a bunch of stuff that you don't know how to do, necessarily, then you're going to have to take on work that you're not really qualified to do either. So there's that.

Bullet number four: bills above market rate because of company or individual name recognition. Well, this doesn't sound wrong, right? But I've seen a lot of organizations do this as if the person with name recognition, that rock star, is the one doing all the work. I have literally seen proposals from companies that always include the bio of the rock star, even if that company never intended for that particular person to fulfill that contract, but they sell it as if that person is. And I believe we call that, in business, the bait-and-switch, right? That's the InfoSec version of bait and switch: hey, rock star's gonna do this. Not really. Okay, maybe when you're in a chat channel, when we hop on a phone call and do an email, rock star's present, but that person didn't do the work, because it's impossible for them to do everything that these organizations are taking in for work.

The next one: bills the same inflated rate for both the rock star from bullet four as well as the senior and junior analysts. I would ask people to raise hands if I could see you, right, but have you ever seen a consultancy that asked for a different rate for rock star X versus college grad Y? Now I would imagine those exist, I would imagine there has to be tiered rates or tiered offerings in some organizations; I've just not seen that happen. I've seen it talked about, I've not seen an organization do it. But there is a big difference between the quality of the product, right? A better asset is gonna get paid more, okay, so they justify that higher rate. But all too often what we see is that inflated rate that that person is justified to bring in is actually applied universally, and that's done for a lot of different reasons, most of it to not be transparent. Okay, so this is a big problem, and it's a problem that's of scale, right, and fed by demand. There simply aren't enough people to do the amount of work that's available in our industry and to do it well. So the bigger a consulting firm gets, the more people they need, the more competitive hiring gets, the lower the skilled talent pool becomes for that organization, and the skilled talent pool for the industry as a whole is growing slower than the attack surface itself. So the impact is that a company grows, the talent pool gets watered down, overhead costs grow, but the quality goes down and the rates go up. Okay, now this demand then leads to the temptation to satisfy all comers, which goes back to these top three bullets here, right, and they simply can't provide a quality product when this is happening. So the end result is watered-down security for the consumer at the same or higher premium rate, and the worst part is if this consumer doesn't know any better and believes that they're continuing to receive a quality product based on either brand or past performance. To me it just doesn't seem right, but I'll get into that here in just a moment.

So the next one: seeks VC capital funding or acquisition. Is this not the American Dream, right? To get bought out for millions of dollars and retire at the age of 35? Okay, so the temptation of taking that big payday is where it gets tricky for companies with good intentions. Like, if you have bad intentions it doesn't get tricky, this is exactly what you're out for, but if you have good intentions it can get tricky here, because once investors get involved, things can go very quickly from model number one to model number two. Do people become rich that way? Absolutely they do, but often they become rich at the cost of the community and the people that both trusted them and trusted in their vision. Okay, so in contrast to the previous example, what's the common thread in all these bullets right here? Well, to me it's a clear focus on maximizing gains, and sometimes those gains are coming at the cost of others. Now, even though this example here is about consulting, the model is not unique to consulting. Product and training vendors are equally affected, and InfoSec is full of people and companies that are taking advantage of the fact that their citizens, or their clients, all right, don't know any better. So rather than take responsibility and help our clients understand, right, these organizations are capitalizing on lack of knowledge, right? With consultancy number two, this company excels at capitalism. Okay, now while these bullets are synonymous with what many would consider capitalism, and properly functioning capitalism, I'm going to spend the rest of this presentation making the argument that this is the result of capitalism done wrong, done due to the greed of man and not due to the core tenets of what capitalism was founded to be. So we'll start that argument now, okay,
and I'll start it by briefly defining not what I think capitalism is, but what capitalism is, okay, shedding some light on the origin of it. So here at bullet number one, Google defines capitalism as a system in which a country's trade and industry are controlled by private owners for profit rather than by the state. Okay, so it's pretty straightforward: our Constitution gives us the freedom to buy and sell property for the purpose of profit. Now, does that mean that profit is the ultimate goal, or does that mean that profit should be the sole focus? Let's look at this next bullet here, and this is a warning from the authors of our Constitution, this one specifically from John Adams, and you can read this whole paragraph, and come back to read it or do it now as I'm speaking, but ultimately it all is feeding into these two bolded statements right here. I'm gonna read these two bold statements. The first one is: we have no government armed with power capable of contending with human passions unbridled by morality and religion. And the second one is: our Constitution was made only for a moral and religious people; it is wholly inadequate to the government of any other. Okay, so what does this mean for our definition of capitalism? The people that wrote the Constitution are telling us that morality and religion are really important to the use of this Constitution, which governs and gives us this capitalism.

