
More Tales From the Crypt...Analyst

BSides Charm · 56:27 · 24 views · Published 2021-05
Speaker: Jeffrey Man
Mentioned in this talk: Malware
About this talk
Jeffrey Man, a founding member of NSA's first red team known as "the Pit", recounts the formation and early methodologies of the team, and shares war stories from vulnerability and threat assessment at NSA in the early-to-mid 1990s. The talk examines how the practice of penetration testing has evolved over 25 years and reflects on navigating the politics and bureaucracy within NSA's security organization.
Original YouTube description

More Tales From the Crypt...Analyst

The speaker was a member of NSA's first Red Team, known as "the Pit". Learn about the formation of the team, engagement methodologies, and how we learned to navigate the politics, bureaucracy, and reticence of NSA. Hear war stories from the early days of vulnerability & threat assessment at NSA and see how this industry and the practice of penetration testing has evolved over the past 25 years.

Presenter: Jeffrey Man (@MrJeffMan). Respected Information Security expert, advisor, evangelist, co-host on Paul's Security Weekly, and currently serving in a Consulting/Advisory role for Online Business Systems. Over 37 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty years, has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies.
Transcript [en]

[Music] Good afternoon, everyone. Everybody hear me okay? I'm tied to a microphone today, and it's only one bright light. Hi, my name is Jeff Man. Thank you for coming this afternoon. If you were trying to see me yesterday at noon, I couldn't make it here because I was stuck in Canada, but that's not all bad. This is my name and my contact information, in case you ever want to get in touch with me. Feel free to reach out to me; I like talking to people, answering questions, and I like asking questions. If by the end of the talk you want to get in touch with me, I might have this at the

end again, but the easiest way to find me is @MrJeffMan on Twitter. Very briefly, just a snapshot of my background: I've been in the information security business for about 35 years. I spent the first part in the Department of Defense, primarily in the National Security Agency, which is what we're going to talk about today. I've been out in the private sector for the last 23 years doing mostly consulting and advisory work. I started out doing a lot of penetration testing and vulnerability assessments, basically going out and talking to companies and trying to help them figure out their security problems and make them more secure. And I would be remiss if I had not mentioned that I spent a good amount of

time in the PCI world, to which you're supposed to respond "drink." Anybody have something for me? My company lets me do a lot of this talking, so I have to have one obligatory slide to talk about them. It's a company called Online Business Systems, which nobody's ever heard of. It's been around for about 30 years. A guy that I used to work with in consulting in PCI, my old boss actually, started a security practice with what was essentially a software and IT services company about six years ago. I've been there just about a year. We help companies do security; we help them figure out what's best for them. We don't go in there and sell a specific

product or set of services; we try to work with them. We're growing very quickly. If anybody's interested in the consulting world and is looking for work, please see me afterwards; it doesn't hurt to have a conversation. I need to apologize at the outset for this talk, because this talk is really a historical talk about what I used to do in my final years at NSA, which was back in the early to mid 90s, and what I discovered when I was trying to put together cool slides is that this is how we used to do screenshots back in the day. So I apologize for the limited graphics that you're going to see in the

presentation today. One of the things that I will have interspersed throughout the talk, at various points, is some important dates in the history of information security. This is a way for us to interact a little bit, so there's sort of a quiz throughout the talk. I'll give you an example: does anybody know what's important about the date August 29, 1997? Shout it out if you know. Judgment Day? Close. Give up? Yeah, so it's more or less Judgment Day; you're kind of right. And I'm going to apologize also because I have to kind of move quickly, because I've got like 90 slides to get

through. I've done it before, but I'm dragging a little bit. So, I spent 10 years at NSA, from 1986 to 1996. In my time there I started out as a cryptographer, a cryptanalyst, and I did all these other things, which is what I'm talking about today. I gave a talk a few years ago called "Tales From the Crypt...Analyst," which basically talked about the first six or seven years that I was at NSA, when I was doing cryptography. The last thing I did at NSA is the bulk of what we're going to talk about today, which was getting into penetration testing, red teaming,

but just as a brief recap, because I think it applies a little bit to the formation, at least, of my career and my mindset of being a hacker. When I first started out at NSA, one of my first assignments was when a customer approached me. I was working in what was called the manual crypto system shop; we produced paper crypto systems, primarily one-time pads. I had a customer come to me and say, "We've got this PC on our desk, this cool computer. Isn't there some way we could do this encryption and decryption of the one-time pad with the computer?" And I thought, well,

yeah, that seems reasonable; you should be able to do that. So I set out, in an organization that only produced hardware at the time, and did something that had never been done before. So, a lesson: if you're a hacker, or want to be a hacker, or want to pursue a career in this field, one of the motivators, if you ask people that got started in this industry early on, is if you ever had somebody tell you that you can't do something and you see that as motivation to do it anyway, you might be a hacker. So I had to basically hack a whole system where there were design specs, there were rules to

follow. I had to go before a board of directors, essentially, from NSA and pitch the concept, get them to approve actually doing it, and then go off and do it, come back and present what we'd done, go through security evaluations and get the whole thing approved. And when it was finally approved, senior management, this board of directors essentially, sort of begrudgingly said, "Well, you've met all of our criteria, so I guess we have to let you do this. But don't do it again." So, to my knowledge, I produced the first software-based encryption system that NSA ever produced. I had a rudimentary sort of

Microsoft Paint kind of program on my computer, and I redrew a Calvin and Hobbes comic strip years back. It's funny to me, probably more so than to you, but I drew this thing a pixel at a time; it was all freehand. What's in there, though, is something called the Functional Security Requirement Specification, which was a big, huge document of all the rules of how you built hardware back at NSA, and I had to rewrite it for software, so I kind of made it up as I went along. The other thing that I did early on in my career was working with US Special Forces, and they used a one-time

pad, and their encryption algorithm, their method of producing cipher, was something called a Vigenère table. There's a sample of it: it's basically the alphabet offset against itself 26 times, but it's a reverse alphabet, and that produces unique three-letter combinations that the Special Forces would memorize: one letter being plaintext, one letter being key (because the one-time pad is just a stream of key), and then the third letter would become cipher. Because the three letters are unique, they're reversible, so it works in reverse. They had it memorized; I didn't. So I just came up with this wheel, because I'd been through a bunch of crypto classes, learning about classic cryptography, learning about cipher

wheels, and I thought, you know, there ought to be a way to make a cipher wheel out of this Vigenère square. So I came up with the concept, and I just did it for my own benefit, but they liked it so much they actually kept stealing it from me. So finally I said, "Would you like us to make these for you?" "Yes, we would." So we ended up making 15,000 of them and distributing them to Special Forces. I bring this story up because just a couple of weeks ago I was at a conference and somebody asked me, a friend of mine who I thought knew my story about the Vigenère wheel.
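The reverse-alphabet trigraph table described above, as an added example that is not from the talk and not the production wheel: letters A..Z are taken as 0..25, and the reciprocal rule is reconstructed (an assumption, not something the talk states) as plaintext + key + ciphertext ≡ 25 (mod 26). That single rule is what makes each trigraph reversible: any two letters of the three give the third, so the same table encrypts and decrypts. The block also shows the failure mode the talk later warns about, reusing pad key: two ciphertexts on the same pad leak the difference of their plaintexts, so a crib for one message recovers the other with no key at all. The function names, the messages and the fixed pad used in the demo are constructed for this example.

```python
"""DIANA-style one-time pad on a reverse-alphabet Vigenere table, plus the
key-reuse weakness.  Added example; the rule, names and sample data are
assumptions made for illustration, not material from the talk."""
import secrets
import string

ALPHA = string.ascii_uppercase  # A..Z == 0..25


def diana(a: str, b: str) -> str:
    """Combine two letters under the reconstructed rule a + b + c == 25 (mod 26).
    The rule is symmetric in all three letters, so one call serves for
    (plain, key) -> cipher, (cipher, key) -> plain and (plain, cipher) -> key."""
    return ALPHA[(25 - ALPHA.index(a) - ALPHA.index(b)) % 26]


def diana_table() -> list[str]:
    """The 26 rows of the reciprocal table: row A reads Z..A, row B reads Y..A Z,
    and so on.  Row = plaintext letter, column = key letter, cell = cipher."""
    return ["".join(diana(p, k) for k in ALPHA) for p in ALPHA]


def normalize(text: str) -> str:
    """Uppercase letters only, the way a paper pad system is actually used."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)


def make_pad(length: int) -> str:
    """Fresh random key letters; a real pad page is used once and destroyed."""
    return "".join(secrets.choice(ALPHA) for _ in range(length))


def pad_apply(text: str, pad: str) -> str:
    """Encrypt or decrypt (same operation) letter by letter against the pad.
    Refuses a short pad rather than wrapping it: wrapping is key reuse."""
    msg = normalize(text)
    if len(pad) < len(msg):
        raise ValueError("pad shorter than message: never stretch or reuse a pad")
    return "".join(diana(m, k) for m, k in zip(msg, pad))


def key_reuse_attack(c1: str, c2: str, crib: str) -> str:
    """Two ciphertexts made with the SAME pad plus the plaintext of the first.
    Since c == 25 - p - k for both, c1 - c2 == p2 - p1 (mod 26): the key
    cancels and p2 falls out with no knowledge of the pad at all."""
    crib = normalize(crib)
    out = []
    for x, y, p1 in zip(c1, c2, crib):
        shift = (ALPHA.index(x) - ALPHA.index(y)) % 26
        out.append(ALPHA[(ALPHA.index(p1) + shift) % 26])
    return "".join(out)


if __name__ == "__main__":
    for row in diana_table()[:3]:
        print(row)
    pad = make_pad(40)
    c1 = pad_apply("attack at dawn", pad)
    print("cipher:", c1, "->", pad_apply(c1, pad))
    # misuse: a second message sent on the same pad page
    c2 = pad_apply("retreat now", pad)
    print("recovered without the key:", key_reuse_attack(c1, c2, "attack at dawn"))
```

The attack works on any additive pad system, not only this reverse-alphabet form: the operation that combines plaintext and key is linear, so subtracting two ciphertexts made with the same key removes the key. The only defence is the one the name promises, one use per pad page.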

He said, "Have you ever heard of the DIANA cryptosystem that was used by Special Forces?" And I sort of scratched my head: that doesn't sound familiar to me. So I googled it and I found this page on Etsy where some guy had made, out of wood, this thing that looked a darn lot like the Vigenère wheel that I created, and it's labeled "DIANA cryptosystem." So the guy that I was with, I showed him a picture of my wheel and I said, "Does it look like this?" and he said, "Yeah." I said, "Did you know I invented it?" and he's like, "No." So the upshot was I got in touch with the guy that built

these things, and he had been approached by someone that was a professor at the military war college, I think it's up in Pennsylvania, Carlisle, Pennsylvania, and that guy is ex-Special Forces and wanted to have the history of these wheels preserved, and so he had commissioned this guy to make a bunch of them. I've interacted with the guy, I've emailed him, and he actually sent me several of them. They're up here up front; afterwards you can come take a look at them. They're show and tell, please, but take a look at them later. This is essentially what's up here on the stage right now. The guy that I've been talking to had

seen a copy of the wheel, actually on Instagram, and so that's a picture of one of the actual production models. That's like the coolest thing I ever did at NSA, and I did it in the first two years I was there; I've been kind of coasting ever since. But I got a cash award for making this thing, and my boss, when he wrote up the little abstract to put me forward for the cash award, entitled it "Man Reinvents Wheel." In the middle part of my career I became a cryptanalysis intern and I moved over to the operations side of NSA, which is what most people know NSA for. That's the

communications intercept, collecting information from what used to be just foreign powers, our adversaries, our enemies. We won't get into the politics of what NSA is doing these days, but I happened to be there during the first Gulf skirmish, Desert Shield, Desert Storm, so I got an award for that; I have a nice little certificate at home. It was very interesting to see everything working at NSA, and so I spent the middle part there. On my last tour as a cryptanalysis intern, I went up the road from Fort Meade, back up closer to BWI airport. I'm sorry, I take it back: we started out

down at Fort Meade; we moved later. But I went back into the infosec side, working in an organization that was doing fielded systems evaluations, because somewhere along the line we figured out that the way NSA very often intercepted communications and was able to break encrypted messages and coded messages was because we were able to take advantage of the people that were using them misusing the systems. Very often they wouldn't change default settings; very often they would reuse key more often than they should. One-time pads are unbreakable, but if you take a pad of key and use it more than one time, you're introducing vulnerabilities that make it

susceptible to being compromised. So I earned my one certification, as a cryptanalyst, in my final days, and this final shop, this final tour, is basically the bulk of the rest of the talk. So what I call 3.0 of my time at NSA is in the fielded systems evaluation group. My first assignment was that I had to do some sort of a technical analysis and write a research paper to earn my cryptanalysis certification. This is the device that I looked at. I don't know if they're still using it, but this was like one of the first digital ones: take an analog voice, encrypt it, digitize it, I think it was digitize it then encrypt

it, and then send it and reverse it on the other end. Very often the voice that came through, when it had gone through that whole process, sounded a lot like Donald Duck, but nonetheless it was a secure system. I had to evaluate it to see if it was still secure, wrote a paper, and that's what earned me my certification. Yup. But then something happened and changed the world. You may know what this date is known for. I'm sorry, very close. This was the date that the first of what came to be known as the commercial version of the World Wide Web browser, known as Mosaic, came out. It wasn't the first browser, but it was the first commercially available

browser, and that kind of changed the world, because everything now focused on the internet. That's actually what it looked like back in the day, as I said, one of these rudimentary screenshots, but thanks to Google you can find stuff like that if you're willing to hunt hard enough. Anybody remember this? Anybody been around long enough to remember? A few of us old-timers. Were you? Excellent, very good, you should be giving this talk. Okay. And then, because the internet became more publicly known and more publicly available, of course the idea of there being hackers and bad guys out there became more prevalent. Some of the

early books that were sort of my textbooks, my bibles on how to do security, were books like these. Anybody know any of these books? Some of us might; the same hands are going up. It's the old people in the room. Raise your hand if you're old; you're going to be able to say yes to my questions. So I've added this just in the last week. One of our main inspirations, for a lot of us, the people that are raising their hands, was this guy: Clifford Stoll wrote a book called The Cuckoo's Egg. In 1986, long story short, because I don't have time, he noticed somebody was breaking

into the university computer that he was working on, and he took it upon himself to figure out who it was and catch him. A fantastic story. He created things that had never been done before, and some of the things that we take for granted now in terms of forensics and detection and threat monitoring, threat hunting, he was doing sort of analog back then. I happened to meet him last week; I was at a conference earlier this week in Canada, so one of my fanboy moments was that I got to meet the actual Cliff Stoll. Read the book, or there's a NOVA special that you can

find on YouTube. Just put "Cliff Stoll Cuckoo's Egg" into YouTube; I think it's the first thing that pops up. It's about an hour-long movie where all the real people acted it out, so he acts in his own story. It's kind of cool. So anyway, this group, the fielded systems group, we started learning about what we called at the time networked computing systems, and we started looking into and learning about hacking and breaking into things. Back in those days it was all Unix-based systems, primarily. Windows was kind of around, but most organizations, most enterprises, were working on Unix, so that's where we were cutting our teeth.

Because it became so popular, management got a hold of it, and any good bureaucracy is going to do what? Reorganize. So they formed what came to be known as the Systems and Network Attack Center, SNAC for short. They pulled the best of the best; it was basically a big reorganization, but the focus became "we're going to focus on this whole internet network security type of thing." I actually worked in the office that was called C4; we kind of thought that was cool. These were sort of our early marching orders. These are the things that I worked on at the very beginning. We assembled a team. The deputy

director at the time, and this is more or less from memory, so it's not an exact quote, had this vision that you just hire a bunch of these long-haired, weirdo, pale-faced people that hide in rooms, really smart hacker kids, pull them together, and we'd have a center of excellence and we would be better than everybody. That was his belief. There was a small group of us, mostly working in this network systems branch of the fielded systems evaluation division, that sort of coalesced together, and we took it upon ourselves to learn hacker methodology, hacker culture. One of the first things we did was take a road trip. Back in those days

the Air Force sort of owned the network for all of the armed forces, so they set up the first network operations center, they had the first security operations center, so they were ahead of the curve on a lot of things. They were based down in San Antonio, Texas, and they had a group called the Air Force Information Warfare Center. So we took a trip down there, and we got to meet some of the guys that were the leaders of that group: two Air Force captains, Captain Zeiss on the left, who unfortunately passed away about a year and a half, two years ago, and Captain Waddell. These are the guys that we met with down there.

These guys, again, this is only going to be appreciated by the old-timers, spun off from the Air Force pretty much the first commercial organization that was focused on security. It happened to be called The Wheel Group, and like any good security company they very quickly got snatched up by Cisco, so they only existed for maybe a year and a half or two years. That sort of comes out of San Antonio; I meant to make that white font. We took this trip to San Antonio and we got to see all sorts of cool stuff. They had an Air Force museum. You may know what that plane is. Yeah, recently declassified,

20-some years ago when we went down there. You might know what that plane is; this is totally off subject, but it's cool stuff. That's the Warthog; that one won Desert Shield, Desert Storm. That was the plane that was going in and bombing, blowing up all the tanks and everything. Of course we saw the Alamo, and if you've ever been to San Antonio, San Antonio has a River Walk, and what we discovered, which is very important when you're building a hacker culture, is the 46-ounce margarita. We actually only had one drink that night. I was the driver of the minivan; we had, I think, four or five of us

down there, and the other guys were sort of laid across the seats and the floor in the back of the van. We made it back in one piece, and we bought one of these glasses, which we came to call the Orb, and we brought it back, because we're geeks, we're trying to build the hacker culture. The biggest thing we learned down there, though, at AFIWC, was that they didn't have the traditional sort of cubicle-land office structure. They had everything pushed to the corners and they had a literal round table. I had to work really hard to find anything that looked like it, but they said they would have everybody on the fringes doing their job,

but if anybody ever had a question where they wanted to talk and converse, they would call "round table," everybody would spin their chairs and come to the middle. We thought that was really cool, so we created that in our office. Oh, and speaking of the office, we needed to have our own space. So the office, again sort of building this culture of "we want to be hackers," geeky and nerdy and different, we named our office the Pit. The Pit was local here; it was right down by BWI, the buildings that are on the approach to BWI. This particular building is called Phoenix III. The Pit was sort of in that corner; I

forget whether it was the second or third floor. The reason I bring this up is because a couple of years ago a book came out called Dark Territory. Anybody heard of the book? Read the book? A few different hands. In this book, in the fourth chapter, which is entitled "Eligible Receiver," there's a paragraph that I like to do as a dramatic reading. In the middle there: "During its most sensitive drills, the red team worked out of a chamber called the Pit, which was so secret that few people at NSA knew it existed, and even they couldn't enter without first passing through two," not one but two, "combination-locked doors."

So somehow the legend of our office, which we nicknamed the Pit, made it into a book. We thought that was kind of cool. We also had to work on how we were going to do this thing called hacking and breaking into things to test the security of it. We didn't have anything back then, so we worked on developing a methodology. And of course we were doing something different, and because we were working for a government organization, we ran into some red tape. But we had some ground rules. One of the important ground rules, at least from our management's perspective, was that everything that we were doing against

classified systems had to be classified at the level we were doing it. Keep that in mind. Because we were doing something that was kind of different, that they didn't understand (they were all engineers, used to hardware, not this sort of ethereal, working-in-the-ether, magical software hacking stuff), we had to get permission to do everything. And permission in the government, like in any good bureaucracy, takes a long time. Everybody has to put their signature on it, or their initials, to check off on it, and it would take literally weeks and months for the paperwork to go from desk to desk to desk to desk to get all these signatures. That was a little bit bothersome. More on

that later. We came up with what is essentially, I think, roughly the methodology that most of us know today. There's a right way to go about this thing of trying to figure out the security of a network, but it hadn't been written down before, to our knowledge, so we had to figure it out all by ourselves, and lo and behold, it's pretty much what we have today. What some people call OSINT these days we simply called recon. We would decide what our targets were going to be by trying to discover things on the network, figure out, based on what we were seeing, how we would approach attacking

it and trying to break in, and so on and so forth. When I was putting this together originally I had to start thinking, well, gee, what didn't we have? Because there's so much that's automated these days, there are so many tools available. This is certainly not an exhaustive list, but just so you understand how hard it was to hack back in those days, because it was cold and we had to walk 15 miles in the snow to get to the computer: we didn't have some of the basic, fundamental tools that a lot of people take for granted these days. So please have pity on us old-timers.

A little bit of our tradecraft I would like to talk to you about, and what we did have. This is where I need to reiterate the disclaimer that anything that we used as an attack tool technically had to be classified at the level of the target that we were going after. Because we were NSA, we were naturally going after top secret networks, so everything we did got labeled top secret and above. So my disclaimer is: I'm not going to talk to you about things that we necessarily were using; I'm going to talk to you about things that were used at the time, nudge nudge, wink wink, with me, all right?

So we had network sniffers. They were hardware, they were devices, they were like 30, 40, 50 pounds, and we would wheel them around on carts and plug them into the networks in the network's office. Yes. [Music] It's mostly a joke; stay with me, tongue-in-cheek. One of the first vulnerability scanning tools was a tool called SATAN, and it was really just designed for network administrators to figure out what was going on in their network, thus the name. Another fanboy moment I've had in the recent past: I happen to be one of the hosts on Paul's Security Weekly, and we had a chance to interview the authors of SATAN back, I

think it was in November: Wietse Venema and Dan Farmer. One of my favorite interview segments that we did on Paul's Security Weekly. Oh, another date popped up. Anyone? Probably not going to guess this one. This is when something called Bugtraq started to be published. Back in the day, the way you found out about vulnerabilities was not by looking at different vulnerability disclosure databases or vendor disclosures; you went to Bugtraq, and Bugtraq was a place where people, mostly network administrators, were getting together talking about problems they were having, things that they encountered, and they'd say, "Well, here's what I'm dealing with, here's the

commands I'm entering, here's the output I'm getting, help," and people would collaboratively work together to try to figure things out. Well, that was a great resource for discovering vulnerabilities and misconfigurations in networks and how to fix things, so this was something that was available to us as a resource as well. This is an example; it was an email list, essentially, back in those days. This is just an example of what a Bugtraq message would look like. We also had what were called CERT advisories, Computer Emergency Response Team, and there were various flavors of CERTs out there, and they would put out advisories, usually early-warning messages of hacker activity. If somebody's bothered to read this, the

print's kind of small, but this is a real CERT advisory that was issued on July 4th, 1999... 1996, talking about alien malware, essentially, and how to look out for it. If you've seen the movie, the way that they bring down the aliens is they insert a virus into the mothership. That's a joke. Awesome. Not classified: we did do open source collection. This is usually on a bigger screen; I can't even see it on my screen. Back in those days, most of the information that was on the internet was really in databases, usually on university campuses, on mainframes, so there were various database lookup tools, very rudimentary tools, where you could look

up things: things that were called Archie, things that were called Gopher, that were different sets of computer databases, network and university databases, where you could do some rudimentary searching. There was no such thing as network address translation back then; everybody was internet-routable. If you were a company, you went out and bought your IP address space, whether it was a class A, B or C or some subnet portion of that, and it was all DNS and it was all pretty much freely available, so you could do lookups and find out what your target space was by just typing in the name of the company that you're going after, or in this case it was the military, but

again, this is stuff that was available at the time. There's an example of Gopher. Before Google and before Yahoo there was this thing called AltaVista, which was one of the early search engines, which was my personal favorite, and then there was simply the network browser; Netscape came along after that, which was sort of the commercial spin-off of Mosaic. And then of course the original Yahoo, which, when you went there, one of the options on Yahoo (the old-timers will remember this) was you could click on sort of a roulette button and they would just take you to a random website, because they wanted people to just start looking around the web and discovering

things. These are the things that we had available to us at the time in terms of doing target acquisition. We didn't have nmap; we had something called strobe. Strobe was a port scanner, mostly TCP-based; I forget whether it had UDP, but who cares about UDP, we would mostly look at TCP. Pop quiz: does anybody know who wrote strobe? Give up? Julian Assange. Think about that one for a while. Various other things where you could look up network information: nslookup was a way of looking up the names of systems, and then we also had network mapping tools. Fun stuff.

Another date, anyone? This is the date when Crack was published. Crack was one of the early password cracking tools, primarily for Unix passwords, one of the primary password cracking tools we would use back in those days. If you were on a Unix system, you could go look at the password file. It wasn't hidden or masked in any way; it was pretty much world-readable to anybody, and this is what it looked like. I've blacked out the actual people's names because this is a real file, but you would have the username, the user ID, and then right after that you would have the hash of the password. So you could grab that, feed it into Crack, and just like we do

today, still, 20-some-odd, 25-some-odd years later, pop out the password that's "password" or "Spring2019." We were doing it back then too. One of our common attack methods then, again because it was Unix, was to find programs that were running with what was called setuid 0, which meant the program ran as the author, and the author was set to root. So a very common trick for breaking into a system and getting root privileges was to find one of these programs and just figure out a way to halt its execution, or to break its execution, because very often they would stop and halt and just stop in

the state where they were root, and they'd drop out to a shell. You get the root prompt, you do a little root dance and be excited. What do we call it these days? Popping a shell. We used to call it the root dance. So those were a lot of the techniques and the things that we had available to us at the time, and as I said, doing all those things on one level was problematic, because it would take so long to get the permissions to do all these things. There was also sort of this political power struggle going on, because, again, NSA, in addition to them

being, at a management level, kind of weird about "what are you doing, this is all kind of foreign to us," there was also some concern, very legitimate concern, that what NSA does, according to our charter, we only do against foreign adversaries and foreign powers; we're not allowed to do what NSA does to US citizens. So even if you're doing it from a good-guy perspective, from a white-hat perspective ("we're the good guys trying to break in to tell you what all your problems are"), this became problematic. Oh, another date, anyone? This is the date that PGP came out. I'll try to be very brief.

There was a day in our office when an edict came out. One of our customers was thinking about canceling a multi-million-dollar crypto project with NSA, because they were asking the question, "Well, PGP's out there and it's free; why don't we just use that?" So an edict went out from on high: everybody stop what you're doing and try to find an attack; we've got to break PGP and prove that it's not worth using so that we don't lose our customer. Long story short, there were a couple of guys that figured out an attack against it. Here's the attack: they found a document, they found some unused byte space in the document, they

inserted some code they put it in an email as an attachment and coerced the recipient into clicking on the attachment at that time the the code would execute copy the pgp key rings into a file and send it out the next email what is that it's phishing yeah this was like 1994 or 1995. the guys that did it they got all sorts of cash awards they'd saved the day they got paraded around all sorts of government facilities they were down in dc you know the pentagon everything was going on some months later they did a brown bag lunch to tell us peons that were just in the office uh what they had done and just you know

talk about the work they'd done and i i went to this brown bag session heard them describe their attack and when they got to asking questions i raised my hand and said wouldn't that work against our stuff and they paused and said yeah i'm like so what's the point they're like well we weren't hired to you know we weren't asked to attack our stuff we were asked to attack pgp we solved the problem that is nsa i'm sure it's changed a lot another fanboy moment i got to meet phil zimmerman last october we were at an issa conference together so i don't have many fan fanboy moments because the people that are my heroes are somewhat older than me and

not always around and sometimes hard to find so here's one top secret that i will reveal to you again it's tongue-in-cheek okay don't worry who thought this is gonna be a problem here's one of the primary attack tools that we use let that sink in if we were following the rules we had to wait a month to issue a ping command because we had to have 12 levels of management sign off on the fact that we were doing pick obviously a problem obviously not really classified obviously there was a misunderstanding so we had to talk to the lawyers we had to talk to our general counsel for some reason i volunteered to do the job

I think it's because I have a brother that's a lawyer, and I was technically a business major in college, so I felt like I could communicate with people. So we set out to talk to the lawyers, because they understood that conceptually you can't wait a month to issue a ping command, but what they wanted to do was understand exactly what we were going to do ahead of time so that they could sort of pre-approve it. So they wanted us to initially just go through every attack methodology and tool we had so that they could understand it, and when we got asked to do a job we would basically say, "Well, you know, we have

client A and they have network B, and so we're going to use three of these and two of these," and sort of pick from an à la carte list that they'd pre-approved. So I set out to explain to them: it doesn't work like that. You don't know what you're going to do until you encounter what you're going to do. So I set out to teach them more the process and the methodology, at the same time explaining to them how the tools worked and the things that we used back then. And most of the tools we used back then were really Unix commands; they were features of the operating system that

we knew a little bit more about how they worked. Very often, we did this on a weekly basis, and this was a cool show at the time, Home Improvement, so I called the time that I spent with the lawyers "Tool Time." Word got out we were doing this stuff, mostly within NSA and within the DoD customer space, if you will. But word got out, and there came a time where, and this is a copy of a report that was written some time after it that talks about the story that I'm about to unfold to

you. But basically we were approached by the Department of Justice and asked to do a vulnerability assessment of their Internet presence. At the time, obviously, the DOJ was an unclassified network; that wasn't NSA's charter. The organization that was supposed to be doing that at the time was NIST. NIST at the time didn't really have much of an operational capability, so they would always sort of hand it off to NSA anyway. So there's a way to do this, and I had to set out to learn sort of the political hoops to jump through to make all this happen. One of the things I was told, I happened to be working with the lawyers

anyway, so they guided me through this, was that for this to be done it sort of had to be done as a favor between cabinet-level positions. So the Secretary of Defense got this email, I'm sorry, letter, memo, from the Secretary of... what's the Secretary of Justice? Attorney General, thank you, who at the time was Janet Reno. So this is an actual letter that I kept a hold of, where Janet Reno asked the Department of Defense, "Hey, could you have those NSA guys do their thing over for us?" This is a copy of the response that went back. It took several months, as I said, to get to this point because

it's a bureaucracy, but you can see in there somewhere down at the bottom I'm named as the primary point of contact for NSA going to help do the DOJ thing. Right before we got a chance to deliver this email, or this memo (I keep... sorry, in the past it was paper), before this was delivered, this happened: one of the first, if not the first, hacks of a government website. The DOJ website was compromised. So I came in on Monday morning and got a phone call from the guy that I was working with at the DOJ saying, "Help, we've been hacked." And I pulled together a team of people and we went down and tried to help them

do forensics. But back in those days, when you had a web server, you hosted it on your own servers in your own network and you made it available to the Internet. So when they discovered that this hack had happened, the first thing that they did was literally pull the plugs on the server, wipe it clean, and reload it. So there weren't any forensic rules back then; there were no training courses. Again, actually, that was one of the outcomes: I contributed to one of the first SANS documents on how to do incident handling, and, you know, rule number one: don't destroy the evidence. That's what the hackers are trying to do.

So anyway, it caused a big political issue. There's a longer story out there that I won't go into the details on, but because I was there, and a team of us were there from NSA, after several days somebody blew the whistle on us and called foul and said, "Why is NSA, that's responsible for classified networks, doing something for the DOJ, that's an unclassified network?" Long boring story; the upshot of it was most of us left, myself included. So, full disclosure, the Pit was actually six guys originally. Four of us left; two of us are still at NSA. The only other person that I'm

allowed to publicly say, because I have his permission, that was part of the original Pit is Ron Gula, Ron Gula, the founder of Tenable Network Security. So he and I have known each other for about 26, 27 years; we were both members of the original Pit. After that, what happened after most of us left in the '96, '97 range: June 1997, remember that slide I had earlier about the book? The exercise Eligible Receiver happened. Eligible Receiver was the first joint hack that NSA did of all the armed forces. It was designed to be something like a two- or three-week exercise, and they called it after about 36 hours because they'd blown through everything and they

were done, and so they pulled the plug on it. It was back in... it's 2017 now, they actually had a meeting, a seminar that they called "Cyber at the Crossroads." So if you Google that, I think the website's still up there; that's the site. But they got all the original players together and they talked about the whole Eligible Receiver thing. It's an interesting historical lesson in how bad the network was back then. Of course everything's much better now. Another date just to put things in context: this is about a year after I left NSA. Anybody? Nmap. So I did enjoy Nmap in the early days, just not when I was technically

working for the government. The Pit, most of us still get together; we try to get together at least once a year. A couple times ago, one of the guys who still works at NSA brought some trinkets that he had actually gotten at the National Cryptologic Museum, which I encourage everyone, if you haven't been there, to visit sometime. They have a gift shop and they sell things like NSA Secret Sauce. They sell pens that actually have a little bat signal built into it, so the NSA seal is actually being projected by that pen onto just a coffee mug; we were out at a restaurant. They've got t-shirts, they've got flasks, they've got shot glasses, all sorts of

cool stuff, and it's a really cool museum. I encourage you to visit. If you're interested in what I'm talking about and want to hear more, just a little bit of a pitch about me for a little bit. As I said, I'm on Paul's Security Weekly; I'm one of the hosts on that. If you want to learn about the history of hacking and phreaking from the '70s through the '90s, there's a charitable organization called Hak4Kidz that put out a fantasy card game a year ago called Phreaker Life. You can find it on phreaker.life. Each card has a little piece of hacker/phreaker history; it's a really good learning tool. Hak4Kidz is

designed to teach young people about hacking, and so this is one of the learning tools that they've come up with. One of the features is there's eight face cards called "hachemisms," and I got to be one of the first face cards on this deck. And then more recently this year there was a book published a couple months ago called Tribe of Hackers. I was fortunate to be asked to be one of the contributors to that book. Next week I'm actually going down to Texas; they're hosting an all-day Tribe of Hackers summit on Thursday. If you're not going to be in the Austin area, they're going to be live

streaming the event. I think it's nine to five, so I guess that's Central time. So if you have a chance, just put it on in the background while you're doing your job next Thursday. tribeofhackers.com, if you go there you'll find the information. I'm also a Jedi Master; I occasionally get escorted to talks by stormtroopers. And one of my special moments the last couple years is I got to become a member of what's called the Cabal of the Curmudgeons, which is a bunch of basically old farts that get together with Gene Spafford, Spaf. He's the guy that's third in from the left, the

beard and open... he's usually wearing a bow tie; that's what he's known for. He's from Purdue. He's one of those books in the early slides, the basic Internet and Unix security; he was one of the co-authors. So he's been in this business for like 50-some-odd years, you know, really bright guy, and I got a chance to hang out with him. Coincidentally or not, the person that I have my arm around, the guy in the red sweater, that's actually the lawyer that I used to work with at NSA. We've sort of made amends after all this stuff that happened with that whole DOJ thing. Ask me about it over

drinks sometime. I'll be doing on time... oh, I went fast today. I have time for questions. I may or may not be able to answer them, and none of my answers will be classified. Say, anybody have any questions, comments?

Nothing? Yes.

So the question was, the keynote was talking about the evolution of strong crypto, exportable crypto, and federal resist... Well, indirectly. You know, I mentioned PGP, and we had this whole thing about trying to break PGP when PGP came out. Cryptography back in those days was considered to be military materiel. It was classified as weaponry, and so it couldn't be exported. Phil Zimmermann got into a huge amount of trouble because he put out something for free that the whole world was using, and they were trying to stick it to him for many years. He survived it. We weren't really in the business of

exporting crypto; we were producing crypto for us, the US. So we didn't really directly run into that as an issue, but we did work on things that could possibly, theoretically, be used throughout the world, whether people knew it or not. Put it that way; that makes it sound like we're above the law. Is that a question, or are you just waving at me? Okay, yes.

So the question was, before there was the concern of the confidentiality of data, was there not also a concern about the integrity of data, and was that a concern back then? The way I learned infosec in my entire time at the DoD was the idea of data security based on confidentiality, integrity, and availability. We called it CIA for short, and that's fairly common; I think a lot of people know it. It's always been a concern. It's been a concern for thousands of years: the idea that you need to keep your secret information secret so that nobody else can read it; that you need to make sure that the information is real, the integrity,

that it hasn't been altered or modified. The illustration that I typically use is sort of in a different context, but in terms of the value of data: if you think about a battlefield where there's a skirmish going on and you want to call in an air strike, it's pretty darn important to call in the right grid coordinates or GPS coordinates so that the planes that are dropping the bombs, or these days the drones that are coming in to drop the bombs, are dropping them in the right place. Extremely important information. The confidentiality and the integrity of that information is really important right up until the time the bombs drop, and then not so much.

So I usually tell that story in the context of not only the confidentiality, integrity, and availability of data, but also in terms of the value of the data, the shelf life of the data, how long you need to protect the data. That was part of the determination of data classification in the DoD, of whether something is Confidential, Secret, Top Secret, and so on and so forth. The higher level up, not so much because of what the data is in and of itself, especially at the Top Secret and compartmented levels, but it's how you get the information, what we call methods and sources. But a bit...

The availability of data, sort of the third part of the triad, is making sure the data is there when you need it. To me, for thousands of years that has been the focus of data security, and in our modern, technologically connected, network-connected world they still pretty much stand. There's a couple of nuances I think that have been introduced that are sort of new concepts, but still sort of related to those original three. You have a follow-up question? I'm not going to try to repeat that. The question is, you're really worried about the data, and especially the network traffic that gets transmitted, where and how. Fair enough. Yes, it's a concern.

Any other questions? We can talk later if you want.

Yes. All I see is the black square; is that five two or one ten? Interesting that you asked the question about red teaming, because in Eligible Receiver, in that chapter in the book, it talks about NSA's red team. When I was there we called ourselves hackers and pen testers. And just in the last couple weeks I've been asking people to define what they mean by pen testing and red team. I don't know if anybody here subscribes to a sort of an online collaborative site called Peerlyst. Somebody posted to Peerlyst in the last couple weeks something about, "Well, I'm going to define these terms, pen testing and red teaming," and I read

through their terminology. I think they also mentioned vulnerability assessment, but their definition of pen testing I would call a vulnerability assessment, and their definition of red teaming I would call a pen test. So my question to you, and the question is, how does someone get into red teaming? First I'm going to say, what do you mean by red teaming? Define that, because I want to make sure we're saying the same thing.

Okay, so you're asking about the mindset: how do you become this type of person that tries to break into things, maybe beyond simply using tools that automate the results, but how do you take those results and put them together? That's a fair question, and I don't have an exact answer, because I have a suspicion that that mindset is not necessarily something that you can grow, and I'm happy to be proven wrong on this. I think it's something that's built into you, a natural curiosity, and there are certain tendencies, I think, in our personalities that can indicate that we've got it or we don't. And

I don't mean to say that you either have it or you don't, but I've met a lot of people over the years that are in this business as pen testers or red teamers or whatever you define it: people that are trying to break into things or figure out how things work, figure out how to break things in hopes of fixing things, whatever you call it. If they're good at it, they all seem to have sort of this natural curiosity, this propensity to break things, this drive or hunger to figure out how things work. And if you can teach that to young people and cultivate that, great.

In another context I call it critical thinking, and I think there are debates among scholars of whether critical thinking is something that you're just born with and you have the aptitude that can be cultivated, or whether it's something that can be taught. I'm not convinced that it's something that can be taught. I think it can be taught up to a certain degree, but if you don't have that little whatever-it-is in your personality and your character that makes you want to break things or figure things out, the curiosity, I don't know if that's something that can be captured. What I can tell you is, like, when I went to work at NSA back in 1986 I filled out an application

because I heard that they were hiring. They asked me to come up to Fort Meade for like two or three days of testing, so I took a series of aptitude tests. I don't know, it was probably 12 or 15 tests. I certainly don't remember all of them, but the ones that stick out to me are: one was, you were given a page or a couple of pages of paragraphs and sentences, you know, messages that had been intercepted, that were in a made-up language. It was not a language that existed, and they would ask you to figure out, "Can you tell me what the nouns are in all these messages, or what the

verbs are?" What sense can you make out, in a series of questions, just based on sort of the construct of the language, without knowing what the language was, because it wasn't a real language. One of the other tests that I took was simply they would show you a two-dimensional picture of a three-dimensional object, let's say like a pyramid or a cone, and you had four choices, and they would say, "What does this object look like from above?" or "What does this object look like from behind?" I happened to do well on that. I was like, "Oh, this is easy," you know, I picked out all the answers. But I met

people coming out of the test that really struggled with that. So is that something you can learn, or is that something you're born with? NSA tended to hire a lot of people with liberal arts degrees, because for some reason they made good "crippies," because whatever makes somebody a good artist or thinking outside of the box made people good cryptanalysts, which is a lot of what they do and did. People that are good at puzzles, people who like to do puzzles, they tended to hire. So they recognized characteristics over the years of people that they could cultivate, but I don't know as they ever went as far as

saying you're either born with it or you're not. Am I answering your question at all? Because I don't know how to answer your question. You either got it or you don't. If you're hungry and you want to get into it, you'll find a way, I guess, is what I'm saying. Time to call it. All right, thank you very much, everybody. Feel free to reach out to me if you want. I have stickers up here.