So morality comes from religion, right? So these two particular terms here are pretty closely tied together, and most of the world religions share a common thread. As I was thinking about this, reading this thing, I had to find this common thread: if morality and religion are so important to the proper implementation of capitalism, then what's the common thread here? And the common thread that I've been able to find, and not in all world religions but the major ones, we're talking about Islam, we're talking about Christianity, Judaism, is love. Love is a common thread there. And so it got me thinking, you know, if I were sitting in a room here and I said, who here has heard the words uttered before, love your neighbor as yourself, or do unto others as you would have them do unto you, right, the golden rule, I think I would see almost every single hand go up. And while these are actually religious concepts, as a matter of fact they're pretty much verbatim from Bible text, they are shared across many religions across the world and recognized by society as a whole; even a non-religious society recognizes these particular things. So my point is that even if Adams was referring to Christianity here as the implied religion, the point doesn't actually change when we include others, or just include societal norms: some sort of religion or moral conscience is required to navigate the rights that our Constitution affords, and that Constitution includes this idea of capitalism.

Okay, so capitalism is described by our founding fathers as being tied to morality, which stems from religion, and the majority of world religions and societal norms share a common thread of loving your fellow man. Then the next step toward better understanding capitalism, as I was going through this, was better understanding what exactly is love. Okay, so what is love? And no, I'm not talking about that hit song from the '90s, okay, that's Haddaway, of course; that's not what I'm here for, I mean. Another kind of humorous point is I believe I could be the first person in the history of security conferences to actually define and talk about love in a talk, right, especially a keynote. So I will gladly wear that banner, by the way, so feel free to label me as that. But bottom line is, love is really difficult to define. Okay, I think what I got from most places was some variation of this first bullet here, right, a complex series of feelings and emotions towards another thing, okay, but it's really difficult to define and the definitions are all over the place. And so what we see with the world religions, which had that common thread of love, what they do is, they aren't able to define it either, so what they actually do is they try to say what love looks like, give examples, so that we have an idea or an image or visual of what this thing called love is. So the Quran, with regards to love, says that Allah loves those who are of service to others. The Bible goes in great depth talking about love, and in these particular two passages here: it's patient and kind, doesn't envy or boast, it's not arrogant or rude, doesn't insist on its own way, it's not irritable or resentful, it doesn't rejoice at wrongdoing, rejoices in the truth, bears all things, believes all things, hopes all things, endures all things; and that there's no greater love than laying down your life for a friend. And so basically what we have here is love boiling down to service, sacrifice, and a reduction of self for the good of others.

So let's bring all of this stuff together. If the founding fathers designed capitalism for a moral and religious people, and the major world religions and society as a whole find their basis in love, and if love looks like a reduction of self for the good of others, then which business example, consultancy one or consultancy two, sounds more like capitalism? Now, I would certainly make the argument that consultancy number one appears to be excelling at capitalism, while consultancy number two appears to be sucking at capitalism. Okay, so this thought exercise led me full circle back to the keynote that I gave at BSides Greenville 2017 that Mike spoke of earlier, and the talk was called Infamous InfoSec Proverbs: The Tim Tomes Top Ten. And basically what I did was, I just wanted to put together, you know, the top ten lessons I have learned, whether it be about business, about technical stuff, about personal development, professional development, whatever. That was my first time ever doing a keynote; I felt hopelessly out of place, just like I do right now, because I'm much more technical than I am anything else,
definitely not a thought leader by any means, but I just wanted to kind of, like, throw those things out there: hey, these are some things I could share with people that are looking for mentorship. So I created a talk around that, and number seven of that particular list was: it is better to give than to receive. And the point that I was trying to make is that pretty much applies to everything that I've been a part of and everything that we do within this industry. I mean, mentorship, software, training, workshops, seminars, conference talks, whatever, all right. Let me give you some examples of those.

Let's look at mentorship. If everyone's giving mentorship, then who's receiving mentorship? Everyone, right? Same thing goes for, like, service: if everybody's serving everybody, then who's being served? Everyone, right? This is actually a biblical concept, but once again it does not require being a follower of Jesus to understand that this just feels right. If we are all giving, then everyone is receiving. Okay.

Point number two, like this, the software here: giving away software like Recon-ng has done more for my career and my quality of life than selling it ever would have. It has led to countless job opportunities. Probably 80% of the development skills that I have acquired over the years have come from my continuous development of that project and rewriting it over and over again. A quick story about that: early on, within the development of Recon-ng, I had folks come to me, actually corner me at a conference, and say, hey look, you know, we're developing open source intelligence gathering tools and we're looking to make them subscription-based, but you're giving away something that directly competes, and in many cases is better than what we're doing, and it's not fair, or not necessarily fair, but they were angry about that. They didn't like the fact that I was doing it; I was preventing them from capitalizing on a need that they saw that others had. And as I look back on that, that was years ago, I think Recon-ng came out in 2014, this may have been 2014 or '15 when this happened, I often wonder where are those individuals now. Not because I'm putting myself on a pedestal, but because I really wonder, because I see what giving it away did for me in my career, and I wonder what attempting to sell it did for theirs. And so I really wonder where I wouldn't be if I hadn't, and I wonder where they are, where they'd have been, and I think it'd be an interesting contrast to see the differences, one based on giving and the other one based on receiving.

And then the third point I'll make here is giving away training, all right, things like giving away training, giving away workshops, going and speaking at a conference and not expecting to be paid for that, right. That not only helps others but it also builds a personal brand, right, and it forces you to become a subject matter expert at something. I don't know that there's too many people that say, you know, I'm gonna go to a conference to talk about this, and then never prepare. I'm sure it's happened, but most people, when they want to get up and speak about something, they're going to work at becoming a subject matter expert in that area. And so as a result of that, you build your own professional skill set, you build your personal brand, all these things work together, and you're giving, right? You're going out there and you're doing it because you want to help other people, and it ends up benefiting you in the long run. Now, these examples here are based on the individual, but they apply to businesses as well. The problem is there are a lot of organizations and a lot of individuals that break this chain of selflessness (not selfishness, selflessness), and what this does is it contaminates the society within our industry, and it erodes the very principles that capitalism was founded on, based on the things that we've talked about.

So as I looked for examples of areas where there are clear problems with this "me" culture versus the "we" culture in our industry, I landed on four different problems, and I want to dip our toe in each of these and talk a little bit more about the motivation behind them and how I see it affecting our industry. And these four problems are: manipulation of recognized standards, restriction of open source tooling, training price gouging, or the price gouging of training, and pen test puppy mills, which has been long since talked about. I'm interested in just kind of going into the motivation behind each of these things. Okay, so the first part I want to
talk about is standards making standards manipulation and the example that comes to mind is the OAuth top 10 in 2017 so for those of you that aren't aware the Olaf top 10 most of you should be aware with the OWASP top 10 is because as far as web application security goes this is some kind of sets the standard for where all of our assessments start like when you when you do web application security assessments the top ten are the minimum baseline of what you should be looking for and looking at and focusing on so in 2017 this particular list was delayed and it gets released every couple of years and a cycle delayed several months
and it was delayed because the tract included a really questionable entry okay so what was questioned about that entry well it turns out that the waffle leadership had corporate involvement with a particular organization meaning that a wasa leadership worked for a particular organization that released a product that particular year that focused on solving the problem that this new entry presented okay so there was a ton of there was it essentially the the list itself directly supported a conflict of interest for the leadership of the organization that released it based on corporate involvement that they had with private companies and so luckily in this particular guy mean obviously that's it that's it that's a conflict of interest right so luckily
the industry actually stood up right the industry stood up called them out and and they went back and they pulled in some some outside people they read through the analysis and rereleased it out ten a couple months later so things were fixed but the bottom line is a manipulation of the top 10 could have had far-reaching effects I mean think about it causing the community to emphasize on something that wasn't crucial as it seen while downgrading the emphasis on something that was the the the impact of that is essentially untold it's impossible to calculate that but think of potential compromise they could have happened as a result of that since people weren't looking for it all these vulnerabilities
could have potentially gone unseen or unchecked, run unmitigated. I don't think I need to go much further here to realize that that's just wrong. Okay, but why did they do it? What was the motivation? Well, the motivation here was clearly to capitalize on a position of power for personal financial gain, and at the same time to sacrifice the security of a whole bunch of people, essentially everyone, to do that.

So the second problem here is restricting open source tooling. Now, this really appears to be a noble effort, okay? It's a noble effort that makes two main arguments. Argument number one is that bad actor capability is more important, or more impactful, than universal knowledge, excuse me, of that capability. Okay, now the original paper spends most of its time making this particular argument, and it claims to use facts that support this point, but it provides essentially zero supporting evidence. Now, I expected, as I read through this thing, to see links and references and all kinds of stuff, because the person is throwing out a lot of facts and making sweeping assumptions, and I didn't see any. There are no links in there, just no links to third-party information, which tells me that that information is coming from internal sources, whether it's internal to him or internal to an organization. That kind of information is coming from somewhere, but it's definitely not coming from a third-party resource that that particular person is willing to point out.

So, for instance, here's some of the flawed logic that's gone into this thing: the author says that bad actors should be forced to invest in a capability in order to have it, and that an effective way to prevent them from possessing it is preventing public release of that capability. So my question to that is: what happens if a bad actor is willing to invest the capital and the time into developing a capability that we have kept from public release? All that does is create a gap. It doesn't actually get rid of any bad actors, but it creates a gap between the haves and the have-nots. Okay, there are still going to be the haves, there are still going to be threats there, but the problem is the good guys go from being fully aware to being virtually completely kept in the dark. And I actually look at this and say, well, if you're going to make that argument, the same argument can actually be made to say that we should no longer provide security patches for unpublished vulnerabilities. And I say unpublished vulnerabilities specifically, because the release of patches for unpublished vulnerabilities now gives bad actors the ability to reverse engineer and diff software, right, to find the patched issue and then create exploits for. So no patches would restrict their capability, right? And that seems to be more important than the knowledge of those issues. So if the benefit outweighs the risk with regards to security patching, then why not with tooling? And so that's some of the logic that you kind of see there.

Now, argument number two is actually a really good argument, right? There's no viable justification for obtaining raw offensive capability pseudo-anonymously. I can totally get on board with this. As somebody that releases open source tools, if an author is willing to associate themselves with the tool, if I'm willing to say I wrote this thing, then the users of that tool should be
okay with saying that they're using that particular thing. I can get on board with it. So it's not a hundred percent bad argument; I mean, it's not a 100 percent bad idea, and it certainly appears to be a noble effort. But what is the motivation? You heard me kind of allude to it a little bit, where I was saying that he didn't point to any public information, that most of it probably came from internal sources. And as I looked a little bit closer, I found that the person that's driving this movement works for a company that would greatly benefit from any implementation of this idea. All right, they're one of the marquee names for all the kind of stuff, the information, that would feed into this, and one of the marquee names for an organization that would implement or assist in any type of legal regulation of that stuff. They would be someone that the government turned to to do this. And so I am making an assumption here, completely; I totally don't know this as fact, but it certainly appears to me that this movement here could be motivated by a desire to capitalize in a way that hampers many of us operationally while greatly benefiting a few financially. Whether there is nobility behind it or not, what is the motivation here?

Now, unlike the OWASP issue, this one's not resolved. Okay, there are some neutral resources out there where you can view an overview of the various arguments that are being made, to make a decision yourself. I've got a link here to one that's coming online in a couple of days. This is not me, right? I am not running this. The person that is is somebody that I think is a very middle-of-the-road person, tends to not get involved in drama, but really cares about the truth and about making good decisions as an industry. And so I'm willing to put this link here, but I just want to make it clear that I am not the one that is building this or putting this information together. I'll let that person reveal themselves when and if they release this thing, if they choose to do so. I will not name any names, like I said.

The third issue, and this one really hits close to home for me, is training price gouging. The reason why it hits close to home for me is because this is my passion. I love teaching people about the things that I know and the things that I've learned, and in fact I built my company around it. And when I say my company, it's just me, right? It's me with an LLC,
but it is a company built around training, and if I ever grow it, it will be to train. I also do some other things on the side, but I'm a training company, so this is close to home. And so what I did was I went out and I tried to build a table here of the average daily price of training for various providers. Now, these providers are generally highly rated. You can find negative feedback pretty much anywhere, with the exception of PractiSec. Just kidding, right? That's funny. No, seriously, that's my company, all right, and so of course I'm including myself for transparency here. You could absolutely find negative reviews for any of these, but these are all generally considered to provide highly rated training. It is based on an eight-hour day, too, which is why some of these numbers look a little bit funny, because there are organizations that teach four-hour workshops, or three-day workshops at four hours a day, and so you have to kind of do some math with the hours, but ultimately it's eight-hour days.

So Black Hat 2019, and they had a range of pricing for Black Hat 2019: $1,250 to $2,000 a day. Black Hills InfoSec, $198 a day. Now, I have a zero here because Black Hills recently came out and said, hey, if you can't afford to take the training, we'll give it to you for free. So obviously that seriously reduces the daily price, but I went with their listed price, which I think was $395 for a four-day workshop that was a total of 16 hours. My price is standard across the board: $500 per person per day, regardless of whether it's on-site, open enrollment, whatever. SANS is $1,170 a day. Now, SANS is the only one that might not be exact, and that's not because I want to fudge these numbers to make them look bad or anything like that; it's because every time I go there and check the prices, they're actually higher than they were before, and so there's a good chance that they may have actually gone up since I collected this information, even though it was only like three to five days ago. I just want to make sure I throw that caveat out there. SpecterOps, pretty much a thousand bucks across the board on all the classes that I could see listed as upcoming, and TrustedSec, same thing, about $750.

Okay, so why is this information important? So I went and did a little survey on Twitter this past week and asked a question: how much are you willing to spend out of pocket per day for decent training? And here I specify not the best, but something relevant that will make
you marginally better at your craft, without being reimbursed. This is a really tough question to ask, and it's a tough question to answer, because it's extremely subjective. Well, how many days is it, right? Rich people versus poor people. So there's a lot of subjectivity that goes into this, but ultimately I was just trying to get enough data to make this point, and I think I did, okay, regardless of where the statistical anomalies may be and how you could maybe draw some conclusions from it. Ninety percent of people aren't willing to, can't, or won't spend over five hundred dollars a day for training. So what does this say about the providers on the previous slide? Well, it says that they're explicitly targeting big-money customers, right? Governments, large companies. They're not interested in helping individuals, they're not interested in helping people, they're interested in padding their pockets by supporting clients with a lot of money. And so what does this do for our industry? Well, it creates a barrier to entry and a barrier to improvement, all while, of course, increasing profits for those organizations. Now this problem, and this is what really grates me and really irritates me, this problem is amplified when you apply the fact that the people that need the training are less skilled, and because they're less skilled, are less likely to be paid enough money to afford the inflated prices that are being asked. This is a huge problem. Of all the problems I think we're covering here, I think this is the biggest, and it's certainly the one that grates me the most. You could probably tell, because the level of passion in this particular segment of my talk has gone up, because this bothers me. This affects me. I know it would have affected me greatly if I wasn't privileged coming up and having people that pulled me through the industry and set me up with great training. The Department of the Army is a big part of that, right? I didn't pay for all the training I got; it came from them, right? That was a privilege that they afforded me. Not everybody has that, and so, that being said, it's a problem. It's a problem that we've got to deal with, okay?

And the last one that I want to talk about is pentest puppy mills. This one has obviously been talked about a lot over recent years. It's a twist on example number two, but in that case the result was inflated prices making the service inaccessible to small and medium businesses, whereas pentest puppy mills actually have the opposite effect, which I'll get into here in just a moment. They prey on a lack of knowledge versus individual brands, okay?
So they're not preying here on rockstar brands; they're preying on a lack of knowledge among the clientele. And that's not 100 percent of what they do, but it's a part of what they do, because quality is never really intended with a pentest puppy mill, right? There's very little concern for quality and, frankly, for individual name recognition, right, that rockstar thing that I was mentioning. These companies take advantage of weak regulatory requirements, things like PCI, things where, well, you can be compliant but you're not necessarily secure, and they provide a solution for that check-the-box security mentality, which frankly a lot of organizations have. They sell these services with a sense of confidence in providing a service that they don't actually specialize in. So this also goes back, similar to example number two, but instead of being enabled by that brand recognition, these pentest puppy mills are enabled by their low rates. Now, in order to offer these low rates, they've got to make some compromises, right? And we'll get to that in just a second. So they undercut other firms by conducting fully automated, low-quality tests. They have to conduct fully automated tests in order to pay the people that they're paying while also providing the service at the rates that they're charging.

Now, don't get me wrong, automation has its place, right? Automation absolutely has its place, but it's long been known that these tools aren't very good, right? I shouldn't say they aren't very good, because they're trying to do something very difficult, but they only have the ability to find a very low percentage of the actual issues that exist, and depending on what part of the industry you're in, it gets worse. Like, find an automated tool that writes zero-day exploits for network services. Not gonna happen, right? Or at least it doesn't exist in any really good capacity. Now, web application security, in an environment that's changing, in an environment where a developer can solve a problem in literally an unlimited number of ways, the idea of having a scanner that can find problems in all of these things is darn near impossible. So this is a very real problem. And so if you've got organizations that are undercutting others and then conducting these fully automated tests, they're absolutely going to be low quality, and so what you end up having is these things being sold with confidence, and then it leaves clients with a false sense of security, okay? Now, where this becomes dangerous is for consumers that are hiring these companies and that actually care about the results of these tests, because, let's face it, there are absolutely going to be consumers that only want check-the-box stuff and don't actually care about the results, and you know what, pentest puppy mill, go for it, you can service those clients. I don't agree with anybody looking at security that way, but the bottom line is there are people that are okay with that. But that price point that they're able to offer is absolutely going to draw in others that don't know any better, and then they're going to be taken advantage of, and this leads to a reduced level of security for anyone associated with those organizations that fall for that particular business tactic.

Okay, so those are the four main problems and
kind of my summarization of those. There could be an individual talk done on each of these; I literally just barely skimmed the surface of these things, but I just wanted to throw those out there. So now, how do we fix this problem, right? We have rampant ill-applied capitalism, and it's leading to these issues. How do we fix it?

Okay, so solutions for providers. Number one: I don't expect any leader of any company that behaves like this to actually watch this talk and take anything I say seriously, right? So this slide is essentially meant for those who realize they're a part of one, or potentially could be moving in the direction of starting their own organization and being a provider of one of these services. Number one: be transparent with your business practices and your competencies, right? If you don't do something well, don't tell somebody you do it well, okay? And if you have an organization, a company, that says, look, we're looking for a one-stop shop, we want somebody that does all these things, is it not perfectly okay to be transparent with your business practices and say, hey, you know what, that's not something I do well, but I do know people, and I will find a quality subcontractor, or I will lean on one of my quality subcontractors, to actually fulfill that part, the competency that we lack, to give you this full product that you're looking for? There's absolutely nothing wrong with that, nothing at all. But as a subcontractor, I have absolutely run into companies that just refused to let me be me, and what's absurd about that is, how hard is it to say, huh, Tim Tomes, I wonder what his credentials look like since he's conducting my tests. Google Tim Tomes: founder of Practical Security Services LLC. That's not who I hired, right? So it's not even really a secret in most cases, so why not be transparent about it to begin with? Anyway, next bullet.

All right, so they offer different tiers of service based on asset proficiency. Once again, it makes sense: if you've got a rockstar, charge rockstar rates for that person. They're worth more, they're gonna work faster, chances are they're going to be more efficient and get things done quicker, but that doesn't mean that it should be the same rate as a result of that, right? You can up the rate for somebody that's going to be more efficient and a better asset. That just makes sense. That actually feeds into what our Founding Fathers had in mind for capitalism; there's nothing unethical about that.

Price training so that it's accessible to all, and this kind of goes
into the next bullet: just stop being greedy. Have a heart for others, contribute to the good of everyone, and you can do that by pricing training so that it is accessible. I'm not asking you to give it away like Black Hills, right? In fact, with Black Hills, I saw some people saying take advantage, take advantage. I don't necessarily agree that you should take advantage. If you have the ability to give a little more, if you have the ability to pay that three hundred ninety-five bucks, do it. There's still work going into that, and even though Black Hills isn't gonna ask you to, if you have the ability to do it, do it. If you don't, then go get your free training, and that's a great thing that Black Hills is doing for you. But ultimately, just think about someone else other than yourself as you're embarking on this journey. Now, I get it, a lot of this stuff is much easier said than done, right? And ultimately it requires a huge culture change. This is not going to be something that you, the brand new guy that just got hired, or the intern, is probably going to be able to change within an organization. This definitely comes from the top. But one of the good things about capitalism, right, is that as employees and consumers we have the ability to drive change, and so those are kind of the next couple of points that I'm gonna go into.

So, solutions for individuals. This is for us, the individuals. Number one: share your tools and discoveries, but do it responsibly. Now, responsibly is a loaded term, a whole other talk, right, on what responsibly means, but ultimately what I'm telling you not to do is lock it away and make it inaccessible, okay? Recon-ng is kind of an example of that, and I have an interesting, perhaps different, approach to how I manage this thing. Responsible disclosure of Recon-ng for me, a responsible distribution of Recon-ng for me, is making it somewhat difficult to use. I did that intentionally. People ask me,
well, why do I have to know SQL to do this, or why is it difficult to set up the environment, or why is the command structure built this way? Because I get hit up on the issue tracker and in Twitter DMs all the time from some non-hacker, a guy with an Anonymous mask, you know, in broken English: I'm trying to hack my friends, I'm trying to dox somebody on Facebook, can you show me how to do it with Recon-ng? No, I'm not going to show you how to do it. You're not the intended audience, and I'm not going to contribute to that. If you want to use the tool, you're going to need to invest some time and some effort to do it. Now, I'm not requiring you to invest in such a way that you have to completely redevelop the tool, but I am requiring you to invest time to work through the learning curve, and that's how I've chosen to make the distribution of Recon-ng a responsible distribution, okay?

Affect the culture change. Once again, this starts at the top, so if you're near it, try to influence it. Don't sit idly by and watch our industry and your peers suffer for the sake of a few individuals' greed. Don't do it; you don't have to. And that kind of leads into number three here. There's more work than there are good people to do it, and that results in a ton of opportunities. If you're a valuable asset, consider finding a new job. Consider moving. If a company experiences a mass exodus of talent, that sends a pretty darn strong message to the leadership of that organization. If anything can drive culture change, that may be it for employees, okay?

Number four: don't support companies that hurt the community. Plain and simple, don't support them. By supporting these companies, all you're doing is enabling them to make it worse. So if you've identified any companies, and I'm sure many of you, as we've gone through this talk, have said, oh, that organization comes to mind, one, two, three of them, don't support them, all right? If that's an organization that you pour money into on an annual basis, don't do it anymore. On the next slide I'm gonna cover ways that you can compensate for that, but just don't do it.

And then the last one: call it out, right? As an industry, we're pretty good at self-policing, I would say. Making these kinds of things known and getting the word out, I think, goes a really long way to fixing this particular problem. In fact, this entire talk is me calling it out, all right? If that didn't hit home pretty much immediately when I said that,
that's what this is. This is me calling out these particular problems. I see an issue and I want to make it known so that we as an organization fix it, okay?

Solutions for consumers. What can consumers do? And by consumers, I'm talking about individuals or companies that are purchasing these services, whether it be training, consulting, development support, whatever. Number one: avoid the one-stop shop, okay? One-stop shopping is super tempting, right, but it can cost you money in the long run, and I think it'll become apparent here in just a few moments, some of my points to support this and why you should do it. Small companies usually have a sharper focus, okay? A couple of individuals get together, they're really good at a thing, maybe it's exploit research, maybe it's web application security, whatever. They get together, they start a small company, and then they hire around that one core competency on which that company was developed. You have a really high average skill per individual at a small company. I shouldn't say that universally applies, but it certainly has in my experience. On the flip side, large companies, right, as they grow, they've got to hire less skilled labor, because as we said multiple times, there's just not enough good people out there to do the work that needs to be done, and so they're gonna have to hire less skilled labor in order to get the number of jobs done that are coming in, and they're gonna have to automate more, and some of that automation is to take the place of a lack of skill. So you're gonna end up with a less than average quality per engagement. And what this ends up resulting in is a short-term gain, because guess what, I'm only spending time doing one contract, I'm only spending time talking to one client, and that seems to save money now because I'm saving time, but it ends up in a long-term loss.

And so let me give you an example. As an individual, as a company, and as a VP of services for another company, I've lost contracts to companies that have come to me and said, hey, we want you to do X, Y and Z, and I just simply couldn't. And when I told them I couldn't, I gave them everything I've talked about here in terms of how we can solve that problem; I advised them of this stuff, and they chose to go somewhere else. Now, it is worth noting that I personally refuse to do anything outside my core competency, and I don't do subcontracting right now, so as a result I simply cannot and will not satisfy these requests. And I feel like I need to say this, because if I didn't, I could be putting myself against the argument that I'm making. So I want to make that clear: I don't do anything outside of my core competency. But in this particular case, I was open with them and I was transparent and said, hey, look, we don't do that, or I don't do that, and I advised them of these particular dangers, and they ended up going a different direction. Many of those companies ended up coming back at a later time and paying me to do the work a second time, when if they would have just taken the time in the first place to form those relationships, with me for the one thing and then another organization for another thing, and oh, by the way, guess what, we know each other, so I could have given them really, really good leads into small companies or individuals that could have done a fantastic, stellar job for a reasonable rate for them. But they ended up coming back and paying me to do it a second time anyway. So, long-term loss: they ended up paying two or three times to have this done, and they saved a couple
of hours of work early on. A very real problem. Avoid the one-stop shop, tempting as it may be.

Point number two kind of leads into that a little bit as well: build relationships with local small companies. Chances are there are some in your area that you're not even aware of. I didn't really grasp this until I started going to some of the local meetups here in the Upstate area and realized that, oh my gosh, there are security consulting firms here, there are really good development firms here, there's good local training in the area, there's stuff. And yes, it could be considered direct competition, but once again, there's more work than there are good people that can do it, so competition is a really good thing right now. Having more of these companies is a good thing. I just didn't realize that there were that many good small companies doing these things around me. And I think another thing that we would agree on is, when you're doing work like this, trust is really important. How easy it is to build trust when, month after month, you go to these meetings and you see these people, you see your client, right, asking good questions at these things, you see your client showing concern and care and passion for the work that they're doing, you see your client up there presenting technical, well-thought-out material. It is really easy to build trust when you're doing that, okay? And so I'm convinced that the best services you've never heard of exist here. It just takes a little bit of time and a little bit of effort to get involved. Go out, meet the people, have the phone calls, right, have the additional phone calls, put in the extra hours of contracting to bring in these small organizations that are going to do really, really good work for you and have a high average skill. And oh, by the way, since they don't have all that overhead, they're also typically cheaper. I've actually had people tell me I had to raise my rate, because my rate was so low they were afraid contracting was gonna think I was a fraud. Okay, no, I just don't have an office I have to pay for, I don't have a bunch of employees that I've got to pay for. It's just me. I'm really good at what I do. I'm a one-trick pony, but I'm really, really good at my trick, okay? And I want to do that trick for you, and I'm willing to do it at a nominal rate. And that just doesn't equate with companies with regards to modern capitalism, or the way that we've been doing capitalism, so we really
need to kind of change that mindset, okay?

So I'm probably way over at this point in time, and I'm not looking at any text, so I imagine Mike's probably screaming at me, but let's get through this conclusion here. Number one: I'm a huge proponent of capitalism, true capitalism, regardless of what this presentation says. I'm a proponent of true capitalism. I don't believe that change happens when you're forced to give, right, and feel free, while I'm saying this, to go down and read this verse at the bottom of the page. When you're forced to give, there's no heart involved in it, and when there's no heart, there's no change, okay? Capitalism, true capitalism, gives us the opportunity to choose to give, to choose others over ourselves, and that ability to choose is a change of the heart, and the heart is the only way that we're going to fix this problem and many other problems that are very relevant in our culture, in our country, right now. And as I've said, current capitalistic tendencies rooted in self are not what the Founding Fathers intended, and I hope I've helped people see that today. There are absolutely companies doing it right. I know I pointed out some things that could potentially be wrong, but there are absolutely people doing it right. But in the cases where things are wrong, we all have a part to play as a part of the solution, and I hope I've been able to present those to you as well. Ultimately, we have a choice between the good of humanity and the good of self, and at a time when I believe it's never been more relevant, I'm imploring everybody that's listening to this talk: please choose humanity. Choose others. Choose the industry. Choose the thing that you love.